[XL] Change in osmo-ttcn3-hacks[master]: IPAd_Tests: add testsuite for an IPAd

laforge has submitted this change. ( https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/36229?usp=email )

Change subject: IPAd_Tests: add testsuite for an IPAd ......................................................................

IPAd_Tests: add testsuite for an IPAd

With this patch we add a testsuite that can be used to test an IPAd implementation.

The testsuite emulates the ESipa and the ES10x (pcsc cardreader) interface and is capable of testing a direct profile download and other ESipa features like the execution of an eIM package (eCO, PSMO).

Change-Id: Ic9ea8c69e56a2e8ddf0f506861ece6d40cbcb06d Related: SYS#6564 --- M .checkpatch.conf M Makefile A ipad/IPAd_Tests.cfg A ipad/IPAd_Tests.default A ipad/IPAd_Tests.ttcn A ipad/example_ca/pki/ca.crt A ipad/example_ca/pki/certs_by_serial/2AA3F8FFC3B562AFC67845389A5F2C5A.pem A ipad/example_ca/pki/certs_by_serial/FAEE71AC9CF85B804DCE4BD357F83209.pem A ipad/example_ca/pki/index.txt A ipad/example_ca/pki/index.txt.attr A ipad/example_ca/pki/index.txt.attr.old A ipad/example_ca/pki/index.txt.old A ipad/example_ca/pki/issued/alttest.cabundle A ipad/example_ca/pki/issued/alttest.crt A ipad/example_ca/pki/issued/alttest.notes A ipad/example_ca/pki/issued/testsuite.cabundle A ipad/example_ca/pki/issued/testsuite.crt A ipad/example_ca/pki/issued/testsuite.notes A ipad/example_ca/pki/openssl-easyrsa.cnf A ipad/example_ca/pki/private/alttest.key A ipad/example_ca/pki/private/ca.key A ipad/example_ca/pki/private/testsuite.key A ipad/example_ca/pki/reqs/alttest.req A ipad/example_ca/pki/reqs/testsuite.req A ipad/example_ca/pki/safessl-easyrsa.cnf A ipad/example_ca/pki/serial A ipad/example_ca/pki/serial.old A ipad/example_ca/pki/vars A ipad/example_ca/pki/vars.example A ipad/gen_links.sh A ipad/regen_makefile.sh M regen-makefile.sh 32 files changed, 2,177 insertions(+), 2 deletions(-)

Approvals: Jenkins Builder: Verified pespin: Looks good to me, but someone else must approve laforge: Looks good to me, approved

diff --git a/.checkpatch.conf b/.checkpatch.conf index 700e952..2317bec 100644 --- a/.checkpatch.conf +++ b/.checkpatch.conf @@ -1,2 +1,5 @@ --exclude ^library/sbcap/.*.asn$ --exclude ^library/DIAMETER_Types.ttcn$ +--exclude ^ipad/example_ca/pki/certs_by_serial/.*.pem$ +--exclude ^ipad/example_ca/pki/issued/.*.crt$ +--exclude ^ipad/example_ca/vars$ \ No newline at end of file diff --git a/Makefile b/Makefile index bd88ca5..d216aab 100644 --- a/Makefile +++ b/Makefile @@ -30,6 +30,7 @@ hnbgw \ hnodeb \ hss \ + ipad \ mgw \ mme \ msc \ diff --git a/ipad/IPAd_Tests.cfg b/ipad/IPAd_Tests.cfg new file mode 100644 index 0000000..ae44ac5 --- /dev/null +++ b/ipad/IPAd_Tests.cfg @@ -0,0 +1,23 @@ +[ORDERED_INCLUDE] +# Common configuration, shared between test suites +"../Common.cfg" +# testsuite specific configuration, not expected to change +"./IPAd_Tests.default" + +# Local configuration below + +[LOGGING] + +[TESTPORT_PARAMETERS] +system.HTTP_server_port.use_notification_ASPs := "no" +system.HTTP_server_port.KEYFILE := "./example_ca/pki/private/alttest.key" +system.HTTP_server_port.CERTIFICATEFILE := "./example_ca/pki/issued/alttest.crt" +system.HTTP_server_port.PASSWORD := "katinka1" +system.HTTP_server_port.http_debugging := "yes" + +[MODULE_PARAMETERS] + +[MAIN_CONTROLLER] + +[EXECUTE] +IPAd_Tests.control diff --git a/ipad/IPAd_Tests.default b/ipad/IPAd_Tests.default new file mode 100644 index 0000000..95b42e9 --- /dev/null +++ b/ipad/IPAd_Tests.default @@ -0,0 +1,8 @@ +[LOGGING] +mtc.FileMask := LOG_ALL | TTCN_DEBUG | TTCN_MATCHING; // | DEBUG_ENCDEC; + +[TESTPORT_PARAMETERS] + +[MODULE_PARAMETERS] + +[EXECUTE] diff --git a/ipad/IPAd_Tests.ttcn b/ipad/IPAd_Tests.ttcn new file mode 100644 index 0000000..35ab79f --- /dev/null +++ b/ipad/IPAd_Tests.ttcn @@ -0,0 +1,708 @@ +/* IPAd testsuite in TTCN-3 + * + * Author: Philipp Maier pmaier@sysmocom.de / sysmocom - s.f.m.c. GmbH + * + * Released under the terms of GNU General Public License, Version 2 or + * (at your option) any later version. + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +module IPAd_Tests { + +import from Misc_Helpers all; +import from General_Types all; +import from Osmocom_Types all; + +import from SGP32Definitions all; +import from SGP32Definitions_Types all; +import from SGP32Definitions_Templates all; + +import from RSPDefinitions all; +import from RSPDefinitions_Types all; +import from RSPDefinitions_Templates all; + +import from PKIX1Explicit88 all; +import from PKIX1Explicit88_Templates all; +import from PKIX1Explicit88_Types all; + +import from HTTP_Server_Emulation all; +import from HTTPmsg_Types all; + +import from VPCD_Types all; +import from VPCD_CodecPort all; +import from VPCD_Adapter all; + +modulepar { + /* emulated eIM HTTPs server */ + charstring mp_esipa_ip := "127.0.0.1"; + integer mp_esipa_port := 4430; + boolean mp_esipa_disable_ssl := false; + boolean mp_use_vpcd := true; + float mp_restart_guardtime := 2.0 +} + +/* Altstep to handle card power up/down and ATR transmission */ +private altstep as_vpcd_atr() runs on VPCD_Adapter_CT { + [] VPCD.receive(tr_VPCD_Recv(g_vpcd_conn_id, tr_VPCD_CTRL_ATR)) { + f_vpcd_send(ts_VPCD_DATA('3B9F96801FC78031A073BE21136743200718000001A5'O)); + repeat; + } + [] VPCD.receive(tr_VPCD_Recv(g_vpcd_conn_id, tr_VPCD_CTRL_OFF)) { + repeat; + } + [] VPCD.receive(tr_VPCD_Recv(g_vpcd_conn_id, tr_VPCD_CTRL_ON)) { + repeat; + } +} + +/* Helper template to format HTTP responses */ +private template (value) HTTPMessage ts_http_resp(template (value) octetstring resp := ''O) := { + response_binary := { + client_id := omit, + version_major := 1, + version_minor := 1, + statuscode := 200, + statustext := "OK", + /* See also SGP.32, section 6.1.1 */ + header := { + { + header_name := "X-Admin-Protocol", + header_value := "gsma/rsp/v1.0.0" + }, + { + header_name := "Content-Type", + header_value := "application/x-gsma-rsp-asn1" + }, + { + header_name := "Content-Length", + header_value := int2str(lengthof(resp)) + } + }, + body := resp + } +} + +type component MTC_CT { + timer g_Tguard; + + /* HTTP server */ + var HTTP_Server_Emulation_CT vc_HTTP; +}; + +type component IPAd_ConnHdlr extends HTTP_ConnHdlr, VPCD_Adapter_CT { + var IPAd_ConnHdlrPars g_pars; +}; + +type record IPAd_ConnHdlrPars { + /* TODO: add some useful parameters */ +}; + +private function f_init_pars() +runs on MTC_CT return IPAd_ConnHdlrPars { + var IPAd_ConnHdlrPars pars := { + /* TODO: fill parameters with meaninful values */ + }; + return pars; +} + +private altstep as_Tguard() runs on MTC_CT { + [] g_Tguard.timeout { + Misc_Helpers.f_shutdown(__BFILE__, __LINE__, fail, "Tguard timeout"); + } +} + +private type function void_fn(charstring id) runs on IPAd_ConnHdlr; + +private function f_init_handler(void_fn fn, charstring id, IPAd_ConnHdlrPars pars) runs on IPAd_ConnHdlr { + g_pars := pars; + + /* Initialize VPDC (virtual smartcard) */ + if (mp_use_vpcd) { + VPCD_Adapter.f_connect(); + activate(as_vpcd_atr()); + } + + fn.apply(id); +} + +private function f_start_handler(void_fn fn, IPAd_ConnHdlrPars pars) +runs on MTC_CT return IPAd_ConnHdlr { + var IPAd_ConnHdlr vc_conn; + var charstring id := testcasename(); + + vc_conn := IPAd_ConnHdlr.create(id); + + if (isbound(vc_HTTP)) { + connect(vc_conn:HTTP_SRV, vc_HTTP:CLIENT); + connect(vc_conn:HTTP_SRV_PROC, vc_HTTP:CLIENT_PROC); + } + + vc_conn.start(f_init_handler(fn, id, pars)); + return vc_conn; +} + +function f_init_esipa(charstring id) runs on MTC_CT { + var HttpServerEmulationCfg http_cfg := { + http_bind_ip := mp_esipa_ip, + http_bind_port := mp_esipa_port, + use_ssl := not mp_esipa_disable_ssl + }; + + vc_HTTP := HTTP_Server_Emulation_CT.create(id); + vc_HTTP.start(HTTP_Server_Emulation.main(http_cfg)); +} + +private function f_init(charstring id, float t_guard := 40.0) runs on MTC_CT { + /* Ensure a guard time inbetween tests. This is to make sure that the IPAd is able to finish its current poll + * cycle. In practice this means that the IPAd will notice that the connectivity towards the eIM is lost and + * since this is one of the conditions for ending the current poll cycle it will exit. A freshly restarted + * IPAd is a mandatory start condition for the tests since all tests expect the initialization procedure + * (selection of ISD-P etc.) that the IPAd executes on startup. */ + f_sleep(mp_restart_guardtime); + + g_Tguard.start(t_guard); + activate(as_Tguard()); + f_init_esipa(id); +} + +/* Expect a GetResponse request from IUT and transfer as many response bytes the IUT requests */ +private function f_vpcd_get_response(octetstring response) runs on IPAd_ConnHdlr return integer { + var octetstring sw; + var VPCD_PDU req; + var integer len; + + req := f_vpcd_exp(tr_VPCD_DATA(?)); + len := oct2int(req.u.data[4]); + if (len == 0) { + len := 256; + } + + /* Make sure that the request APDU is actually a GetResponse request (on logical channel 2) */ + if (substr(req.u.data, 0, 4) != '01c00000'O) { + setverdict(fail, "unexpected APDU, expecting GetResponse"); + return 0; + } + + /* Compute status word, in case the requested data is shorter then the response data we intend to send, we must + * tell the IUT that there is still data available, so that a consecutive GetResponse request can be issued. + * (caller must check return code to determine if a consecutive GetResponse is needed/expected) */ + if (lengthof(response) > len) { + if (lengthof(response) - len > 255) { + sw := '6100'O; + } else { + sw := '61'O & int2oct(lengthof(response) - len, 1); + } + } else { + sw := '9000'O; + } + + /* Send response to IUT */ + f_vpcd_send(ts_VPCD_DATA(substr(response, 0, len) & sw)); + + /* Return how many bytes have sent */ + return len; +} + +/* Expect one or more GetResponse requests from IUT until the full response is transferred */ +private function f_vpcd_get_response_multi(octetstring response) runs on IPAd_ConnHdlr { + var integer bytes_sent := 0; + var octetstring response_remainder := response; + + while (true) { + response_remainder := substr(response_remainder, bytes_sent, lengthof(response_remainder) - bytes_sent); + bytes_sent := f_vpcd_get_response(response_remainder); + + /* Check if we reached the last chunk */ + if (lengthof(response_remainder) <= bytes_sent) { + return; + } + } +} + +/* Expect one or more STORE DATA requests until the IUT has completed the transmision cycle */ +private function f_vpcd_store_data(octetstring exp := ''O) runs on IPAd_ConnHdlr return octetstring { + + var VPCD_PDU req; + var octetstring block; + var integer len; + var octetstring data := ''O; + + while (true) { + req := f_vpcd_exp(tr_VPCD_DATA(?)); + + /* Make sure that the request APDU is actually a STORE DATA request (on logical channel 1) */ + if (substr(req.u.data, 0, 3) != '81E291'O and + substr(req.u.data, 0, 3) != '81E211'O) { + setverdict(fail, "unexpected APDU, expecting GetResponse"); + return ''O; + } + + if (lengthof(req.u.data) - 5 > 255) { + len := 255; + } else { + len := lengthof(req.u.data) - 5; + } + block := substr(req.u.data, 5, len); + data := data & block; + + /* The final status word contains the length of the response. We can not send it right now + * since the caller must first process the received data block and compute a response. When + * the exact length of the response data is known. The final status word can be sent using + * f_vpcd_store_data_final_ack() */ + if (substr(req.u.data, 2, 1) == '91'O) { + if (exp != ''O and block != exp) { + setverdict(fail, "received block contains unexpected data (", block, " != ", exp, ")"); + } + return block; + } + + f_vpcd_send(ts_VPCD_DATA('9000'O)); + } + + setverdict(fail, "no