mbed TLS Build

Dependents:   Encrypt_Decrypt1 mbed_blink_tls encrypt encrypt

Committer:
markrad
Date:
Thu Jan 05 00:18:44 2017 +0000
Revision:
0:cdf462088d13
Initial commit

Who changed what in which revision?

UserRevisionLine numberNew contents of line
markrad 0:cdf462088d13 1 This documents the X.509 CAs, certificates, and CRLS used for testing.
markrad 0:cdf462088d13 2
markrad 0:cdf462088d13 3 Certification authorities
markrad 0:cdf462088d13 4 -------------------------
markrad 0:cdf462088d13 5
markrad 0:cdf462088d13 6 There are two main CAs for use as trusted roots:
markrad 0:cdf462088d13 7 - test-ca.crt aka "C=NL, O=PolarSSL, CN=PolarSSL Test CA"
markrad 0:cdf462088d13 8 uses a RSA-2048 key
markrad 0:cdf462088d13 9 - test-ca2*.crt aka "C=NL, O=PolarSSL, CN=Polarssl Test EC CA"
markrad 0:cdf462088d13 10 uses an EC key with NIST P-384 (aka secp384r1)
markrad 0:cdf462088d13 11 variants used to test the keyUsage extension
markrad 0:cdf462088d13 12 The files test-ca_cat12 and test-ca_cat21 contain them concatenated both ways.
markrad 0:cdf462088d13 13
markrad 0:cdf462088d13 14 Two intermediate CAs are signed by them:
markrad 0:cdf462088d13 15 - test-int-ca.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA"
markrad 0:cdf462088d13 16 uses RSA-4096, signed by test-ca2
markrad 0:cdf462088d13 17 - test-int-ca2.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA"
markrad 0:cdf462088d13 18 uses an EC key with NIST P-256, signed by test-ca
markrad 0:cdf462088d13 19
markrad 0:cdf462088d13 20 A third intermediate CA is signed by test-int-ca2.crt:
markrad 0:cdf462088d13 21 - test-int-ca3.crt "C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3"
markrad 0:cdf462088d13 22
markrad 0:cdf462088d13 23 Finally, other CAs for specific purposes:
markrad 0:cdf462088d13 24 - enco-ca-prstr.pem: has its CN encoded as a printable string, but child cert
markrad 0:cdf462088d13 25 enco-cert-utf8str.pem has its issuer's CN encoded as a UTF-8 string.
markrad 0:cdf462088d13 26 - test-ca-v1.crt: v1 "CA", signs
markrad 0:cdf462088d13 27 server1-v1.crt: v1 "intermediate CA", signs
markrad 0:cdf462088d13 28 server2-v1*.crt: EE cert (without of with chain in same file)
markrad 0:cdf462088d13 29 - keyUsage.decipherOnly.crt: has the decipherOnly keyUsage bit set
markrad 0:cdf462088d13 30
markrad 0:cdf462088d13 31 End-entity certificates
markrad 0:cdf462088d13 32 -----------------------
markrad 0:cdf462088d13 33
markrad 0:cdf462088d13 34 Short information fields:
markrad 0:cdf462088d13 35
markrad 0:cdf462088d13 36 - name or pattern
markrad 0:cdf462088d13 37 - issuing CA: 1 -> test-ca.crt
markrad 0:cdf462088d13 38 2 -> test-ca2.crt
markrad 0:cdf462088d13 39 I1 -> test-int-ca.crt
markrad 0:cdf462088d13 40 I2 -> test-int-ca2.crt
markrad 0:cdf462088d13 41 I3 -> test-int-ca3.crt
markrad 0:cdf462088d13 42 O -> other
markrad 0:cdf462088d13 43 - key type: R -> RSA, E -> EC
markrad 0:cdf462088d13 44 - C -> there is a CRL revoking this cert (see below)
markrad 0:cdf462088d13 45 - L -> CN=localhost (useful for local test servers)
markrad 0:cdf462088d13 46 - P1, P2 if the file includes parent (resp. parent + grandparent)
markrad 0:cdf462088d13 47 - free-form comments
