mbed TLS Build
Dependents: Encrypt_Decrypt1 mbed_blink_tls encrypt encrypt
tests/data_files/Readme-x509.txt@0:cdf462088d13, 2017-01-05 (annotated)
- Committer:
- markrad
- Date:
- Thu Jan 05 00:18:44 2017 +0000
- Revision:
- 0:cdf462088d13
Initial commit
Who changed what in which revision?
User | Revision | Line number | New contents of line |
---|---|---|---|
markrad | 0:cdf462088d13 | 1 | This documents the X.509 CAs, certificates, and CRLS used for testing. |
markrad | 0:cdf462088d13 | 2 | |
markrad | 0:cdf462088d13 | 3 | Certification authorities |
markrad | 0:cdf462088d13 | 4 | ------------------------- |
markrad | 0:cdf462088d13 | 5 | |
markrad | 0:cdf462088d13 | 6 | There are two main CAs for use as trusted roots: |
markrad | 0:cdf462088d13 | 7 | - test-ca.crt aka "C=NL, O=PolarSSL, CN=PolarSSL Test CA" |
markrad | 0:cdf462088d13 | 8 | uses a RSA-2048 key |
markrad | 0:cdf462088d13 | 9 | - test-ca2*.crt aka "C=NL, O=PolarSSL, CN=Polarssl Test EC CA" |
markrad | 0:cdf462088d13 | 10 | uses an EC key with NIST P-384 (aka secp384r1) |
markrad | 0:cdf462088d13 | 11 | variants used to test the keyUsage extension |
markrad | 0:cdf462088d13 | 12 | The files test-ca_cat12 and test-ca_cat21 contain them concatenated both ways. |
markrad | 0:cdf462088d13 | 13 | |
markrad | 0:cdf462088d13 | 14 | Two intermediate CAs are signed by them: |
markrad | 0:cdf462088d13 | 15 | - test-int-ca.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA" |
markrad | 0:cdf462088d13 | 16 | uses RSA-4096, signed by test-ca2 |
markrad | 0:cdf462088d13 | 17 | - test-int-ca2.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA" |
markrad | 0:cdf462088d13 | 18 | uses an EC key with NIST P-256, signed by test-ca |
markrad | 0:cdf462088d13 | 19 | |
markrad | 0:cdf462088d13 | 20 | A third intermediate CA is signed by test-int-ca2.crt: |
markrad | 0:cdf462088d13 | 21 | - test-int-ca3.crt "C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3" |
markrad | 0:cdf462088d13 | 22 | |
markrad | 0:cdf462088d13 | 23 | Finally, other CAs for specific purposes: |
markrad | 0:cdf462088d13 | 24 | - enco-ca-prstr.pem: has its CN encoded as a printable string, but child cert |
markrad | 0:cdf462088d13 | 25 | enco-cert-utf8str.pem has its issuer's CN encoded as a UTF-8 string. |
markrad | 0:cdf462088d13 | 26 | - test-ca-v1.crt: v1 "CA", signs |
markrad | 0:cdf462088d13 | 27 | server1-v1.crt: v1 "intermediate CA", signs |
markrad | 0:cdf462088d13 | 28 | server2-v1*.crt: EE cert (without of with chain in same file) |
markrad | 0:cdf462088d13 | 29 | - keyUsage.decipherOnly.crt: has the decipherOnly keyUsage bit set |
markrad | 0:cdf462088d13 | 30 | |
markrad | 0:cdf462088d13 | 31 | End-entity certificates |
markrad | 0:cdf462088d13 | 32 | ----------------------- |
markrad | 0:cdf462088d13 | 33 | |
markrad | 0:cdf462088d13 | 34 | Short information fields: |
markrad | 0:cdf462088d13 | 35 | |
markrad | 0:cdf462088d13 | 36 | - name or pattern |
markrad | 0:cdf462088d13 | 37 | - issuing CA: 1 -> test-ca.crt |
markrad | 0:cdf462088d13 | 38 | 2 -> test-ca2.crt |
markrad | 0:cdf462088d13 | 39 | I1 -> test-int-ca.crt |
markrad | 0:cdf462088d13 | 40 | I2 -> test-int-ca2.crt |
markrad | 0:cdf462088d13 | 41 | I3 -> test-int-ca3.crt |
markrad | 0:cdf462088d13 | 42 | O -> other |
markrad | 0:cdf462088d13 | 43 | - key type: R -> RSA, E -> EC |
markrad | 0:cdf462088d13 | 44 | - C -> there is a CRL revoking this cert (see below) |
markrad | 0:cdf462088d13 | 45 | - L -> CN=localhost (useful for local test servers) |
markrad | 0:cdf462088d13 | 46 | - P1, P2 if the file includes parent (resp. parent + grandparent) |