data? (we should not reach this code path)"); + return ''O; +} + +/* Send a final status word to acknowledge the last block of a STORE DATA transmission. The status word will tell + * the IUT how many response bytes are available. (The IUT will immediately begin to fetch the response using + * one or more GetResponse requests */ +private function f_vpcd_store_data_final_ack(integer response_len) runs on IPAd_ConnHdlr { + var octetstring second_sw_byte; + var octetstring first_sw_byte; + + if (response_len > 255) { + second_sw_byte := '00'O; + } else { + second_sw_byte := int2oct(response_len, 1); + } + + if (response_len > 0) { + first_sw_byte := '61'O; /* 61xx */ + } else { + first_sw_byte := '90'O; /* 9000 */ + } + + f_vpcd_send(ts_VPCD_DATA(first_sw_byte & second_sw_byte)); +} + +/* Expect a pre-defined request (optional), and send a pre-defined response. This is a shortcut that only works in case + * the response does not depend on the request. */ +private function f_vpcd_transceive(octetstring response, octetstring expected_request := ''O) runs on IPAd_ConnHdlr { + + /* In case we do not use the VPCD (because we have some other kind of eUICC emulation or even a real card + * present), we just skip. */ + if (mp_use_vpcd == false) { + return; + } + + f_vpcd_store_data(expected_request); + f_vpcd_store_data_final_ack(lengthof(response)); + if (response != ''O) { + f_vpcd_get_response_multi(response); + } +} + +/* Handle the opening of logical channel 1 and the selection of the ISD-R */ +private function f_es10x_init() runs on IPAd_ConnHdlr { + var charstring eim_fqdn := mp_esipa_ip & ":" & int2str(mp_esipa_port); + + /* If we decide not to use vpcd, then we must not initialize anything here */ + if (mp_use_vpcd == false) { + return; + } + + /* Expect a MANAGE CHANNEL request that opens logical channel 1 */ + f_vpcd_exp(tr_VPCD_DATA('0070000100'O)); + f_vpcd_send(ts_VPCD_DATA('9000'O)); + + /* Expect selection of ISD-R request */ + f_vpcd_exp(tr_VPCD_DATA('01a4040410a0000005591010ffffffff8900000100'O)); + f_vpcd_send(ts_VPCD_DATA('6121'O)); /* 21 bytes of response, which are not requested by the ipad. */ + + /* Expect the IPAd to query the eID from the eUICC */ + f_vpcd_transceive(enc_GetEuiccDataResponse(valueof(ts_getEuiccDataResponse)), 'BF3E035C015A'O); + + /* Expect the IPAd to query the eIM configuration data from the eUICC */ + f_vpcd_transceive(enc_GetEimConfigurationDataResponse(valueof(ts_getEimConfigurationDataResponse(eim_fqdn))), 'BF5500'O); +} + +/* Handle the closing of logical channel 1 */ +private function f_es10x_close() runs on IPAd_ConnHdlr { + + /* Expect a MANAGE CHANNEL request that closes logical channel 1 */ + f_vpcd_exp(tr_VPCD_DATA('0070800100'O)); + f_vpcd_send(ts_VPCD_DATA('9000'O)); +} + +/* Receive ESipa HTTP request */ +private function f_esipa_receive() runs on IPAd_ConnHdlr return EsipaMessageFromIpaToEim { + var HTTPMessage esipa_req; + timer T := 10.0; + var EsipaMessageFromIpaToEim request; + + T.start; + alt { + [] HTTP_SRV.receive({ request_binary := ? }) -> value esipa_req { + request := dec_EsipaMessageFromIpaToEim(esipa_req.request_binary.body); + } + [] T.timeout { + setverdict(fail, "no HTTP request received?"); + } + } + + return request; +} + +/* Send ESipa HTTP response */ +private function f_esipa_send(EsipaMessageFromEimToIpa response) runs on IPAd_ConnHdlr { + var octetstring esipa_res; + esipa_res := enc_EsipaMessageFromEimToIpa(response); + HTTP_SRV.send(ts_http_resp(esipa_res)); +} + +/* Perform one ESipa HTTP request/response cycle */ +private function f_esipa_transceive(EsipaMessageFromEimToIpa response) runs on IPAd_ConnHdlr return EsipaMessageFromIpaToEim { + var EsipaMessageFromIpaToEim request; + + request := f_esipa_receive(); + f_esipa_send(response); + + return request; +} + +/* Perform one ESipa HTTP request/response cycle but with an empty response */ +private function f_esipa_transceive_empty_response() runs on IPAd_ConnHdlr return EsipaMessageFromIpaToEim { + var EsipaMessageFromIpaToEim request; + + request := f_esipa_receive(); + HTTP_SRV.send(ts_http_resp(''O)); + return request; +} + +/* Common Mutual Authentication Procedure, see also: GSMA SGP.22, section 3.0.1 */ +private function f_proc_cmn_mtl_auth() runs on IPAd_ConnHdlr { + var EsipaMessageFromIpaToEim esipa_req; + var EsipaMessageFromEimToIpa esipa_res; + + /* Step #1 */ + f_vpcd_transceive(enc_EUICCInfo1(valueof(ts_EUICCInfo1)), 'bf2000'O); + + /* Step #2-#4 */ + f_vpcd_transceive(enc_GetEuiccChallengeResponse(valueof(ts_GetEuiccChallengeResponse)), 'bf2e00'O); + + /* Step #5-#10 */ + esipa_req := f_esipa_receive(); + if (not match(esipa_req, tr_initiateAuthenticationRequestEsipa)) { + setverdict(fail, "unexpected message from IPAd"); + } + esipa_res := valueof(ts_initiateAuthenticationResponseEsipa(euiccChallenge := esipa_req.initiateAuthenticationRequestEsipa.euiccChallenge)); + f_esipa_send(esipa_res); + + /* Step #11-#14 */ + f_vpcd_transceive(enc_AuthenticateServerResponse(valueof(ts_authenticateServerResponse))); + + /* Step #15-#17 */ + esipa_req := f_esipa_transceive(valueof(ts_authenticateClientResponseEsipa_dpe)); + if (not match(esipa_req, tr_authenticateClientRequestEsipa)) { + setverdict(fail, "unexpected message from IPAd"); + } +} + +/* ********************************************* */ +/* ********** BELOW ONLY TESTCASES! ************ */ +/* ********************************************* */ + + +/* A testcase to try out an the Common Mutual Authentication Procedure */ +private function f_TC_proc_direct_prfle_dwnld(charstring id) runs on IPAd_ConnHdlr { + var EsipaMessageFromIpaToEim esipa_req; + var EsipaMessageFromEimToIpa esipa_res; + var integer i; + var charstring eim_fqdn := mp_esipa_ip & ":" & int2str(mp_esipa_port); + var BoundProfilePackage boundProfilePackage; + + f_es10x_init(); + f_http_register(); + + /* Prepare direct profile download by responding with a download trigger request */ + esipa_res := valueof(ts_getEimPackageResponse_dnlTrigReq); + esipa_req := f_esipa_transceive(esipa_res); + if (not match(esipa_req, tr_getEimPackageRequest)) { + setverdict(fail, "unexpected message from IPAd"); + } + + /* Expect the IPAd to query the eIM configuration data from the eUICC */ + f_vpcd_transceive(enc_GetEimConfigurationDataResponse(valueof(ts_getEimConfigurationDataResponse(eim_fqdn))), 'BF5500'O); + + f_proc_cmn_mtl_auth(); + + f_vpcd_transceive(enc_PrepareDownloadResponse(valueof(ts_prepareDownloadResponse))); + + esipa_res := valueof(ts_getBoundProfilePackageResponseEsipa); + esipa_req := f_esipa_transceive(esipa_res); + boundProfilePackage := esipa_res.getBoundProfilePackageResponseEsipa.getBoundProfilePackageOkEsipa.boundProfilePackage; + /* TODO: match response (we do not have a template yet) */ + + /* initialiseSecureChannelRequest */ + f_vpcd_transceive(''O); + + /* Step #3 (ES8+.ConfigureISDP) */ + for (i := 0; i < sizeof(boundProfilePackage.firstSequenceOf87); i := i + 1) { + f_vpcd_transceive(''O); + } + + /* Step #4 (ES8+.StoreMetadata) */ + for (i := 0; i < sizeof(boundProfilePackage.sequenceOf88); i := i + 1) { + f_vpcd_transceive(''O); + } + + /* Step #5 (ES8+.ReplaceSessionKeys", optional, left out) */ + if (ispresent(boundProfilePackage.secondSequenceOf87)) { + for (i := 0; i < sizeof(boundProfilePackage.secondSequenceOf87); i := i + 1) { + f_vpcd_transceive(''O); + } + } + + /* Step #6 (ES8+.LoadProfileElements) */ + for (i := 0; i < sizeof(boundProfilePackage.sequenceOf86); i := i + 1) { + if (i < sizeof(boundProfilePackage.sequenceOf86) - 1) { + f_vpcd_transceive(''O); + } else { + /* In the last message we send the ProfileInstallationResult */ + f_vpcd_transceive(enc_ProfileInstallationResult(valueof(ts_profileInstallationResult))); + } + } + + /* Receive ProfileInstallationResult from iPAD->eIM */ + esipa_req := f_esipa_transceive_empty_response(); + /* TODO: match response (we do not have a template yet) */ + + /* Receive RemoveNotificationFromList from iPAD->eUICC */ + f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse))); + + /* Wait some time until the the last HTTP response is actually delivered */ + f_sleep(2.0); + + f_es10x_close(); + + setverdict(pass); +} +testcase TC_proc_direct_prfle_dwnld() runs on MTC_CT { + var charstring id := testcasename(); + var IPAd_ConnHdlrPars pars := f_init_pars(); + var IPAd_ConnHdlr vc_conn; + f_init(id); + vc_conn := f_start_handler(refers(f_TC_proc_direct_prfle_dwnld), pars); + vc_conn.done; + setverdict(pass); +} + + +/* A testcase to try out an the Generic eUICC Package Download and Execution Procedure */ +private function f_TC_proc_euicc_pkg_dwnld_exec(charstring id) runs on IPAd_ConnHdlr { + var EsipaMessageFromIpaToEim esipa_req; + var EsipaMessageFromEimToIpa esipa_res; + + f_es10x_init(); + f_http_register(); + + /* Step #1-#2 */ + esipa_res := valueof(ts_getEimPackageResponse_euiccPkgReq); + esipa_req := f_esipa_transceive(esipa_res); + if (not match(esipa_req, tr_getEimPackageRequest)) { + setverdict(fail, "unexpected message from IPAd"); + } + + /* Step #3-#8 */ + f_vpcd_transceive(enc_EuiccPackageResult(valueof(ts_euiccPackageResult))); + + /* Step #9 */ + f_vpcd_transceive(enc_RetrieveNotificationsListResponse(valueof(ts_retrieveNotificationsListResponse))); + + /* Step #10-14 */ + esipa_res := valueof(ts_provideEimPackageResultResponse_eimAck(eimAcknowledgements := {1,2,3,4})); + esipa_req := f_esipa_transceive(esipa_res); + if (not match(esipa_req, tr_provideEimPackageResult_ePRAndNotif)) { + setverdict(fail, "unexpected message from IPAd"); + } + + /* Step #15-17 */ + f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse))); + f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse))); + f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse))); + f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse))); + f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse))); + + /* Wait some time until the the last HTTP response is actually delivered */ + f_sleep(2.0); + + f_es10x_close(); + + setverdict(pass); +} + +testcase TC_proc_euicc_pkg_dwnld_exec() runs on MTC_CT { + var charstring id := testcasename(); + var IPAd_ConnHdlrPars pars := f_init_pars(); + var IPAd_ConnHdlr vc_conn; + f_init(id); + vc_conn := f_start_handler(refers(f_TC_proc_euicc_pkg_dwnld_exec), pars); + vc_conn.done; + setverdict(pass); +} + + +/* A testcase to try out an the Generic eUICC Package Download and Execution Procedure, but this time we force a rollback meneuver */ +private function f_TC_proc_euicc_pkg_dwnld_exec_rollback(charstring id) runs on IPAd_ConnHdlr { + var EsipaMessageFromIpaToEim esipa_req; + var EsipaMessageFromEimToIpa esipa_res; + + f_es10x_init(); + f_http_register(); + + /* Step #1-#2 */ + esipa_res := valueof(ts_getEimPackageResponse_euiccPkgReq); + esipa_req := f_esipa_transceive(esipa_res); + if (not match(esipa_req, tr_getEimPackageRequest)) { + setverdict(fail, "unexpected message from IPAd"); + } + + /* Step #3-#8 */ + f_vpcd_transceive(enc_EuiccPackageResult(valueof(ts_euiccPackageResult))); + + /* Step #9 */ + f_vpcd_transceive(enc_RetrieveNotificationsListResponse(valueof(ts_retrieveNotificationsListResponse))); + + /* We now ignore the response from the IPAd. The IPAd will interpret this as a disturbed IP connection. */ + f_esipa_receive(); + + /* To fix the problem, the IPAd will now try a profile rollback meneuver. */ + f_vpcd_transceive(enc_ProfileRollbackResponse(valueof(ts_profileRollbackResponse)), + enc_ProfileRollbackRequest(valueof(ts_profileRollbackRequest))); + + /* At this point the old profile is active again. The IPAd is now expected to start at Step #9 again + * to continue the procedure normally. */ + + /* Step #9 */ + f_vpcd_transceive(enc_RetrieveNotificationsListResponse(valueof(ts_retrieveNotificationsListResponse))); + + /* Step #10-14 */ + esipa_res := valueof(ts_provideEimPackageResultResponse_eimAck(eimAcknowledgements := {1,2,3,4})); + esipa_req := f_esipa_transceive(esipa_res); + if (not match(esipa_req, tr_provideEimPackageResult_ePRAndNotif)) { + setverdict(fail, "unexpected message from IPAd"); + } + + /* Step #15-17 */ + f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse))); + f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse))); + f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse))); + f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse))); + f_vpcd_transceive(enc_NotificationSentResponse(valueof(ts_notificationSentResponse))); + + /* Wait some time until the the last HTTP response is actually delivered */ + f_sleep(2.0); + + f_es10x_close(); + + setverdict(pass); +} + +testcase TC_proc_euicc_pkg_dwnld_exec_rollback() runs on MTC_CT { + var charstring id := testcasename(); + var IPAd_ConnHdlrPars pars := f_init_pars(); + var IPAd_ConnHdlr vc_conn; + f_init(id); + vc_conn := f_start_handler(refers(f_TC_proc_euicc_pkg_dwnld_exec_rollback), pars); + vc_conn.done; + setverdict(pass); +} + + +/* A testcase to try out an IpaEuiccDataRequest */ +private function f_TC_proc_euicc_data_req(charstring id) runs on IPAd_ConnHdlr { + var EsipaMessageFromIpaToEim esipa_req; + var EsipaMessageFromEimToIpa esipa_res; + var charstring eim_fqdn := mp_esipa_ip & ":" & int2str(mp_esipa_port); + + f_es10x_init(); + f_http_register(); + + /* IPAd requests a package, we tell it to execute an ipaEuiccDataRequest */ + esipa_res := valueof(ts_getEimPackageResponse_euiccDataReq); + esipa_req := f_esipa_transceive(esipa_res); + if (not match(esipa_req, tr_getEimPackageRequest)) { + setverdict(fail, "unexpected message from IPAd"); + } + + /* IPAd will obtain the data from the eUICC */ + f_vpcd_transceive(enc_EuiccConfiguredAddressesResponse(valueof(ts_euiccConfiguredAddressesResponse))); + f_vpcd_transceive(enc_EUICCInfo1(valueof(ts_EUICCInfo1))); + f_vpcd_transceive(enc_EUICCInfo2(valueof(ts_EUICCInfo2))); + f_vpcd_transceive(enc_GetEimConfigurationDataResponse(valueof(ts_getEimConfigurationDataResponse(eim_fqdn)))); + f_vpcd_transceive(enc_GetCertsResponse(valueof(ts_getCertsResponse))); + f_vpcd_transceive(enc_RetrieveNotificationsListResponse(valueof(ts_retrieveNotificationsListResponse))); + + /* IPAd will return the data to us */ + esipa_res := valueof(ts_provideEimPackageResultResponse_eimAck(eimAcknowledgements := {1,2,3,4})); + esipa_req := f_esipa_transceive(esipa_res); + + /* Wait some time until the the last HTTP response is actually delivered */ + f_sleep(2.0); + + f_es10x_close(); + + setverdict(pass); +} +testcase TC_proc_euicc_data_req() runs on MTC_CT { + var charstring id := testcasename(); + var IPAd_ConnHdlrPars pars := f_init_pars(); + var IPAd_ConnHdlr vc_conn; + f_init(id); + vc_conn := f_start_handler(refers(f_TC_proc_euicc_data_req), pars); + vc_conn.done; + setverdict(pass); +} + +/* A testcase to try out what happens when the eIM package request is rejected */ +private function f_TC_get_eim_pkg_req_rej(charstring id) runs on IPAd_ConnHdlr { + var EsipaMessageFromIpaToEim esipa_req; + var EsipaMessageFromEimToIpa esipa_res; + + f_es10x_init(); + f_http_register(); + + /* IPAd requests a package, we respond with an eimPackageError code 127 (undefined error) */ + esipa_res := valueof(ts_getEimPackageResponse_eimPkgErrUndef); + esipa_req := f_esipa_transceive(esipa_res); + if (not match(esipa_req, tr_getEimPackageRequest)) { + setverdict(fail, "unexpected message from IPAd"); + } + + /* Wait some time until the the last HTTP response is actually delivered */ + f_sleep(2.0); + + f_es10x_close(); + + setverdict(pass); +} +testcase TC_get_eim_pkg_req_rej() runs on MTC_CT { + var charstring id := testcasename(); + var IPAd_ConnHdlrPars pars := f_init_pars(); + var IPAd_ConnHdlr vc_conn; + f_init(id); + vc_conn := f_start_handler(refers(f_TC_get_eim_pkg_req_rej), pars); + vc_conn.done; + setverdict(pass); +} + +control { + execute ( TC_proc_direct_prfle_dwnld() ); + execute ( TC_proc_euicc_pkg_dwnld_exec() ); + execute ( TC_proc_euicc_pkg_dwnld_exec_rollback() ); + execute ( TC_proc_euicc_data_req() ); + execute ( TC_get_eim_pkg_req_rej() ); +} + +} diff --git a/ipad/example_ca/pki/ca.crt b/ipad/example_ca/pki/ca.crt new file mode 100644 index 0000000..4dfdf16 --- /dev/null +++ b/ipad/example_ca/pki/ca.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDTTCCAjWgAwIBAgIUZjLnFa4g4tdrDjujUMElWkVpFKAwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwIBcNMjQwNDI1MTUzMzU2WhgPMzAy +MzA4MjcxNTMzNTZaMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnR8Y1ESTRhfjVNZ0+nuhQsvkMhZnOMpaEoJz +pCzHV0Cj6Mi814gPanvflAX/9F+4IjQ2evm7pNKNUpt1vf6kKTmco0EX672spP4p +8KOQaki/+I/AMYCwAGOvmCMYpHMzNTkV9PZIUUyzLG5YaigiMtJpWY+ji/G+kxAg +YzPr4WhTjG+mEoPjfc9LQH5dh/dP0cdkoZuIHWx6kFxAw/Okb1EF/oGrUT4pOLzg +/Z5wkOYZhlK0bicCqvYfsUjJ4y0ftCXfjQUtAYfQ4gq6revQ7eHCNKixh+BB8yXO +7/z6qrTfMTmN2Ekdo5nAyAMOeugaExaSLwYti3afX71RuqrtTwIDAQABo4GQMIGN +MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFNtLqZUsrQWfz8g83jssJ4HXKGVIMFEG +A1UdIwRKMEiAFNtLqZUsrQWfz8g83jssJ4HXKGVIoRqkGDAWMRQwEgYDVQQDDAtF +YXN5LVJTQSBDQYIUZjLnFa4g4tdrDjujUMElWkVpFKAwCwYDVR0PBAQDAgEGMA0G +CSqGSIb3DQEBCwUAA4IBAQAADFdB7R2mwfMWj3vUR77v9f3wqJdKgUyleXGKu6ot +9YL8vYAJUL9sojZ8KeR47PDVpOs7v0Ll3RcfqRrDWQ9/MiMqSMcxh/i9dvyf5d9s +o2kxqiPaMVPkLzGKE04I0XtAlszqOBYsGO83D2FuJsIWglvvOjNYvJ05LMVJObnq +gpwY3TwhoKeWAQg6U5Yv6dLDjvbYPTwgArNpY97BxY0GZNyiyJgyag21cVui+tsd +uLKVKhmW/EhCC52wsEMwLAsiOjNpVXwAkPWaWAbUJIJTyuc2ZFpx9D2T40H1U8Pj +6UXwCkZ7C9qwKKyusG8duf/Xsdsft3Pm8XykSWWya6Um +-----END CERTIFICATE----- diff --git a/ipad/example_ca/pki/certs_by_serial/2AA3F8FFC3B562AFC67845389A5F2C5A.pem b/ipad/example_ca/pki/certs_by_serial/2AA3F8FFC3B562AFC67845389A5F2C5A.pem new file mode 100644 index 0000000..14904d1 --- /dev/null +++ b/ipad/example_ca/pki/certs_by_serial/2AA3F8FFC3B562AFC67845389A5F2C5A.pem @@ -0,0 +1,87 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 2a:a3:f8:ff:c3:b5:62:af:c6:78:45:38:9a:5f:2c:5a + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=Easy-RSA CA + Validity + Not Before: Apr 25 15:34:30 2024 GMT + Not After : Aug 27 15:34:30 3023 GMT + Subject: CN=testsuite + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:bc:0d:37:f1:b1:2d:4c:0e:af:a1:51:85:92:1f: + 1b:3c:ef:04:18:24:d1:d6:0e:eb:73:64:86:da:c6: + 65:e2:b2:74:fb:6e:c0:b9:5d:fe:67:61:44:3a:bf: + 20:6e:a7:53:9c:7b:8e:6b:ec:c4:55:ec:0b:f9:44: + 08:6a:54:35:59:82:9a:63:60:0b:37:dd:22:5d:e3: + 43:81:4e:51:ae:0a:67:31:bb:b1:d3:70:0e:a8:46: + 2f:11:ec:b6:e9:58:25:0a:c9:72:4a:97:f1:d5:7a: + 0d:68:90:eb:73:c2:e1:81:12:cd:08:1b:21:e9:ce: + 58:3e:dc:81:de:b7:65:31:bd:c4:8b:5a:d1:06:9b: + c0:ea:b7:63:8f:fb:a5:67:37:7e:d5:69:07:56:67: + f3:e7:37:5d:84:86:52:25:94:9e:6a:60:a2:5c:bf: + 5e:0b:cb:c8:83:1a:17:51:84:f1:16:f0:83:46:b6: + bb:97:f3:4f:ba:41:1f:30:a8:d5:ee:4e:2e:78:00: + 9b:25:fd:0c:ec:cc:57:a3:82:b5:54:56:fd:25:f9: + ff:b8:5f:1b:55:ae:57:16:35:0d:cc:9a:cf:d0:2c: + 4a:dd:d5:ae:2a:7e:76:73:af:b8:d9:a0:35:61:82: + 3d:a0:d1:ce:a3:d8:82:1b:0c:9a:bc:a5:0b:2d:00: + d0:e9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 20:11:06:2E:BB:B0:0B:05:D4:CE:4F:BC:5F:51:39:E7:96:94:4F:26 + X509v3 Authority Key Identifier: + keyid:DB:4B:A9:95:2C:AD:05:9F:CF:C8:3C:DE:3B:2C:27:81:D7:28:65:48 + DirName:/CN=Easy-RSA CA + serial:66:32:E7:15:AE:20:E2:D7:6B:0E:3B:A3:50:C1:25:5A:45:69:14:A0 + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Key Usage: + Digital Signature, Key Encipherment + X509v3 Subject Alternative Name: + DNS:testsuite + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 78:b1:28:25:f5:17:7a:c2:a0:2e:b8:bb:15:dc:aa:e8:8f:aa: + ae:f3:48:0e:46:29:71:d7:24:6b:cd:da:4e:b1:8c:1a:40:01: + 79:03:ca:2d:45:76:c9:08:61:50:eb:03:9c:82:9f:d6:37:d8: + 60:42:fc:59:35:b7:42:69:fd:36:45:93:a3:17:df:dd:5d:84: + 19:04:70:4f:c8:5f:3e:96:27:49:03:81:a7:55:2c:16:7e:be: + 65:26:71:48:eb:5b:36:38:c1:a9:87:f0:ad:2e:40:5b:e8:12: + 39:f5:d0:60:71:55:d7:4b:fb:d0:bf:35:11:fb:2e:9c:4f:e6: + b1:35:c6:45:b4:73:68:99:d9:27:fa:4e:98:25:7d:6e:7c:1b: + 22:e8:c2:83:6f:3b:1f:4c:27:70:94:1a:ef:fb:2b:fd:9d:3c: + a2:ce:f2:4b:d1:8e:e7:6d:db:ec:22:1c:b9:b4:c1:bc:17:82: + ea:e1:1f:76:1a:4a:d6:59:b3:24:e5:e4:67:b9:ce:d3:73:67: + dd:48:82:04:bc:8f:50:34:c0:0e:42:6e:7e:63:ac:e6:ab:71: + b7:79:5b:f7:8e:8c:48:ac:ef:ae:c6:b0:e9:ae:d7:94:9b:58: + e9:2b:e8:40:93:1b:62:51:2d:06:a4:ca:8c:e6:7e:8c:5a:d0: + 6d:69:86:6f +-----BEGIN CERTIFICATE----- +MIIDbzCCAlegAwIBAgIQKqP4/8O1Yq/GeEU4ml8sWjANBgkqhkiG9w0BAQsFADAW +MRQwEgYDVQQDDAtFYXN5LVJTQSBDQTAgFw0yNDA0MjUxNTM0MzBaGA8zMDIzMDgy +NzE1MzQzMFowFDESMBAGA1UEAwwJdGVzdHN1aXRlMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAvA038bEtTA6voVGFkh8bPO8EGCTR1g7rc2SG2sZl4rJ0 ++27AuV3+Z2FEOr8gbqdTnHuOa+zEVewL+UQIalQ1WYKaY2ALN90iXeNDgU5Rrgpn +Mbux03AOqEYvEey26VglCslySpfx1XoNaJDrc8LhgRLNCBsh6c5YPtyB3rdlMb3E +i1rRBpvA6rdjj/ulZzd+1WkHVmfz5zddhIZSJZSeamCiXL9eC8vIgxoXUYTxFvCD +Rra7l/NPukEfMKjV7k4ueACbJf0M7MxXo4K1VFb9Jfn/uF8bVa5XFjUNzJrP0CxK +3dWuKn52c6+42aA1YYI9oNHOo9iCGwyavKULLQDQ6QIDAQABo4G4MIG1MAkGA1Ud +EwQCMAAwHQYDVR0OBBYEFCARBi67sAsF1M5PvF9ROeeWlE8mMFEGA1UdIwRKMEiA +FNtLqZUsrQWfz8g83jssJ4HXKGVIoRqkGDAWMRQwEgYDVQQDDAtFYXN5LVJTQSBD +QYIUZjLnFa4g4tdrDjujUMElWkVpFKAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYD +VR0PBAQDAgWgMBQGA1UdEQQNMAuCCXRlc3RzdWl0ZTANBgkqhkiG9w0BAQsFAAOC +AQEAeLEoJfUXesKgLri7Fdyq6I+qrvNIDkYpcdcka83aTrGMGkABeQPKLUV2yQhh +UOsDnIKf1jfYYEL8WTW3Qmn9NkWToxff3V2EGQRwT8hfPpYnSQOBp1UsFn6+ZSZx +SOtbNjjBqYfwrS5AW+gSOfXQYHFV10v70L81EfsunE/msTXGRbRzaJnZJ/pOmCV9 +bnwbIujCg287H0wncJQa7/sr/Z08os7yS9GO523b7CIcubTBvBeC6uEfdhpK1lmz +JOXkZ7nO03Nn3UiCBLyPUDTADkJufmOs5qtxt3lb946MSKzvrsaw6a7XlJtY6Svo +QJMbYlEtBqTKjOZ+jFrQbWmGbw== +-----END CERTIFICATE----- diff --git a/ipad/example_ca/pki/certs_by_serial/FAEE71AC9CF85B804DCE4BD357F83209.pem b/ipad/example_ca/pki/certs_by_serial/FAEE71AC9CF85B804DCE4BD357F83209.pem new file mode 100644 index 0000000..070adb2 --- /dev/null +++ b/ipad/example_ca/pki/certs_by_serial/FAEE71AC9CF85B804DCE4BD357F83209.pem @@ -0,0 +1,87 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + fa:ee:71:ac:9c:f8:5b:80:4d:ce:4b:d3:57:f8:32:09 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=Easy-RSA CA + Validity + Not Before: Apr 25 15:34:18 2024 GMT + Not After : Aug 27 15:34:18 3023 GMT + Subject: CN=alttest + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:94:f6:7e:2b:41:ee:00:d6:f5:2f:54:66:f4:41: + 39:69:ee:64:0b:15:46:59:ce:00:b6:bf:2a:aa:f7: + 0e:75:c4:e5:a1:b7:b3:86:1c:24:06:fa:91:41:f1: + 0b:87:3a:ee:26:27:28:62:1d:ac:35:54:e5:a3:ac: + 48:a7:9a:aa:be:2e:60:52:7c:de:cf:c3:28:11:42: + 57:52:9d:44:24:8f:b0:b6:fb:36:ef:4f:aa:7e:2c: + 57:5e:07:8a:03:fc:18:03:e8:58:6b:88:98:a8:93: + ac:69:01:b1:9c:ef:3b:fe:04:47:9e:28:e2:c6:15: + f9:5c:df:de:24:1e:2f:a4:e0:b2:01:94:7e:b8:00: + 76:b0:dd:36:55:22:f2:2d:3a:c7:b1:d8:67:7e:ca: + 2d:22:b8:dc:9d:87:34:0c:c1:11:c7:72:2b:b8:ed: + 1b:d8:75:6d:0d:49:e1:f6:bf:12:dd:19:84:87:2e: + 6d:c6:7d:7e:42:33:2a:05:a2:ff:5d:07:10:83:a4: + c0:35:a9:f8:00:96:29:9f:bc:53:6c:81:18:7b:e4: + c6:41:54:7f:12:a3:5a:77:cb:0f:cf:52:8c:83:9a: + 30:03:ca:77:65:b2:c0:0b:00:67:86:50:77:b1:f5: + 79:b7:20:62:25:f8:3b:ca:cd:c4:da:d1:c0:81:fd: + db:8b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 04:2E:A0:68:00:D7:DB:D3:E5:73:93:FC:1C:E5:30:78:D1:5B:24:E8 + X509v3 Authority Key Identifier: + keyid:DB:4B:A9:95:2C:AD:05:9F:CF:C8:3C:DE:3B:2C:27:81:D7:28:65:48 + DirName:/CN=Easy-RSA CA + serial:66:32:E7:15:AE:20:E2:D7:6B:0E:3B:A3:50:C1:25:5A:45:69:14:A0 + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Key Usage: + Digital Signature, Key Encipherment + X509v3 Subject