markrad 0:cdf462088d13 48
markrad 0:cdf462088d13 49 List of certificates:
markrad 0:cdf462088d13 50
markrad 0:cdf462088d13 51 - cert_example_multi*.crt: 1/O R: subjectAltName
markrad 0:cdf462088d13 52 - cert_example_wildcard.crt: 1 R: wildcard in subject's CN
markrad 0:cdf462088d13 53 - cert_md*.crt, cert_sha*.crt: 1 R: signature hash
markrad 0:cdf462088d13 54 - cert_v1_with_ext.crt: 1 R: v1 with extensions (illegal)
markrad 0:cdf462088d13 55 - cli2.crt: 2 E: basic
markrad 0:cdf462088d13 56 - enco-cert-utf8str.pem: see enco-ca-prstr.pem above
markrad 0:cdf462088d13 57 - server1*.crt: 1* R C* P1*: misc *(server1-v1 see test-ca-v1.crt above)
markrad 0:cdf462088d13 58 *CRL for: .cert_type.crt, .crt, .key_usage.crt, .v1.crt
markrad 0:cdf462088d13 59 P1 only for _ca.crt
markrad 0:cdf462088d13 60 - server2-v1*.crt: O R: see test-ca-v1.crt above
markrad 0:cdf462088d13 61 - server2*.crt: 1 R L: misc
markrad 0:cdf462088d13 62 - server3.crt: 1 E L: EC cert signed by RSA CA
markrad 0:cdf462088d13 63 - server4.crt: 2 R L: RSA cert signed by EC CA
markrad 0:cdf462088d13 64 - server5*.crt: 2* E L: misc *(except server5-selfsigned)
markrad 0:cdf462088d13 65 -sha*: hashes
markrad 0:cdf462088d13 66 -eku*: extendeKeyUsage (cli/srv = www client/server, cs = codesign, etc)
markrad 0:cdf462088d13 67 -ku*: keyUsage (ds = signatures, ke/ka = key exchange/agreement)
markrad 0:cdf462088d13 68 - server6-ss-child.crt: O E: "child" of non-CA server5-selfsigned
markrad 0:cdf462088d13 69 - server6.crt, server6.pem: 2 E L C: revoked
markrad 0:cdf462088d13 70 - server7*.crt: I1 E L P1*: EC signed by RSA signed by EC
markrad 0:cdf462088d13 71 *P1 except 7.crt, P2 _int-ca_ca2.crt
markrad 0:cdf462088d13 72 *_space: with PEM error(s)
markrad 0:cdf462088d13 73 - server8*.crt: I2 R L: RSA signed by EC signed by RSA (P1 for _int-ca2)
markrad 0:cdf462088d13 74 - server9*.crt: 1 R C* L P1*: signed using RSASSA-PSS
markrad 0:cdf462088d13 75 *CRL for: 9.crt, -badsign, -with-ca (P1)
markrad 0:cdf462088d13 76 - server10*.crt: I3 E L P2/P3
markrad 0:cdf462088d13 77
markrad 0:cdf462088d13 78 Certificate revocation lists
markrad 0:cdf462088d13 79 ----------------------------
markrad 0:cdf462088d13 80
markrad 0:cdf462088d13 81 Signing CA in parentheses (same meaning as certificates).
markrad 0:cdf462088d13 82
markrad 0:cdf462088d13 83 - crl-ec-sha*.pem: (2) server6.crt
markrad 0:cdf462088d13 84 - crl-future.pem: (2) server6.crt + unknown
markrad 0:cdf462088d13 85 - crl-rsa-pss-*.pem: (1) server9{,badsign,with-ca}.crt + cert_sha384.crt + unknown
markrad 0:cdf462088d13 86 - crl.pem, crl_expired.pem: (1) server1{,.cert_type,.key_usage,.v1}.crt + unknown
markrad 0:cdf462088d13 87 - crl_md*.pem: crl_sha*.pem: (1) same as crl.pem
markrad 0:cdf462088d13 88 - crt_cat_*.pem: (1+2) concatenations in various orders:
markrad 0:cdf462088d13 89 ec = crl-ec-sha256.pem, ecfut = crl-future.pem
markrad 0:cdf462088d13 90 rsa = crl.pem, rsabadpem = same with pem error, rsaexp = crl_expired.pem
markrad 0:cdf462088d13 91
markrad 0:cdf462088d13 92 Note: crl_future would revoke server9 and cert_sha384.crt if signed by CA 1
markrad 0:cdf462088d13 93 crl-rsa-pss* would revoke server6.crt if signed by CA 2