markrad | 0:cdf462088d13 | 47 | - free-form comments |
markrad | 0:cdf462088d13 | 48 | |
markrad | 0:cdf462088d13 | 49 | List of certificates: |
markrad | 0:cdf462088d13 | 50 | |
markrad | 0:cdf462088d13 | 51 | - cert_example_multi*.crt: 1/O R: subjectAltName |
markrad | 0:cdf462088d13 | 52 | - cert_example_wildcard.crt: 1 R: wildcard in subject's CN |
markrad | 0:cdf462088d13 | 53 | - cert_md*.crt, cert_sha*.crt: 1 R: signature hash |
markrad | 0:cdf462088d13 | 54 | - cert_v1_with_ext.crt: 1 R: v1 with extensions (illegal) |
markrad | 0:cdf462088d13 | 55 | - cli2.crt: 2 E: basic |
markrad | 0:cdf462088d13 | 56 | - enco-cert-utf8str.pem: see enco-ca-prstr.pem above |
markrad | 0:cdf462088d13 | 57 | - server1*.crt: 1* R C* P1*: misc *(server1-v1 see test-ca-v1.crt above) |
markrad | 0:cdf462088d13 | 58 | *CRL for: .cert_type.crt, .crt, .key_usage.crt, .v1.crt |
markrad | 0:cdf462088d13 | 59 | P1 only for _ca.crt |
markrad | 0:cdf462088d13 | 60 | - server2-v1*.crt: O R: see test-ca-v1.crt above |
markrad | 0:cdf462088d13 | 61 | - server2*.crt: 1 R L: misc |
markrad | 0:cdf462088d13 | 62 | - server3.crt: 1 E L: EC cert signed by RSA CA |
markrad | 0:cdf462088d13 | 63 | - server4.crt: 2 R L: RSA cert signed by EC CA |
markrad | 0:cdf462088d13 | 64 | - server5*.crt: 2* E L: misc *(except server5-selfsigned) |
markrad | 0:cdf462088d13 | 65 | -sha*: hashes |
markrad | 0:cdf462088d13 | 66 | -eku*: extendeKeyUsage (cli/srv = www client/server, cs = codesign, etc) |
markrad | 0:cdf462088d13 | 67 | -ku*: keyUsage (ds = signatures, ke/ka = key exchange/agreement) |
markrad | 0:cdf462088d13 | 68 | - server6-ss-child.crt: O E: "child" of non-CA server5-selfsigned |
markrad | 0:cdf462088d13 | 69 | - server6.crt, server6.pem: 2 E L C: revoked |
markrad | 0:cdf462088d13 | 70 | - server7*.crt: I1 E L P1*: EC signed by RSA signed by EC |
markrad | 0:cdf462088d13 | 71 | *P1 except 7.crt, P2 _int-ca_ca2.crt |
markrad | 0:cdf462088d13 | 72 | *_space: with PEM error(s) |
markrad | 0:cdf462088d13 | 73 | - server8*.crt: I2 R L: RSA signed by EC signed by RSA (P1 for _int-ca2) |
markrad | 0:cdf462088d13 | 74 | - server9*.crt: 1 R C* L P1*: signed using RSASSA-PSS |
markrad | 0:cdf462088d13 | 75 | *CRL for: 9.crt, -badsign, -with-ca (P1) |
markrad | 0:cdf462088d13 | 76 | - server10*.crt: I3 E L P2/P3 |
markrad | 0:cdf462088d13 | 77 | |
markrad | 0:cdf462088d13 | 78 | Certificate revocation lists |
markrad | 0:cdf462088d13 | 79 | ---------------------------- |
markrad | 0:cdf462088d13 | 80 | |
markrad | 0:cdf462088d13 | 81 | Signing CA in parentheses (same meaning as certificates). |
markrad | 0:cdf462088d13 | 82 | |
markrad | 0:cdf462088d13 | 83 | - crl-ec-sha*.pem: (2) server6.crt |
markrad | 0:cdf462088d13 | 84 | - crl-future.pem: (2) server6.crt + unknown |
markrad | 0:cdf462088d13 | 85 | - crl-rsa-pss-*.pem: (1) server9{,badsign,with-ca}.crt + cert_sha384.crt + unknown |
markrad | 0:cdf462088d13 | 86 | - crl.pem, crl_expired.pem: (1) server1{,.cert_type,.key_usage,.v1}.crt + unknown |
markrad | 0:cdf462088d13 | 87 | - crl_md*.pem: crl_sha*.pem: (1) same as crl.pem |
markrad | 0:cdf462088d13 | 88 | - crt_cat_*.pem: (1+2) concatenations in various orders: |
markrad | 0:cdf462088d13 | 89 | ec = crl-ec-sha256.pem, ecfut = crl-future.pem |
markrad | 0:cdf462088d13 | 90 | rsa = crl.pem, rsabadpem = same with pem error, rsaexp = crl_expired.pem |
markrad | 0:cdf462088d13 | 91 | |
markrad | 0:cdf462088d13 | 92 | Note: crl_future would revoke server9 and cert_sha384.crt if signed by CA 1 |
markrad | 0:cdf462088d13 | 93 | crl-rsa-pss* would revoke server6.crt if signed by CA 2 |