Alternative Name: + DNS:localhost, IP Address:127.0.0.1 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 41:35:5e:7e:14:46:96:3e:c9:8e:fe:88:f8:d6:07:6b:8b:b7: + 8e:02:c4:63:97:79:ec:4a:46:cc:72:4d:7a:cc:9b:13:d9:6b: + 5c:f9:b5:b6:c8:04:cf:f9:e0:23:b2:4e:ec:b0:80:85:84:be: + a9:1d:8d:4e:8b:26:09:d1:50:83:df:a2:d6:cc:ec:8c:36:b0: + c4:a9:cb:14:ba:2d:e2:f3:93:9a:e5:ae:fe:a6:b7:37:c2:17: + 52:17:b2:f3:4e:3a:04:88:9b:50:7e:c5:73:6f:63:5c:ab:32: + 47:0d:1c:b4:63:d4:de:c0:6b:ce:ec:26:8d:8c:40:83:c1:c2: + 29:48:f8:0f:a1:b1:f9:5e:2b:91:fb:0d:32:26:db:73:ef:36: + 03:d1:24:3e:59:8d:39:09:29:61:85:64:69:be:ee:ec:6d:dd: + 6d:7c:93:22:b5:44:19:ed:11:f5:46:7d:f5:be:74:ce:46:85: + 5d:24:9f:4e:b8:27:4b:7f:ba:72:5c:f7:24:10:b6:7b:fb:cb: + a0:d1:59:5b:d3:5f:e9:a3:e9:fd:c3:36:2f:b6:b5:eb:e6:1d: + 9b:71:d6:53:26:95:26:64:14:25:47:b8:3b:d4:96:be:51:98: + e5:4d:cf:47:66:e8:fc:e9:bc:e6:6c:2b:e6:87:d8:cb:64:82: + d8:63:31:c9 +-----BEGIN CERTIFICATE----- +MIIDdDCCAlygAwIBAgIRAPrucayc+FuATc5L01f4MgkwDQYJKoZIhvcNAQELBQAw +FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwIBcNMjQwNDI1MTUzNDE4WhgPMzAyMzA4 +MjcxNTM0MThaMBIxEDAOBgNVBAMMB2FsdHRlc3QwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQCU9n4rQe4A1vUvVGb0QTlp7mQLFUZZzgC2vyqq9w51xOWh +t7OGHCQG+pFB8QuHOu4mJyhiHaw1VOWjrEinmqq+LmBSfN7PwygRQldSnUQkj7C2 ++zbvT6p+LFdeB4oD/BgD6FhriJiok6xpAbGc7zv+BEeeKOLGFflc394kHi+k4LIB +lH64AHaw3TZVIvItOsex2Gd+yi0iuNydhzQMwRHHciu47RvYdW0NSeH2vxLdGYSH +Lm3GfX5CMyoFov9dBxCDpMA1qfgAlimfvFNsgRh75MZBVH8So1p3yw/PUoyDmjAD +yndlssALAGeGUHex9Xm3IGIl+DvKzcTa0cCB/duLAgMBAAGjgb4wgbswCQYDVR0T +BAIwADAdBgNVHQ4EFgQUBC6gaADX29Plc5P8HOUweNFbJOgwUQYDVR0jBEowSIAU +20uplSytBZ/PyDzeOywngdcoZUihGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENB +ghRmMucVriDi12sOO6NQwSVaRWkUoDATBgNVHSUEDDAKBggrBgEFBQcDATALBgNV +HQ8EBAMCBaAwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEB +CwUAA4IBAQBBNV5+FEaWPsmO/oj41gdri7eOAsRjl3nsSkbMck16zJsT2Wtc+bW2 +yATP+eAjsk7ssICFhL6pHY1OiyYJ0VCD36LWzOyMNrDEqcsUui3i85Oa5a7+prc3 +whdSF7LzTjoEiJtQfsVzb2NcqzJHDRy0Y9TewGvO7CaNjECDwcIpSPgPobH5XiuR ++w0yJttz7zYD0SQ+WY05CSlhhWRpvu7sbd1tfJMitUQZ7RH1Rn31vnTORoVdJJ9O +uCdLf7pyXPckELZ7+8ug0Vlb01/po+n9wzYvtrXr5h2bcdZTJpUmZBQlR7g71Ja+ +UZjlTc9HZuj86bzmbCvmh9jLZILYYzHJ +-----END CERTIFICATE----- diff --git a/ipad/example_ca/pki/index.txt b/ipad/example_ca/pki/index.txt new file mode 100644 index 0000000..dd39679 --- /dev/null +++ b/ipad/example_ca/pki/index.txt @@ -0,0 +1,2 @@ +V 30230827153418Z FAEE71AC9CF85B804DCE4BD357F83209 unknown /CN=alttest +V 30230827153430Z 2AA3F8FFC3B562AFC67845389A5F2C5A unknown /CN=testsuite diff --git a/ipad/example_ca/pki/index.txt.attr b/ipad/example_ca/pki/index.txt.attr new file mode 100644 index 0000000..3a7e39e --- /dev/null +++ b/ipad/example_ca/pki/index.txt.attr @@ -0,0 +1 @@ +unique_subject = no diff --git a/ipad/example_ca/pki/index.txt.attr.old b/ipad/example_ca/pki/index.txt.attr.old new file mode 100644 index 0000000..3a7e39e --- /dev/null +++ b/ipad/example_ca/pki/index.txt.attr.old @@ -0,0 +1 @@ +unique_subject = no diff --git a/ipad/example_ca/pki/index.txt.old b/ipad/example_ca/pki/index.txt.old new file mode 100644 index 0000000..605de4c --- /dev/null +++ b/ipad/example_ca/pki/index.txt.old @@ -0,0 +1 @@ +V 30230827153418Z FAEE71AC9CF85B804DCE4BD357F83209 unknown /CN=alttest diff --git a/ipad/example_ca/pki/issued/alttest.cabundle b/ipad/example_ca/pki/issued/alttest.cabundle new file mode 100644 index 0000000..c7a4426 --- /dev/null +++ b/ipad/example_ca/pki/issued/alttest.cabundle @@ -0,0 +1,42 @@ +-----BEGIN CERTIFICATE----- +MIIDdDCCAlygAwIBAgIRAPrucayc+FuATc5L01f4MgkwDQYJKoZIhvcNAQELBQAw +FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwIBcNMjQwNDI1MTUzNDE4WhgPMzAyMzA4 +MjcxNTM0MThaMBIxEDAOBgNVBAMMB2FsdHRlc3QwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQCU9n4rQe4A1vUvVGb0QTlp7mQLFUZZzgC2vyqq9w51xOWh +t7OGHCQG+pFB8QuHOu4mJyhiHaw1VOWjrEinmqq+LmBSfN7PwygRQldSnUQkj7C2 ++zbvT6p+LFdeB4oD/BgD6FhriJiok6xpAbGc7zv+BEeeKOLGFflc394kHi+k4LIB +lH64AHaw3TZVIvItOsex2Gd+yi0iuNydhzQMwRHHciu47RvYdW0NSeH2vxLdGYSH +Lm3GfX5CMyoFov9dBxCDpMA1qfgAlimfvFNsgRh75MZBVH8So1p3yw/PUoyDmjAD +yndlssALAGeGUHex9Xm3IGIl+DvKzcTa0cCB/duLAgMBAAGjgb4wgbswCQYDVR0T +BAIwADAdBgNVHQ4EFgQUBC6gaADX29Plc5P8HOUweNFbJOgwUQYDVR0jBEowSIAU +20uplSytBZ/PyDzeOywngdcoZUihGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENB +ghRmMucVriDi12sOO6NQwSVaRWkUoDATBgNVHSUEDDAKBggrBgEFBQcDATALBgNV +HQ8EBAMCBaAwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEB +CwUAA4IBAQBBNV5+FEaWPsmO/oj41gdri7eOAsRjl3nsSkbMck16zJsT2Wtc+bW2 +yATP+eAjsk7ssICFhL6pHY1OiyYJ0VCD36LWzOyMNrDEqcsUui3i85Oa5a7+prc3 +whdSF7LzTjoEiJtQfsVzb2NcqzJHDRy0Y9TewGvO7CaNjECDwcIpSPgPobH5XiuR ++w0yJttz7zYD0SQ+WY05CSlhhWRpvu7sbd1tfJMitUQZ7RH1Rn31vnTORoVdJJ9O +uCdLf7pyXPckELZ7+8ug0Vlb01/po+n9wzYvtrXr5h2bcdZTJpUmZBQlR7g71Ja+ +UZjlTc9HZuj86bzmbCvmh9jLZILYYzHJ +-----END CERTIFICATE----- + +-----BEGIN CERTIFICATE----- +MIIDTTCCAjWgAwIBAgIUZjLnFa4g4tdrDjujUMElWkVpFKAwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwIBcNMjQwNDI1MTUzMzU2WhgPMzAy +MzA4MjcxNTMzNTZaMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnR8Y1ESTRhfjVNZ0+nuhQsvkMhZnOMpaEoJz +pCzHV0Cj6Mi814gPanvflAX/9F+4IjQ2evm7pNKNUpt1vf6kKTmco0EX672spP4p +8KOQaki/+I/AMYCwAGOvmCMYpHMzNTkV9PZIUUyzLG5YaigiMtJpWY+ji/G+kxAg +YzPr4WhTjG+mEoPjfc9LQH5dh/dP0cdkoZuIHWx6kFxAw/Okb1EF/oGrUT4pOLzg +/Z5wkOYZhlK0bicCqvYfsUjJ4y0ftCXfjQUtAYfQ4gq6revQ7eHCNKixh+BB8yXO +7/z6qrTfMTmN2Ekdo5nAyAMOeugaExaSLwYti3afX71RuqrtTwIDAQABo4GQMIGN +MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFNtLqZUsrQWfz8g83jssJ4HXKGVIMFEG +A1UdIwRKMEiAFNtLqZUsrQWfz8g83jssJ4HXKGVIoRqkGDAWMRQwEgYDVQQDDAtF +YXN5LVJTQSBDQYIUZjLnFa4g4tdrDjujUMElWkVpFKAwCwYDVR0PBAQDAgEGMA0G +CSqGSIb3DQEBCwUAA4IBAQAADFdB7R2mwfMWj3vUR77v9f3wqJdKgUyleXGKu6ot +9YL8vYAJUL9sojZ8KeR47PDVpOs7v0Ll3RcfqRrDWQ9/MiMqSMcxh/i9dvyf5d9s +o2kxqiPaMVPkLzGKE04I0XtAlszqOBYsGO83D2FuJsIWglvvOjNYvJ05LMVJObnq +gpwY3TwhoKeWAQg6U5Yv6dLDjvbYPTwgArNpY97BxY0GZNyiyJgyag21cVui+tsd +uLKVKhmW/EhCC52wsEMwLAsiOjNpVXwAkPWaWAbUJIJTyuc2ZFpx9D2T40H1U8Pj +6UXwCkZ7C9qwKKyusG8duf/Xsdsft3Pm8XykSWWya6Um +-----END CERTIFICATE----- diff --git a/ipad/example_ca/pki/issued/alttest.crt b/ipad/example_ca/pki/issued/alttest.crt new file mode 100644 index 0000000..070adb2 --- /dev/null +++ b/ipad/example_ca/pki/issued/alttest.crt @@ -0,0 +1,87 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + fa:ee:71:ac:9c:f8:5b:80:4d:ce:4b:d3:57:f8:32:09 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=Easy-RSA CA + Validity + Not Before: Apr 25 15:34:18 2024 GMT + Not After : Aug 27 15:34:18 3023 GMT + Subject: CN=alttest + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:94:f6:7e:2b:41:ee:00:d6:f5:2f:54:66:f4:41: + 39:69:ee:64:0b:15:46:59:ce:00:b6:bf:2a:aa:f7: + 0e:75:c4:e5:a1:b7:b3:86:1c:24:06:fa:91:41:f1: + 0b:87:3a:ee:26:27:28:62:1d:ac:35:54:e5:a3:ac: + 48:a7:9a:aa:be:2e:60:52:7c:de:cf:c3:28:11:42: + 57:52:9d:44:24:8f:b0:b6:fb:36:ef:4f:aa:7e:2c: + 57:5e:07:8a:03:fc:18:03:e8:58:6b:88:98:a8:93: + ac:69:01:b1:9c:ef:3b:fe:04:47:9e:28:e2:c6:15: + f9:5c:df:de:24:1e:2f:a4:e0:b2:01:94:7e:b8:00: + 76:b0:dd:36:55:22:f2:2d:3a:c7:b1:d8:67:7e:ca: + 2d:22:b8:dc:9d:87:34:0c:c1:11:c7:72:2b:b8:ed: + 1b:d8:75:6d:0d:49:e1:f6:bf:12:dd:19:84:87:2e: + 6d:c6:7d:7e:42:33:2a:05:a2:ff:5d:07:10:83:a4: + c0:35:a9:f8:00:96:29:9f:bc:53:6c:81:18:7b:e4: + c6:41:54:7f:12:a3:5a:77:cb:0f:cf:52:8c:83:9a: + 30:03:ca:77:65:b2:c0:0b:00:67:86:50:77:b1:f5: + 79:b7:20:62:25:f8:3b:ca:cd:c4:da:d1:c0:81:fd: + db:8b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 04:2E:A0:68:00:D7:DB:D3:E5:73:93:FC:1C:E5:30:78:D1:5B:24:E8 + X509v3 Authority Key Identifier: + keyid:DB:4B:A9:95:2C:AD:05:9F:CF:C8:3C:DE:3B:2C:27:81:D7:28:65:48 + DirName:/CN=Easy-RSA CA + serial:66:32:E7:15:AE:20:E2:D7:6B:0E:3B:A3:50:C1:25:5A:45:69:14:A0 + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Key Usage: + Digital Signature, Key Encipherment + X509v3 Subject Alternative Name: + DNS:localhost, IP Address:127.0.0.1 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 41:35:5e:7e:14:46:96:3e:c9:8e:fe:88:f8:d6:07:6b:8b:b7: + 8e:02:c4:63:97:79:ec:4a:46:cc:72:4d:7a:cc:9b:13:d9:6b: + 5c:f9:b5:b6:c8:04:cf:f9:e0:23:b2:4e:ec:b0:80:85:84:be: + a9:1d:8d:4e:8b:26:09:d1:50:83:df:a2:d6:cc:ec:8c:36:b0: + c4:a9:cb:14:ba:2d:e2:f3:93:9a:e5:ae:fe:a6:b7:37:c2:17: + 52:17:b2:f3:4e:3a:04:88:9b:50:7e:c5:73:6f:63:5c:ab:32: + 47:0d:1c:b4:63:d4:de:c0:6b:ce:ec:26:8d:8c:40:83:c1:c2: + 29:48:f8:0f:a1:b1:f9:5e:2b:91:fb:0d:32:26:db:73:ef:36: + 03:d1:24:3e:59:8d:39:09:29:61:85:64:69:be:ee:ec:6d:dd: + 6d:7c:93:22:b5:44:19:ed:11:f5:46:7d:f5:be:74:ce:46:85: + 5d:24:9f:4e:b8:27:4b:7f:ba:72:5c:f7:24:10:b6:7b:fb:cb: + a0:d1:59:5b:d3:5f:e9:a3:e9:fd:c3:36:2f:b6:b5:eb:e6:1d: + 9b:71:d6:53:26:95:26:64:14:25:47:b8:3b:d4:96:be:51:98: + e5:4d:cf:47:66:e8:fc:e9:bc:e6:6c:2b:e6:87:d8:cb:64:82: + d8:63:31:c9 +-----BEGIN CERTIFICATE----- +MIIDdDCCAlygAwIBAgIRAPrucayc+FuATc5L01f4MgkwDQYJKoZIhvcNAQELBQAw +FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwIBcNMjQwNDI1MTUzNDE4WhgPMzAyMzA4 +MjcxNTM0MThaMBIxEDAOBgNVBAMMB2FsdHRlc3QwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQCU9n4rQe4A1vUvVGb0QTlp7mQLFUZZzgC2vyqq9w51xOWh +t7OGHCQG+pFB8QuHOu4mJyhiHaw1VOWjrEinmqq+LmBSfN7PwygRQldSnUQkj7C2 ++zbvT6p+LFdeB4oD/BgD6FhriJiok6xpAbGc7zv+BEeeKOLGFflc394kHi+k4LIB +lH64AHaw3TZVIvItOsex2Gd+yi0iuNydhzQMwRHHciu47RvYdW0NSeH2vxLdGYSH +Lm3GfX5CMyoFov9dBxCDpMA1qfgAlimfvFNsgRh75MZBVH8So1p3yw/PUoyDmjAD +yndlssALAGeGUHex9Xm3IGIl+DvKzcTa0cCB/duLAgMBAAGjgb4wgbswCQYDVR0T +BAIwADAdBgNVHQ4EFgQUBC6gaADX29Plc5P8HOUweNFbJOgwUQYDVR0jBEowSIAU +20uplSytBZ/PyDzeOywngdcoZUihGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENB +ghRmMucVriDi12sOO6NQwSVaRWkUoDATBgNVHSUEDDAKBggrBgEFBQcDATALBgNV +HQ8EBAMCBaAwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEB +CwUAA4IBAQBBNV5+FEaWPsmO/oj41gdri7eOAsRjl3nsSkbMck16zJsT2Wtc+bW2 +yATP+eAjsk7ssICFhL6pHY1OiyYJ0VCD36LWzOyMNrDEqcsUui3i85Oa5a7+prc3 +whdSF7LzTjoEiJtQfsVzb2NcqzJHDRy0Y9TewGvO7CaNjECDwcIpSPgPobH5XiuR ++w0yJttz7zYD0SQ+WY05CSlhhWRpvu7sbd1tfJMitUQZ7RH1Rn31vnTORoVdJJ9O +uCdLf7pyXPckELZ7+8ug0Vlb01/po+n9wzYvtrXr5h2bcdZTJpUmZBQlR7g71Ja+ +UZjlTc9HZuj86bzmbCvmh9jLZILYYzHJ +-----END CERTIFICATE----- diff --git a/ipad/example_ca/pki/issued/alttest.notes b/ipad/example_ca/pki/issued/alttest.notes new file mode 100644 index 0000000..6daca26 --- /dev/null +++ b/ipad/example_ca/pki/issued/alttest.notes @@ -0,0 +1,8 @@ +This certificate is suitable for tests on any machine where testsuite and IPAd +run on the same host. + +The alttest.crt certificate has been created using the following commandline: +./easyrsa --subject-alt-name="DNS:localhost,IP:127.0.0.1" build-server-full alttest nopass + +The alttest.cabundle file has been created manually (alttest certificate at the +top, ca certificate at the bottom). diff --git a/ipad/example_ca/pki/issued/testsuite.cabundle b/ipad/example_ca/pki/issued/testsuite.cabundle new file mode 100644 index 0000000..9768a94 --- /dev/null +++ b/ipad/example_ca/pki/issued/testsuite.cabundle @@ -0,0 +1,42 @@ +-----BEGIN CERTIFICATE----- +MIIDbzCCAlegAwIBAgIQKqP4/8O1Yq/GeEU4ml8sWjANBgkqhkiG9w0BAQsFADAW +MRQwEgYDVQQDDAtFYXN5LVJTQSBDQTAgFw0yNDA0MjUxNTM0MzBaGA8zMDIzMDgy +NzE1MzQzMFowFDESMBAGA1UEAwwJdGVzdHN1aXRlMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAvA038bEtTA6voVGFkh8bPO8EGCTR1g7rc2SG2sZl4rJ0 ++27AuV3+Z2FEOr8gbqdTnHuOa+zEVewL+UQIalQ1WYKaY2ALN90iXeNDgU5Rrgpn +Mbux03AOqEYvEey26VglCslySpfx1XoNaJDrc8LhgRLNCBsh6c5YPtyB3rdlMb3E +i1rRBpvA6rdjj/ulZzd+1WkHVmfz5zddhIZSJZSeamCiXL9eC8vIgxoXUYTxFvCD +Rra7l/NPukEfMKjV7k4ueACbJf0M7MxXo4K1VFb9Jfn/uF8bVa5XFjUNzJrP0CxK +3dWuKn52c6+42aA1YYI9oNHOo9iCGwyavKULLQDQ6QIDAQABo4G4MIG1MAkGA1Ud +EwQCMAAwHQYDVR0OBBYEFCARBi67sAsF1M5PvF9ROeeWlE8mMFEGA1UdIwRKMEiA +FNtLqZUsrQWfz8g83jssJ4HXKGVIoRqkGDAWMRQwEgYDVQQDDAtFYXN5LVJTQSBD +QYIUZjLnFa4g4tdrDjujUMElWkVpFKAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYD +VR0PBAQDAgWgMBQGA1UdEQQNMAuCCXRlc3RzdWl0ZTANBgkqhkiG9w0BAQsFAAOC +AQEAeLEoJfUXesKgLri7Fdyq6I+qrvNIDkYpcdcka83aTrGMGkABeQPKLUV2yQhh +UOsDnIKf1jfYYEL8WTW3Qmn9NkWToxff3V2EGQRwT8hfPpYnSQOBp1UsFn6+ZSZx +SOtbNjjBqYfwrS5AW+gSOfXQYHFV10v70L81EfsunE/msTXGRbRzaJnZJ/pOmCV9 +bnwbIujCg287H0wncJQa7/sr/Z08os7yS9GO523b7CIcubTBvBeC6uEfdhpK1lmz +JOXkZ7nO03Nn3UiCBLyPUDTADkJufmOs5qtxt3lb946MSKzvrsaw6a7XlJtY6Svo +QJMbYlEtBqTKjOZ+jFrQbWmGbw== +-----END CERTIFICATE----- + +-----BEGIN CERTIFICATE----- +MIIDTTCCAjWgAwIBAgIUZjLnFa4g4tdrDjujUMElWkVpFKAwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwIBcNMjQwNDI1MTUzMzU2WhgPMzAy +MzA4MjcxNTMzNTZaMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnR8Y1ESTRhfjVNZ0+nuhQsvkMhZnOMpaEoJz +pCzHV0Cj6Mi814gPanvflAX/9F+4IjQ2evm7pNKNUpt1vf6kKTmco0EX672spP4p +8KOQaki/+I/AMYCwAGOvmCMYpHMzNTkV9PZIUUyzLG5YaigiMtJpWY+ji/G+kxAg +YzPr4WhTjG+mEoPjfc9LQH5dh/dP0cdkoZuIHWx6kFxAw/Okb1EF/oGrUT4pOLzg +/Z5wkOYZhlK0bicCqvYfsUjJ4y0ftCXfjQUtAYfQ4gq6revQ7eHCNKixh+BB8yXO +7/z6qrTfMTmN2Ekdo5nAyAMOeugaExaSLwYti3afX71RuqrtTwIDAQABo4GQMIGN +MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFNtLqZUsrQWfz8g83jssJ4HXKGVIMFEG +A1UdIwRKMEiAFNtLqZUsrQWfz8g83jssJ4HXKGVIoRqkGDAWMRQwEgYDVQQDDAtF +YXN5LVJTQSBDQYIUZjLnFa4g4tdrDjujUMElWkVpFKAwCwYDVR0PBAQDAgEGMA0G +CSqGSIb3DQEBCwUAA4IBAQAADFdB7R2mwfMWj3vUR77v9f3wqJdKgUyleXGKu6ot +9YL8vYAJUL9sojZ8KeR47PDVpOs7v0Ll3RcfqRrDWQ9/MiMqSMcxh/i9dvyf5d9s +o2kxqiPaMVPkLzGKE04I0XtAlszqOBYsGO83D2FuJsIWglvvOjNYvJ05LMVJObnq +gpwY3TwhoKeWAQg6U5Yv6dLDjvbYPTwgArNpY97BxY0GZNyiyJgyag21cVui+tsd +uLKVKhmW/EhCC52wsEMwLAsiOjNpVXwAkPWaWAbUJIJTyuc2ZFpx9D2T40H1U8Pj +6UXwCkZ7C9qwKKyusG8duf/Xsdsft3Pm8XykSWWya6Um +-----END CERTIFICATE----- diff --git a/ipad/example_ca/pki/issued/testsuite.crt b/ipad/example_ca/pki/issued/testsuite.crt new file mode 100644 index 0000000..14904d1 --- /dev/null +++ b/ipad/example_ca/pki/issued/testsuite.crt @@ -0,0 +1,87 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 2a:a3:f8:ff:c3:b5:62:af:c6:78:45:38:9a:5f:2c:5a + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=Easy-RSA CA + Validity + Not Before: Apr 25 15:34:30 2024 GMT + Not After : Aug 27 15:34:30 3023 GMT + Subject: CN=testsuite + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:bc:0d:37:f1:b1:2d:4c:0e:af:a1:51:85:92:1f: + 1b:3c:ef:04:18:24:d1:d6:0e:eb:73:64:86:da:c6: + 65:e2:b2:74:fb:6e:c0:b9:5d:fe:67:61:44:3a:bf: + 20:6e:a7:53:9c:7b:8e:6b:ec:c4:55:ec:0b:f9:44: + 08:6a:54:35:59:82:9a:63:60:0b:37:dd:22:5d:e3: + 43:81:4e:51:ae:0a:67:31:bb:b1:d3:70:0e:a8:46: + 2f:11:ec:b6:e9:58:25:0a:c9:72:4a:97:f1:d5:7a: + 0d:68:90:eb:73:c2:e1:81:12:cd:08:1b:21:e9:ce: + 58:3e:dc:81:de:b7:65:31:bd:c4:8b:5a:d1:06:9b: + c0:ea:b7:63:8f:fb:a5:67:37:7e:d5:69:07:56:67: + f3:e7:37:5d:84:86:52:25:94:9e:6a:60:a2:5c:bf: + 5e:0b:cb:c8:83:1a:17:51:84:f1:16:f0:83:46:b6: + bb:97:f3:4f:ba:41:1f:30:a8:d5:ee:4e:2e:78:00: + 9b:25:fd:0c:ec:cc:57:a3:82:b5:54:56:fd:25:f9: + ff:b8:5f:1b:55:ae:57:16:35:0d:cc:9a:cf:d0:2c: + 4a:dd:d5:ae:2a:7e:76:73:af:b8:d9:a0:35:61:82: + 3d:a0:d1:ce:a3:d8:82:1b:0c:9a:bc:a5:0b:2d:00: + d0:e9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 20:11:06:2E:BB:B0:0B:05:D4:CE:4F:BC:5F:51:39:E7:96:94:4F:26 + X509v3 Authority Key Identifier: + keyid:DB:4B:A9:95:2C:AD:05:9F:CF:C8:3C:DE:3B:2C:27:81:D7:28:65:48 + DirName:/CN=Easy-RSA CA + serial:66:32:E7:15:AE:20:E2:D7:6B:0E:3B:A3:50:C1:25:5A:45:69:14:A0 + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Key Usage: + Digital Signature, Key Encipherment + X509v3 Subject Alternative Name: + DNS:testsuite + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 78:b1:28:25:f5:17:7a:c2:a0:2e:b8:bb:15:dc:aa:e8:8f:aa: + ae:f3:48:0e:46:29:71:d7:24:6b:cd:da:4e:b1:8c:1a:40:01: + 79:03:ca:2d:45:76:c9:08:61:50:eb:03:9c:82:9f:d6:37:d8: + 60:42:fc:59:35:b7:42:69:fd:36:45:93:a3:17:df:dd:5d:84: + 19:04:70:4f:c8:5f:3e:96:27:49:03:81:a7:55:2c:16:7e:be: + 65:26:71:48:eb:5b:36:38:c1:a9:87:f0:ad:2e:40:5b:e8:12: + 39:f5:d0:60:71:55:d7:4b:fb:d0:bf:35:11:fb:2e:9c:4f:e6: + b1:35:c6:45:b4:73:68:99:d9:27:fa:4e:98:25:7d:6e:7c:1b: + 22:e8:c2:83:6f:3b:1f:4c:27:70:94:1a:ef:fb:2b:fd:9d:3c: + a2:ce:f2:4b:d1:8e:e7:6d:db:ec:22:1c:b9:b4:c1:bc:17:82: + ea:e1:1f:76:1a:4a:d6:59:b3:24:e5:e4:67:b9:ce:d3:73:67: + dd:48:82:04:bc:8f:50:34:c0:0e:42:6e:7e:63:ac:e6:ab:71: + b7:79:5b:f7:8e:8c:48:ac:ef:ae:c6:b0:e9:ae:d7:94:9b:58: + e9:2b:e8:40:93:1b:62:51:2d:06:a4:ca:8c:e6:7e:8c:5a:d0: + 6d:69:86:6f +-----BEGIN CERTIFICATE----- +MIIDbzCCAlegAwIBAgIQKqP4/8O1Yq/GeEU4ml8sWjANBgkqhkiG9w0BAQsFADAW +MRQwEgYDVQQDDAtFYXN5LVJTQSBDQTAgFw0yNDA0MjUxNTM0MzBaGA8zMDIzMDgy +NzE1MzQzMFowFDESMBAGA1UEAwwJdGVzdHN1aXRlMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAvA038bEtTA6voVGFkh8bPO8EGCTR1g7rc2SG2sZl4rJ0 ++27AuV3+Z2FEOr8gbqdTnHuOa+zEVewL+UQIalQ1WYKaY2ALN90iXeNDgU5Rrgpn +Mbux03AOqEYvEey26VglCslySpfx1XoNaJDrc8LhgRLNCBsh6c5YPtyB3rdlMb3E +i1rRBpvA6rdjj/ulZzd+1WkHVmfz5zddhIZSJZSeamCiXL9eC8vIgxoXUYTxFvCD +Rra7l/NPukEfMKjV7k4ueACbJf0M7MxXo4K1VFb9Jfn/uF8bVa5XFjUNzJrP0CxK +3dWuKn52c6+42aA1YYI9oNHOo9iCGwyavKULLQDQ6QIDAQABo4G4MIG1MAkGA1Ud +EwQCMAAwHQYDVR0OBBYEFCARBi67sAsF1M5PvF9ROeeWlE8mMFEGA1UdIwRKMEiA +FNtLqZUsrQWfz8g83jssJ4HXKGVIoRqkGDAWMRQwEgYDVQQDDAtFYXN5LVJTQSBD +QYIUZjLnFa4g4tdrDjujUMElWkVpFKAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYD +VR0PBAQDAgWgMBQGA1UdEQQNMAuCCXRlc3RzdWl0ZTANBgkqhkiG9w0BAQsFAAOC +AQEAeLEoJfUXesKgLri7Fdyq6I+qrvNIDkYpcdcka83aTrGMGkABeQPKLUV2yQhh +UOsDnIKf1jfYYEL8WTW3Qmn9NkWToxff3V2EGQRwT8hfPpYnSQOBp1UsFn6+ZSZx +SOtbNjjBqYfwrS5AW+gSOfXQYHFV10v70L81EfsunE/msTXGRbRzaJnZJ/pOmCV9 +bnwbIujCg287H0wncJQa7/sr/Z08os7yS9GO523b7CIcubTBvBeC6uEfdhpK1lmz +JOXkZ7nO03Nn3UiCBLyPUDTADkJufmOs5qtxt3lb946MSKzvrsaw6a7XlJtY6Svo +QJMbYlEtBqTKjOZ+jFrQbWmGbw== +-----END CERTIFICATE----- diff --git a/ipad/example_ca/pki/issued/testsuite.notes b/ipad/example_ca/pki/issued/testsuite.notes new file mode 100644 index 0000000..55594a6 --- /dev/null +++ b/ipad/example_ca/pki/issued/testsuite.notes @@ -0,0 +1,8 @@ +This certificate is suitable for tests where the testsuite runs on a separate +machine or VM that has the hostname "testsuite" + +The testsuite.crt certificate has been created using the following commandline: +./easyrsa --subject-alt-name="DNS:testsuite" build-server-full testsuite nopass + +The testsuite.cabundle file has been created manually (alttest certificate at the +top, ca certificate at the bottom). diff --git a/ipad/example_ca/pki/openssl-easyrsa.cnf b/ipad/example_ca/pki/openssl-easyrsa.cnf new file mode 100644 index 0000000..928b195 --- /dev/null +++ b/ipad/example_ca/pki/openssl-easyrsa.cnf @@ -0,0 +1,143 @@ +# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = $ENV::EASYRSA_PKI # Where everything is kept +certs = $dir # Where the issued certs are kept +crl_dir = $dir # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir/certs_by_serial # default place for new certs. + +certificate = $dir/ca.crt # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/ca.key # The private key +RANDFILE = $dir/.rand # private random number file + +x509_extensions = basic_exts # The extensions to add to the cert + +# A placeholder to handle the --copy-ext feature: +#%COPY_EXTS% # Do NOT remove or change this line as --copy-ext support requires it + +# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA +# is designed for will. In return, we get the Issuer attached to CRLs. +crl_extensions = crl_ext + +default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for +default_crl_days = $ENV::EASYRSA_CRL_DAYS # how long before next CRL +default_md = $ENV::EASYRSA_DIGEST # use public key default MD +preserve = no # keep passed DN ordering + +# This allows to renew certificates which have not been revoked +unique_subject = no + +# A few different ways of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_anything + +# For the 'anything' policy, which defines allowed DN fields +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +name = optional +emailAddress = optional + +#################################################################### +# Easy-RSA request handling +# We key off $DN_MODE to determine how to format the DN +[ req ] +default_bits = $ENV::EASYRSA_KEY_SIZE +default_keyfile = privkey.pem +default_md = $ENV::EASYRSA_DIGEST +distinguished_name = $ENV::EASYRSA_DN +x509_extensions = easyrsa_ca # The extensions to add to the self signed cert + +# A placeholder to handle the $EXTRA_EXTS feature: +#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it + +#################################################################### +# Easy-RSA DN (Subject) handling + +# Easy-RSA DN for cn_only support: +[ cn_only ] +commonName = Common Name (eg: your user, host, or server name) +commonName_max = 64 +commonName_default = $ENV::EASYRSA_REQ_CN + +# Easy-RSA DN for org support: +[ org ] +countryName = Country Name (2 letter code) +countryName_default = $ENV::EASYRSA_REQ_COUNTRY +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE + +localityName = Locality Name (eg, city) +localityName_default = $ENV::EASYRSA_REQ_CITY + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = $ENV::EASYRSA_REQ_ORG + +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = $ENV::EASYRSA_REQ_OU + +commonName = Common Name (eg: your user, host, or server name) +commonName_max = 64 +commonName_default = $ENV::EASYRSA_REQ_CN + +emailAddress = Email Address +emailAddress_default = $ENV::EASYRSA_REQ_EMAIL +emailAddress_max = 64 + +#################################################################### +# Easy-RSA cert extension handling + +# This section is effectively unused as the main script sets extensions +# dynamically. This core section is left to support the odd usecase where +# a user calls openssl directly. +[ basic_exts ] +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always + +# The Easy-RSA CA extensions +[ easyrsa_ca ] + +# PKIX recommendations: + +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always + +# This could be marked critical, but it's nice to support reading by any +# broken clients who attempt to do so. +basicConstraints = CA:true + +# Limit key usage to CA tasks. If you really want to use the generated pair as +# a self-signed cert, comment this out. +keyUsage = cRLSign, keyCertSign + +# nsCertType omitted by default. Let's try to let the deprecated stuff die. +# nsCertType = sslCA + +# A placeholder to handle the $X509_TYPES and CA extra extensions $EXTRA_EXTS: +#%CA_X509_TYPES_EXTRA_EXTS% # Do NOT remove or change this line as $X509_TYPES and EXTRA_EXTS demands it + +# CRL extensions. +[ crl_ext ] + +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always diff --git a/ipad/example_ca/pki/private/alttest.key b/ipad/example_ca/pki/private/alttest.key new file mode 100644 index 0000000..c334f49 --- /dev/null +++ b/ipad/example_ca/pki/private/alttest.