diff --git a/certs/client-ecc384-cert.der b/certs/client-ecc384-cert.der new file mode 100644 index 000000000..9bf89c7f1 Binary files /dev/null and b/certs/client-ecc384-cert.der differ diff --git a/certs/client-ecc384-cert.pem b/certs/client-ecc384-cert.pem new file mode 100644 index 000000000..e8392fcf1 --- /dev/null +++ b/certs/client-ecc384-cert.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7jCCAnOgAwIBAgICEAEwCgYIKoZIzj0EAwMwgZcxCzAJBgNVBAYTAlVTMRMw +EQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3 +b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZz +c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE4MTAx +OTEzNDEwMloXDTQ4MTAxMTEzNDEwMlowgZYxCzAJBgNVBAYTAlVTMRMwEQYDVQQI +DApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGlj +MRMwEQYDVQQLDApFQ0MzODRDbGl0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x +HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wdjAQBgcqhkjOPQIBBgUr +gQQAIgNiAARmxAg9ZqehFdRTCiOzrQvOj8j0mB2m2LJuIhH6ue+ZwPopPkgA+f7C +pkobpxKoa5BMHLusXW4OYs5wIPdDd9iXx3TTaP6J7HfLGS+JSh13+ZdLZgJopWKv +lYHL4yQ264WjgZAwgY0wCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwHQYD +VR0OBBYEFB7y0Bv4/KXLP9yK9ZcqQlOwQvnUMB8GA1UdIwQYMBaAFKvgwyZMGNRy +u9KEjJwKBZKAElNSMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcD +AgYIKwYBBQUHAwQwCgYIKoZIzj0EAwMDaQAwZgIxAPQNeML87vVHHBRaob0yBP0Q +K4wxvwQEuyes/XSEHupNYfSvcK24YuLVm2mrx+3NyAIxAIn8dyiX85tuunv89xNC +XIkXUHZlvK60fMYi9PBucuYhdy7UO22IRrRncuURVs3oJQ== +-----END CERTIFICATE----- diff --git a/certs/client-ecc384-key.der b/certs/client-ecc384-key.der new file mode 100644 index 000000000..96b8270e0 Binary files /dev/null and b/certs/client-ecc384-key.der differ diff --git a/certs/client-ecc384-key.pem b/certs/client-ecc384-key.pem new file mode 100644 index 000000000..c12526d3d --- /dev/null +++ b/certs/client-ecc384-key.pem 
@@ -0,0 +1,6 @@ +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDB1nVO7/TbLqFdjldpO +TH23WVi/DIOkNaLUNEpfkh3gbrWk1AQ2OgnmrBSgMI8FN5ahZANiAARmxAg9Zqeh +FdRTCiOzrQvOj8j0mB2m2LJuIhH6ue+ZwPopPkgA+f7CpkobpxKoa5BMHLusXW4O +Ys5wIPdDd9iXx3TTaP6J7HfLGS+JSh13+ZdLZgJopWKvlYHL4yQ264U= +-----END PRIVATE KEY----- diff --git a/certs/crl/gencrls.sh b/certs/crl/gencrls.sh index 6a0f15c33..7cf4bf6e4 100755 --- a/certs/crl/gencrls.sh +++ b/certs/crl/gencrls.sh @@ -17,25 +17,23 @@ setup_files() { mkdir demoCA || exit 1 touch ./demoCA/index.txt || exit 1 touch ./index.txt || exit 1 - touch ../ecc/index.txt || exit 1 + touch ../crl/index.txt || exit 1 touch ./crlnumber || exit 1 - touch ../ecc/crlnumber || exit 1 + touch ../crl/crlnumber || exit 1 echo "01" >> crlnumber || exit 1 - echo "01" >> ../ecc/crlnumber || exit 1 + echo "01" >> ../crl/crlnumber || exit 1 touch ./blank.index.txt || exit 1 touch ./demoCA/index.txt.attr || exit 1 - touch ../ecc/index.txt.attr || exit 1 + touch ../crl/index.txt.attr || exit 1 } cleanup_files() { rm blank.index.txt || exit 1 rm index.* || exit 1 rm crlnumber* || exit 1 - rm ../ecc/crlnumber* || exit 1 - rm ../ecc/index.* || exit 1 - rm -r demoCA || exit 1 + rm -rf demoCA || exit 1 echo "Removed ../wolfssl.cnf, blank.index.txt, index.*, crlnumber*, demoCA/" - echo " ../ecc/index.txt" + echo " ../crl/index.txt" echo "" exit 0 } 
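Review bot: In setup_files the new `../crl/` paths appear to name the same files as the `./` lines next to them, assuming the script runs from certs/crl as the `./wolfssl.cnf` and `../ca-ecc-key.pem` arguments in the later hunk suggest. That makes `touch ../crl/index.txt` and `touch ../crl/crlnumber` redundant, and `echo "01" >> ../crl/crlnumber` appends a second `01` line to the crlnumber file that was seeded one line earlier. I would drop those three lines and write the remaining one as `touch ./index.txt.attr || exit 1`. In cleanup_files, `rm -rf demoCA || exit 1` can no longer report a missing directory because `-f` suppresses that error, so the `|| exit 1` there is close to dead code.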
@@ -171,12 +169,12 @@ mv tmp eccSrvCRL.pem # caEccCrl echo "Step 21" -openssl ca -config ../ecc/wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem +openssl ca -config ./wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem check_result $? # ca-ecc384-cert echo "Step 22" -openssl ca -config ../ecc/wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem +openssl ca -config ./wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem check_result $? exit 0 diff --git a/certs/crl/include.am b/certs/crl/include.am index 0cdd3a91c..c5d635df8 100644 --- a/certs/crl/include.am +++ b/certs/crl/include.am @@ -9,7 +9,8 @@ EXTRA_DIST += \ certs/crl/eccCliCRL.pem \ certs/crl/crl2.pem \ certs/crl/caEccCrl.pem \ - certs/crl/caEcc384Crl.pem + certs/crl/caEcc384Crl.pem \ + certs/crl/wolfssl.cnf EXTRA_DIST += \ certs/crl/crl.revoked diff --git a/certs/crl/wolfssl.cnf b/certs/crl/wolfssl.cnf new file mode 100644 index 000000000..78593cb8e --- /dev/null +++ b/certs/crl/wolfssl.cnf 
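Review bot: Step 22 signs the P-384 CA's CRL through `./wolfssl.cnf`, whose `default_md` is `sha256`, while genecc.sh in this same commit produces `caEcc384Crl.pem` through `wolfssl_384.cnf` with `default_md = sha384`. The same output file therefore ends up with a different signature digest depending on which script ran last. Passing the digest explicitly in Step 22 would keep it matched to the P-384 CA and make both generators agree: `openssl ca -config ./wolfssl.cnf -gencrl -crldays 1000 -md sha384 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem`.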
@@ -0,0 +1,110 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations relevant to where the script is executing
+dir = .
+certs = $dir/../
+new_certs_dir = $dir/../
+database = $dir/../crl/index.txt
+serial = $dir/../crl/serial
+# This should come from the system disregard local pathing
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+private_key = $dir/../ca-ecc-key.pem
+certificate = $dir/../ca-ecc-cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/../crl/crlnumber
+crl_extensions = crl_ext
+default_crl_days = 1000
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 3650
+preserve = no
+policy = policy_loose
+
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+countryName = US
+stateOrProvinceName = Washington
+localityName = Seattle
+0.organizationName = wolfSSL
+organizationalUnitName = Development
+commonName = www.wolfssl.com
+emailAddress = info@wolfssl.com
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
diff --git a/certs/ecc/genecc.sh b/certs/ecc/genecc.sh
index ef28371ba..2efb033c9 100755
--- a/certs/ecc/genecc.sh
+++ b/certs/ecc/genecc.sh
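Review bot: The new certs/crl/wolfssl.cnf has no header saying what it is for, and as far as this diff shows it is only consumed by the two `-gencrl` calls in gencrls.sh. The `[ req ]`, `[ v3_ca ]`, `[ usr_cert ]` and `[ server_cert ]` sections and the `serial`/`RANDFILE` entries look unused there. A short header would help the next maintainer, for example `# Test-only config for certs/crl/gencrls.sh; run from certs/crl. Only the CRL settings in [ CA_default ] and [ crl_ext ] are used.` It is also worth a comment next to `private_key`/`certificate` that they name the P-256 CA and that gencrls.sh overrides them with `-keyfile`/`-cert` when signing for the P-384 CA.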
@@ -13,21 +13,17 @@ echo 2000 > ./certs/ecc/crlnumber # generate ECC 256-bit CA openssl ecparam -out ./certs/ca-ecc-key.par -name prime256v1 -openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc-key.par -keyout ./certs/ca-ecc-key.pem -out ./certs/ca-ecc-cert.pem -sha256 -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" +openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc-key.par -keyout ./certs/ca-ecc-key.pem -out ./certs/ca-ecc-cert.pem -sha256 \ + -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" openssl x509 -in ./certs/ca-ecc-cert.pem -inform PEM -out ./certs/ca-ecc-cert.der -outform DER openssl ec -in ./certs/ca-ecc-key.pem -inform PEM -out ./certs/ca-ecc-key.der -outform DER rm ./certs/ca-ecc-key.par -# generate ECC 384-bit CA -openssl ecparam -out ./certs/ca-ecc384-key.par -name secp384r1 -openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc384-key.par -keyout ./certs/ca-ecc384-key.pem -out ./certs/ca-ecc384-cert.pem -sha384 -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" +# Gen CA CRL +openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEccCrl.pem -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem -openssl x509 -in ./certs/ca-ecc384-cert.pem -inform PEM -out ./certs/ca-ecc384-cert.der -outform DER -openssl ec -in ./certs/ca-ecc384-key.pem -inform PEM -out ./certs/ca-ecc384-key.der -outform DER - -rm ./certs/ca-ecc384-key.par # Generate ECC 256-bit server cert 
@@ -40,9 +36,53 @@ openssl x509 -in ./certs/server-ecc.pem -outform der -out ./certs/server-ecc.der rm ./certs/server-ecc-req.pem -# Gen CRL -openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEccCrl.pem -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem -openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEcc384Crl.pem -keyfile ./certs/ca-ecc384-key.pem -cert ./certs/ca-ecc384-cert.pem + + +# generate ECC 384-bit CA +openssl ecparam -out ./certs/ca-ecc384-key.par -name secp384r1 +openssl req -config ./certs/ecc/wolfssl_384.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc384-key.par -keyout ./certs/ca-ecc384-key.pem -out ./certs/ca-ecc384-cert.pem -sha384 \ + -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" + +openssl x509 -in ./certs/ca-ecc384-cert.pem -inform PEM -out ./certs/ca-ecc384-cert.der -outform DER +openssl ec -in ./certs/ca-ecc384-key.pem -inform PEM -out ./certs/ca-ecc384-key.der -outform DER + +rm ./certs/ca-ecc384-key.par + +# Gen CA CRL +openssl ca -config ./certs/ecc/wolfssl_384.cnf -gencrl -crldays 1000 -out ./certs/crl/caEcc384Crl.pem -keyfile ./certs/ca-ecc384-key.pem -cert ./certs/ca-ecc384-cert.pem + + + +# Generate ECC 384-bit server cert +openssl ecparam -out ./certs/server-ecc384-key.par -name secp384r1 +openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -x509 -nodes -newkey ec:./certs/server-ecc384-key.par -keyout ./certs/server-ecc384-key.pem -out ./certs/server-ecc384-req.pem \ + -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Srv/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/" +openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -new -key ./certs/server-ecc384-key.pem -out ./certs/server-ecc384-req.pem \ + -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Srv/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/" +openssl ec -in 
./certs/server-ecc384-key.pem -inform PEM -out ./certs/server-ecc384-key.der -outform DER + +# Sign server certificate +openssl ca -config ./certs/ecc/wolfssl_384.cnf -extensions server_cert -days 10950 -notext -md sha384 -in ./certs/server-ecc384-req.pem -out ./certs/server-ecc384-cert.pem +openssl x509 -in ./certs/server-ecc384-cert.pem -outform der -out ./certs/server-ecc384-cert.der + +rm ./certs/server-ecc384-req.pem +rm ./certs/server-ecc384-key.par + +# Generate ECC 384-bit client cert +openssl ecparam -out ./certs/client-ecc384-key.par -name secp384r1 +openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -x509 -nodes -newkey ec:./certs/client-ecc384-key.par -keyout ./certs/client-ecc384-key.pem -out ./certs/client-ecc384-req.pem \ + -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Cli/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/" +openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -new -key ./certs/client-ecc384-key.pem -out ./certs/client-ecc384-req.pem \ + -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Clit/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/" +openssl ec -in ./certs/client-ecc384-key.pem -inform PEM -out ./certs/client-ecc384-key.der -outform DER + +# Sign client certificate +openssl ca -config ./certs/ecc/wolfssl_384.cnf -extensions usr_cert -days 10950 -notext -md sha384 -in ./certs/client-ecc384-req.pem -out ./certs/client-ecc384-cert.pem +openssl x509 -in ./certs/client-ecc384-cert.pem -outform der -out ./certs/client-ecc384-cert.der + +rm ./certs/client-ecc384-req.pem +rm ./certs/client-ecc384-key.par + # Also manually need to: # 1. Copy ./certs/server-ecc.der into ./certs/test/server-cert-ecc-badsig.der `cp ./certs/server-ecc.der ./certs/test/server-cert-ecc-badsig.der` diff --git a/certs/ecc/include.am b/certs/ecc/include.am index 3c4eddbd4..b9897c1c2 100644 --- a/certs/ecc/include.am +++ b/certs/ecc/include.am 
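Review bot: In the client block the throwaway request uses `OU=ECC384Cli` but the request that is actually signed uses `OU=ECC384Clit`, so the issued client certificate carries what looks like a typo in its subject. The second `-subj` should read `.../O=Eliptic/OU=ECC384Cli/CN=www.wolfssl.com/...`, and the committed client certificate would need regenerating. In both the server and client blocks the first `openssl req -x509 -nodes -newkey ...` writes a self-signed certificate to the `*-req.pem` path, which the following `openssl req -new -key ...` immediately overwrites. It serves only to create the key, so a single `openssl req -new -nodes -newkey ec:<par> -keyout <key> -out <req>` would do the same without the discarded certificate. None of the commands in this hunk is status-checked, so a failed signing step still falls through to the DER conversion and `rm` lines unless the script sets `-e` outside the hunk.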
@@ -4,5 +4,5 @@ EXTRA_DIST += \ certs/ecc/genecc.sh \ - certs/ecc/wolfssl.cnf - + certs/ecc/wolfssl.cnf \ + certs/ecc/wolfssl_384.cnf diff --git a/certs/ecc/wolfssl.cnf b/certs/ecc/wolfssl.cnf index 969fdb9a3..a974aeb35 100644 --- a/certs/ecc/wolfssl.cnf +++ b/certs/ecc/wolfssl.cnf @@ -5,19 +5,19 @@ default_ca = CA_default [ CA_default ] # Directory and file locations relevant to where the script is executing dir = . -certs = $dir/../ -new_certs_dir = $dir/../ -database = $dir/../ecc/index.txt -serial = $dir/../ecc/serial +certs = $dir/certs +new_certs_dir = $dir/certs +database = $dir/certs/ecc/index.txt +serial = $dir/certs/ecc/serial # This should come from the system disregard local pathing RANDFILE = $dir/private/.rand # The root key and root certificate. -private_key = $dir/../ca-ecc-key.pem -certificate = $dir/../ca-ecc-cert.pem +private_key = $dir/certs/ca-ecc-key.pem +certificate = $dir/certs/ca-ecc-cert.pem # For certificate revocation lists. -crlnumber = $dir/../ecc/crlnumber +crlnumber = $dir/certs/ecc/crlnumber crl_extensions = crl_ext default_crl_days = 1000 diff --git a/certs/ecc/wolfssl_384.cnf b/certs/ecc/wolfssl_384.cnf new file mode 100644 index 000000000..7cb35f709 --- /dev/null +++ b/certs/ecc/wolfssl_384.cnf 
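Review bot: With `dir = .` unchanged and every path rewritten from `$dir/../...` to `$dir/certs/...`, this config now resolves only when openssl is started from the repository root, while the new certs/crl/wolfssl.cnf resolves only from certs/crl. The existing comment ("relevant to where the script is executing") does not say which directory that is, so I would make it explicit, e.g. `# Paths are relative to the repository root; genecc.sh must be run from there.` Any other caller that still passes this file from a subdirectory would now fail to find the index, serial and CA key files, so a grep for remaining users of `ecc/wolfssl.cnf` is worthwhile. The `[ CA_default ]` section continues past the end of the hunk.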
@@ -0,0 +1,110 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations relevant to where the script is executing
+dir = .
+certs = $dir/certs
+new_certs_dir = $dir/certs
+database = $dir/certs/ecc/index.txt
+serial = $dir/certs/ecc/serial
+# This should come from the system disregard local pathing
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+private_key = $dir/certs/ca-ecc384-key.pem
+certificate = $dir/certs/ca-ecc384-cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/certs/ecc/crlnumber
+crl_extensions = crl_ext
+default_crl_days = 1000
+
+# SHA-384 is default
+default_md = sha384
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 3650
+preserve = no
+policy = policy_loose
+
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-384 is default
+default_md = sha384
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+countryName = US
+stateOrProvinceName = Washington
+localityName = Seattle
+0.organizationName = wolfSSL
+organizationalUnitName = Development
+commonName = www.wolfssl.com
+emailAddress = info@wolfssl.com
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
diff --git a/certs/server-ecc384-cert.der b/certs/server-ecc384-cert.der
new file mode 100644
index 000000000..ea466cb11
Binary files /dev/null and b/certs/server-ecc384-cert.der differ
diff --git a/certs/server-ecc384-cert.pem b/certs/server-ecc384-cert.pem
new file mode 100644
index 000000000..ed415bf8e
--- /dev/null
+++ b/certs/server-ecc384-cert.pem
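Review bot: `database`, `serial` and `crlnumber` in `[ CA_default ]` point at the same `$dir/certs/ecc/` files that wolfssl.cnf uses for the P-256 CA, so the two CAs share one index, one serial counter and one CRL number. `openssl ca -gencrl` builds the CRL from whatever the index marks as revoked, so a revocation recorded for one CA would also show up in the other CA's CRL. That is harmless while nothing is revoked, but it is an easy trap for later test additions. Giving the P-384 CA its own state files (for example `index_384.txt`, `serial_384`, `crlnumber_384`, created alongside the existing ones in genecc.sh) would keep the two CAs independent. Separately, `default_bits = 2048` in `[ req ]` has no effect for the EC keys this config is used with and could be dropped.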
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDkjCCAxigAwIBAgICEAAwCgYIKoZIzj0EAwMwgZcxCzAJBgNVBAYTAlVTMRMw +EQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3 +b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZz +c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE4MTAx +OTEzNDA0M1oXDTQ4MTAxMTEzNDA0M1owgZUxCzAJBgNVBAYTAlVTMRMwEQYDVQQI +DApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGlj +MRIwEAYDVQQLDAlFQ0MzODRTcnYxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEf +MB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTB2MBAGByqGSM49AgEGBSuB +BAAiA2IABOrPk08sCbs5FA9WZMNAtN8OY67lcUsAzASX/+HpOJa7X5Gyasy1OV+P +cFnxAfZaKwFsaAvPVSWvbZhICqh0yakXoAzD+9MjaP4EPGNQiDu5T3xnNPc7qXPn +G8NRXiIY7KOCATUwggExMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMB0G +A1UdDgQWBBSCO/JlL/O0AMa8Bv15QnVLZdHOvDCBzAYDVR0jBIHEMIHBgBSr4MMm +TBjUcrvShIycCgWSgBJTUqGBnaSBmjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM +Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wx +FDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x +HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQD8OQSkDqVshzAOBgNV +HQ8BAf8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0EAwMDaAAw +ZQIxAOia1gUcnnky9I/5RZ4A7r19gJvqudLrnujFOsHcaqvmGVe4tg1QSS2TDfzH +t5uKyQIwUAkNmwgdmhfE5ytISptkpxyWq3z8NWWPefjOmUpzBG/gVxX1Wvn+Wc2Z +WeMuU92v +-----END CERTIFICATE----- diff --git a/certs/server-ecc384-key.der b/certs/server-ecc384-key.der new file mode 100644 index 000000000..9dde67642 Binary files /dev/null and b/certs/server-ecc384-key.der differ diff --git a/certs/server-ecc384-key.pem b/certs/server-ecc384-key.pem new file mode 100644 index 000000000..5d3d61d0c --- /dev/null +++ b/certs/server-ecc384-key.pem 
@@ -0,0 +1,6 @@ +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCk5QboBhY+q4n4YEPA +YCXbunv+GTUIVWV24tzgAYtraN/Pb4ASznk36yuce8RoHHShZANiAATqz5NPLAm7 +ORQPVmTDQLTfDmOu5XFLAMwEl//h6TiWu1+RsmrMtTlfj3BZ8QH2WisBbGgLz1Ul +r22YSAqodMmpF6AMw/vTI2j+BDxjUIg7uU98ZzT3O6lz5xvDUV4iGOw= +-----END PRIVATE KEY----- diff --git a/tests/test.conf b/tests/test.conf index a678f52c4..faad62e6e 100644 --- a/tests/test.conf +++ b/tests/test.conf @@ -2364,3 +2364,17 @@ -v 3 -l ECDHE-RSA-AES256-GCM-SHA384 -H useSupCurve + +# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 with P-384 Certs and CA +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-c ./certs/server-ecc384-cert.pem +-k ./certs/server-ecc384-key.pem +-A ./certs/ca-ecc384-cert.pem + +# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 with P-384 Certs and CA +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-c ./certs/client-ecc384-cert.pem +-k ./certs/client-ecc384-key.pem +-A ./certs/ca-ecc384-cert.pem