Attention is currently required from: tnt.
laforge has posted comments on this change. ( https://gerrit.osmocom.org/c/dahdi-linux/+/36655?usp=email )
Change subject: icE1usb: Configure the RX mode according to CRC4 mode
......................................................................
Patch Set 2: Code-Review+2
--
To view, visit https://gerrit.osmocom.org/c/dahdi-linux/+/36655?usp=email
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings
Gerrit-Project: dahdi-linux
Gerrit-Branch: master
Gerrit-Change-Id: Ic9da7d2a32f9aa9bf5de296dc4885eeaf56b138e
Gerrit-Change-Number: 36655
Gerrit-PatchSet: 2
Gerrit-Owner: tnt <tnt(a)246tNt.com>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge(a)osmocom.org>
Gerrit-Reviewer: tnt <tnt(a)246tNt.com>
Gerrit-Attention: tnt <tnt(a)246tNt.com>
Gerrit-Comment-Date: Thu, 02 May 2024 11:25:09 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
falconia has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-bts/+/36706?usp=email )
Change subject: rsl.adoc: document RSL_IE_OSMO_RTP_EXTENSIONS
......................................................................
rsl.adoc: document RSL_IE_OSMO_RTP_EXTENSIONS
This addition to Abis RSL is an Osmocom-specific IE, intended for
Osmocom flavor of Abis over IP. It requests the use of non-standard
enhanced RTP transport formats.
Change-Id: I6117049b17ced5fb6635ac70d9238169033af4de
---
M doc/manuals/abis/rsl.adoc
1 file changed, 42 insertions(+), 0 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/06/36706/1
diff --git a/doc/manuals/abis/rsl.adoc b/doc/manuals/abis/rsl.adoc
index e627f5c..09c7207 100644
--- a/doc/manuals/abis/rsl.adoc
+++ b/doc/manuals/abis/rsl.adoc
@@ -518,6 +518,7 @@
| IP Speech Mode | <<RSL_IE_IPAC_SPEECH_MODE>> | O | TV | 2
| RTP Payload Type 2 | <<RSL_IE_IPAC_RTP_PAYLOAD2>> | O | TV | 2
| RTP CSD Format | <<RSL_IE_IPAC_RTP_CSD_FORMAT>> | O | TV | 2
+| RTP Extensions | <<RSL_IE_OSMO_RTP_EXTENSIONS>> | O | TLV | 3
|===
[[rsl_crcx_msg_ack]]
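Review bot: The added row gives the length of RTP Extensions as a fixed 3, but the IE description added later in this patch says only the first octet is defined and any additional octets are for future expansion, so the TLV can grow beyond three octets. Consider stating the length as a minimum, in whatever notation the table uses for variable-length IEs, so an implementer does not reject a longer IE. The same applies to the identical row added in the next hunk.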
@@ -579,6 +580,7 @@
| IP Speech Mode | <<RSL_IE_IPAC_SPEECH_MODE>> | O | TV | 2
| RTP Payload Type 2 | <<RSL_IE_IPAC_RTP_PAYLOAD2>> | O | TV | 2
| RTP CSD Format | <<RSL_IE_IPAC_RTP_CSD_FORMAT>> | O | TV | 2
+| RTP Extensions | <<RSL_IE_OSMO_RTP_EXTENSIONS>> | O | TLV | 3
|===
[[rsl_mdcx_msg_ack]]
@@ -867,6 +869,9 @@
| 0x01 | RSL_IE_CHAN_NR | <<RSL_IE_CHAN_NR>>
| 0x60 | RSL_IE_OSMO_REP_ACCH_CAP | <<RSL_IE_OSMO_REP_ACCH_CAP>>
| 0x61 | RSL_IE_OSMO_TRAINING_SEQUENCE | <<RSL_IE_OSMO_TRAINING_SEQUENCE>>
+| 0x62 | RSL_IE_OSMO_TEMP_OVP_ACCH_CAP | <<RSL_IE_OSMO_TEMP_OVP_ACCH_CAP>>
+| 0x63 | RSL_IE_OSMO_OSMUX_CID | <<RSL_IE_OSMO_OSMUX_CID>>
+| 0x64 | RSL_IE_OSMO_RTP_EXTENSIONS | <<RSL_IE_OSMO_RTP_EXTENSIONS>>
| 0xf0 | RSL_IE_IPAC_REMOTE_IP | <<RSL_IE_IPAC_REMOTE_IP>>
| 0xf1 | RSL_IE_IPAC_REMOTE_PORT | <<RSL_IE_IPAC_REMOTE_PORT>>
| 0xf3 | RSL_IE_IPAC_LOCAL_PORT | <<RSL_IE_IPAC_LOCAL_PORT>>
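Review bot: The rows for 0x62 RSL_IE_OSMO_TEMP_OVP_ACCH_CAP and 0x63 RSL_IE_OSMO_OSMUX_CID fall outside what the subject line describes, which is documenting RSL_IE_OSMO_RTP_EXTENSIONS only. Either mention in the commit message that the two previously missing IEs are added to the table as well, or split them into their own change.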
@@ -1089,6 +1094,30 @@
| 8..255 | reserved values
|===
+[[RSL_IE_OSMO_TEMP_OVP_ACCH_CAP]]
+==== RSL_IE_OSMO_TEMP_OVP_ACCH_CAP
+
+FIXME.
+
+[[RSL_IE_OSMO_OSMUX_CID]]
+==== RSL_IE_OSMO_OSMUX_CID
+
+FIXME.
+
+[[RSL_IE_OSMO_RTP_EXTENSIONS]]
+==== RSL_IE_OSMO_RTP_EXTENSIONS
+
+This information element requests the use of non-standard enhanced RTP
+transport formats, currently TW-TS-001 and TW-TS-002, but possibly
+other formats in the future.
+Only the first octet is currently defined, any additional octets
+are for future expansion.
+
+The first octet of this IE has the same bit definitions as in TW-TS-003:
+the least significant bit indicates the use of TW-TS-001, the second
+least significant bit indicates the use of TW-TS-002, and all other bits
+are reserved.
+
[[RSL_IE_IPAC_RTP_CSD_FORMAT]]
==== RSL_IE_IPAC_RTP_CSD_FORMAT
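Review bot: The RSL_IE_OSMO_RTP_EXTENSIONS text does not say what a receiver must do with reserved bits that are set, or with additional octets it does not understand. Since both are explicitly left for future expansion, state whether they are to be ignored or treated as an error. Separately, the two sections above it consist only of "FIXME." and would be published in the manual as is; a one-line description or a pointer to where each IE is defined would be better than a placeholder.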
--
To view, visit https://gerrit.osmocom.org/c/osmo-bts/+/36706?usp=email
Gerrit-Project: osmo-bts
Gerrit-Branch: master
Gerrit-Change-Id: I6117049b17ced5fb6635ac70d9238169033af4de
Gerrit-Change-Number: 36706
Gerrit-PatchSet: 1
Gerrit-Owner: falconia <falcon(a)freecalypso.org>
Gerrit-MessageType: newchange
falconia has uploaded this change for review. ( https://gerrit.osmocom.org/c/libosmocore/+/36704?usp=email )
Change subject: bts_features: add feature flags for TWTS001 and TWTS002
......................................................................
bts_features: add feature flags for TWTS001 and TWTS002
TW-TS-001 and TW-TS-002 (Themyscira Wireless Technical Specifications)
are enhanced RTP payload formats that replicate the functionality and
semantics of 3GPP TS 48.060 and 48.061 (respectively) over IP transport.
Companion spec TW-TS-003 defines a BSSMAP extension whereby the CN
tells the BSS that it wishes to use these otherwise non-standard RTP
formats - but these RTP extensions need to originate at the BTS, as
their main purpose is to pass along information that is otherwise lost
in RTP transport with standard payload formats.
Define feature flags whereby OsmoBTS can tell OsmoBSC that it supports
these RTP extensions.
Change-Id: Ia2cd1d5fa37e9d10927ca5d6cad79ec538fd0a11
---
M include/osmocom/gsm/bts_features.h
M src/gsm/bts_features.c
2 files changed, 27 insertions(+), 0 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/04/36704/1
diff --git a/include/osmocom/gsm/bts_features.h b/include/osmocom/gsm/bts_features.h
index cf1db4a..8da08d8 100644
--- a/include/osmocom/gsm/bts_features.h
+++ b/include/osmocom/gsm/bts_features.h
@@ -36,6 +36,8 @@
BTS_FEAT_OSMUX, /* Osmux (Osmocom RTP muxing) support */
BTS_FEAT_VBS, /* Voice Broadcast Service support, 3GPP TS 43.069 */
BTS_FEAT_VGCS, /* Voice Group Call Service support, 3GPP TS 44.068 */
+ BTS_FEAT_TWTS001, /* TW-TS-001: enhanced RTP transport for FR & EFR */
+ BTS_FEAT_TWTS002, /* TW-TS-002: enhanced RTP transport for HRv1 */
_NUM_BTS_FEAT
};
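Review bot: The comments on BTS_FEAT_TWTS001 and BTS_FEAT_TWTS002 give the document numbers but not their origin, while the neighbouring entries cite 3GPP specs a reader can look up. The commit message identifies them as Themyscira Wireless Technical Specifications; putting that in the comment, or in a short note above the two entries, would make the header self-explanatory.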
diff --git a/src/gsm/bts_features.c b/src/gsm/bts_features.c
index b6cd82e..158937a 100644
--- a/src/gsm/bts_features.c
+++ b/src/gsm/bts_features.c
@@ -47,6 +47,8 @@
{ BTS_FEAT_OSMUX, "Osmux (Osmocom RTP multiplexing)" },
{ BTS_FEAT_VBS, "Voice Broadcast Service" },
{ BTS_FEAT_VGCS, "Voice Group Call Service" },
+ { BTS_FEAT_TWTS001, "TW-TS-001 RTP format" },
+ { BTS_FEAT_TWTS002, "TW-TS-002 RTP format" },
{ 0, NULL }
};
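Review bot: The description strings "TW-TS-001 RTP format" and "TW-TS-002 RTP format" drop the codec information that the header comments carry (FR & EFR versus HRv1), so anything that prints these descriptions will not show which flag applies to which codec. Consider including it in the string, for example "TW-TS-001 RTP format (FR & EFR)".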
@@ -88,6 +90,8 @@
{ BTS_FEAT_OSMUX, "OSMUX" },
{ BTS_FEAT_VBS, "VBS" },
{ BTS_FEAT_VGCS, "VGCS" },
+ { BTS_FEAT_TWTS001, "TWTS001" },
+ { BTS_FEAT_TWTS002, "TWTS002" },
{}
};
--
To view, visit https://gerrit.osmocom.org/c/libosmocore/+/36704?usp=email
Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: Ia2cd1d5fa37e9d10927ca5d6cad79ec538fd0a11
Gerrit-Change-Number: 36704
Gerrit-PatchSet: 1
Gerrit-Owner: falconia <falcon(a)freecalypso.org>
Gerrit-MessageType: newchange
Attention is currently required from: laforge.
tnt has posted comments on this change. ( https://gerrit.osmocom.org/c/dahdi-linux/+/36655?usp=email )
Change subject: icE1usb: Configure the RX mode according to CRC4 mode
......................................................................
Patch Set 2:
(1 comment)
Patchset:
PS2:
> just to be clear: this will not break backwards compatibility between new DAHDI driver and old firmw […]
No, it will do the exact same thing as before.
In the old firmware the 'rx mode' does nothing.
--
To view, visit https://gerrit.osmocom.org/c/dahdi-linux/+/36655?usp=email
Gerrit-Project: dahdi-linux
Gerrit-Branch: master
Gerrit-Change-Id: Ic9da7d2a32f9aa9bf5de296dc4885eeaf56b138e
Gerrit-Change-Number: 36655
Gerrit-PatchSet: 2
Gerrit-Owner: tnt <tnt(a)246tNt.com>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge(a)osmocom.org>
Gerrit-Reviewer: tnt <tnt(a)246tNt.com>
Gerrit-Attention: laforge <laforge(a)osmocom.org>
Gerrit-Comment-Date: Wed, 01 May 2024 12:57:19 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: laforge <laforge(a)osmocom.org>
Gerrit-MessageType: comment
Attention is currently required from: tnt.
laforge has posted comments on this change. ( https://gerrit.osmocom.org/c/dahdi-linux/+/36695?usp=email )
Change subject: icE1usb: Show accumulated error count from GPSDO state in sysfs
......................................................................
Patch Set 2: Code-Review+1
--
To view, visit https://gerrit.osmocom.org/c/dahdi-linux/+/36695?usp=email
Gerrit-Project: dahdi-linux
Gerrit-Branch: master
Gerrit-Change-Id: Idc4ff2a3a7411df758a432fc4c6fe5a88963b626
Gerrit-Change-Number: 36695
Gerrit-PatchSet: 2
Gerrit-Owner: tnt <tnt(a)246tNt.com>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge(a)osmocom.org>
Gerrit-Reviewer: tnt <tnt(a)246tNt.com>
Gerrit-Attention: tnt <tnt(a)246tNt.com>
Gerrit-Comment-Date: Wed, 01 May 2024 12:54:22 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
Attention is currently required from: tnt.
laforge has posted comments on this change. ( https://gerrit.osmocom.org/c/dahdi-linux/+/36655?usp=email )
Change subject: icE1usb: Configure the RX mode according to CRC4 mode
......................................................................
Patch Set 2: Code-Review+1
(1 comment)
Patchset:
PS2:
just to be clear: this will not break backwards compatibility between new DAHDI driver and old firmware, right?
--
To view, visit https://gerrit.osmocom.org/c/dahdi-linux/+/36655?usp=email
Gerrit-Project: dahdi-linux
Gerrit-Branch: master
Gerrit-Change-Id: Ic9da7d2a32f9aa9bf5de296dc4885eeaf56b138e
Gerrit-Change-Number: 36655
Gerrit-PatchSet: 2
Gerrit-Owner: tnt <tnt(a)246tNt.com>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge(a)osmocom.org>
Gerrit-Reviewer: tnt <tnt(a)246tNt.com>
Gerrit-Attention: tnt <tnt(a)246tNt.com>
Gerrit-Comment-Date: Wed, 01 May 2024 12:53:31 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
Attention is currently required from: tnt.
laforge has posted comments on this change. ( https://gerrit.osmocom.org/c/dahdi-linux/+/36654?usp=email )
Change subject: icE1usb: Use ICE1USB_TX_MODE_TS0_CRC4_E to set E bits automatically
......................................................................
Patch Set 2: Code-Review+2
--
To view, visit https://gerrit.osmocom.org/c/dahdi-linux/+/36654?usp=email
Gerrit-Project: dahdi-linux
Gerrit-Branch: master
Gerrit-Change-Id: Iea936a6c908ef5e175be3090a8fbcafaeb5a0aed
Gerrit-Change-Number: 36654
Gerrit-PatchSet: 2
Gerrit-Owner: tnt <tnt(a)246tNt.com>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge(a)osmocom.org>
Gerrit-Reviewer: tnt <tnt(a)246tNt.com>
Gerrit-Attention: tnt <tnt(a)246tNt.com>
Gerrit-Comment-Date: Wed, 01 May 2024 12:52:09 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
laforge has posted comments on this change. ( https://gerrit.osmocom.org/c/dahdi-linux/+/36703?usp=email )
Change subject: frame_fifo: add missing declaration
......................................................................
Patch Set 1: Verified+1 Code-Review+2
(1 comment)
Patchset:
PS1:
builds only after https://gerrit.osmocom.org/c/dahdi-linux/+/36700/2 is applied - either single one of those patches still fails to build.
--
To view, visit https://gerrit.osmocom.org/c/dahdi-linux/+/36703?usp=email
Gerrit-Project: dahdi-linux
Gerrit-Branch: master
Gerrit-Change-Id: I02eccb9c404157352d6c317b02d742b90c229deb
Gerrit-Change-Number: 36703
Gerrit-PatchSet: 1
Gerrit-Owner: laforge <laforge(a)osmocom.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge(a)osmocom.org>
Gerrit-Comment-Date: Wed, 01 May 2024 12:43:34 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
Attention is currently required from: roox.
laforge has posted comments on this change. ( https://gerrit.osmocom.org/c/dahdi-linux/+/36700?usp=email )
Change subject: Fix build against linux >= 6.5.12
......................................................................
Patch Set 2: Code-Review+2
--
To view, visit https://gerrit.osmocom.org/c/dahdi-linux/+/36700?usp=email
Gerrit-Project: dahdi-linux
Gerrit-Branch: master
Gerrit-Change-Id: I992eccc503a19e348d3575147edcb9c2e78845eb
Gerrit-Change-Number: 36700
Gerrit-PatchSet: 2
Gerrit-Owner: roox <mardnh(a)gmx.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge(a)osmocom.org>
Gerrit-Attention: roox <mardnh(a)gmx.de>
Gerrit-Comment-Date: Wed, 01 May 2024 12:42:45 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
Attention is currently required from: tnt.
laforge has posted comments on this change. ( https://gerrit.osmocom.org/c/dahdi-linux/+/36654?usp=email )
Change subject: icE1usb: Use ICE1USB_TX_MODE_TS0_CRC4_E to set E bits automatically
......................................................................
Patch Set 1:
(1 comment)
Patchset:
PS1:
> Mark as verified since build failure is vs linux master and unrelated
proposed fix is in https://gerrit.osmocom.org/c/dahdi-linux/+/36703
--
To view, visit https://gerrit.osmocom.org/c/dahdi-linux/+/36654?usp=email
Gerrit-Project: dahdi-linux
Gerrit-Branch: master
Gerrit-Change-Id: Iea936a6c908ef5e175be3090a8fbcafaeb5a0aed
Gerrit-Change-Number: 36654
Gerrit-PatchSet: 1
Gerrit-Owner: tnt <tnt(a)246tNt.com>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge(a)osmocom.org>
Gerrit-Reviewer: tnt <tnt(a)246tNt.com>
Gerrit-Attention: tnt <tnt(a)246tNt.com>
Gerrit-Comment-Date: Wed, 01 May 2024 12:40:35 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: tnt <tnt(a)246tNt.com>
Gerrit-MessageType: comment
Attention is currently required from: roox.
laforge has posted comments on this change. ( https://gerrit.osmocom.org/c/dahdi-linux/+/36697?usp=email )
Change subject: strlcpy() was removed with linux kernel commit d26270061ae6 use strscpy() instead.
......................................................................
Patch Set 1: Code-Review+2
--
To view, visit https://gerrit.osmocom.org/c/dahdi-linux/+/36697?usp=email
Gerrit-Project: dahdi-linux
Gerrit-Branch: master
Gerrit-Change-Id: I5beb8dfadf2d240b04e69822721b3360aa81d782
Gerrit-Change-Number: 36697
Gerrit-PatchSet: 1
Gerrit-Owner: roox <mardnh(a)gmx.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge(a)osmocom.org>
Gerrit-Reviewer: roox <mardnh(a)gmx.de>
Gerrit-Reviewer: tnt <tnt(a)246tNt.com>
Gerrit-Attention: roox <mardnh(a)gmx.de>
Gerrit-Comment-Date: Wed, 01 May 2024 12:37:37 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-sgsn/+/36699?usp=email )
Change subject: gmm: mmctx_timer_stop(): warn about timer not running
......................................................................
gmm: mmctx_timer_stop(): warn about timer not running
This turns errors like:
DMM ERROR MM(262420000000038/e2ff704e) Stopping MM timer 3350 but 0 is running
into warnings with a more accurate reason:
DMM NOTICE MM(262420000000037/e2ff704e) Stopping *inactive* MM timer 3350
Change-Id: I56ecad9d8f1049974b0896f6d0e7fc61580155ec
---
M src/sgsn/gprs_gmm.c
1 file changed, 23 insertions(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-sgsn refs/changes/99/36699/1
diff --git a/src/sgsn/gprs_gmm.c b/src/sgsn/gprs_gmm.c
index 768b321..653c425 100644
--- a/src/sgsn/gprs_gmm.c
+++ b/src/sgsn/gprs_gmm.c
@@ -111,9 +111,14 @@
static void mmctx_timer_stop(struct sgsn_mm_ctx *mm, unsigned int T)
{
- if (mm->T != T)
+ if (!osmo_timer_pending(&mm->timer)) {
+ LOGMMCTXP(LOGL_NOTICE, mm, "Stopping *inactive* MM timer %u\n", T);
+ return;
+ }
+ if (mm->T != T) {
LOGMMCTXP(LOGL_ERROR, mm, "Stopping MM timer %u but "
"%u is running\n", T, mm->T);
+ }
osmo_timer_del(&mm->timer);
}
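Review bot: In the new !osmo_timer_pending() branch the function returns before looking at mm->T, and the NOTICE line prints only the requested T. If mm->T still holds a non-zero value while the timer is not pending, that inconsistency is no longer reported at all, whereas the old code logged it. Consider including mm->T in the NOTICE message, or keeping the ERROR when mm->T is neither 0 nor T. Also, the commit message calls the new message a warning while the code uses LOGL_NOTICE; align the wording.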
--
To view, visit https://gerrit.osmocom.org/c/osmo-sgsn/+/36699?usp=email
Gerrit-Project: osmo-sgsn
Gerrit-Branch: master
Gerrit-Change-Id: I56ecad9d8f1049974b0896f6d0e7fc61580155ec
Gerrit-Change-Number: 36699
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <vyanitskiy(a)sysmocom.de>
Gerrit-MessageType: newchange
roox has removed a vote from this change. ( https://gerrit.osmocom.org/c/dahdi-linux/+/36697?usp=email )
Change subject: strlcpy() was removed with linux kernel commit d26270061ae6 use strscpy() instead.
......................................................................
Removed Code-Review+2 by roox <mardnh(a)gmx.de>
--
To view, visit https://gerrit.osmocom.org/c/dahdi-linux/+/36697?usp=email
Gerrit-Project: dahdi-linux
Gerrit-Branch: master
Gerrit-Change-Id: I5beb8dfadf2d240b04e69822721b3360aa81d782
Gerrit-Change-Number: 36697
Gerrit-PatchSet: 1
Gerrit-Owner: roox <mardnh(a)gmx.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: roox <mardnh(a)gmx.de>
Gerrit-Reviewer: tnt <tnt(a)246tNt.com>
Gerrit-MessageType: deleteVote
roox has posted comments on this change. ( https://gerrit.osmocom.org/c/dahdi-linux/+/36697?usp=email )
Change subject: strlcpy() was removed with linux kernel commit d26270061ae6 use strscpy() instead.
......................................................................
Patch Set 1: Code-Review+2
--
To view, visit https://gerrit.osmocom.org/c/dahdi-linux/+/36697?usp=email
Gerrit-Project: dahdi-linux
Gerrit-Branch: master
Gerrit-Change-Id: I5beb8dfadf2d240b04e69822721b3360aa81d782
Gerrit-Change-Number: 36697
Gerrit-PatchSet: 1
Gerrit-Owner: roox <mardnh(a)gmx.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: roox <mardnh(a)gmx.de>
Gerrit-Reviewer: tnt <tnt(a)246tNt.com>
Gerrit-Comment-Date: Wed, 01 May 2024 08:18:34 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
Attention is currently required from: roox.
tnt has posted comments on this change. ( https://gerrit.osmocom.org/c/dahdi-linux/+/36697?usp=email )
Change subject: strlcpy() was removed with linux kernel commit d26270061ae6 use strscpy() instead.
......................................................................
Patch Set 1: Verified+1 Code-Review+1
(1 comment)
Patchset:
PS1:
Manually added verify since build failures on linus master only are unrelated to the change.
--
To view, visit https://gerrit.osmocom.org/c/dahdi-linux/+/36697?usp=email
Gerrit-Project: dahdi-linux
Gerrit-Branch: master
Gerrit-Change-Id: I5beb8dfadf2d240b04e69822721b3360aa81d782
Gerrit-Change-Number: 36697
Gerrit-PatchSet: 1
Gerrit-Owner: roox <mardnh(a)gmx.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: tnt <tnt(a)246tNt.com>
Gerrit-Attention: roox <mardnh(a)gmx.de>
Gerrit-Comment-Date: Wed, 01 May 2024 08:08:03 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
Attention is currently required from: roox.
tnt has removed a vote from this change. ( https://gerrit.osmocom.org/c/dahdi-linux/+/36697?usp=email )
Change subject: strlcpy() was removed with linux kernel commit d26270061ae6 use strscpy() instead.
......................................................................
Removed Verified-1 by Jenkins Builder (1000002)
--
To view, visit https://gerrit.osmocom.org/c/dahdi-linux/+/36697?usp=email
Gerrit-Project: dahdi-linux
Gerrit-Branch: master
Gerrit-Change-Id: I5beb8dfadf2d240b04e69822721b3360aa81d782
Gerrit-Change-Number: 36697
Gerrit-PatchSet: 1
Gerrit-Owner: roox <mardnh(a)gmx.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Attention: roox <mardnh(a)gmx.de>
Gerrit-MessageType: deleteVote
Attention is currently required from: tnt.
laforge has posted comments on this change. ( https://gerrit.osmocom.org/c/osmo-e1-hardware/+/36676?usp=email )
Change subject: icE1usb fw: Avoid casting random pointer to struct in set_{rx,tx}_mode
......................................................................
Patch Set 1: Code-Review+1
--
To view, visit https://gerrit.osmocom.org/c/osmo-e1-hardware/+/36676?usp=email
Gerrit-Project: osmo-e1-hardware
Gerrit-Branch: master
Gerrit-Change-Id: I110ee4c014e8cfe058f7fc357decb7ab99e0be64
Gerrit-Change-Number: 36676
Gerrit-PatchSet: 1
Gerrit-Owner: tnt <tnt(a)246tNt.com>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge(a)osmocom.org>
Gerrit-Attention: tnt <tnt(a)246tNt.com>
Gerrit-Comment-Date: Wed, 01 May 2024 08:05:59 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
laforge has submitted this change. ( https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/36229?usp=email )
Change subject: IPAd_Tests: add testsuite for an IPAd
......................................................................
IPAd_Tests: add testsuite for an IPAd
With this patch we add a testsuite that can be used to test an IPAd
implementation.
The testsuite emulates the ESipa and the ES10x (pcsc cardreader)
interface and is capable of testing a direct profile download and other
ESipa features like the execution of an eIM package (eCO, PSMO).
Change-Id: Ic9ea8c69e56a2e8ddf0f506861ece6d40cbcb06d
Related: SYS#6564
---
M .checkpatch.conf
M Makefile
A ipad/IPAd_Tests.cfg
A ipad/IPAd_Tests.default
A ipad/IPAd_Tests.ttcn
A ipad/example_ca/pki/ca.crt
A ipad/example_ca/pki/certs_by_serial/2AA3F8FFC3B562AFC67845389A5F2C5A.pem
A ipad/example_ca/pki/certs_by_serial/FAEE71AC9CF85B804DCE4BD357F83209.pem
A ipad/example_ca/pki/index.txt
A ipad/example_ca/pki/index.txt.attr
A ipad/example_ca/pki/index.txt.attr.old
A ipad/example_ca/pki/index.txt.old
A ipad/example_ca/pki/issued/alttest.cabundle
A ipad/example_ca/pki/issued/alttest.crt
A ipad/example_ca/pki/issued/alttest.notes
A ipad/example_ca/pki/issued/testsuite.cabundle
A ipad/example_ca/pki/issued/testsuite.crt
A ipad/example_ca/pki/issued/testsuite.notes
A ipad/example_ca/pki/openssl-easyrsa.cnf
A ipad/example_ca/pki/private/alttest.key
A ipad/example_ca/pki/private/ca.key
A ipad/example_ca/pki/private/testsuite.key
A ipad/example_ca/pki/reqs/alttest.req
A ipad/example_ca/pki/reqs/testsuite.req
A ipad/example_ca/pki/safessl-easyrsa.cnf
A ipad/example_ca/pki/serial
A ipad/example_ca/pki/serial.old
A ipad/example_ca/pki/vars
A ipad/example_ca/pki/vars.example
A ipad/gen_links.sh
A ipad/regen_makefile.sh
M regen-makefile.sh
32 files changed, 2,177 insertions(+), 2 deletions(-)
Approvals:
Jenkins Builder: Verified
pespin: Looks good to me, but someone else must approve
laforge: Looks good to me, approved
diff --git a/.checkpatch.conf b/.checkpatch.conf
index 700e952..2317bec 100644
--- a/.checkpatch.conf
+++ b/.checkpatch.conf
@@ -1,2 +1,5 @@
--exclude ^library/sbcap/.*\.asn$
--exclude ^library/DIAMETER_Types.ttcn$
+--exclude ^ipad/example_ca/pki/certs_by_serial/.*\.pem$
+--exclude ^ipad/example_ca/pki/issued/.*\.crt$
+--exclude ^ipad/example_ca/vars$
\ No newline at end of file
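Review bot: The last added pattern, ^ipad/example_ca/vars$, does not match any file in this change: the file list has ipad/example_ca/pki/vars (and vars.example), so the exclude has no effect. It presumably should read ^ipad/example_ca/pki/vars$. The file also still ends without a trailing newline; adding one avoids the "\ No newline at end of file" marker on the next edit.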
diff --git a/Makefile b/Makefile
index bd88ca5..d216aab 100644
--- a/Makefile
+++ b/Makefile
@@ -30,6 +30,7 @@
hnbgw \
hnodeb \
hss \
+ ipad \
mgw \
mme \
msc \
diff --git a/ipad/IPAd_Tests.cfg b/ipad/IPAd_Tests.cfg
new file mode 100644
index 0000000..ae44ac5
--- /dev/null
+++ b/ipad/IPAd_Tests.cfg
@@ -0,0 +1,23 @@
+[ORDERED_INCLUDE]
+# Common configuration, shared between test suites
+"../Common.cfg"
+# testsuite specific configuration, not expected to change
+"./IPAd_Tests.default"
+
+# Local configuration below
+
+[LOGGING]
+
+[TESTPORT_PARAMETERS]
+system.HTTP_server_port.use_notification_ASPs := "no"
+system.HTTP_server_port.KEYFILE := "./example_ca/pki/private/alttest.key"
+system.HTTP_server_port.CERTIFICATEFILE := "./example_ca/pki/issued/alttest.crt"
+system.HTTP_server_port.PASSWORD := "katinka1"
+system.HTTP_server_port.http_debugging := "yes"
+
+[MODULE_PARAMETERS]
+
+[MAIN_CONTROLLER]
+
+[EXECUTE]
+IPAd_Tests.control
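Review bot: PASSWORD is set to a literal key passphrase here, and the same change adds the matching private keys under ipad/example_ca/pki/private/, so key and passphrase are both public. That is acceptable only for a throwaway test CA; add a comment in this file, and ideally a note in example_ca, stating that these credentials are test fixtures and must not be used outside the testsuite. Also consider whether http_debugging := "yes" belongs in the committed default rather than in a local override.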
diff --git a/ipad/IPAd_Tests.default b/ipad/IPAd_Tests.default
new file mode 100644
index 0000000..95b42e9
--- /dev/null
+++ b/ipad/IPAd_Tests.default
@@ -0,0 +1,8 @@
+[LOGGING]
+mtc.FileMask := LOG_ALL | TTCN_DEBUG | TTCN_MATCHING; // | DEBUG_ENCDEC;
+
+[TESTPORT_PARAMETERS]
+
+[MODULE_PARAMETERS]
+
+[EXECUTE]
diff --git a/ipad/IPAd_Tests.ttcn b/ipad/IPAd_Tests.ttcn
new file mode 100644
index 0000000..35ab79f
--- /dev/null
+++ b/ipad/IPAd_Tests.ttcn
@@ -0,0 +1,708 @@
+/* IPAd testsuite in TTCN-3
+ *
+ * Author: Philipp Maier <pmaier(a)sysmocom.de> / sysmocom - s.f.m.c. GmbH
+ *
+ * Released under the terms of GNU General Public License, Version 2 or
+ * (at your option) any later version.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+module IPAd_Tests {
+
+import from Misc_Helpers all;
+import from General_Types all;
+import from Osmocom_Types all;
+
+import from SGP32Definitions all;
+import from SGP32Definitions_Types all;
+import from SGP32Definitions_Templates all;
+
+import from RSPDefinitions all;
+import from RSPDefinitions_Types all;
+import from RSPDefinitions_Templates all;
+
+import from PKIX1Explicit88 all;
+import from PKIX1Explicit88_Templates all;
+import from PKIX1Explicit88_Types all;
+
+import from HTTP_Server_Emulation all;
+import from HTTPmsg_Types all;
+
+import from VPCD_Types all;
+import from VPCD_CodecPort all;
+import from VPCD_Adapter all;
+
+modulepar {
+ /* emulated eIM HTTPs server */
+ charstring mp_esipa_ip := "127.0.0.1";
+ integer mp_esipa_port := 4430;
+ boolean mp_esipa_disable_ssl := false;
+ boolean mp_use_vpcd := true;
+ float mp_restart_guardtime := 2.0
+}
+
+/* Altstep to handle card power up/down and ATR transmission */
+private altstep as_vpcd_atr() runs on VPCD_Adapter_CT {
+ [] VPCD.receive(tr_VPCD_Recv(g_vpcd_conn_id, tr_VPCD_CTRL_ATR)) {
+ f_vpcd_send(ts_VPCD_DATA('3B9F96801FC78031A073BE21136743200718000001A5'O));
+ repeat;
+ }
+ [] VPCD.receive(tr_VPCD_Recv(g_vpcd_conn_id, tr_VPCD_CTRL_OFF)) {
+ repeat;
+ }
+ [] VPCD.receive(tr_VPCD_Recv(g_vpcd_conn_id, tr_VPCD_CTRL_ON)) {
+ repeat;
+ }
+}
+
+/* Helper template to format HTTP responses */
+private template (value) HTTPMessage ts_http_resp(template (value) octetstring resp := ''O) := {
+ response_binary := {
+ client_id := omit,
+ version_major := 1,
+ version_minor := 1,
+ statuscode := 200,
+ statustext := "OK",
+ /* See also SGP.32, section 6.1.1 */
+ header := {
+ {
+ header_name := "X-Admin-Protocol",
+ header_value := "gsma/rsp/v1.0.0"
+ },
+ {
+ header_name := "Content-Type",
+ header_value := "application/x-gsma-rsp-asn1"
+ },
+ {
+ header_name := "Content-Length",
+ header_value := int2str(lengthof(resp))
+ }
+ },
+ body := resp
+ }
+}
+
+type component MTC_CT {
+ timer g_Tguard;
+
+ /* HTTP server */
+ var HTTP_Server_Emulation_CT vc_HTTP;
+};
+
+type component IPAd_ConnHdlr extends HTTP_ConnHdlr, VPCD_Adapter_CT {
+ var IPAd_ConnHdlrPars g_pars;
+};
+
+type record IPAd_ConnHdlrPars {
+ /* TODO: add some useful parameters */
+};
+
+private function f_init_pars()
+runs on MTC_CT return IPAd_ConnHdlrPars {
+ var IPAd_ConnHdlrPars pars := {
+ /* TODO: fill parameters with meaninful values */
+ };
+ return pars;
+}
+
+private altstep as_Tguard() runs on MTC_CT {
+ [] g_Tguard.timeout {
+ Misc_Helpers.f_shutdown(__BFILE__, __LINE__, fail, "Tguard timeout");
+ }
+}
+
+private type function void_fn(charstring id) runs on IPAd_ConnHdlr;
+
+private function f_init_handler(void_fn fn, charstring id, IPAd_ConnHdlrPars pars) runs on IPAd_ConnHdlr {
+ g_pars := pars;
+
+ /* Initialize VPDC (virtual smartcard) */
+ if (mp_use_vpcd) {
+ VPCD_Adapter.f_connect();
+ activate(as_vpcd_atr());
+ }
+
+ fn.apply(id);
+}
+
+private function f_start_handler(void_fn fn, IPAd_ConnHdlrPars pars)
+runs on MTC_CT return IPAd_ConnHdlr {
+ var IPAd_ConnHdlr vc_conn;
+ var charstring id := testcasename();
+
+ vc_conn := IPAd_ConnHdlr.create(id);
+
+ if (isbound(vc_HTTP)) {
+ connect(vc_conn:HTTP_SRV, vc_HTTP:CLIENT);
+ connect(vc_conn:HTTP_SRV_PROC, vc_HTTP:CLIENT_PROC);
+ }
+
+ vc_conn.start(f_init_handler(fn, id, pars));
+ return vc_conn;
+}
+
+function f_init_esipa(charstring id) runs on MTC_CT {
+ var HttpServerEmulationCfg http_cfg := {
+ http_bind_ip := mp_esipa_ip,
+ http_bind_port := mp_esipa_port,
+ use_ssl := not mp_esipa_disable_ssl
+ };
+
+ vc_HTTP := HTTP_Server_Emulation_CT.create(id);
+ vc_HTTP.start(HTTP_Server_Emulation.main(http_cfg));
+}
+
+private function f_init(charstring id, float t_guard := 40.0) runs on MTC_CT {
+ /* Ensure a guard time inbetween tests. This is to make sure that the IPAd is able to finish its current poll
+ * cycle. In practice this means that the IPAd will notice that the connectivity towards the eIM is lost and
+ * since this is one of the conditions for ending the current poll cycle it will exit. A freshly restarted
+ * IPAd is a mandatory start condition for the tests since all tests expect the initialization procedure
+ * (selection of ISD-P etc.) that the IPAd executes on startup. */
+ f_sleep(mp_restart_guardtime);
+
+ g_Tguard.start(t_guard);
+ activate(as_Tguard());
+ f_init_esipa(id);
+}
+
+/* Expect a GetResponse request from IUT and transfer as many response bytes the IUT requests */
+private function f_vpcd_get_response(octetstring response) runs on IPAd_ConnHdlr return integer {
+ var octetstring sw;
+ var VPCD_PDU req;
+ var integer len;
+
+ req := f_vpcd_exp(tr_VPCD_DATA(?));
+ len := oct2int(req.u.data[4]);
+ if (len == 0) {
+ len := 256;
+ }
+
+ /* Make sure that the request APDU is actually a GetResponse request (on logical channel 2) */
+ if (substr(req.u.data, 0, 4) != '01c00000'O) {
+ setverdict(fail, "unexpected APDU, expecting GetResponse");
+ return 0;
+ }
+
+ /* Compute status word, in case the requested data is shorter then the response data we intend to send, we must
+ * tell the IUT that there is still data available, so that a consecutive GetResponse request can be issued.
+ * (caller must check return code to determine if a consecutive GetResponse is needed/expected) */
+ if (lengthof(response) > len) {
+ if (lengthof(response) - len > 255) {
+ sw := '6100'O;
+ } else {
+ sw := '61'O & int2oct(lengthof(response) - len, 1);
+ }
+ } else {
+ sw := '9000'O;
+ }
+
+ /* Send response to IUT */
+ f_vpcd_send(ts_VPCD_DATA(substr(response, 0, len) & sw));
+
+ /* Return how many bytes have sent */
+ return len;
+}
+
+/* Expect one or more GetResponse requests from IUT until the full response is transferred */
+private function f_vpcd_get_response_multi(octetstring response) runs on IPAd_ConnHdlr {
+ var integer bytes_sent := 0;
+ var octetstring response_remainder := response;
+
+ while (true) {
+ response_remainder := substr(response_remainder, bytes_sent, lengthof(response_remainder) - bytes_sent);
+ bytes_sent := f_vpcd_get_response(response_remainder);
+
+ /* Check if we reached the last chunk */
+ if (lengthof(response_remainder) <= bytes_sent) {
+ return;
+ }
+ }
+}
+
+/* Expect one or more STORE DATA requests until the IUT has completed the transmision cycle */
+private function f_vpcd_store_data(octetstring exp := ''O) runs on IPAd_ConnHdlr return octetstring {
+
+ var VPCD_PDU req;
+ var octetstring block;
+ var integer len;
+ var octetstring data := ''O;
+
+ while (true) {
+ req := f_vpcd_exp(tr_VPCD_DATA(?));
+
+ /* Make sure that the request APDU is actually a STORE DATA request (on logical channel 1) */
+ if (substr(req.u.data, 0, 3) != '81E291'O and
+ substr(req.u.data, 0, 3) != '81E211'O) {
+ setverdict(fail, "unexpected APDU, expecting GetResponse");
+ return ''O;
+ }
+
+ if (lengthof(req.u.data) - 5 > 255) {
+ len := 255;
+ } else {
+ len := lengthof(req.u.data) - 5;
+ }
+ block := substr(req.u.data, 5, len);
+ data := data & block;
+
+ /* The final status word contains the length of the response. We can not send it right now
+ * since the caller must first process the received data block and compute a response. When
+ * the exact length of the response data is known. The final status word can be sent using
+ * f_vpcd_store_data_final_ack() */
+ if (substr(req.u.data, 2, 1) == '91'O) {
+ if (exp != ''O and block != exp) {
+ setverdict(fail, "received block contains unexpected data (", block, " != ", exp, ")");
+ }
+ return block;
+ }
+
+ f_vpcd_send(ts_VPCD_DATA('9000'O));
+ }
+
+ setverdict(fail, "no data? (we should not reach this code path)");
+ return ''O;
+}
+
+/* Send a final status word to acknowledge the last block of a STORE DATA transmission. The status word will tell
+ * the IUT how many response bytes are available. (The IUT will immediately begin to fetch the response using
+ * one or more GetResponse requests */
+private function f_vpcd_store_data_final_ack(integer response_len) runs on IPAd_ConnHdlr {
+ var octetstring second_sw_byte;
+ var octetstring first_sw_byte;
+
+ if (response_len > 255) {
+ second_sw_byte := '00'O;
+ } else {
+ second_sw_byte := int2oct(response_len, 1);
+ }
+
+ if (response_len > 0) {
+ first_sw_byte := '61'O; /* 61xx */
+ } else {
+ first_sw_byte := '90'O; /* 9000 */
+ }
+
+ f_vpcd_send(ts_VPCD_DATA(first_sw_byte & second_sw_byte));
+}
+
+/* Expect a pre-defined request (optional), and send a pre-defined response. This is a shortcut that only works in case
+ * the response does not depend on the request. */
+private function f_vpcd_transceive(octetstring response, octetstring expected_request := ''O) runs on IPAd_ConnHdlr {
+
+ /* In case we do not use the VPCD (because we have some other kind of eUICC emulation or even a real card
+ * present), we just skip. */
+ if (mp_use_vpcd == false) {
+ return;
+ }
+
+ f_vpcd_store_data(expected_request);
+ f_vpcd_store_data_final_ack(lengthof(response));
+ if (response != ''O) {
+ f_vpcd_get_response_multi(response);
+ }
+}
+
+/* Handle the opening of logical channel 1 and the selection of the ISD-R */
+private function f_es10x_init() runs on IPAd_ConnHdlr {
+ var charstring eim_fqdn := mp_esipa_ip & ":" & int2str(mp_esipa_port);
+
+ /* If we decide not to use vpcd, then we must not initialize anything here */
+ if (mp_use_vpcd == false) {
+ return;
+ }
+
+ /* Expect a MANAGE CHANNEL request that opens logical channel 1 */
+ f_vpcd_exp(tr_VPCD_DATA('0070000100'O));
+ f_vpcd_send(ts_VPCD_DATA('9000'O));
+
+ /* Expect selection of ISD-R request */
+ f_vpcd_exp(tr_VPCD_DATA('01a4040410a0000005591010ffffffff8900000100'O));
+ f_vpcd_send(ts_VPCD_DATA('6121'O)); /* 21 bytes of response, which are not requested by the ipad. */
+
+ /* Expect the IPAd to query the eID from the eUICC */
+ f_vpcd_transceive(enc_GetEuiccDataResponse(valueof(ts_getEuiccDataResponse)), 'BF3E035C015A'O);
+
+ /* Expect the IPAd to query the eIM configuration data from the eUICC */
+ f_vpcd_transceive(enc_GetEimConfigurationDataResponse(valueof(ts_getEimConfigurationDataResponse(eim_fqdn))), 'BF5500'O);
+}
+
+/* Handle the closing of logical channel 1 */
+private function f_es10x_close() runs on IPAd_ConnHdlr {
+
+ /* Expect a MANAGE CHANNEL request that closes logical channel 1 */
+ f_vpcd_exp(tr_VPCD_DATA('0070800100'O));
+ f_vpcd_send(ts_VPCD_DATA('9000'O));
+}
+
+/* Receive ESipa HTTP request */
+private function f_esipa_receive() runs on IPAd_ConnHdlr return EsipaMessageFromIpaToEim {
+ var HTTPMessage esipa_req;
+ timer T := 10.0;
+ var EsipaMessageFromIpaToEim request;
+
+ T.start;
+ alt {
+ [] HTTP_SRV.receive({ request_binary := ? }) -> value esipa_req {
+ request := dec_EsipaMessageFromIpaToEim(esipa_req.request_binary.body);
+ }
+ [] T.timeout {
+ setverdict(fail, "no HTTP request received?");
+ }
+ }
+
+ return request;
+}
+
+/* Send ESipa HTTP response */
+private function f_esipa_send(EsipaMessageFromEimToIpa response) runs on IPAd_ConnHdlr {
+ var octetstring esipa_res;
+ esipa_res := enc_EsipaMessageFromEimToIpa(response);
+ HTTP_SRV.send(ts_http_resp(esipa_res));
+}
+
+/* Perform one ESipa HTTP request/response cycle */
+private function f_esipa_transceive(EsipaMessageFromEimToIpa response) runs on IPAd_ConnHdlr return EsipaMessageFromIpaToEim {
+ var EsipaMessageFromIpaToEim request;
+
+ request := f_esipa_receive();
+ f_esipa_send(response);
+
+ return request;
+}
+
+/* Perform one ESipa HTTP request/response cycle but with an empty response */
+private function f_esipa_transceive_empty_response() runs on IPAd_ConnHdlr return EsipaMessageFromIpaToEim {
+ var EsipaMessageFromIpaToEim request;
+
+ request := f_esipa_receive();
+ HTTP_SRV.send(ts_http_resp(''O));
+ return request;
+}
+
+/* Common Mutual Authentication Procedure, see also: GSMA SGP.22, section 3.0.1 */
+private function f_proc_cmn_mtl_auth() runs on IPAd_ConnHdlr {
+ var EsipaMessageFromIpaToEim esipa_req;
+ var EsipaMessageFromEimToIpa esipa_res;
+
+ /* Step #1 */
+ f_vpcd_transceive(enc_EUICCInfo1(valueof(ts_EUICCInfo1)), 'bf2000'O);
+
+ /* Step #2-#4 */
+ f_vpcd_transceive(enc_GetEuiccChallengeResponse(valueof(ts_GetEuiccChallengeResponse)), 'bf2e00'O);
+
+ /* Step #5-#10 */
+ esipa_req := f_esipa_receive();
+ if (not match(esipa_req, tr_initiateAuthenticationRequestEsipa)) {
+ setverdict(fail, "unexpected message from IPAd");
+ }
+ esipa_res := valueof(ts_initiateAuthenticationResponseEsipa(euiccChallenge := esipa_req.initiateAuthenticationRequestEsipa.euiccChallenge));
+ f_esipa_send(esipa_res);
+
+ /* Step #11-#14 */
+ f_vpcd_transceive(enc_AuthenticateServerResponse(valueof(ts_authenticateServerResponse)));
+
+ /* Step #15-#17 */
+ esipa_req := f_esipa_transceive(valueof(ts_authenticateClientResponseEsipa_dpe));
+ if (not match(esipa_req, tr_authenticateClientRequestEsipa)) {
+ setverdict(fail, "unexpected message from IPAd");
+ }
+}
+
+/* ********************************************* */
+/* ********** BELOW ONLY TESTCASES! ************ */
+/* ********************************************* */
+
+
+/* A testcase to try out an the Common Mutual Authentication Procedure */
+private function f_TC_proc_direct_prfle_dwnld(charstring id) runs on IPAd_ConnHdlr {
+ var EsipaMessageFromIpaToEim esipa_req;
+ var EsipaMessageFromEimToIpa esipa_res;
+ var integer i;
+ var charstring eim_fqdn := mp_esipa_ip & ":" & int2str(mp_esipa_port);
+ var BoundProfilePackage boundProfilePackage;
+
+ f_es10x_init();
+ f_http_register();
+
+ /* Prepare direct profile download by responding with a download trigger request */
+ esipa_res := valueof(ts_getEimPackageResponse_dnlTrigReq);
+ esipa_req := f_esipa_transceive(esipa_res);
+ if (not match(esipa_req, tr_getEimPackageRequest)) {
+ setverdict(fail, "unexpected message from IPAd");
+ }
+
+ /* Expect the IPAd to query the eIM configuration data from the eUICC */
+ f_vpcd_transceive(enc_GetEimConfigurationDataResponse(valueof(ts_getEimConfigurationDataResponse(eim_fqdn))), 'BF5500'O);
+
+ f_proc_cmn_mtl_auth();
+
+ f_vpcd_transceive(enc_PrepareDownloadResponse(valueof(ts_prepareDownloadResponse)));
+
+ esipa_res := valueof(ts_getBoundProfilePackageResponseEsipa);
+ esipa_req := f_esipa_transceive(esipa_res);
+ boundProfilePackage := esipa_res.getBoundProfilePackageResponseEsipa.getBoundProfilePackageOkEsipa.boundProfilePackage;
+ /* TODO: match response (we do not have a template yet) */
+
+ /* initialiseSecureChannelRequest */
+ f_vpcd_transceive(''O);
+
+ /* Step #3 (ES8+.ConfigureISDP) */
+ for (i := 0; i < sizeof(boundProfilePackage.firstSequenceOf87); i := i + 1) {
+ f_vpcd_transceive(''O);
+ }
+
+ /* Step #4 (ES8+.StoreMetadata) */
+ for (i := 0; i < sizeof(boundProfilePackage.sequenceOf88); i := i + 1) {
+ f_vpcd_transceive(''O);
+ }
+
+ /* Step #5 (ES8+.ReplaceSessionKeys", optional, left out) */
+ if (ispresent(boundProfilePackage.secondSequenceOf87)) {
+ for (i := 0; i < sizeof(boundProfilePackage.secondSequenceOf87); i := i + 1) {
+ f_vpcd_transceive(''O);
+ }
+ }
+
+ /* Step #6 (ES8+.LoadProfileElements) */
+ for (i := 0; i < sizeof(boundProfilePackage.sequenceOf86); i := i + 1) {
+ if (i < sizeof(boundProfilePackage.sequenceOf86) - 1) {
+ f_vpcd_transceive(''O);
+ } else {
+ /* In the last message we send the ProfileInstallationResult */
+ f_vpcd_transceive(enc_ProfileInstallationResult(valueof(ts_profileInstallationResult)));
+ }
+ }
+
+ /* Receive ProfileInstallationResult from iPAD->eIM */
+ esipa_req := f_esipa_transceive_empty_response();
+ /* TODO: match response (we do not have a template yet) */
+
+ /* Receive RemoveNotificationFromList from iPAD->eUICC */
+ f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse)));
+
+ /* Wait some time until the the last HTTP response is actually delivered */
+ f_sleep(2.0);
+
+ f_es10x_close();
+
+ setverdict(pass);
+}
+testcase TC_proc_direct_prfle_dwnld() runs on MTC_CT {
+ var charstring id := testcasename();
+ var IPAd_ConnHdlrPars pars := f_init_pars();
+ var IPAd_ConnHdlr vc_conn;
+ f_init(id);
+ vc_conn := f_start_handler(refers(f_TC_proc_direct_prfle_dwnld), pars);
+ vc_conn.done;
+ setverdict(pass);
+}
+
+
+/* A testcase to try out an the Generic eUICC Package Download and Execution Procedure */
+private function f_TC_proc_euicc_pkg_dwnld_exec(charstring id) runs on IPAd_ConnHdlr {
+ var EsipaMessageFromIpaToEim esipa_req;
+ var EsipaMessageFromEimToIpa esipa_res;
+
+ f_es10x_init();
+ f_http_register();
+
+ /* Step #1-#2 */
+ esipa_res := valueof(ts_getEimPackageResponse_euiccPkgReq);
+ esipa_req := f_esipa_transceive(esipa_res);
+ if (not match(esipa_req, tr_getEimPackageRequest)) {
+ setverdict(fail, "unexpected message from IPAd");
+ }
+
+ /* Step #3-#8 */
+ f_vpcd_transceive(enc_EuiccPackageResult(valueof(ts_euiccPackageResult)));
+
+ /* Step #9 */
+ f_vpcd_transceive(enc_RetrieveNotificationsListResponse(valueof(ts_retrieveNotificationsListResponse)));
+
+ /* Step #10-14 */
+ esipa_res := valueof(ts_provideEimPackageResultResponse_eimAck(eimAcknowledgements := {1,2,3,4}));
+ esipa_req := f_esipa_transceive(esipa_res);
+ if (not match(esipa_req, tr_provideEimPackageResult_ePRAndNotif)) {
+ setverdict(fail, "unexpected message from IPAd");
+ }
+
+ /* Step #15-17 */
+ f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse)));
+ f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse)));
+ f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse)));
+ f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse)));
+ f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse)));
+
+ /* Wait some time until the the last HTTP response is actually delivered */
+ f_sleep(2.0);
+
+ f_es10x_close();
+
+ setverdict(pass);
+}
+
+testcase TC_proc_euicc_pkg_dwnld_exec() runs on MTC_CT {
+ var charstring id := testcasename();
+ var IPAd_ConnHdlrPars pars := f_init_pars();
+ var IPAd_ConnHdlr vc_conn;
+ f_init(id);
+ vc_conn := f_start_handler(refers(f_TC_proc_euicc_pkg_dwnld_exec), pars);
+ vc_conn.done;
+ setverdict(pass);
+}
+
+
+/* A testcase to try out an the Generic eUICC Package Download and Execution Procedure, but this time we force a rollback meneuver */
+private function f_TC_proc_euicc_pkg_dwnld_exec_rollback(charstring id) runs on IPAd_ConnHdlr {
+ var EsipaMessageFromIpaToEim esipa_req;
+ var EsipaMessageFromEimToIpa esipa_res;
+
+ f_es10x_init();
+ f_http_register();
+
+ /* Step #1-#2 */
+ esipa_res := valueof(ts_getEimPackageResponse_euiccPkgReq);
+ esipa_req := f_esipa_transceive(esipa_res);
+ if (not match(esipa_req, tr_getEimPackageRequest)) {
+ setverdict(fail, "unexpected message from IPAd");
+ }
+
+ /* Step #3-#8 */
+ f_vpcd_transceive(enc_EuiccPackageResult(valueof(ts_euiccPackageResult)));
+
+ /* Step #9 */
+ f_vpcd_transceive(enc_RetrieveNotificationsListResponse(valueof(ts_retrieveNotificationsListResponse)));
+
+ /* We now ignore the response from the IPAd. The IPAd will interpret this as a disturbed IP connection. */
+ f_esipa_receive();
+
+ /* To fix the problem, the IPAd will now try a profile rollback meneuver. */
+ f_vpcd_transceive(enc_ProfileRollbackResponse(valueof(ts_profileRollbackResponse)),
+ enc_ProfileRollbackRequest(valueof(ts_profileRollbackRequest)));
+
+ /* At this point the old profile is active again. The IPAd is now expected to start at Step #9 again
+ * to continue the procedure normally. */
+
+ /* Step #9 */
+ f_vpcd_transceive(enc_RetrieveNotificationsListResponse(valueof(ts_retrieveNotificationsListResponse)));
+
+ /* Step #10-14 */
+ esipa_res := valueof(ts_provideEimPackageResultResponse_eimAck(eimAcknowledgements := {1,2,3,4}));
+ esipa_req := f_esipa_transceive(esipa_res);
+ if (not match(esipa_req, tr_provideEimPackageResult_ePRAndNotif)) {
+ setverdict(fail, "unexpected message from IPAd");
+ }
+
+ /* Step #15-17 */
+ f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse)));
+ f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse)));
+ f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse)));
+ f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse)));
+ f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse)));
+
+ /* Wait some time until the the last HTTP response is actually delivered */
+ f_sleep(2.0);
+
+ f_es10x_close();
+
+ setverdict(pass);
+}
+
+testcase TC_proc_euicc_pkg_dwnld_exec_rollback() runs on MTC_CT {
+ var charstring id := testcasename();
+ var IPAd_ConnHdlrPars pars := f_init_pars();
+ var IPAd_ConnHdlr vc_conn;
+ f_init(id);
+ vc_conn := f_start_handler(refers(f_TC_proc_euicc_pkg_dwnld_exec_rollback), pars);
+ vc_conn.done;
+ setverdict(pass);
+}
+
+
+/* A testcase to try out an IpaEuiccDataRequest */
+private function f_TC_proc_euicc_data_req(charstring id) runs on IPAd_ConnHdlr {
+ var EsipaMessageFromIpaToEim esipa_req;
+ var EsipaMessageFromEimToIpa esipa_res;
+ var charstring eim_fqdn := mp_esipa_ip & ":" & int2str(mp_esipa_port);
+
+ f_es10x_init();
+ f_http_register();
+
+ /* IPAd requests a package, we tell it to execute an ipaEuiccDataRequest */
+ esipa_res := valueof(ts_getEimPackageResponse_euiccDataReq);
+ esipa_req := f_esipa_transceive(esipa_res);
+ if (not match(esipa_req, tr_getEimPackageRequest)) {
+ setverdict(fail, "unexpected message from IPAd");
+ }
+
+ /* IPAd will obtain the data from the eUICC */
+ f_vpcd_transceive(enc_EuiccConfiguredAddressesResponse(valueof(ts_euiccConfiguredAddressesResponse)));
+ f_vpcd_transceive(enc_EUICCInfo1(valueof(ts_EUICCInfo1)));
+ f_vpcd_transceive(enc_EUICCInfo2(valueof(ts_EUICCInfo2)));
+ f_vpcd_transceive(enc_GetEimConfigurationDataResponse(valueof(ts_getEimConfigurationDataResponse(eim_fqdn))));
+ f_vpcd_transceive(enc_GetCertsResponse(valueof(ts_getCertsResponse)));
+ f_vpcd_transceive(enc_RetrieveNotificationsListResponse(valueof(ts_retrieveNotificationsListResponse)));
+
+ /* IPAd will return the data to us */
+ esipa_res := valueof(ts_provideEimPackageResultResponse_eimAck(eimAcknowledgements := {1,2,3,4}));
+ esipa_req := f_esipa_transceive(esipa_res);
+
+ /* Wait some time until the the last HTTP response is actually delivered */
+ f_sleep(2.0);
+
+ f_es10x_close();
+
+ setverdict(pass);
+}
+testcase TC_proc_euicc_data_req() runs on MTC_CT {
+ var charstring id := testcasename();
+ var IPAd_ConnHdlrPars pars := f_init_pars();
+ var IPAd_ConnHdlr vc_conn;
+ f_init(id);
+ vc_conn := f_start_handler(refers(f_TC_proc_euicc_data_req), pars);
+ vc_conn.done;
+ setverdict(pass);
+}
+
+/* A testcase to try out what happens when the eIM package request is rejected */
+private function f_TC_get_eim_pkg_req_rej(charstring id) runs on IPAd_ConnHdlr {
+ var EsipaMessageFromIpaToEim esipa_req;
+ var EsipaMessageFromEimToIpa esipa_res;
+
+ f_es10x_init();
+ f_http_register();
+
+ /* IPAd requests a package, we respond with an eimPackageError code 127 (undefined error) */
+ esipa_res := valueof(ts_getEimPackageResponse_eimPkgErrUndef);
+ esipa_req := f_esipa_transceive(esipa_res);
+ if (not match(esipa_req, tr_getEimPackageRequest)) {
+ setverdict(fail, "unexpected message from IPAd");
+ }
+
+ /* Wait some time until the the last HTTP response is actually delivered */
+ f_sleep(2.0);
+
+ f_es10x_close();
+
+ setverdict(pass);
+}
+testcase TC_get_eim_pkg_req_rej() runs on MTC_CT {
+ var charstring id := testcasename();
+ var IPAd_ConnHdlrPars pars := f_init_pars();
+ var IPAd_ConnHdlr vc_conn;
+ f_init(id);
+ vc_conn := f_start_handler(refers(f_TC_get_eim_pkg_req_rej), pars);
+ vc_conn.done;
+ setverdict(pass);
+}
+
+control {
+ execute ( TC_proc_direct_prfle_dwnld() );
+ execute ( TC_proc_euicc_pkg_dwnld_exec() );
+ execute ( TC_proc_euicc_pkg_dwnld_exec_rollback() );
+ execute ( TC_proc_euicc_data_req() );
+ execute ( TC_get_eim_pkg_req_rej() );
+}
+
+}
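Review bot: in f_vpcd_store_data() the received blocks are appended to `data`, but the function returns `block` and compares `exp` against `block`, so a STORE DATA sequence that spans several APDUs hands the caller only the final segment and `data` is never used. Return and match `data` if the whole payload is meant, otherwise drop the accumulator. The fail text in the same function reads "unexpected APDU, expecting GetResponse" although the check is for STORE DATA. Three smaller points in the same hunk: f_es10x_close() has no `mp_use_vpcd == false` early return, unlike f_es10x_init() and f_vpcd_transceive(), so a run without vpcd still calls f_vpcd_exp() for the MANAGE CHANNEL close APDU; f_esipa_receive() returns the unbound `request` after T.timeout; and f_vpcd_get_response() reads `req.u.data[4]` before the header check and passes `len` to `substr(response, 0, len)` without clamping it to `lengthof(response)`, so a short APDU or an Le larger than the remaining data ends in a dynamic test case error instead of a fail verdict.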
diff --git a/ipad/example_ca/pki/ca.crt b/ipad/example_ca/pki/ca.crt
new file mode 100644
index 0000000..4dfdf16
--- /dev/null
+++ b/ipad/example_ca/pki/ca.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/ipad/example_ca/pki/certs_by_serial/2AA3F8FFC3B562AFC67845389A5F2C5A.pem b/ipad/example_ca/pki/certs_by_serial/2AA3F8FFC3B562AFC67845389A5F2C5A.pem
new file mode 100644
index 0000000..14904d1
--- /dev/null
+++ b/ipad/example_ca/pki/certs_by_serial/2AA3F8FFC3B562AFC67845389A5F2C5A.pem
@@ -0,0 +1,87 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 2a:a3:f8:ff:c3:b5:62:af:c6:78:45:38:9a:5f:2c:5a
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Easy-RSA CA
+ Validity
+ Not Before: Apr 25 15:34:30 2024 GMT
+ Not After : Aug 27 15:34:30 3023 GMT
+ Subject: CN=testsuite
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:bc:0d:37:f1:b1:2d:4c:0e:af:a1:51:85:92:1f:
+ 1b:3c:ef:04:18:24:d1:d6:0e:eb:73:64:86:da:c6:
+ 65:e2:b2:74:fb:6e:c0:b9:5d:fe:67:61:44:3a:bf:
+ 20:6e:a7:53:9c:7b:8e:6b:ec:c4:55:ec:0b:f9:44:
+ 08:6a:54:35:59:82:9a:63:60:0b:37:dd:22:5d:e3:
+ 43:81:4e:51:ae:0a:67:31:bb:b1:d3:70:0e:a8:46:
+ 2f:11:ec:b6:e9:58:25:0a:c9:72:4a:97:f1:d5:7a:
+ 0d:68:90:eb:73:c2:e1:81:12:cd:08:1b:21:e9:ce:
+ 58:3e:dc:81:de:b7:65:31:bd:c4:8b:5a:d1:06:9b:
+ c0:ea:b7:63:8f:fb:a5:67:37:7e:d5:69:07:56:67:
+ f3:e7:37:5d:84:86:52:25:94:9e:6a:60:a2:5c:bf:
+ 5e:0b:cb:c8:83:1a:17:51:84:f1:16:f0:83:46:b6:
+ bb:97:f3:4f:ba:41:1f:30:a8:d5:ee:4e:2e:78:00:
+ 9b:25:fd:0c:ec:cc:57:a3:82:b5:54:56:fd:25:f9:
+ ff:b8:5f:1b:55:ae:57:16:35:0d:cc:9a:cf:d0:2c:
+ 4a:dd:d5:ae:2a:7e:76:73:af:b8:d9:a0:35:61:82:
+ 3d:a0:d1:ce:a3:d8:82:1b:0c:9a:bc:a5:0b:2d:00:
+ d0:e9
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ 20:11:06:2E:BB:B0:0B:05:D4:CE:4F:BC:5F:51:39:E7:96:94:4F:26
+ X509v3 Authority Key Identifier:
+ keyid:DB:4B:A9:95:2C:AD:05:9F:CF:C8:3C:DE:3B:2C:27:81:D7:28:65:48
+ DirName:/CN=Easy-RSA CA
+ serial:66:32:E7:15:AE:20:E2:D7:6B:0E:3B:A3:50:C1:25:5A:45:69:14:A0
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication
+ X509v3 Key Usage:
+ Digital Signature, Key Encipherment
+ X509v3 Subject Alternative Name:
+ DNS:testsuite
+ Signature Algorithm: sha256WithRSAEncryption
+ Signature Value:
+ 78:b1:28:25:f5:17:7a:c2:a0:2e:b8:bb:15:dc:aa:e8:8f:aa:
+ ae:f3:48:0e:46:29:71:d7:24:6b:cd:da:4e:b1:8c:1a:40:01:
+ 79:03:ca:2d:45:76:c9:08:61:50:eb:03:9c:82:9f:d6:37:d8:
+ 60:42:fc:59:35:b7:42:69:fd:36:45:93:a3:17:df:dd:5d:84:
+ 19:04:70:4f:c8:5f:3e:96:27:49:03:81:a7:55:2c:16:7e:be:
+ 65:26:71:48:eb:5b:36:38:c1:a9:87:f0:ad:2e:40:5b:e8:12:
+ 39:f5:d0:60:71:55:d7:4b:fb:d0:bf:35:11:fb:2e:9c:4f:e6:
+ b1:35:c6:45:b4:73:68:99:d9:27:fa:4e:98:25:7d:6e:7c:1b:
+ 22:e8:c2:83:6f:3b:1f:4c:27:70:94:1a:ef:fb:2b:fd:9d:3c:
+ a2:ce:f2:4b:d1:8e:e7:6d:db:ec:22:1c:b9:b4:c1:bc:17:82:
+ ea:e1:1f:76:1a:4a:d6:59:b3:24:e5:e4:67:b9:ce:d3:73:67:
+ dd:48:82:04:bc:8f:50:34:c0:0e:42:6e:7e:63:ac:e6:ab:71:
+ b7:79:5b:f7:8e:8c:48:ac:ef:ae:c6:b0:e9:ae:d7:94:9b:58:
+ e9:2b:e8:40:93:1b:62:51:2d:06:a4:ca:8c:e6:7e:8c:5a:d0:
+ 6d:69:86:6f
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
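Review bot: pki/certs_by_serial/2AA3F8FFC3B562AFC67845389A5F2C5A.pem has blob id 14904d1, the same as pki/issued/testsuite.crt later in this change, and the FAEE71AC9CF85B804DCE4BD357F83209.pem file that follows matches issued/alttest.crt (070adb2). The by-serial copies are Easy-RSA bookkeeping and duplicate 87 lines each; unless the testsuite reads them by that path, leave the certs_by_serial directory out and keep only the issued/ files.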
diff --git a/ipad/example_ca/pki/certs_by_serial/FAEE71AC9CF85B804DCE4BD357F83209.pem b/ipad/example_ca/pki/certs_by_serial/FAEE71AC9CF85B804DCE4BD357F83209.pem
new file mode 100644
index 0000000..070adb2
--- /dev/null
+++ b/ipad/example_ca/pki/certs_by_serial/FAEE71AC9CF85B804DCE4BD357F83209.pem
@@ -0,0 +1,87 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ fa:ee:71:ac:9c:f8:5b:80:4d:ce:4b:d3:57:f8:32:09
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Easy-RSA CA
+ Validity
+ Not Before: Apr 25 15:34:18 2024 GMT
+ Not After : Aug 27 15:34:18 3023 GMT
+ Subject: CN=alttest
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:94:f6:7e:2b:41:ee:00:d6:f5:2f:54:66:f4:41:
+ 39:69:ee:64:0b:15:46:59:ce:00:b6:bf:2a:aa:f7:
+ 0e:75:c4:e5:a1:b7:b3:86:1c:24:06:fa:91:41:f1:
+ 0b:87:3a:ee:26:27:28:62:1d:ac:35:54:e5:a3:ac:
+ 48:a7:9a:aa:be:2e:60:52:7c:de:cf:c3:28:11:42:
+ 57:52:9d:44:24:8f:b0:b6:fb:36:ef:4f:aa:7e:2c:
+ 57:5e:07:8a:03:fc:18:03:e8:58:6b:88:98:a8:93:
+ ac:69:01:b1:9c:ef:3b:fe:04:47:9e:28:e2:c6:15:
+ f9:5c:df:de:24:1e:2f:a4:e0:b2:01:94:7e:b8:00:
+ 76:b0:dd:36:55:22:f2:2d:3a:c7:b1:d8:67:7e:ca:
+ 2d:22:b8:dc:9d:87:34:0c:c1:11:c7:72:2b:b8:ed:
+ 1b:d8:75:6d:0d:49:e1:f6:bf:12:dd:19:84:87:2e:
+ 6d:c6:7d:7e:42:33:2a:05:a2:ff:5d:07:10:83:a4:
+ c0:35:a9:f8:00:96:29:9f:bc:53:6c:81:18:7b:e4:
+ c6:41:54:7f:12:a3:5a:77:cb:0f:cf:52:8c:83:9a:
+ 30:03:ca:77:65:b2:c0:0b:00:67:86:50:77:b1:f5:
+ 79:b7:20:62:25:f8:3b:ca:cd:c4:da:d1:c0:81:fd:
+ db:8b
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ 04:2E:A0:68:00:D7:DB:D3:E5:73:93:FC:1C:E5:30:78:D1:5B:24:E8
+ X509v3 Authority Key Identifier:
+ keyid:DB:4B:A9:95:2C:AD:05:9F:CF:C8:3C:DE:3B:2C:27:81:D7:28:65:48
+ DirName:/CN=Easy-RSA CA
+ serial:66:32:E7:15:AE:20:E2:D7:6B:0E:3B:A3:50:C1:25:5A:45:69:14:A0
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication
+ X509v3 Key Usage:
+ Digital Signature, Key Encipherment
+ X509v3 Subject Alternative Name:
+ DNS:localhost, IP Address:127.0.0.1
+ Signature Algorithm: sha256WithRSAEncryption
+ Signature Value:
+ 41:35:5e:7e:14:46:96:3e:c9:8e:fe:88:f8:d6:07:6b:8b:b7:
+ 8e:02:c4:63:97:79:ec:4a:46:cc:72:4d:7a:cc:9b:13:d9:6b:
+ 5c:f9:b5:b6:c8:04:cf:f9:e0:23:b2:4e:ec:b0:80:85:84:be:
+ a9:1d:8d:4e:8b:26:09:d1:50:83:df:a2:d6:cc:ec:8c:36:b0:
+ c4:a9:cb:14:ba:2d:e2:f3:93:9a:e5:ae:fe:a6:b7:37:c2:17:
+ 52:17:b2:f3:4e:3a:04:88:9b:50:7e:c5:73:6f:63:5c:ab:32:
+ 47:0d:1c:b4:63:d4:de:c0:6b:ce:ec:26:8d:8c:40:83:c1:c2:
+ 29:48:f8:0f:a1:b1:f9:5e:2b:91:fb:0d:32:26:db:73:ef:36:
+ 03:d1:24:3e:59:8d:39:09:29:61:85:64:69:be:ee:ec:6d:dd:
+ 6d:7c:93:22:b5:44:19:ed:11:f5:46:7d:f5:be:74:ce:46:85:
+ 5d:24:9f:4e:b8:27:4b:7f:ba:72:5c:f7:24:10:b6:7b:fb:cb:
+ a0:d1:59:5b:d3:5f:e9:a3:e9:fd:c3:36:2f:b6:b5:eb:e6:1d:
+ 9b:71:d6:53:26:95:26:64:14:25:47:b8:3b:d4:96:be:51:98:
+ e5:4d:cf:47:66:e8:fc:e9:bc:e6:6c:2b:e6:87:d8:cb:64:82:
+ d8:63:31:c9
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/ipad/example_ca/pki/index.txt b/ipad/example_ca/pki/index.txt
new file mode 100644
index 0000000..dd39679
--- /dev/null
+++ b/ipad/example_ca/pki/index.txt
@@ -0,0 +1,2 @@
+V 30230827153418Z FAEE71AC9CF85B804DCE4BD357F83209 unknown /CN=alttest
+V 30230827153430Z 2AA3F8FFC3B562AFC67845389A5F2C5A unknown /CN=testsuite
diff --git a/ipad/example_ca/pki/index.txt.attr b/ipad/example_ca/pki/index.txt.attr
new file mode 100644
index 0000000..3a7e39e
--- /dev/null
+++ b/ipad/example_ca/pki/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/ipad/example_ca/pki/index.txt.attr.old b/ipad/example_ca/pki/index.txt.attr.old
new file mode 100644
index 0000000..3a7e39e
--- /dev/null
+++ b/ipad/example_ca/pki/index.txt.attr.old
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/ipad/example_ca/pki/index.txt.old b/ipad/example_ca/pki/index.txt.old
new file mode 100644
index 0000000..605de4c
--- /dev/null
+++ b/ipad/example_ca/pki/index.txt.old
@@ -0,0 +1 @@
+V 30230827153418Z FAEE71AC9CF85B804DCE4BD357F83209 unknown /CN=alttest
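Review bot: index.txt.old and index.txt.attr.old look like leftover backups of the CA database: index.txt.attr.old has the same blob id 3a7e39e as index.txt.attr, and index.txt.old is index.txt without the testsuite entry. Nothing in the change refers to them, so consider dropping both files or ignoring `*.old` under ipad/example_ca.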
diff --git a/ipad/example_ca/pki/issued/alttest.cabundle b/ipad/example_ca/pki/issued/alttest.cabundle
new file mode 100644
index 0000000..c7a4426
--- /dev/null
+++ b/ipad/example_ca/pki/issued/alttest.cabundle
@@ -0,0 +1,42 @@
+-----BEGIN CERTIFICATE-----
+MIIDdDCCAlygAwIBAgIRAPrucayc+FuATc5L01f4MgkwDQYJKoZIhvcNAQELBQAw
+FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwIBcNMjQwNDI1MTUzNDE4WhgPMzAyMzA4
+MjcxNTM0MThaMBIxEDAOBgNVBAMMB2FsdHRlc3QwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQCU9n4rQe4A1vUvVGb0QTlp7mQLFUZZzgC2vyqq9w51xOWh
+t7OGHCQG+pFB8QuHOu4mJyhiHaw1VOWjrEinmqq+LmBSfN7PwygRQldSnUQkj7C2
++zbvT6p+LFdeB4oD/BgD6FhriJiok6xpAbGc7zv+BEeeKOLGFflc394kHi+k4LIB
+lH64AHaw3TZVIvItOsex2Gd+yi0iuNydhzQMwRHHciu47RvYdW0NSeH2vxLdGYSH
+Lm3GfX5CMyoFov9dBxCDpMA1qfgAlimfvFNsgRh75MZBVH8So1p3yw/PUoyDmjAD
+yndlssALAGeGUHex9Xm3IGIl+DvKzcTa0cCB/duLAgMBAAGjgb4wgbswCQYDVR0T
+BAIwADAdBgNVHQ4EFgQUBC6gaADX29Plc5P8HOUweNFbJOgwUQYDVR0jBEowSIAU
+20uplSytBZ/PyDzeOywngdcoZUihGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENB
+ghRmMucVriDi12sOO6NQwSVaRWkUoDATBgNVHSUEDDAKBggrBgEFBQcDATALBgNV
+HQ8EBAMCBaAwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEB
+CwUAA4IBAQBBNV5+FEaWPsmO/oj41gdri7eOAsRjl3nsSkbMck16zJsT2Wtc+bW2
+yATP+eAjsk7ssICFhL6pHY1OiyYJ0VCD36LWzOyMNrDEqcsUui3i85Oa5a7+prc3
+whdSF7LzTjoEiJtQfsVzb2NcqzJHDRy0Y9TewGvO7CaNjECDwcIpSPgPobH5XiuR
++w0yJttz7zYD0SQ+WY05CSlhhWRpvu7sbd1tfJMitUQZ7RH1Rn31vnTORoVdJJ9O
+uCdLf7pyXPckELZ7+8ug0Vlb01/po+n9wzYvtrXr5h2bcdZTJpUmZBQlR7g71Ja+
+UZjlTc9HZuj86bzmbCvmh9jLZILYYzHJ
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/ipad/example_ca/pki/issued/alttest.crt b/ipad/example_ca/pki/issued/alttest.crt
new file mode 100644
index 0000000..070adb2
--- /dev/null
+++ b/ipad/example_ca/pki/issued/alttest.crt
@@ -0,0 +1,87 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ fa:ee:71:ac:9c:f8:5b:80:4d:ce:4b:d3:57:f8:32:09
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Easy-RSA CA
+ Validity
+ Not Before: Apr 25 15:34:18 2024 GMT
+ Not After : Aug 27 15:34:18 3023 GMT
+ Subject: CN=alttest
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:94:f6:7e:2b:41:ee:00:d6:f5:2f:54:66:f4:41:
+ 39:69:ee:64:0b:15:46:59:ce:00:b6:bf:2a:aa:f7:
+ 0e:75:c4:e5:a1:b7:b3:86:1c:24:06:fa:91:41:f1:
+ 0b:87:3a:ee:26:27:28:62:1d:ac:35:54:e5:a3:ac:
+ 48:a7:9a:aa:be:2e:60:52:7c:de:cf:c3:28:11:42:
+ 57:52:9d:44:24:8f:b0:b6:fb:36:ef:4f:aa:7e:2c:
+ 57:5e:07:8a:03:fc:18:03:e8:58:6b:88:98:a8:93:
+ ac:69:01:b1:9c:ef:3b:fe:04:47:9e:28:e2:c6:15:
+ f9:5c:df:de:24:1e:2f:a4:e0:b2:01:94:7e:b8:00:
+ 76:b0:dd:36:55:22:f2:2d:3a:c7:b1:d8:67:7e:ca:
+ 2d:22:b8:dc:9d:87:34:0c:c1:11:c7:72:2b:b8:ed:
+ 1b:d8:75:6d:0d:49:e1:f6:bf:12:dd:19:84:87:2e:
+ 6d:c6:7d:7e:42:33:2a:05:a2:ff:5d:07:10:83:a4:
+ c0:35:a9:f8:00:96:29:9f:bc:53:6c:81:18:7b:e4:
+ c6:41:54:7f:12:a3:5a:77:cb:0f:cf:52:8c:83:9a:
+ 30:03:ca:77:65:b2:c0:0b:00:67:86:50:77:b1:f5:
+ 79:b7:20:62:25:f8:3b:ca:cd:c4:da:d1:c0:81:fd:
+ db:8b
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ 04:2E:A0:68:00:D7:DB:D3:E5:73:93:FC:1C:E5:30:78:D1:5B:24:E8
+ X509v3 Authority Key Identifier:
+ keyid:DB:4B:A9:95:2C:AD:05:9F:CF:C8:3C:DE:3B:2C:27:81:D7:28:65:48
+ DirName:/CN=Easy-RSA CA
+ serial:66:32:E7:15:AE:20:E2:D7:6B:0E:3B:A3:50:C1:25:5A:45:69:14:A0
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication
+ X509v3 Key Usage:
+ Digital Signature, Key Encipherment
+ X509v3 Subject Alternative Name:
+ DNS:localhost, IP Address:127.0.0.1
+ Signature Algorithm: sha256WithRSAEncryption
+ Signature Value:
+ 41:35:5e:7e:14:46:96:3e:c9:8e:fe:88:f8:d6:07:6b:8b:b7:
+ 8e:02:c4:63:97:79:ec:4a:46:cc:72:4d:7a:cc:9b:13:d9:6b:
+ 5c:f9:b5:b6:c8:04:cf:f9:e0:23:b2:4e:ec:b0:80:85:84:be:
+ a9:1d:8d:4e:8b:26:09:d1:50:83:df:a2:d6:cc:ec:8c:36:b0:
+ c4:a9:cb:14:ba:2d:e2:f3:93:9a:e5:ae:fe:a6:b7:37:c2:17:
+ 52:17:b2:f3:4e:3a:04:88:9b:50:7e:c5:73:6f:63:5c:ab:32:
+ 47:0d:1c:b4:63:d4:de:c0:6b:ce:ec:26:8d:8c:40:83:c1:c2:
+ 29:48:f8:0f:a1:b1:f9:5e:2b:91:fb:0d:32:26:db:73:ef:36:
+ 03:d1:24:3e:59:8d:39:09:29:61:85:64:69:be:ee:ec:6d:dd:
+ 6d:7c:93:22:b5:44:19:ed:11:f5:46:7d:f5:be:74:ce:46:85:
+ 5d:24:9f:4e:b8:27:4b:7f:ba:72:5c:f7:24:10:b6:7b:fb:cb:
+ a0:d1:59:5b:d3:5f:e9:a3:e9:fd:c3:36:2f:b6:b5:eb:e6:1d:
+ 9b:71:d6:53:26:95:26:64:14:25:47:b8:3b:d4:96:be:51:98:
+ e5:4d:cf:47:66:e8:fc:e9:bc:e6:6c:2b:e6:87:d8:cb:64:82:
+ d8:63:31:c9
+-----BEGIN CERTIFICATE-----
+MIIDdDCCAlygAwIBAgIRAPrucayc+FuATc5L01f4MgkwDQYJKoZIhvcNAQELBQAw
+FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwIBcNMjQwNDI1MTUzNDE4WhgPMzAyMzA4
+MjcxNTM0MThaMBIxEDAOBgNVBAMMB2FsdHRlc3QwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQCU9n4rQe4A1vUvVGb0QTlp7mQLFUZZzgC2vyqq9w51xOWh
+t7OGHCQG+pFB8QuHOu4mJyhiHaw1VOWjrEinmqq+LmBSfN7PwygRQldSnUQkj7C2
++zbvT6p+LFdeB4oD/BgD6FhriJiok6xpAbGc7zv+BEeeKOLGFflc394kHi+k4LIB
+lH64AHaw3TZVIvItOsex2Gd+yi0iuNydhzQMwRHHciu47RvYdW0NSeH2vxLdGYSH
+Lm3GfX5CMyoFov9dBxCDpMA1qfgAlimfvFNsgRh75MZBVH8So1p3yw/PUoyDmjAD
+yndlssALAGeGUHex9Xm3IGIl+DvKzcTa0cCB/duLAgMBAAGjgb4wgbswCQYDVR0T
+BAIwADAdBgNVHQ4EFgQUBC6gaADX29Plc5P8HOUweNFbJOgwUQYDVR0jBEowSIAU
+20uplSytBZ/PyDzeOywngdcoZUihGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENB
+ghRmMucVriDi12sOO6NQwSVaRWkUoDATBgNVHSUEDDAKBggrBgEFBQcDATALBgNV
+HQ8EBAMCBaAwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEB
+CwUAA4IBAQBBNV5+FEaWPsmO/oj41gdri7eOAsRjl3nsSkbMck16zJsT2Wtc+bW2
+yATP+eAjsk7ssICFhL6pHY1OiyYJ0VCD36LWzOyMNrDEqcsUui3i85Oa5a7+prc3
+whdSF7LzTjoEiJtQfsVzb2NcqzJHDRy0Y9TewGvO7CaNjECDwcIpSPgPobH5XiuR
++w0yJttz7zYD0SQ+WY05CSlhhWRpvu7sbd1tfJMitUQZ7RH1Rn31vnTORoVdJJ9O
+uCdLf7pyXPckELZ7+8ug0Vlb01/po+n9wzYvtrXr5h2bcdZTJpUmZBQlR7g71Ja+
+UZjlTc9HZuj86bzmbCvmh9jLZILYYzHJ
+-----END CERTIFICATE-----
diff --git a/ipad/example_ca/pki/issued/alttest.notes b/ipad/example_ca/pki/issued/alttest.notes
new file mode 100644
index 0000000..6daca26
--- /dev/null
+++ b/ipad/example_ca/pki/issued/alttest.notes
@@ -0,0 +1,8 @@
+This certificate is suitable for tests on any machine where testsuite and IPAd
+run on the same host.
+
+The alttest.crt certificate has been created using the following commandline:
+./easyrsa --subject-alt-name="DNS:localhost,IP:127.0.0.1" build-server-full alttest nopass
+
+The alttest.cabundle file has been created manually (alttest certificate at the
+top, ca certificate at the bottom).
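Review bot: the easyrsa command line documented here carries no validity option, yet alttest.crt shows "Not After : Aug 27 15:34:18 3023 GMT". Say in the notes where the expiry was configured (a vars file or an environment setting), so that the certificate can be regenerated with the same lifetime from the documented steps alone.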
diff --git a/ipad/example_ca/pki/issued/testsuite.cabundle b/ipad/example_ca/pki/issued/testsuite.cabundle
new file mode 100644
index 0000000..9768a94
--- /dev/null
+++ b/ipad/example_ca/pki/issued/testsuite.cabundle
@@ -0,0 +1,42 @@
+-----BEGIN CERTIFICATE-----
+MIIDbzCCAlegAwIBAgIQKqP4/8O1Yq/GeEU4ml8sWjANBgkqhkiG9w0BAQsFADAW
+MRQwEgYDVQQDDAtFYXN5LVJTQSBDQTAgFw0yNDA0MjUxNTM0MzBaGA8zMDIzMDgy
+NzE1MzQzMFowFDESMBAGA1UEAwwJdGVzdHN1aXRlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAvA038bEtTA6voVGFkh8bPO8EGCTR1g7rc2SG2sZl4rJ0
++27AuV3+Z2FEOr8gbqdTnHuOa+zEVewL+UQIalQ1WYKaY2ALN90iXeNDgU5Rrgpn
+Mbux03AOqEYvEey26VglCslySpfx1XoNaJDrc8LhgRLNCBsh6c5YPtyB3rdlMb3E
+i1rRBpvA6rdjj/ulZzd+1WkHVmfz5zddhIZSJZSeamCiXL9eC8vIgxoXUYTxFvCD
+Rra7l/NPukEfMKjV7k4ueACbJf0M7MxXo4K1VFb9Jfn/uF8bVa5XFjUNzJrP0CxK
+3dWuKn52c6+42aA1YYI9oNHOo9iCGwyavKULLQDQ6QIDAQABo4G4MIG1MAkGA1Ud
+EwQCMAAwHQYDVR0OBBYEFCARBi67sAsF1M5PvF9ROeeWlE8mMFEGA1UdIwRKMEiA
+FNtLqZUsrQWfz8g83jssJ4HXKGVIoRqkGDAWMRQwEgYDVQQDDAtFYXN5LVJTQSBD
+QYIUZjLnFa4g4tdrDjujUMElWkVpFKAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYD
+VR0PBAQDAgWgMBQGA1UdEQQNMAuCCXRlc3RzdWl0ZTANBgkqhkiG9w0BAQsFAAOC
+AQEAeLEoJfUXesKgLri7Fdyq6I+qrvNIDkYpcdcka83aTrGMGkABeQPKLUV2yQhh
+UOsDnIKf1jfYYEL8WTW3Qmn9NkWToxff3V2EGQRwT8hfPpYnSQOBp1UsFn6+ZSZx
+SOtbNjjBqYfwrS5AW+gSOfXQYHFV10v70L81EfsunE/msTXGRbRzaJnZJ/pOmCV9
+bnwbIujCg287H0wncJQa7/sr/Z08os7yS9GO523b7CIcubTBvBeC6uEfdhpK1lmz
+JOXkZ7nO03Nn3UiCBLyPUDTADkJufmOs5qtxt3lb946MSKzvrsaw6a7XlJtY6Svo
+QJMbYlEtBqTKjOZ+jFrQbWmGbw==
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/ipad/example_ca/pki/issued/testsuite.crt b/ipad/example_ca/pki/issued/testsuite.crt
new file mode 100644
index 0000000..14904d1
--- /dev/null
+++ b/ipad/example_ca/pki/issued/testsuite.crt
@@ -0,0 +1,87 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 2a:a3:f8:ff:c3:b5:62:af:c6:78:45:38:9a:5f:2c:5a
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Easy-RSA CA
+ Validity
+ Not Before: Apr 25 15:34:30 2024 GMT
+ Not After : Aug 27 15:34:30 3023 GMT
+ Subject: CN=testsuite
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:bc:0d:37:f1:b1:2d:4c:0e:af:a1:51:85:92:1f:
+ 1b:3c:ef:04:18:24:d1:d6:0e:eb:73:64:86:da:c6:
+ 65:e2:b2:74:fb:6e:c0:b9:5d:fe:67:61:44:3a:bf:
+ 20:6e:a7:53:9c:7b:8e:6b:ec:c4:55:ec:0b:f9:44:
+ 08:6a:54:35:59:82:9a:63:60:0b:37:dd:22:5d:e3:
+ 43:81:4e:51:ae:0a:67:31:bb:b1:d3:70:0e:a8:46:
+ 2f:11:ec:b6:e9:58:25:0a:c9:72:4a:97:f1:d5:7a:
+ 0d:68:90:eb:73:c2:e1:81:12:cd:08:1b:21:e9:ce:
+ 58:3e:dc:81:de:b7:65:31:bd:c4:8b:5a:d1:06:9b:
+ c0:ea:b7:63:8f:fb:a5:67:37:7e:d5:69:07:56:67:
+ f3:e7:37:5d:84:86:52:25:94:9e:6a:60:a2:5c:bf:
+ 5e:0b:cb:c8:83:1a:17:51:84:f1:16:f0:83:46:b6:
+ bb:97:f3:4f:ba:41:1f:30:a8:d5:ee:4e:2e:78:00:
+ 9b:25:fd:0c:ec:cc:57:a3:82:b5:54:56:fd:25:f9:
+ ff:b8:5f:1b:55:ae:57:16:35:0d:cc:9a:cf:d0:2c:
+ 4a:dd:d5:ae:2a:7e:76:73:af:b8:d9:a0:35:61:82:
+ 3d:a0:d1:ce:a3:d8:82:1b:0c:9a:bc:a5:0b:2d:00:
+ d0:e9
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ 20:11:06:2E:BB:B0:0B:05:D4:CE:4F:BC:5F:51:39:E7:96:94:4F:26
+ X509v3 Authority Key Identifier:
+ keyid:DB:4B:A9:95:2C:AD:05:9F:CF:C8:3C:DE:3B:2C:27:81:D7:28:65:48
+ DirName:/CN=Easy-RSA CA
+ serial:66:32:E7:15:AE:20:E2:D7:6B:0E:3B:A3:50:C1:25:5A:45:69:14:A0
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication
+ X509v3 Key Usage:
+ Digital Signature, Key Encipherment
+ X509v3 Subject Alternative Name:
+ DNS:testsuite
+ Signature Algorithm: sha256WithRSAEncryption
+ Signature Value:
+ 78:b1:28:25:f5:17:7a:c2:a0:2e:b8:bb:15:dc:aa:e8:8f:aa:
+ ae:f3:48:0e:46:29:71:d7:24:6b:cd:da:4e:b1:8c:1a:40:01:
+ 79:03:ca:2d:45:76:c9:08:61:50:eb:03:9c:82:9f:d6:37:d8:
+ 60:42:fc:59:35:b7:42:69:fd:36:45:93:a3:17:df:dd:5d:84:
+ 19:04:70:4f:c8:5f:3e:96:27:49:03:81:a7:55:2c:16:7e:be:
+ 65:26:71:48:eb:5b:36:38:c1:a9:87:f0:ad:2e:40:5b:e8:12:
+ 39:f5:d0:60:71:55:d7:4b:fb:d0:bf:35:11:fb:2e:9c:4f:e6:
+ b1:35:c6:45:b4:73:68:99:d9:27:fa:4e:98:25:7d:6e:7c:1b:
+ 22:e8:c2:83:6f:3b:1f:4c:27:70:94:1a:ef:fb:2b:fd:9d:3c:
+ a2:ce:f2:4b:d1:8e:e7:6d:db:ec:22:1c:b9:b4:c1:bc:17:82:
+ ea:e1:1f:76:1a:4a:d6:59:b3:24:e5:e4:67:b9:ce:d3:73:67:
+ dd:48:82:04:bc:8f:50:34:c0:0e:42:6e:7e:63:ac:e6:ab:71:
+ b7:79:5b:f7:8e:8c:48:ac:ef:ae:c6:b0:e9:ae:d7:94:9b:58:
+ e9:2b:e8:40:93:1b:62:51:2d:06:a4:ca:8c:e6:7e:8c:5a:d0:
+ 6d:69:86:6f
+-----BEGIN CERTIFICATE-----
+MIIDbzCCAlegAwIBAgIQKqP4/8O1Yq/GeEU4ml8sWjANBgkqhkiG9w0BAQsFADAW
+MRQwEgYDVQQDDAtFYXN5LVJTQSBDQTAgFw0yNDA0MjUxNTM0MzBaGA8zMDIzMDgy
+NzE1MzQzMFowFDESMBAGA1UEAwwJdGVzdHN1aXRlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAvA038bEtTA6voVGFkh8bPO8EGCTR1g7rc2SG2sZl4rJ0
++27AuV3+Z2FEOr8gbqdTnHuOa+zEVewL+UQIalQ1WYKaY2ALN90iXeNDgU5Rrgpn
+Mbux03AOqEYvEey26VglCslySpfx1XoNaJDrc8LhgRLNCBsh6c5YPtyB3rdlMb3E
+i1rRBpvA6rdjj/ulZzd+1WkHVmfz5zddhIZSJZSeamCiXL9eC8vIgxoXUYTxFvCD
+Rra7l/NPukEfMKjV7k4ueACbJf0M7MxXo4K1VFb9Jfn/uF8bVa5XFjUNzJrP0CxK
+3dWuKn52c6+42aA1YYI9oNHOo9iCGwyavKULLQDQ6QIDAQABo4G4MIG1MAkGA1Ud
+EwQCMAAwHQYDVR0OBBYEFCARBi67sAsF1M5PvF9ROeeWlE8mMFEGA1UdIwRKMEiA
+FNtLqZUsrQWfz8g83jssJ4HXKGVIoRqkGDAWMRQwEgYDVQQDDAtFYXN5LVJTQSBD
+QYIUZjLnFa4g4tdrDjujUMElWkVpFKAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYD
+VR0PBAQDAgWgMBQGA1UdEQQNMAuCCXRlc3RzdWl0ZTANBgkqhkiG9w0BAQsFAAOC
+AQEAeLEoJfUXesKgLri7Fdyq6I+qrvNIDkYpcdcka83aTrGMGkABeQPKLUV2yQhh
+UOsDnIKf1jfYYEL8WTW3Qmn9NkWToxff3V2EGQRwT8hfPpYnSQOBp1UsFn6+ZSZx
+SOtbNjjBqYfwrS5AW+gSOfXQYHFV10v70L81EfsunE/msTXGRbRzaJnZJ/pOmCV9
+bnwbIujCg287H0wncJQa7/sr/Z08os7yS9GO523b7CIcubTBvBeC6uEfdhpK1lmz
+JOXkZ7nO03Nn3UiCBLyPUDTADkJufmOs5qtxt3lb946MSKzvrsaw6a7XlJtY6Svo
+QJMbYlEtBqTKjOZ+jFrQbWmGbw==
+-----END CERTIFICATE-----
diff --git a/ipad/example_ca/pki/issued/testsuite.notes b/ipad/example_ca/pki/issued/testsuite.notes
new file mode 100644
index 0000000..55594a6
--- /dev/null
+++ b/ipad/example_ca/pki/issued/testsuite.notes
@@ -0,0 +1,8 @@
+This certificate is suitable for tests where the testsuite runs on a separate
+machine or VM that has the hostname "testsuite"
+
+The testsuite.crt certificate has been created using the following commandline:
+./easyrsa --subject-alt-name="DNS:testsuite" build-server-full testsuite nopass
+
+The testsuite.cabundle file has been created manually (alttest certificate at the
+top, ca certificate at the bottom).
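Review bot: the last paragraph of testsuite.notes says the bundle has the "alttest certificate at the top", which looks copied from alttest.notes. testsuite.cabundle starts with the same PEM block as testsuite.crt (CN=testsuite), so this should read "testsuite certificate at the top". The first sentence is also missing its full stop after `"testsuite"`.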
diff --git a/ipad/example_ca/pki/openssl-easyrsa.cnf b/ipad/example_ca/pki/openssl-easyrsa.cnf
new file mode 100644
index 0000000..928b195
--- /dev/null
+++ b/ipad/example_ca/pki/openssl-easyrsa.cnf
@@ -0,0 +1,143 @@
+# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = $ENV::EASYRSA_PKI # Where everything is kept
+certs = $dir # Where the issued certs are kept
+crl_dir = $dir # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/certs_by_serial # default place for new certs.
+
+certificate = $dir/ca.crt # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/ca.key # The private key
+RANDFILE = $dir/.rand # private random number file
+
+x509_extensions = basic_exts # The extensions to add to the cert
+
+# A placeholder to handle the --copy-ext feature:
+#%COPY_EXTS% # Do NOT remove or change this line as --copy-ext support requires it
+
+# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
+# is designed for will. In return, we get the Issuer attached to CRLs.
+crl_extensions = crl_ext
+
+default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
+default_crl_days = $ENV::EASYRSA_CRL_DAYS # how long before next CRL
+default_md = $ENV::EASYRSA_DIGEST # use public key default MD
+preserve = no # keep passed DN ordering
+
+# This allows to renew certificates which have not been revoked
+unique_subject = no
+
+# A few different ways of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_anything
+
+# For the 'anything' policy, which defines allowed DN fields
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+name = optional
+emailAddress = optional
+
+####################################################################
+# Easy-RSA request handling
+# We key off $DN_MODE to determine how to format the DN
+[ req ]
+default_bits = $ENV::EASYRSA_KEY_SIZE
+default_keyfile = privkey.pem
+default_md = $ENV::EASYRSA_DIGEST
+distinguished_name = $ENV::EASYRSA_DN
+x509_extensions = easyrsa_ca # The extensions to add to the self signed cert
+
+# A placeholder to handle the $EXTRA_EXTS feature:
+#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it
+
+####################################################################
+# Easy-RSA DN (Subject) handling
+
+# Easy-RSA DN for cn_only support:
+[ cn_only ]
+commonName = Common Name (eg: your user, host, or server name)
+commonName_max = 64
+commonName_default = $ENV::EASYRSA_REQ_CN
+
+# Easy-RSA DN for org support:
+[ org ]
+countryName = Country Name (2 letter code)
+countryName_default = $ENV::EASYRSA_REQ_COUNTRY
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE
+
+localityName = Locality Name (eg, city)
+localityName_default = $ENV::EASYRSA_REQ_CITY
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = $ENV::EASYRSA_REQ_ORG
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = $ENV::EASYRSA_REQ_OU
+
+commonName = Common Name (eg: your user, host, or server name)
+commonName_max = 64
+commonName_default = $ENV::EASYRSA_REQ_CN
+
+emailAddress = Email Address
+emailAddress_default = $ENV::EASYRSA_REQ_EMAIL
+emailAddress_max = 64
+
+####################################################################
+# Easy-RSA cert extension handling
+
+# This section is effectively unused as the main script sets extensions
+# dynamically. This core section is left to support the odd usecase where
+# a user calls openssl directly.
+[ basic_exts ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+
+# The Easy-RSA CA extensions
+[ easyrsa_ca ]
+
+# PKIX recommendations:
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This could be marked critical, but it's nice to support reading by any
+# broken clients who attempt to do so.
+basicConstraints = CA:true
+
+# Limit key usage to CA tasks. If you really want to use the generated pair as
+# a self-signed cert, comment this out.
+keyUsage = cRLSign, keyCertSign
+
+# nsCertType omitted by default. Let's try to let the deprecated stuff die.
+# nsCertType = sslCA
+
+# A placeholder to handle the $X509_TYPES and CA extra extensions $EXTRA_EXTS:
+#%CA_X509_TYPES_EXTRA_EXTS% # Do NOT remove or change this line as $X509_TYPES and EXTRA_EXTS demands it
+
+# CRL extensions.
+[ crl_ext ]
+
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/ipad/example_ca/pki/private/alttest.key b/ipad/example_ca/pki/private/alttest.key
new file mode 100644
index 0000000..c334f49
--- /dev/null
+++ b/ipad/example_ca/pki/private/alttest.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/ipad/example_ca/pki/private/ca.key b/ipad/example_ca/pki/private/ca.key
new file mode 100644
index 0000000..ca1c505
--- /dev/null
+++ b/ipad/example_ca/pki/private/ca.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
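Review bot: pki/private/ca.key puts the CA's private key into the repository, next to alttest.key and testsuite.key, and the "BEGIN PRIVATE KEY" header (not "BEGIN ENCRYPTED PRIVATE KEY") shows it is stored unencrypted, so anyone with the repository can issue certificates that chain to this CA. That is fine for a fixture under example_ca only as long as nothing outside the test setup ever trusts ca.crt. Please add a README in ipad/example_ca (or a line in the .notes files) stating that these keys are public test material and that the CA must not be added to any real trust store.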
diff --git a/ipad/example_ca/pki/private/testsuite.key b/ipad/example_ca/pki/private/testsuite.key
new file mode 100644
index 0000000..0587614
--- /dev/null
+++ b/ipad/example_ca/pki/private/testsuite.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/ipad/example_ca/pki/reqs/alttest.req b/ipad/example_ca/pki/reqs/alttest.req
new file mode 100644
index 0000000..c3a3241
--- /dev/null
+++ b/ipad/example_ca/pki/reqs/alttest.req
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIChDCCAWwCAQAwEjEQMA4GA1UEAwwHYWx0dGVzdDCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAJT2fitB7gDW9S9UZvRBOWnuZAsVRlnOALa/Kqr3DnXE
+5aG3s4YcJAb6kUHxC4c67iYnKGIdrDVU5aOsSKeaqr4uYFJ83s/DKBFCV1KdRCSP
+sLb7Nu9Pqn4sV14HigP8GAPoWGuImKiTrGkBsZzvO/4ER54o4sYV+Vzf3iQeL6Tg
+sgGUfrgAdrDdNlUi8i06x7HYZ37KLSK43J2HNAzBEcdyK7jtG9h1bQ1J4fa/Et0Z
+hIcubcZ9fkIzKgWi/10HEIOkwDWp+ACWKZ+8U2yBGHvkxkFUfxKjWnfLD89SjIOa
+MAPKd2WywAsAZ4ZQd7H1ebcgYiX4O8rNxNrRwIH924sCAwEAAaAtMCsGCSqGSIb3
+DQEJDjEeMBwwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEB
+CwUAA4IBAQBgx4vAKtNXLloRv+cmqTdtNSrTeUz4gR2OB96tv7/Y8nPInDuOS5YA
+H0y/4d9WjybeeKtSGEWfcxWTPtEvye4HdEP5S4ajmDzAVngfqBBtOZ2a9YXYndwf
+Y/tG6AeaJZs7r4LAnRaLFJKwf+P+SL4Sz1ygZZnolUgI3KCH5iJFfWXIKcFvsp8Z
+QjtFaKTLnODI9DbyBZg4bJUyddRfEvQCBnd4E7BKaIJif32nUaV18YZ027onUONj
+IBaPqbMBHbVb5gXAIqc3u39Ut9dtD/XXxGMAkK3vjEGfPBoNqwVQAj5NxK/+CEwZ
++gdlC3YXEn0Bp/QTwGPtkpaiqClqVZiG
+-----END CERTIFICATE REQUEST-----
diff --git a/ipad/example_ca/pki/reqs/testsuite.req b/ipad/example_ca/pki/reqs/testsuite.req
new file mode 100644
index 0000000..877c3a2
--- /dev/null
+++ b/ipad/example_ca/pki/reqs/testsuite.req
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICgDCCAWgCAQAwFDESMBAGA1UEAwwJdGVzdHN1aXRlMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAvA038bEtTA6voVGFkh8bPO8EGCTR1g7rc2SG2sZl
+4rJ0+27AuV3+Z2FEOr8gbqdTnHuOa+zEVewL+UQIalQ1WYKaY2ALN90iXeNDgU5R
+rgpnMbux03AOqEYvEey26VglCslySpfx1XoNaJDrc8LhgRLNCBsh6c5YPtyB3rdl
+Mb3Ei1rRBpvA6rdjj/ulZzd+1WkHVmfz5zddhIZSJZSeamCiXL9eC8vIgxoXUYTx
+FvCDRra7l/NPukEfMKjV7k4ueACbJf0M7MxXo4K1VFb9Jfn/uF8bVa5XFjUNzJrP
+0CxK3dWuKn52c6+42aA1YYI9oNHOo9iCGwyavKULLQDQ6QIDAQABoCcwJQYJKoZI
+hvcNAQkOMRgwFjAUBgNVHREEDTALggl0ZXN0c3VpdGUwDQYJKoZIhvcNAQELBQAD
+ggEBAA8Se8HfjHNH9UgQFYE2/elUr0QiPoI5EFEswMwO99E1kDM4pq9g/h2wqwW6
+49NkZzzJfuTERM3ZUQC3+AV7pW9rDEQFf5GGUeM5VmBYiFgPK7FoVJkRJ4MroPti
+72uADGBXexYFUsbf6V09T0B80yarmNHNCFUChNY5lhcWEYpJuGXnbpGhzZXTPplw
+GZmWDUFVHKSPJX2GZw2AF+MfnyNOCRu+VkU4vjbCm8LQENQBDq1HZ5nYi2eHlW5w
+x/rmHZx8wv+ipY3DsG8bCho6fuaSvQI9fHi1UVRJcP1bdocCjFk+N1yj+i58TPRK
+FoU4y2362LU2nc1mOPeGuQu11Wk=
+-----END CERTIFICATE REQUEST-----
diff --git a/ipad/example_ca/pki/safessl-easyrsa.cnf b/ipad/example_ca/pki/safessl-easyrsa.cnf
new file mode 100644
index 0000000..d42bba9
--- /dev/null
+++ b/ipad/example_ca/pki/safessl-easyrsa.cnf
@@ -0,0 +1,143 @@
+# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki # Where everything is kept
+certs = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki # Where the issued certs are kept
+crl_dir = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki # Where the issued crl are kept
+database = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki/index.txt # database index file.
+new_certs_dir = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki/certs_by_serial # default place for new certs.
+
+certificate = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki/ca.crt # The CA certificate
+serial = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki/serial # The current serial number
+crl = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki/crl.pem # The current CRL
+private_key = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki/private/ca.key # The private key
+RANDFILE = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki/.rand # private random number file
+
+x509_extensions = basic_exts # The extensions to add to the cert
+
+# A placeholder to handle the --copy-ext feature:
+#%COPY_EXTS% # Do NOT remove or change this line as --copy-ext support requires it
+
+# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
+# is designed for will. In return, we get the Issuer attached to CRLs.
+crl_extensions = crl_ext
+
+default_days = 365000 # how long to certify for
+default_crl_days = 180 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+# This allows to renew certificates which have not been revoked
+unique_subject = no
+
+# A few different ways of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_anything
+
+# For the 'anything' policy, which defines allowed DN fields
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+name = optional
+emailAddress = optional
+
+####################################################################
+# Easy-RSA request handling
+# We key off $DN_MODE to determine how to format the DN
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+default_md = sha256
+distinguished_name = cn_only
+x509_extensions = easyrsa_ca # The extensions to add to the self signed cert
+
+# A placeholder to handle the $EXTRA_EXTS feature:
+#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it
+
+####################################################################
+# Easy-RSA DN (Subject) handling
+
+# Easy-RSA DN for cn_only support:
+[ cn_only ]
+commonName = Common Name (eg: your user, host, or server name)
+commonName_max = 64
+commonName_default = ChangeMe
+
+# Easy-RSA DN for org support:
+[ org ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = California
+
+localityName = Locality Name (eg, city)
+localityName_default = San Francisco
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Copyleft Certificate Co
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = My Organizational Unit
+
+commonName = Common Name (eg: your user, host, or server name)
+commonName_max = 64
+commonName_default = ChangeMe
+
+emailAddress = Email Address
+emailAddress_default = me(a)example.net
+emailAddress_max = 64
+
+####################################################################
+# Easy-RSA cert extension handling
+
+# This section is effectively unused as the main script sets extensions
+# dynamically. This core section is left to support the odd usecase where
+# a user calls openssl directly.
+[ basic_exts ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+
+# The Easy-RSA CA extensions
+[ easyrsa_ca ]
+
+# PKIX recommendations:
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This could be marked critical, but it's nice to support reading by any
+# broken clients who attempt to do so.
+basicConstraints = CA:true
+
+# Limit key usage to CA tasks. If you really want to use the generated pair as
+# a self-signed cert, comment this out.
+keyUsage = cRLSign, keyCertSign
+
+# nsCertType omitted by default. Let's try to let the deprecated stuff die.
+# nsCertType = sslCA
+
+# A placeholder to handle the $X509_TYPES and CA extra extensions $EXTRA_EXTS:
+#%CA_X509_TYPES_EXTRA_EXTS% # Do NOT remove or change this line as $X509_TYPES and EXTRA_EXTS demands it
+
+# CRL extensions.
+[ crl_ext ]
+
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
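Review bot: every path in [ CA_default ] of safessl-easyrsa.cnf is the absolute /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki from the author's machine, which will not exist on any other checkout. The file appears to be the expanded copy of openssl-easyrsa.cnf with the $ENV:: values substituted (365000, sha256, cn_only), so it carries nothing the template does not. Suggest dropping it from the change and listing it in .gitignore.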
diff --git a/ipad/example_ca/pki/serial b/ipad/example_ca/pki/serial
new file mode 100644
index 0000000..ec9e3df
--- /dev/null
+++ b/ipad/example_ca/pki/serial
@@ -0,0 +1 @@
+2AA3F8FFC3B562AFC67845389A5F2C5B
diff --git a/ipad/example_ca/pki/serial.old b/ipad/example_ca/pki/serial.old
new file mode 100644
index 0000000..406eea8
--- /dev/null
+++ b/ipad/example_ca/pki/serial.old
@@ -0,0 +1 @@
+2aa3f8ffc3b562afc67845389a5f2c5a
diff --git a/ipad/example_ca/pki/vars b/ipad/example_ca/pki/vars
new file mode 100644
index 0000000..4cb08cd
--- /dev/null
+++ b/ipad/example_ca/pki/vars
@@ -0,0 +1,235 @@
+# Easy-RSA 3 parameter settings
+
+# NOTE: If you installed Easy-RSA from your package manager, do not edit
+# this file in place -- instead, you should copy the entire easy-rsa directory
+# to another location so future upgrades do not wipe out your changes.
+
+# HOW TO USE THIS FILE
+#
+# vars.example contains built-in examples to Easy-RSA settings. You MUST name
+# this file "vars" if you want it to be used as a configuration file. If you do
+# not, it WILL NOT be automatically read when you call easyrsa commands.
+#
+# It is not necessary to use this config file unless you wish to change
+# operational defaults. These defaults should be fine for many uses without the
+# need to copy and edit the "vars" file.
+#
+# All of the editable settings are shown commented and start with the command
+# "set_var" -- this means any set_var command that is uncommented has been
+# modified by the user. If you are happy with a default, there is no need to
+# define the value to its default.
+
+# NOTES FOR WINDOWS USERS
+#
+# Paths for Windows *MUST* use forward slashes, or optionally double-escaped
+# backslashes (single forward slashes are recommended.) This means your path to
+# the openssl binary might look like this:
+# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
+
+# A little housekeeping: DO NOT EDIT THIS SECTION
+#
+# Easy-RSA 3.x does not source into the environment directly.
+# Complain if a user tries to do this:
+if [ -z "$EASYRSA_CALLER" ]; then
+ echo "You appear to be sourcing an Easy-RSA *vars* file." >&2
+ echo "This is no longer necessary and is disallowed. See the section called" >&2
+ echo "*How to use this file* near the top comments for more details." >&2
+ return 1
+fi
+
+# DO YOUR EDITS BELOW THIS POINT
+
+# This variable is used as the base location of configuration files needed by
+# easyrsa. More specific variables for specific files (e.g., EASYRSA_SSL_CONF)
+# may override this default.
+#
+# The default value of this variable is the location of the easyrsa script
+# itself, which is also where the configuration files are located in the
+# easy-rsa tree.
+
+#set_var EASYRSA "${0%/*}"
+
+# If your OpenSSL command is not in the system PATH, you will need to define the
+# path to it here. Normally this means a full path to the executable, otherwise
+# you could have left it undefined here and the shown default would be used.
+#
+# Windows users, remember to use paths with forward-slashes (or escaped
+# back-slashes.) Windows users should declare the full path to the openssl
+# binary here if it is not in their system PATH.
+
+#set_var EASYRSA_OPENSSL "openssl"
+#
+# This sample is in Windows syntax -- edit it for your path if not using PATH:
+#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
+
+# Edit this variable to point to your soon-to-be-created key directory. By
+# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the
+# directory you are currently in).
+#
+# WARNING: init-pki will do a rm -rf on this directory so make sure you define
+# it correctly! (Interactive mode will prompt before acting.)
+
+#set_var EASYRSA_PKI "$PWD/pki"
+
+# Define directory for temporary subdirectories.
+
+#set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI"
+
+# Define X509 DN mode.
+# This is used to adjust what elements are included in the Subject field as the DN
+# (this is the "Distinguished Name.")
+# Note that in cn_only mode the Organizational fields further below are not used.
+#
+# Choices are:
+# cn_only - use just a CN value
+# org - use the "traditional" Country/Province/City/Org/OU/email/CN format
+
+#set_var EASYRSA_DN "cn_only"
+
+# Organizational fields (used with "org" mode and ignored in "cn_only" mode.)
+# These are the default values for fields which will be placed in the
+# certificate. Do not leave any of these fields blank, although interactively
+# you may omit any specific field by typing the "." symbol (not valid for
+# email.)
+
+# NOTE: The following characters are not supported
+# in these "Organizational fields" by Easy-RSA:
+# single quote (')
+# back-tick (`)
+# hash (#)
+# ampersand (&)
+# dollar sign ($)
+# Use them at your own risk!
+
+#set_var EASYRSA_REQ_COUNTRY "US"
+#set_var EASYRSA_REQ_PROVINCE "California"
+#set_var EASYRSA_REQ_CITY "San Francisco"
+#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
+#set_var EASYRSA_REQ_EMAIL "me(a)example.net"
+#set_var EASYRSA_REQ_OU "My Organizational Unit"
+
+# Choose a size in bits for your keypairs. The recommended value is 2048. Using
+# 2048-bit keys is considered more than sufficient for many years into the
+# future. Larger keysizes will slow down TLS negotiation and make key/DH param
+# generation take much longer. Values up to 4096 should be accepted by most
+# software. Only used when the crypto alg is rsa (see below.)
+
+#set_var EASYRSA_KEY_SIZE 2048
+
+# The default crypto mode is rsa; ec can enable elliptic curve support.
+# Note that not all software supports ECC, so use care when enabling it.
+# Choices for crypto alg are: (each in lower-case)
+# * rsa
+# * ec
+# * ed
+
+#set_var EASYRSA_ALGO rsa
+
+# Define the named curve, used in ec & ed modes:
+
+#set_var EASYRSA_CURVE secp384r1
+
+# In how many days should the root CA key expire?
+
+set_var EASYRSA_CA_EXPIRE 365000
+
+# In how many days should certificates expire?
+
+set_var EASYRSA_CERT_EXPIRE 365000
+
+# How many days until the next CRL publish date? Note that the CRL can still be
+# parsed after this timeframe passes. It is only used for an expected next
+# publication date.
+#set_var EASYRSA_CRL_DAYS 180
+
+# How many days before its expiration date a certificate is allowed to be
+# renewed?
+#set_var EASYRSA_CERT_RENEW 30
+
+# For fixed certificate start/end dates - Range 1..365
+# If set here then command line option is always in effect.
+# The day number 183 is either July 2nd or 3rd (leap-year)
+# Replace with your chosen day-of-year value:
+#set_var EASYRSA_FIX_OFFSET 183
+
+# Random serial numbers by default, set to no for the old incremental serial numbers
+#
+#set_var EASYRSA_RAND_SN "yes"
+
+# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
+# is "no" to discourage use of deprecated extensions. If you require this
+# feature to use with --ns-cert-type, set this to "yes" here. This support
+# should be replaced with the more modern --remote-cert-tls feature. If you do
+# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
+# this defined to "no". When set to "yes", server-signed certs get the
+# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
+# nsComment field.
+
+#set_var EASYRSA_NS_SUPPORT "no"
+
+# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
+# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.
+
+#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate"
+
+# A temp file used to stage cert extensions during signing. The default should
+# be fine for most users; however, some users might want an alternative under a
+# RAM-based FS, such as /dev/shm or /tmp on some systems.
+
+#set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"
+
+# !!
+# NOTE: ADVANCED OPTIONS BELOW THIS POINT
+# PLAY WITH THEM AT YOUR OWN RISK
+# !!
+
+# Broken shell command aliases: If you have a largely broken shell that is
+# missing any of these POSIX-required commands used by Easy-RSA, you will need
+# to define an alias to the proper path for the command. The symptom will be
+# some form of a "command not found" error from your shell. This means your
+# shell is BROKEN, but you can hack around it here if you really need. These
+# shown values are not defaults: it is up to you to know what you are doing if
+# you touch these.
+#
+#alias awk="/alt/bin/awk"
+#alias cat="/alt/bin/cat"
+
+# X509 extensions directory:
+# If you want to customize the X509 extensions used, set the directory to look
+# for extensions here. Each cert type you sign must have a matching filename,
+# and an optional file named "COMMON" is included first when present. Note that
+# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
+# fallback to $EASYRSA for the "x509-types" dir. You may override this
+# detection with an explicit dir here.
+#
+#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
+
+# If you want to generate KDC certificates, you need to set the realm here.
+#set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM"
+
+# OpenSSL config file:
+# If you need to use a specific openssl config file, you can reference it here.
+# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the
+# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
+# specific and you cannot just use a standard config file, so this is an
+# advanced feature.
+
+#set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-easyrsa.cnf"
+
+# Default CN:
+# This is best left alone. Interactively you will set this manually, and BATCH
+# callers are expected to set this themselves.
+
+#set_var EASYRSA_REQ_CN "ChangeMe"
+
+# Cryptographic digest to use.
+# Do not change this default unless you understand the security implications.
+# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
+
+#set_var EASYRSA_DIGEST "sha256"
+
+# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
+# in batch mode without any user input, confirmation on dangerous operations,
+# or most output. Setting this to any non-blank string enables batch mode.
+
+#set_var EASYRSA_BATCH ""
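Review bot: the only two active settings in vars, EASYRSA_CA_EXPIRE and EASYRSA_CERT_EXPIRE at 365000 days, have no comment explaining the choice. Add a line saying this is deliberate so the test certificates do not expire during the lifetime of the testsuite, and confirm that the TLS stack under test accepts the resulting "Not After : Aug 27 15:34:30 3023 GMT" seen in testsuite.crt. The rest of the file appears to be the stock vars.example, which this change also adds, so one of the two copies could be left out.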
diff --git a/ipad/example_ca/pki/vars.example b/ipad/example_ca/pki/vars.example
new file mode 100644
index 0000000..4eab5d0
--- /dev/null
+++ b/ipad/example_ca/pki/vars.example
@@ -0,0 +1,235 @@
+# Easy-RSA 3 parameter settings
+
+# NOTE: If you installed Easy-RSA from your package manager, do not edit
+# this file in place -- instead, you should copy the entire easy-rsa directory
+# to another location so future upgrades do not wipe out your changes.
+
+# HOW TO USE THIS FILE
+#
+# vars.example contains built-in examples to Easy-RSA settings. You MUST name
+# this file "vars" if you want it to be used as a configuration file. If you do
+# not, it WILL NOT be automatically read when you call easyrsa commands.
+#
+# It is not necessary to use this config file unless you wish to change
+# operational defaults. These defaults should be fine for many uses without the
+# need to copy and edit the "vars" file.
+#
+# All of the editable settings are shown commented and start with the command
+# "set_var" -- this means any set_var command that is uncommented has been
+# modified by the user. If you are happy with a default, there is no need to
+# define the value to its default.
+
+# NOTES FOR WINDOWS USERS
+#
+# Paths for Windows *MUST* use forward slashes, or optionally double-escaped
+# backslashes (single forward slashes are recommended.) This means your path to
+# the openssl binary might look like this:
+# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
+
+# A little housekeeping: DO NOT EDIT THIS SECTION
+#
+# Easy-RSA 3.x does not source into the environment directly.
+# Complain if a user tries to do this:
+if [ -z "$EASYRSA_CALLER" ]; then
+ echo "You appear to be sourcing an Easy-RSA *vars* file." >&2
+ echo "This is no longer necessary and is disallowed. See the section called" >&2
+ echo "*How to use this file* near the top comments for more details." >&2
+ return 1
+fi
+
+# DO YOUR EDITS BELOW THIS POINT
+
+# This variable is used as the base location of configuration files needed by
+# easyrsa. More specific variables for specific files (e.g., EASYRSA_SSL_CONF)
+# may override this default.
+#
+# The default value of this variable is the location of the easyrsa script
+# itself, which is also where the configuration files are located in the
+# easy-rsa tree.
+
+#set_var EASYRSA "${0%/*}"
+
+# If your OpenSSL command is not in the system PATH, you will need to define the
+# path to it here. Normally this means a full path to the executable, otherwise
+# you could have left it undefined here and the shown default would be used.
+#
+# Windows users, remember to use paths with forward-slashes (or escaped
+# back-slashes.) Windows users should declare the full path to the openssl
+# binary here if it is not in their system PATH.
+
+#set_var EASYRSA_OPENSSL "openssl"
+#
+# This sample is in Windows syntax -- edit it for your path if not using PATH:
+#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
+
+# Edit this variable to point to your soon-to-be-created key directory. By
+# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the
+# directory you are currently in).
+#
+# WARNING: init-pki will do a rm -rf on this directory so make sure you define
+# it correctly! (Interactive mode will prompt before acting.)
+
+#set_var EASYRSA_PKI "$PWD/pki"
+
+# Define directory for temporary subdirectories.
+
+#set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI"
+
+# Define X509 DN mode.
+# This is used to adjust what elements are included in the Subject field as the DN
+# (this is the "Distinguished Name.")
+# Note that in cn_only mode the Organizational fields further below are not used.
+#
+# Choices are:
+# cn_only - use just a CN value
+# org - use the "traditional" Country/Province/City/Org/OU/email/CN format
+
+#set_var EASYRSA_DN "cn_only"
+
+# Organizational fields (used with "org" mode and ignored in "cn_only" mode.)
+# These are the default values for fields which will be placed in the
+# certificate. Do not leave any of these fields blank, although interactively
+# you may omit any specific field by typing the "." symbol (not valid for
+# email.)
+
+# NOTE: The following characters are not supported
+# in these "Organizational fields" by Easy-RSA:
+# single quote (')
+# back-tick (`)
+# hash (#)
+# ampersand (&)
+# dollar sign ($)
+# Use them at your own risk!
+
+#set_var EASYRSA_REQ_COUNTRY "US"
+#set_var EASYRSA_REQ_PROVINCE "California"
+#set_var EASYRSA_REQ_CITY "San Francisco"
+#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
+#set_var EASYRSA_REQ_EMAIL "me(a)example.net"
+#set_var EASYRSA_REQ_OU "My Organizational Unit"
+
+# Choose a size in bits for your keypairs. The recommended value is 2048. Using
+# 2048-bit keys is considered more than sufficient for many years into the
+# future. Larger keysizes will slow down TLS negotiation and make key/DH param
+# generation take much longer. Values up to 4096 should be accepted by most
+# software. Only used when the crypto alg is rsa (see below.)
+
+#set_var EASYRSA_KEY_SIZE 2048
+
+# The default crypto mode is rsa; ec can enable elliptic curve support.
+# Note that not all software supports ECC, so use care when enabling it.
+# Choices for crypto alg are: (each in lower-case)
+# * rsa
+# * ec
+# * ed
+
+#set_var EASYRSA_ALGO rsa
+
+# Define the named curve, used in ec & ed modes:
+
+#set_var EASYRSA_CURVE secp384r1
+
+# In how many days should the root CA key expire?
+
+#set_var EASYRSA_CA_EXPIRE 3650
+
+# In how many days should certificates expire?
+
+#set_var EASYRSA_CERT_EXPIRE 825
+
+# How many days until the next CRL publish date? Note that the CRL can still be
+# parsed after this timeframe passes. It is only used for an expected next
+# publication date.
+#set_var EASYRSA_CRL_DAYS 180
+
+# How many days before its expiration date a certificate is allowed to be
+# renewed?
+#set_var EASYRSA_CERT_RENEW 30
+
+# For fixed certificate start/end dates - Range 1..365
+# If set here then command line option is always in effect.
+# The day number 183 is either July 2nd or 3rd (leap-year)
+# Replace with your chosen day-of-year value:
+#set_var EASYRSA_FIX_OFFSET 183
+
+# Random serial numbers by default, set to no for the old incremental serial numbers
+#
+#set_var EASYRSA_RAND_SN "yes"
+
+# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
+# is "no" to discourage use of deprecated extensions. If you require this
+# feature to use with --ns-cert-type, set this to "yes" here. This support
+# should be replaced with the more modern --remote-cert-tls feature. If you do
+# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
+# this defined to "no". When set to "yes", server-signed certs get the
+# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
+# nsComment field.
+
+#set_var EASYRSA_NS_SUPPORT "no"
+
+# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
+# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.
+
+#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate"
+
+# A temp file used to stage cert extensions during signing. The default should
+# be fine for most users; however, some users might want an alternative under a
+# RAM-based FS, such as /dev/shm or /tmp on some systems.
+
+#set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"
+
+# !!
+# NOTE: ADVANCED OPTIONS BELOW THIS POINT
+# PLAY WITH THEM AT YOUR OWN RISK
+# !!
+
+# Broken shell command aliases: If you have a largely broken shell that is
+# missing any of these POSIX-required commands used by Easy-RSA, you will need
+# to define an alias to the proper path for the command. The symptom will be
+# some form of a "command not found" error from your shell. This means your
+# shell is BROKEN, but you can hack around it here if you really need. These
+# shown values are not defaults: it is up to you to know what you are doing if
+# you touch these.
+#
+#alias awk="/alt/bin/awk"
+#alias cat="/alt/bin/cat"
+
+# X509 extensions directory:
+# If you want to customize the X509 extensions used, set the directory to look
+# for extensions here. Each cert type you sign must have a matching filename,
+# and an optional file named "COMMON" is included first when present. Note that
+# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
+# fallback to $EASYRSA for the "x509-types" dir. You may override this
+# detection with an explicit dir here.
+#
+#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
+
+# If you want to generate KDC certificates, you need to set the realm here.
+#set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM"
+
+# OpenSSL config file:
+# If you need to use a specific openssl config file, you can reference it here.
+# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the
+# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
+# specific and you cannot just use a standard config file, so this is an
+# advanced feature.
+
+#set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-easyrsa.cnf"
+
+# Default CN:
+# This is best left alone. Interactively you will set this manually, and BATCH
+# callers are expected to set this themselves.
+
+#set_var EASYRSA_REQ_CN "ChangeMe"
+
+# Cryptographic digest to use.
+# Do not change this default unless you understand the security implications.
+# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
+
+#set_var EASYRSA_DIGEST "sha256"
+
+# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
+# in batch mode without any user input, confirmation on dangerous operations,
+# or most output. Setting this to any non-blank string enables batch mode.
+
+#set_var EASYRSA_BATCH ""
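Review bot: every `set_var` line in this new vars.example is commented out, and the file's own header says it is not read unless it is renamed to "vars", so it has no effect on the example CA. Its closing lines also repeat the tail of the file added just before it in this patch. Consider leaving the stock Easy-RSA example out of the commit, or replacing it with a short note recording which settings the test CA relies on (for instance the `EASYRSA_ALGO` and `EASYRSA_DIGEST` values), since that is what someone regenerating the test certificates needs to know.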
diff --git a/ipad/gen_links.sh b/ipad/gen_links.sh
new file mode 100755
index 0000000..130c68e
--- /dev/null
+++ b/ipad/gen_links.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+BASEDIR=../deps
+
+. ../gen_links.sh.inc
+
+DIR=$BASEDIR/titan.Libraries.TCCUsefulFunctions/src
+FILES="TCCInterface_Functions.ttcn TCCConversion_Functions.ttcn TCCConversion.cc TCCInterface.cc TCCInterface_ip.h"
+gen_links $DIR $FILES
+
+DIR=$BASEDIR/titan.TestPorts.Common_Components.Abstract_Socket/src
+FILES="Abstract_Socket.cc Abstract_Socket.hh "
+gen_links $DIR $FILES
+
+DIR=$BASEDIR/titan.TestPorts.HTTPmsg/src
+FILES="HTTPmsg_MessageLen.ttcn HTTPmsg_MessageLen_Function.cc HTTPmsg_PT.cc HTTPmsg_PT.hh HTTPmsg_PortType.ttcn "
+FILES+="HTTPmsg_Types.ttcn"
+gen_links $DIR $FILES
+
+DIR=$BASEDIR/titan.TestPorts.Common_Components.Socket-API/src
+FILES="Socket_API_Definitions.ttcn"
+gen_links $DIR $FILES
+
+DIR=$BASEDIR/titan.TestPorts.IPL4asp/src
+FILES="IPL4asp_Functions.ttcn IPL4asp_PT.cc IPL4asp_PT.hh IPL4asp_PortType.ttcn IPL4asp_Types.ttcn "
+FILES+="IPL4asp_discovery.cc IPL4asp_protocol_L234.hh"
+gen_links $DIR $FILES
+
+DIR=../library/euicc
+FILES="PEDefinitions.asn PKIX1Explicit88.asn PKIX1Implicit88.asn RSPDefinitions.asn SGP32Definitions.asn "
+FILES+="PKIX1Explicit88_Templates.ttcn PKIX1Explicit88_Types.ttcn PKIX1Implicit88_Templates.ttcn "
+FILES+="PKIX1Implicit88_Types.ttcn RSPDefinitions_Templates.ttcn RSPDefinitions_Types.ttcn "
+FILES+="SGP32Definitions_Templates.ttcn SGP32Definitions_Types.ttcn "
+FILES+="PKIX1Explicit88_EncDec.cc PKIX1Implicit88_EncDec.cc RSPDefinitions_EncDec.cc SGP32Definitions_EncDec.cc"
+gen_links $DIR $FILES
+
+DIR=../library
+FILES="Misc_Helpers.ttcn General_Types.ttcn Osmocom_Types.ttcn Native_Functions.ttcn Native_FunctionDefs.cc "
+FILES+="VPCD_Types.ttcn VPCD_CodecPort.ttcn VPCD_CodecPort_CtrlFunct.ttcn VPCD_CodecPort_CtrlFunctDef.cc "
+FILES+="VPCD_Adapter.ttcn HTTP_Server_Emulation.ttcn"
+gen_links $DIR $FILES
+
+ignore_pp_results
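Review bot: the script resolves everything relative to the current directory (`BASEDIR=../deps`, `. ../gen_links.sh.inc`, `DIR=../library/euicc`) and has no error handling, so when it is started from anywhere other than ipad/ the include fails and every following `gen_links` call then fails in turn. A `cd "$(dirname "$0")"` before the include, or `set -e` at the top, would make it stop at the first problem with a clear message.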
diff --git a/ipad/regen_makefile.sh b/ipad/regen_makefile.sh
new file mode 100755
index 0000000..9123e43
--- /dev/null
+++ b/ipad/regen_makefile.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+NAME=IPAd_Tests
+
+FILES="
+ *.ttcn
+ *.asn
+ Abstract_Socket.cc
+ HTTPmsg_MessageLen_Function.cc
+ HTTPmsg_PT.cc
+ IPL4asp_PT.cc
+ IPL4asp_discovery.cc
+ Native_FunctionDefs.cc
+ TCCConversion.cc
+ TCCInterface.cc
+ SGP32Definitions_EncDec.cc
+ RSPDefinitions_EncDec.cc
+ PKIX1Explicit88_EncDec.cc
+ PKIX1Implicit88_EncDec.cc
+ VPCD_CodecPort_CtrlFunctDef.cc
+"
+../regen-makefile.sh IPAd_Tests.ttcn $FILES
+
+# required for forkpty(3) used by PIPEasp
+sed -i -e '/^LINUX_LIBS/ s/$/ -lutil/' Makefile
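Review bot: the trailing `sed` that appends `-lutil` is justified by the comment "required for forkpty(3) used by PIPEasp", but no PIPEasp source is listed in `FILES` here or linked in ipad/gen_links.sh, so the line looks carried over from another suite; drop it if nothing in IPAd_Tests uses forkpty. In the same hunk, `NAME=IPAd_Tests` is assigned and then not used, because the call spells out `IPAd_Tests.ttcn`; either pass `$NAME.ttcn` or remove the variable.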
diff --git a/regen-makefile.sh b/regen-makefile.sh
index 09088e0..813b212 100755
--- a/regen-makefile.sh
+++ b/regen-makefile.sh
@@ -41,12 +41,12 @@
sed -i -e 's/# TTCN3_DIR = /TTCN3_DIR = \/usr/' Makefile
sed -i -e 's/LDFLAGS = /LDFLAGS = -L \/usr\/lib\/titan/' Makefile
-sed -i -e 's/LINUX_LIBS = -lxml2/LINUX_LIBS = -lxml2 -lsctp/' Makefile
+sed -i -e 's/LINUX_LIBS = -lxml2/LINUX_LIBS = -lxml2 -lsctp -lssl/' Makefile
#sed -i -e 's/TTCN3_LIB = ttcn3-parallel/TTCN3_LIB = ttcn3/' Makefile
# The -DMAKEDEPEND_RUN is a workaround for Debian packaging issue,
# see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879816 for details
-sed -i -e 's/CPPFLAGS = -D$(PLATFORM)/CPPFLAGS = -D$(PLATFORM) -DMAKEDEPEND_RUN -DUSE_SCTP -DLKSCTP_MULTIHOMING_ENABLED/' Makefile
+sed -i -e 's/CPPFLAGS = -D$(PLATFORM)/CPPFLAGS = -D$(PLATFORM) -DMAKEDEPEND_RUN -DUSE_SCTP -DLKSCTP_MULTIHOMING_ENABLED -DAS_USE_SSL/' Makefile
#remove -Wall from CXXFLAGS: we're not interested in generic warnings for autogenerated code cluttering the logs
sed -i -e 's/-Wall//' Makefile
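Review bot: adding `-lssl` to `LINUX_LIBS` and `-DAS_USE_SSL` to `CPPFLAGS` in the shared regen-makefile.sh applies to every test suite that calls it, not only the new ipad one, so all suites now need the OpenSSL development files to build and link. If that is intended, say so in the commit message and in the documented build dependencies; otherwise append the two flags from ipad/regen_makefile.sh, the same way that script already appends `-lutil` with its own `sed`.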
--
To view, visit https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/36229?usp=email
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings
Gerrit-Project: osmo-ttcn3-hacks
Gerrit-Branch: master
Gerrit-Change-Id: Ic9ea8c69e56a2e8ddf0f506861ece6d40cbcb06d
Gerrit-Change-Number: 36229
Gerrit-PatchSet: 9
Gerrit-Owner: dexter <pmaier(a)sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge(a)osmocom.org>
Gerrit-Reviewer: pespin <pespin(a)sysmocom.de>
Gerrit-MessageType: merged