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCU9n4rQe4A1vUv +VGb0QTlp7mQLFUZZzgC2vyqq9w51xOWht7OGHCQG+pFB8QuHOu4mJyhiHaw1VOWj +rEinmqq+LmBSfN7PwygRQldSnUQkj7C2+zbvT6p+LFdeB4oD/BgD6FhriJiok6xp +AbGc7zv+BEeeKOLGFflc394kHi+k4LIBlH64AHaw3TZVIvItOsex2Gd+yi0iuNyd +hzQMwRHHciu47RvYdW0NSeH2vxLdGYSHLm3GfX5CMyoFov9dBxCDpMA1qfgAlimf +vFNsgRh75MZBVH8So1p3yw/PUoyDmjADyndlssALAGeGUHex9Xm3IGIl+DvKzcTa +0cCB/duLAgMBAAECggEACbh+yeqG0iiKM3PPNsfoK+YnQnnkRLP8DpuG+Jp1UnDD +iLwTdlWbxut5qH3xrKTHKazge8FH8ur+rqGYKX0fAJjHfFqIXQfKiOXKtlTA6kne +KZ1XG7gX03Kn+ODbvCAqnlv+eSCe0FFirNo0HEjtofPm4IahKx//98mRa3X00fjQ +41+pwrtj5TBeHc8V9QiHDDTfAtUcRKbA3yPyla0xdHektCDak1U6CMoR/p55l+rM +2ffBHJA+wNc28NfxV+ZY1VbpZ0qszAp3/U+gQRn0P9+2scIAWzRBlmQ37EfAMmM8 +ciembbDpoi7/tMQ0UhrhCR/o5hatQwS8ACEuLC3ucQKBgQDLBGSvuGBvWYget/2+ +jhCjYyH5s0Pye0iCcUlZDIsi1RjtgQfXNo5J1yP7uaPHJ/3Saoohb844CD0+kLjS +tYpGSePL+q8HGnjfutjy0Xstew5peD6quc15G6gyfCBKdC39R9BfuC2emw9eZeiG +qRmGpFKwD3PDS5ZNz3HJ/WG41QKBgQC71rlMXGsnq63OVcKvw32Kn6XVsHXhoxFd +DWy43QbGqVV2Lk36/mr8iotBOV4BsofWD8Fx8447lhERuTi9NHSlIaAldnng0Eok +RoW+Lr6QbQanuLjM+NLhPcdrhZPrp4pHFUgnj2PjmLAngmvyaa4l/m88UvYVWPyK +vxUzNtNy3wKBgQCL9ZpoXib1fPbPnq6rOQuVaFla6NBWEdH6Q5l6b6BYQiruSb8b +CnxrwYsIFoInYZWmA1b5GDhF/sAiKumQMiGCtZv62vbhYcmlDA5W0D4oK6bS5Vfm +oTNbY8rACzzDt3ahH2ozIykoJ+QfgwgcFeYIIa7zu6NmJu0W9YWP6EP/hQKBgApq +Y6f6T+7JNEAGvV7lpiZzp8xrln3GfwX74pV1nBST+yssciKCzQfn3sTlG3NYpPOX +uBBLgw2GyreC38SODhHCBZFOOn/ezN2qE2xyRxrXENFoCsdC3N6kgFRT+dnNVnuO +kIuxBcbvBoWKU9YDSibNLvnXV9HjN02yPsiyN5NdAoGAZj0u++sJWrYzBeGDO0ew +a0GJnQK8/4NR+vJz/vvmL/lidfKOFJ5/lNANRha7ep89ig7G96ejabEitghIH9I7 +0+OxHz5uk+lidlTPxTg64ELlJnbsPzdI6QygeFVp8QqxEYgzB3zi8ropSoVIKVkB +2+9FJlDHUFB+PG7cbfR70a8= +-----END PRIVATE KEY----- diff --git a/ipad/example_ca/pki/private/ca.key b/ipad/example_ca/pki/private/ca.key new file mode 100644 index 0000000..ca1c505 --- /dev/null +++ b/ipad/example_ca/pki/private/ca.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCdHxjURJNGF+NU +1nT6e6FCy+QyFmc4yloSgnOkLMdXQKPoyLzXiA9qe9+UBf/0X7giNDZ6+buk0o1S +m3W9/qQpOZyjQRfrvayk/inwo5BqSL/4j8AxgLAAY6+YIxikczM1ORX09khRTLMs +blhqKCIy0mlZj6OL8b6TECBjM+vhaFOMb6YSg+N9z0tAfl2H90/Rx2Shm4gdbHqQ +XEDD86RvUQX+gatRPik4vOD9nnCQ5hmGUrRuJwKq9h+xSMnjLR+0Jd+NBS0Bh9Di +Crqt69Dt4cI0qLGH4EHzJc7v/PqqtN8xOY3YSR2jmcDIAw566BoTFpIvBi2Ldp9f +vVG6qu1PAgMBAAECggEAAdFyJRuDuPn5DU961Xm3muSjvdXmUhfBj2NFsOE8Zy5w +rQQGEN7yI1qEjaWvSM/1eyVRUVY+yDSW5b7r8Wa8Jwun4ruGQbTi3VdhRZlT/gKm +qPyRR0FeBKWpZZ62I0nd+jLLYoNj6Q1Zyxzu7e5+icMRc3BWIE7qTbDTgM1SAjxm +OhNnQmWVq/E4wP4JXkjy2zxZZPjbq5awhvPzeApq/QspKNp9PE9rOHRbyi5kknYO +nYc4hn2McHegsfyN0gXsLkDgwKqFG84HZRKOjnDUm8EOCC0L0Zhs2lYmpemeKP+f +4ro5mhvJQ8Xe3iUcfAAQypRUyOyCXVJY7A0yzSWrEQKBgQDO2CoimFzktgHQwN7x +HriYg4Ass1Y/gZq2N7APqbFJZIeJlouKqlZ6uF+eWqMZf96XidOC37BMH2R0yAvP +vPHTGycSZozE0tGNscLxQ8nGYu2tDzryCBrjpNUaKY5HVYK/9D1toSnvOWJAZlHN +lOx5sDOlwCpXR1DANUZtsVRCCQKBgQDCde3B59fW4FbB7+hk0qLxhKnlIt0UFOuB +4Kg/UZZYvJA1bGW1LZGVNXpMIyRpPODW5B979Eb/azF6LtW/MzwZ2ZM9aXKRFA0S ++J2whjdBebWG/PuwEwKHo/wfzEJLeVW2VOEUknirn5PnI4is2LiTCfnls8PlkSzF +klK/7K6qlwKBgEIPse1Yohp9sri8ULfLqwMyxIYCROKFfycBRB7MgI3DKLKdvTVt +T69kIU3O/tZPC4V0hHQBAypcwFW36mXPn6BfxKvQyta1yi2p/2vUzaWpxOUHvzi7 +s/LOmyz+5q0Lt3WdCN1xopX/ysxsoWW6UYhP6T7fz+YOJdEtcq/n+dQZAoGAAhR6 +15EgSOcbZnWnebSbE5REsPO/g6B5qGj7w7merxJNRJUFPXvgS8VHqprRn+KL0SCd +iZjiTYca/2CS3rmwkeI25fhDxnN9dE9+eE3nN2cS3v/DvW1moIbLgpePufjxRsL/ +qVWrvsI1Ncq2gorK5p+7sY5LsR/tZ6uaAP2KHL8CgYEAsPllojZVSxcWuWN8YD6U +hPTsmH9EwxN6kqB2Ai2ZN3i5kmRnZNv8xBJcf9bJY5YlV7ycyPf3RXfNLVlA/8Ox +Tnyn+hpNDDXNnOaiOYjlG0NC1XYesJDN2WyaRNIrXpWXGWD28VGK4sKVNdxV6lOC +fLxfcjGPfAqfHtUoOiQofXU= +-----END PRIVATE KEY----- diff --git a/ipad/example_ca/pki/private/testsuite.key b/ipad/example_ca/pki/private/testsuite.key new file mode 100644 index 0000000..0587614 --- /dev/null +++ b/ipad/example_ca/pki/private/testsuite.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC8DTfxsS1MDq+h +UYWSHxs87wQYJNHWDutzZIbaxmXisnT7bsC5Xf5nYUQ6vyBup1Oce45r7MRV7Av5 +RAhqVDVZgppjYAs33SJd40OBTlGuCmcxu7HTcA6oRi8R7LbpWCUKyXJKl/HVeg1o +kOtzwuGBEs0IGyHpzlg+3IHet2UxvcSLWtEGm8Dqt2OP+6VnN37VaQdWZ/PnN12E +hlIllJ5qYKJcv14Ly8iDGhdRhPEW8INGtruX80+6QR8wqNXuTi54AJsl/QzszFej +grVUVv0l+f+4XxtVrlcWNQ3Mms/QLErd1a4qfnZzr7jZoDVhgj2g0c6j2IIbDJq8 +pQstANDpAgMBAAECggEAAq7WTAU+iGz8ttd3iWrjcl8vUfHDiYzsSv8/PwBd4rbW +VuIago9VK/zEcqlrqs+wShJUT4g6hS0BS9QB4gd6L+ERkOALy1Prhu1xQ8p+Fv0C +KI120OjfcqmDevT2p2j49VJdf+b/t3XR2pqXtPuUSIL5lSQmKJehGDuAtSPGpprt +Ri47/bstEZ9l6xweRUbWtLY7v3Ul+nMZO1HDl+MMY2Cy1Ou6JFuJfEyWYWzs4Uor +b47b0uH/8b0STXX4xw4s5o/0NuSQPIsOM/LN6vZIEM3euYqeLsi/VKXFrTjyrLed +WjldhwwJdxUV6Pr+2s3CFXPqfaJ8amFe1cf/gEk4MQKBgQDeBYr9oyHQ9fER1B7o +ob5LY+37BfaEcQnnuscBDGHJteYamlc+XXHa2UAOoNYUC6SMjzupMNdV6u6JEvP5 +35sGZtP+tKLRxElMD9XBc7m17cWUbjWlplgCLVdly7bgprYPANHEr9djwuq9oppq +clsklx7NawpTYFBg+zrzxBYP0QKBgQDY1Mi4x2JdMtFM+X00MyFjQq3lHexSo5XF +rMgU2A145zAlXiuEVkyqR+Pv3hwm38qqoUAkyIDhXth3C7f75gcQgsgthJJbU6LM +jKhh+/PSg4x3/YmBWQfRiHv9KstAvX7y2oaZIBfBK9ZuPID0QY2RIfUA5KYdBkOP +9urhR3fNmQKBgFMpeFpxFGWU+etXrQwuKX1LvQRdw2zwemlWSNxXqvlHLR2h2jP+ +BHuZDKluDUIM6mHL9Oj25nHEQf0OIFzkKMlJEvdA6gvwnhPjiomfs1w15+AlN+sI +V8bY/PegSqvzRhZwlCI8S02O4SaPFY/xrboS8PK4uXFpjjIFaJuOQ0VBAoGAblbp +xc4Aqjif9bHIGvYh+WcHIt61UeBY6Pzh3GmNgYb0Iy/mqTNZVBW9UmUOomGjumzQ +PWei3gzrzrix6YfG9In43+DksYDACaNSVHpoOyoiIzVr8dyic+gmYFCUmd9UaLT3 +ZZjFPdHXDsXPQXzSU5aaHNg+B+sWGn6mS/mYZ5ECgYAHCvNEO4NHf5AfpAIeZyD5 +1x3hWR3LtI6qkD5LmVhxi6S4pjzQj+T5ZC+iiz0ZZ6GoA2n+UDX4kF1aSgEJry1i +P5ByLciv7hbYWZtpOAy0Z+MtKOFB5Wj4WsvWCAZnL/5qk9zRyoNuKWYrs3FQlmEt +WIxjZC8intDxtAv4KiJdGQ== +-----END PRIVATE KEY----- diff --git a/ipad/example_ca/pki/reqs/alttest.req b/ipad/example_ca/pki/reqs/alttest.req new file mode 100644 index 0000000..c3a3241 --- /dev/null +++ b/ipad/example_ca/pki/reqs/alttest.req @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIChDCCAWwCAQAwEjEQMA4GA1UEAwwHYWx0dGVzdDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAJT2fitB7gDW9S9UZvRBOWnuZAsVRlnOALa/Kqr3DnXE +5aG3s4YcJAb6kUHxC4c67iYnKGIdrDVU5aOsSKeaqr4uYFJ83s/DKBFCV1KdRCSP +sLb7Nu9Pqn4sV14HigP8GAPoWGuImKiTrGkBsZzvO/4ER54o4sYV+Vzf3iQeL6Tg +sgGUfrgAdrDdNlUi8i06x7HYZ37KLSK43J2HNAzBEcdyK7jtG9h1bQ1J4fa/Et0Z +hIcubcZ9fkIzKgWi/10HEIOkwDWp+ACWKZ+8U2yBGHvkxkFUfxKjWnfLD89SjIOa +MAPKd2WywAsAZ4ZQd7H1ebcgYiX4O8rNxNrRwIH924sCAwEAAaAtMCsGCSqGSIb3 +DQEJDjEeMBwwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEB +CwUAA4IBAQBgx4vAKtNXLloRv+cmqTdtNSrTeUz4gR2OB96tv7/Y8nPInDuOS5YA +H0y/4d9WjybeeKtSGEWfcxWTPtEvye4HdEP5S4ajmDzAVngfqBBtOZ2a9YXYndwf +Y/tG6AeaJZs7r4LAnRaLFJKwf+P+SL4Sz1ygZZnolUgI3KCH5iJFfWXIKcFvsp8Z +QjtFaKTLnODI9DbyBZg4bJUyddRfEvQCBnd4E7BKaIJif32nUaV18YZ027onUONj +IBaPqbMBHbVb5gXAIqc3u39Ut9dtD/XXxGMAkK3vjEGfPBoNqwVQAj5NxK/+CEwZ ++gdlC3YXEn0Bp/QTwGPtkpaiqClqVZiG +-----END CERTIFICATE REQUEST----- diff --git a/ipad/example_ca/pki/reqs/testsuite.req b/ipad/example_ca/pki/reqs/testsuite.req new file mode 100644 index 0000000..877c3a2 --- /dev/null +++ b/ipad/example_ca/pki/reqs/testsuite.req @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICgDCCAWgCAQAwFDESMBAGA1UEAwwJdGVzdHN1aXRlMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAvA038bEtTA6voVGFkh8bPO8EGCTR1g7rc2SG2sZl +4rJ0+27AuV3+Z2FEOr8gbqdTnHuOa+zEVewL+UQIalQ1WYKaY2ALN90iXeNDgU5R +rgpnMbux03AOqEYvEey26VglCslySpfx1XoNaJDrc8LhgRLNCBsh6c5YPtyB3rdl +Mb3Ei1rRBpvA6rdjj/ulZzd+1WkHVmfz5zddhIZSJZSeamCiXL9eC8vIgxoXUYTx +FvCDRra7l/NPukEfMKjV7k4ueACbJf0M7MxXo4K1VFb9Jfn/uF8bVa5XFjUNzJrP +0CxK3dWuKn52c6+42aA1YYI9oNHOo9iCGwyavKULLQDQ6QIDAQABoCcwJQYJKoZI +hvcNAQkOMRgwFjAUBgNVHREEDTALggl0ZXN0c3VpdGUwDQYJKoZIhvcNAQELBQAD +ggEBAA8Se8HfjHNH9UgQFYE2/elUr0QiPoI5EFEswMwO99E1kDM4pq9g/h2wqwW6 +49NkZzzJfuTERM3ZUQC3+AV7pW9rDEQFf5GGUeM5VmBYiFgPK7FoVJkRJ4MroPti +72uADGBXexYFUsbf6V09T0B80yarmNHNCFUChNY5lhcWEYpJuGXnbpGhzZXTPplw +GZmWDUFVHKSPJX2GZw2AF+MfnyNOCRu+VkU4vjbCm8LQENQBDq1HZ5nYi2eHlW5w +x/rmHZx8wv+ipY3DsG8bCho6fuaSvQI9fHi1UVRJcP1bdocCjFk+N1yj+i58TPRK +FoU4y2362LU2nc1mOPeGuQu11Wk= +-----END CERTIFICATE REQUEST----- diff --git a/ipad/example_ca/pki/safessl-easyrsa.cnf b/ipad/example_ca/pki/safessl-easyrsa.cnf new file mode 100644 index 0000000..d42bba9 --- /dev/null +++ b/ipad/example_ca/pki/safessl-easyrsa.cnf @@ -0,0 +1,143 @@ +# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki # Where everything is kept +certs = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki # Where the issued certs are kept +crl_dir = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki # Where the issued crl are kept +database = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki/index.txt # database index file. +new_certs_dir = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki/certs_by_serial # default place for new certs. + +certificate = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki/ca.crt # The CA certificate +serial = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki/serial # The current serial number +crl = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki/crl.pem # The current CRL +private_key = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki/private/ca.key # The private key +RANDFILE = /home/user/work/ttcn3/testsuite/osmo-ttcn3-hacks/ipad/example_ca/pki/.rand # private random number file + +x509_extensions = basic_exts # The extensions to add to the cert + +# A placeholder to handle the --copy-ext feature: +#%COPY_EXTS% # Do NOT remove or change this line as --copy-ext support requires it + +# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA +# is designed for will. In return, we get the Issuer attached to CRLs. +crl_extensions = crl_ext + +default_days = 365000 # how long to certify for +default_crl_days = 180 # how long before next CRL +default_md = sha256 # use public key default MD +preserve = no # keep passed DN ordering + +# This allows to renew certificates which have not been revoked +unique_subject = no + +# A few different ways of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_anything + +# For the 'anything' policy, which defines allowed DN fields +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +name = optional +emailAddress = optional + +#################################################################### +# Easy-RSA request handling +# We key off $DN_MODE to determine how to format the DN +[ req ] +default_bits = 2048 +default_keyfile = privkey.pem +default_md = sha256 +distinguished_name = cn_only +x509_extensions = easyrsa_ca # The extensions to add to the self signed cert + +# A placeholder to handle the $EXTRA_EXTS feature: +#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it + +#################################################################### +# Easy-RSA DN (Subject) handling + +# Easy-RSA DN for cn_only support: +[ cn_only ] +commonName = Common Name (eg: your user, host, or server name) +commonName_max = 64 +commonName_default = ChangeMe + +# Easy-RSA DN for org support: +[ org ] +countryName = Country Name (2 letter code) +countryName_default = US +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = California + +localityName = Locality Name (eg, city) +localityName_default = San Francisco + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Copyleft Certificate Co + +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = My Organizational Unit + +commonName = Common Name (eg: your user, host, or server name) +commonName_max = 64 +commonName_default = ChangeMe + +emailAddress = Email Address +emailAddress_default = me@example.net +emailAddress_max = 64 + +#################################################################### +# Easy-RSA cert extension handling + +# This section is effectively unused as the main script sets extensions +# dynamically. This core section is left to support the odd usecase where +# a user calls openssl directly. +[ basic_exts ] +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always + +# The Easy-RSA CA extensions +[ easyrsa_ca ] + +# PKIX recommendations: + +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always + +# This could be marked critical, but it's nice to support reading by any +# broken clients who attempt to do so. +basicConstraints = CA:true + +# Limit key usage to CA tasks. If you really want to use the generated pair as +# a self-signed cert, comment this out. +keyUsage = cRLSign, keyCertSign + +# nsCertType omitted by default. Let's try to let the deprecated stuff die. +# nsCertType = sslCA + +# A placeholder to handle the $X509_TYPES and CA extra extensions $EXTRA_EXTS: +#%CA_X509_TYPES_EXTRA_EXTS% # Do NOT remove or change this line as $X509_TYPES and EXTRA_EXTS demands it + +# CRL extensions. +[ crl_ext ] + +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always diff --git a/ipad/example_ca/pki/serial b/ipad/example_ca/pki/serial new file mode 100644 index 0000000..ec9e3df --- /dev/null +++ b/ipad/example_ca/pki/serial @@ -0,0 +1 @@ +2AA3F8FFC3B562AFC67845389A5F2C5B diff --git a/ipad/example_ca/pki/serial.old b/ipad/example_ca/pki/serial.old new file mode 100644 index 0000000..406eea8 --- /dev/null +++ b/ipad/example_ca/pki/serial.old @@ -0,0 +1 @@ +2aa3f8ffc3b562afc67845389a5f2c5a diff --git a/ipad/example_ca/pki/vars b/ipad/example_ca/pki/vars new file mode 100644 index 0000000..4cb08cd --- /dev/null +++ b/ipad/example_ca/pki/vars @@ -0,0 +1,235 @@ +# Easy-RSA 3 parameter settings + +# NOTE: If you installed Easy-RSA from your package manager, do not edit +# this file in place -- instead, you should copy the entire easy-rsa directory +# to another location so future upgrades do not wipe out your changes. + +# HOW TO USE THIS FILE +# +# vars.example contains built-in examples to Easy-RSA settings. You MUST name +# this file "vars" if you want it to be used as a configuration file. If you do +# not, it WILL NOT be automatically read when you call easyrsa commands. +# +# It is not necessary to use this config file unless you wish to change +# operational defaults. These defaults should be fine for many uses without the +# need to copy and edit the "vars" file. +# +# All of the editable settings are shown commented and start with the command +# "set_var" -- this means any set_var command that is uncommented has been +# modified by the user. If you are happy with a default, there is no need to +# define the value to its default. + +# NOTES FOR WINDOWS USERS +# +# Paths for Windows *MUST* use forward slashes, or optionally double-escaped +# backslashes (single forward slashes are recommended.) This means your path to +# the openssl binary might look like this: +# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" + +# A little housekeeping: DO NOT EDIT THIS SECTION +# +# Easy-RSA 3.x does not source into the environment directly. +# Complain if a user tries to do this: +if [ -z "$EASYRSA_CALLER" ]; then + echo "You appear to be sourcing an Easy-RSA *vars* file." >&2 + echo "This is no longer necessary and is disallowed. See the section called" >&2 + echo "*How to use this file* near the top comments for more details." >&2 + return 1 +fi + +# DO YOUR EDITS BELOW THIS POINT + +# This variable is used as the base location of configuration files needed by +# easyrsa. More specific variables for specific files (e.g., EASYRSA_SSL_CONF) +# may override this default. +# +# The default value of this variable is the location of the easyrsa script +# itself, which is also where the configuration files are located in the +# easy-rsa tree. + +#set_var EASYRSA "${0%/*}" + +# If your OpenSSL command is not in the system PATH, you will need to define the +# path to it here. Normally this means a full path to the executable, otherwise +# you could have left it undefined here and the shown default would be used. +# +# Windows users, remember to use paths with forward-slashes (or escaped +# back-slashes.) Windows users should declare the full path to the openssl +# binary here if it is not in their system PATH. + +#set_var EASYRSA_OPENSSL "openssl" +# +# This sample is in Windows syntax -- edit it for your path if not using PATH: +#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" + +# Edit this variable to point to your soon-to-be-created key directory. By +# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the +# directory you are currently in). +# +# WARNING: init-pki will do a rm -rf on this directory so make sure you define +# it correctly! (Interactive mode will prompt before acting.) + +#set_var EASYRSA_PKI "$PWD/pki" + +# Define directory for temporary subdirectories. + +#set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI" + +# Define X509 DN mode. +# This is used to adjust what elements are included in the Subject field as the DN +# (this is the "Distinguished Name.") +# Note that in cn_only mode the Organizational fields further below are not used. +# +# Choices are: +# cn_only - use just a CN value +# org - use the "traditional" Country/Province/City/Org/OU/email/CN format + +#set_var EASYRSA_DN "cn_only" + +# Organizational fields (used with "org" mode and ignored in "cn_only" mode.) +# These are the default values for fields which will be placed in the +# certificate. Do not leave any of these fields blank, although interactively +# you may omit any specific field by typing the "." symbol (not valid for +# email.) + +# NOTE: The following characters are not supported +# in these "Organizational fields" by Easy-RSA: +# single quote (') +# back-tick (`) +# hash (#) +# ampersand (&) +# dollar sign ($) +# Use them at your own risk! + +#set_var EASYRSA_REQ_COUNTRY "US" +#set_var EASYRSA_REQ_PROVINCE "California" +#set_var EASYRSA_REQ_CITY "San Francisco" +#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" +#set_var EASYRSA_REQ_EMAIL "me@example.net" +#set_var EASYRSA_REQ_OU "My Organizational Unit" + +# Choose a size in bits for your keypairs. The recommended value is 2048. Using +# 2048-bit keys is considered more than sufficient for many years into the +# future. Larger keysizes will slow down TLS negotiation and make key/DH param +# generation take much longer. Values up to 4096 should be accepted by most +# software. Only used when the crypto alg is rsa (see below.) + +#set_var EASYRSA_KEY_SIZE 2048 + +# The default crypto mode is rsa; ec can enable elliptic curve support. +# Note that not all software supports ECC, so use care when enabling it. +# Choices for crypto alg are: (each in lower-case) +# * rsa +# * ec +# * ed + +#set_var EASYRSA_ALGO rsa + +# Define the named curve, used in ec & ed modes: + +#set_var EASYRSA_CURVE secp384r1 + +# In how many days should the root CA key expire? + +set_var EASYRSA_CA_EXPIRE 365000 + +# In how many days should certificates expire? + +set_var EASYRSA_CERT_EXPIRE 365000 + +# How many days until the next CRL publish date? Note that the CRL can still be +# parsed after this timeframe passes. It is only used for an expected next +# publication date. +#set_var EASYRSA_CRL_DAYS 180 + +# How many days before its expiration date a certificate is allowed to be +# renewed? +#set_var EASYRSA_CERT_RENEW 30 + +# For fixed certificate start/end dates - Range 1..365 +# If set here then command line option is always in effect. +# The day number 183 is either July 2nd or 3rd (leap-year) +# Replace with your chosen day-of-year value: +#set_var EASYRSA_FIX_OFFSET 183 + +# Random serial numbers by default, set to no for the old incremental serial numbers +# +#set_var EASYRSA_RAND_SN "yes" + +# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default +# is "no" to discourage use of deprecated extensions. If you require this +# feature to use with --ns-cert-type, set this to "yes" here. This support +# should be replaced with the more modern --remote-cert-tls feature. If you do +# not use --ns-cert-type in your configs, it is safe (and recommended) to leave +# this defined to "no". When set to "yes", server-signed certs get the +# nsCertType=server attribute, and also get any NS_COMMENT defined below in the +# nsComment field. + +#set_var EASYRSA_NS_SUPPORT "no" + +# When NS_SUPPORT is set to "yes", this field is added as the nsComment field. +# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored. + +#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate" + +# A temp file used to stage cert extensions during signing. The default should +# be fine for most users; however, some users might want an alternative under a +# RAM-based FS, such as /dev/shm or /tmp on some systems. + +#set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp" + +# !! +# NOTE: ADVANCED OPTIONS BELOW THIS POINT +# PLAY WITH THEM AT YOUR OWN RISK +# !! + +# Broken shell command aliases: If you have a largely broken shell that is +# missing any of these POSIX-required commands used by Easy-RSA, you will need +# to define an alias to the proper path for the command. The symptom will be +# some form of a "command not found" error from your shell. This means your +# shell is BROKEN, but you can hack around it here if you really need. These +# shown values are not defaults: it is up to you to know what you are doing if +# you touch these. +# +#alias awk="/alt/bin/awk" +#alias cat="/alt/bin/cat" + +# X509 extensions directory: +# If you want to customize the X509 extensions used, set the directory to look +# for extensions here. Each cert type you sign must have a matching filename, +# and an optional file named "COMMON" is included first when present. Note that +# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then +# fallback to $EASYRSA for the "x509-types" dir. You may override this +# detection with an explicit dir here. +# +#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" + +# If you want to generate KDC certificates, you need to set the realm here. +#set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM" + +# OpenSSL config file: +# If you need to use a specific openssl config file, you can reference it here. +# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the +# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA +# specific and you cannot just use a standard config file, so this is an +# advanced feature. + +#set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-easyrsa.cnf" + +# Default CN: +# This is best left alone. Interactively you will set this manually, and BATCH +# callers are expected to set this themselves. + +#set_var EASYRSA_REQ_CN "ChangeMe" + +# Cryptographic digest to use. +# Do not change this default unless you understand the security implications. +# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512 + +#set_var EASYRSA_DIGEST "sha256" + +# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly +# in batch mode without any user input, confirmation on dangerous operations, +# or most output. Setting this to any non-blank string enables batch mode. + +#set_var EASYRSA_BATCH "" diff --git a/ipad/example_ca/pki/vars.example b/ipad/example_ca/pki/vars.example new file mode 100644 index 0000000..4eab5d0 --- /dev/null +++ b/ipad/example_ca/pki/vars.example @@ -0,0 +1,235 @@ +# Easy-RSA 3 parameter settings + +# NOTE: If you installed Easy-RSA from your package manager, do not edit +# this file in place -- instead, you should copy the entire easy-rsa directory +# to another location so future upgrades do not wipe out your changes. + +# HOW TO USE THIS FILE +# +# vars.example contains built-in examples to Easy-RSA settings. You MUST name +# this file "vars" if you want it to be used as a configuration file. If you do +# not, it WILL NOT be automatically read when you call easyrsa commands. +# +# It is not necessary to use this config file unless you wish to change +# operational defaults. These defaults should be fine for many uses without the +# need to copy and edit the "vars" file. +# +# All of the editable settings are shown commented and start with the command +# "set_var" -- this means any set_var command that is uncommented has been +# modified by the user. If you are happy with a default, there is no need to +# define the value to its default. + +# NOTES FOR WINDOWS USERS +# +# Paths for Windows *MUST* use forward slashes, or optionally double-escaped +# backslashes (single forward slashes are recommended.) This means your path to +# the openssl binary might look like this: +# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" + +# A little housekeeping: DO NOT EDIT THIS SECTION +# +# Easy-RSA 3.x does not source into the environment directly. +# Complain if a user tries to do this: +if [ -z "$EASYRSA_CALLER" ]; then + echo "You appear to be sourcing an Easy-RSA *vars* file." >&2 + echo "This is no longer necessary and is disallowed. See the section called" >&2 + echo "*How to use this file* near the top comments for more details." >&2 + return 1 +fi + +# DO YOUR EDITS BELOW THIS POINT + +# This variable is used as the base location of configuration files needed by +# easyrsa. More specific variables for specific files (e.g., EASYRSA_SSL_CONF) +# may override this default. +# +# The default value of this variable is the location of the easyrsa script +# itself, which is also where the configuration files are located in the +# easy-rsa tree. + +#set_var EASYRSA "${0%/*}" + +# If your OpenSSL command is not in the system PATH, you will need to define the +# path to it here. Normally this means a full path to the executable, otherwise +# you could have left it undefined here and the shown default would be used. +# +# Windows users, remember to use paths with forward-slashes (or escaped +# back-slashes.) Windows users should declare the full path to the openssl +# binary here if it is not in their system PATH. + +#set_var EASYRSA_OPENSSL "openssl" +# +# This sample is in Windows syntax -- edit it for your path if not using PATH: +#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" + +# Edit this variable to point to your soon-to-be-created key directory. By +# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the +# directory you are currently in). +# +# WARNING: init-pki will do a rm -rf on this directory so make sure you define +# it correctly! (Interactive mode will prompt before acting.) + +#set_var EASYRSA_PKI "$PWD/pki" + +# Define directory for temporary subdirectories. + +#set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI" + +# Define X509 DN mode. +# This is used to adjust what elements are included in the Subject field as the DN +# (this is the "Distinguished Name.") +# Note that in cn_only mode the Organizational fields further below are not used. +# +# Choices are: +# cn_only - use just a CN value +# org - use the "traditional" Country/Province/City/Org/OU/email/CN format + +#set_var EASYRSA_DN "cn_only" + +# Organizational fields (used with "org" mode and ignored in "cn_only" mode.) +# These are the default values for fields which will be placed in the +# certificate. Do not leave any of these fields blank, although interactively +# you may omit any specific field by typing the "." symbol (not valid for +# email.) + +# NOTE: The following characters are not supported +# in these "Organizational fields" by Easy-RSA: +# single quote (') +# back-tick (`) +# hash (#) +# ampersand (&) +# dollar sign ($) +# Use them at your own risk! + +#set_var EASYRSA_REQ_COUNTRY "US" +#set_var EASYRSA_REQ_PROVINCE "California" +#set_var EASYRSA_REQ_CITY "San Francisco" +#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" +#set_var EASYRSA_REQ_EMAIL "me@example.net" +#set_var EASYRSA_REQ_OU "My Organizational Unit" + +# Choose a size in bits for your keypairs. The recommended value is 2048. Using +# 2048-bit keys is considered more than sufficient for many years into the +# future. Larger keysizes will slow down TLS negotiation and make key/DH param +# generation take much longer. Values up to 4096 should be accepted by most +# software. Only used when the crypto alg is rsa (see below.) + +#set_var EASYRSA_KEY_SIZE 2048 + +# The default crypto mode is rsa; ec can enable elliptic curve support. +# Note that not all software supports ECC, so use care when enabling it. +# Choices for crypto alg are: (each in lower-case) +# * rsa +# * ec +# * ed + +#set_var EASYRSA_ALGO rsa + +# Define the named curve, used in ec & ed modes: + +#set_var EASYRSA_CURVE secp384r1 + +# In how many days should the root CA key expire? + +#set_var EASYRSA_CA_EXPIRE 3650 + +# In how many days should certificates expire? + +#set_var EASYRSA_CERT_EXPIRE 825 + +# How many days until the next CRL publish date? Note that the CRL can still be +# parsed after this timeframe passes. It is only used for an expected next +# publication date. +#set_var EASYRSA_CRL_DAYS 180 + +# How many days before its expiration date a certificate is allowed to be +# renewed? +#set_var EASYRSA_CERT_RENEW 30 + +# For fixed certificate start/end dates - Range 1..365 +# If set here then command line option is always in effect. +# The day number 183 is either July 2nd or 3rd (leap-year) +# Replace with your chosen day-of-year value: +#set_var EASYRSA_FIX_OFFSET 183 + +# Random serial numbers by default, set to no for the old incremental serial numbers +# +#set_var EASYRSA_RAND_SN "yes" + +# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default +# is "no" to discourage use of deprecated extensions. If you require this +# feature to use with --ns-cert-type, set this to "yes" here. This support +# should be replaced with the more modern --remote-cert-tls feature. If you do +# not use --ns-cert-type in your configs, it is safe (and recommended) to leave +# this defined to "no". When set to "yes", server-signed certs get the +# nsCertType=server attribute, and also get any NS_COMMENT defined below in the +# nsComment field. + +#set_var EASYRSA_NS_SUPPORT "no" + +# When NS_SUPPORT is set to "yes", this field is added as the nsComment field. +# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored. + +#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate" + +# A temp file used to stage cert extensions during signing. The default should +# be fine for most users; however, some users might want an alternative under a +# RAM-based FS, such as /dev/shm or /tmp on some systems. + +#set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp" + +# !! +# NOTE: ADVANCED OPTIONS BELOW THIS POINT +# PLAY WITH THEM AT YOUR OWN RISK +# !! + +# Broken shell command aliases: If you have a largely broken shell that is +# missing any of these POSIX-required commands used by Easy-RSA, you will need +# to define an alias to the proper path for the command. The symptom will be +# some form of a "command not found" error from your shell. This means your +# shell is BROKEN, but you can hack around it here if you really need. These +# shown values are not defaults: it is up to you to know what you are doing if +# you touch these. +# +#alias awk="/alt/bin/awk" +#alias cat="/alt/bin/cat" + +# X509 extensions directory: +# If you want to customize the X509 extensions used, set the directory to look +# for extensions here. Each cert type you sign must have a matching filename, +# and an optional file named "COMMON" is included first when present. Note that +# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then +# fallback to $EASYRSA for the "x509-types" dir. You may override this +# detection with an explicit dir here. +# +#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" + +# If you want to generate KDC certificates, you need to set the realm here. +#set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM" + +# OpenSSL config file: +# If you need to use a specific openssl config file, you can reference it here. +# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the +# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA +# specific and you cannot just use a standard config file, so this is an +# advanced feature. + +#set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-easyrsa.cnf" + +# Default CN: +# This is best left alone. Interactively you will set this manually, and BATCH +# callers are expected to set this themselves. + +#set_var EASYRSA_REQ_CN "ChangeMe" + +# Cryptographic digest to use. +# Do not change this default unless you understand the security implications. +# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512 + +#set_var EASYRSA_DIGEST "sha256" + +# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly +# in batch mode without any user input, confirmation on dangerous operations, +# or most output. Setting this to any non-blank string enables batch mode. + +#set_var EASYRSA_BATCH "" diff --git a/ipad/gen_links.sh b/ipad/gen_links.sh new file mode 100755 index 0000000..130c68e --- /dev/null +++ b/ipad/gen_links.sh @@ -0,0 +1,43 @@ +#!/bin/bash + +BASEDIR=../deps + +. ../gen_links.sh.inc + +DIR=$BASEDIR/titan.Libraries.TCCUsefulFunctions/src +FILES="TCCInterface_Functions.ttcn TCCConversion_Functions.ttcn TCCConversion.cc TCCInterface.cc TCCInterface_ip.h" +gen_links $DIR $FILES + +DIR=$BASEDIR/titan.TestPorts.Common_Components.Abstract_Socket/src +FILES="Abstract_Socket.cc Abstract_Socket.hh " +gen_links $DIR $FILES + +DIR=$BASEDIR/titan.TestPorts.HTTPmsg/src +FILES="HTTPmsg_MessageLen.ttcn HTTPmsg_MessageLen_Function.cc HTTPmsg_PT.cc HTTPmsg_PT.hh HTTPmsg_PortType.ttcn " +FILES+="HTTPmsg_Types.ttcn" +gen_links $DIR $FILES + +DIR=$BASEDIR/titan.TestPorts.Common_Components.Socket-API/src +FILES="Socket_API_Definitions.ttcn" +gen_links $DIR $FILES + +DIR=$BASEDIR/titan.TestPorts.IPL4asp/src +FILES="IPL4asp_Functions.ttcn IPL4asp_PT.cc IPL4asp_PT.hh IPL4asp_PortType.ttcn IPL4asp_Types.ttcn " +FILES+="IPL4asp_discovery.cc IPL4asp_protocol_L234.hh" +gen_links $DIR $FILES + +DIR=../library/euicc +FILES="PEDefinitions.asn PKIX1Explicit88.asn PKIX1Implicit88.asn RSPDefinitions.asn SGP32Definitions.asn " +FILES+="PKIX1Explicit88_Templates.ttcn PKIX1Explicit88_Types.ttcn PKIX1Implicit88_Templates.ttcn " +FILES+="PKIX1Implicit88_Types.ttcn RSPDefinitions_Templates.ttcn RSPDefinitions_Types.ttcn " +FILES+="SGP32Definitions_Templates.ttcn SGP32Definitions_Types.ttcn " +FILES+="PKIX1Explicit88_EncDec.cc PKIX1Implicit88_EncDec.cc RSPDefinitions_EncDec.cc SGP32Definitions_EncDec.cc" +gen_links $DIR $FILES + +DIR=../library +FILES="Misc_Helpers.ttcn General_Types.ttcn Osmocom_Types.ttcn Native_Functions.ttcn Native_FunctionDefs.cc " +FILES+="VPCD_Types.ttcn VPCD_CodecPort.ttcn VPCD_CodecPort_CtrlFunct.ttcn VPCD_CodecPort_CtrlFunctDef.cc " +FILES+="VPCD_Adapter.ttcn HTTP_Server_Emulation.ttcn" +gen_links $DIR $FILES + +ignore_pp_results diff --git a/ipad/regen_makefile.sh b/ipad/regen_makefile.sh new file mode 100755 index 0000000..9123e43 --- /dev/null +++ b/ipad/regen_makefile.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +NAME=IPAd_Tests + +FILES=" + *.ttcn + *.asn + Abstract_Socket.cc + HTTPmsg_MessageLen_Function.cc + HTTPmsg_PT.cc + IPL4asp_PT.cc + IPL4asp_discovery.cc + Native_FunctionDefs.cc + TCCConversion.cc + TCCInterface.cc + SGP32Definitions_EncDec.cc + RSPDefinitions_EncDec.cc + PKIX1Explicit88_EncDec.cc + PKIX1Implicit88_EncDec.cc + VPCD_CodecPort_CtrlFunctDef.cc +" +../regen-makefile.sh IPAd_Tests.ttcn $FILES + +# required for forkpty(3) used by PIPEasp +sed -i -e '/^LINUX_LIBS/ s/$/ -lutil/' Makefile diff --git a/regen-makefile.sh b/regen-makefile.sh index 09088e0..813b212 100755 --- a/regen-makefile.sh +++ b/regen-makefile.sh @@ -41,12 +41,12 @@

sed -i -e 's/# TTCN3_DIR = /TTCN3_DIR = /usr/' Makefile sed -i -e 's/LDFLAGS = /LDFLAGS = -L /usr/lib/titan/' Makefile -sed -i -e 's/LINUX_LIBS = -lxml2/LINUX_LIBS = -lxml2 -lsctp/' Makefile +sed -i -e 's/LINUX_LIBS = -lxml2/LINUX_LIBS = -lxml2 -lsctp -lssl/' Makefile #sed -i -e 's/TTCN3_LIB = ttcn3-parallel/TTCN3_LIB = ttcn3/' Makefile

# The -DMAKEDEPEND_RUN is a workaround for Debian packaging issue, # see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879816 for details -sed -i -e 's/CPPFLAGS = -D$(PLATFORM)/CPPFLAGS = -D$(PLATFORM) -DMAKEDEPEND_RUN -DUSE_SCTP -DLKSCTP_MULTIHOMING_ENABLED/' Makefile +sed -i -e 's/CPPFLAGS = -D$(PLATFORM)/CPPFLAGS = -D$(PLATFORM) -DMAKEDEPEND_RUN -DUSE_SCTP -DLKSCTP_MULTIHOMING_ENABLED -DAS_USE_SSL/' Makefile

#remove -Wall from CXXFLAGS: we're not interested in generic warnings for autogenerated code cluttering the logs sed -i -e 's/-Wall//' Makefile