From: Francis Dupont Date: Thu, 11 Feb 2021 14:34:32 +0000 (+0100) Subject: [#1661] Imported ca and updated Makefiles X-Git-Tag: Kea-1.9.6~133 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c0a42cec63588d00f8de73bdbbe9b1b5ee8b63dc;p=thirdparty%2Fkea.git [#1661] Imported ca and updated Makefiles
---
diff --git a/src/lib/asiolink/tests/Makefile.am b/src/lib/asiolink/tests/Makefile.am
index db32572bb4..8f976cc4e1 100644
--- a/src/lib/asiolink/tests/Makefile.am
+++ b/src/lib/asiolink/tests/Makefile.am
@@ -10,6 +10,28 @@ if USE_STATIC_LINK
 AM_LDFLAGS = -static
 endif
+EXTRA_DIST =
+EXTRA_DIST += ca/0c7eedb9.0
+EXTRA_DIST += ca/3071e5ff.0
+EXTRA_DIST += ca/ad950210.0
+EXTRA_DIST += ca/d3d11a5f.0
+EXTRA_DIST += ca/doc
+EXTRA_DIST += ca/ext-addr-conf.cnf
+EXTRA_DIST += ca/ext-conf.cnf
+EXTRA_DIST += ca/kea-ca.crt
+EXTRA_DIST += ca/kea-ca.key
+EXTRA_DIST += ca/kea-client.crt
+EXTRA_DIST += ca/kea-client.csr
+EXTRA_DIST += ca/kea-client.key
+EXTRA_DIST += ca/kea-client.p12
+EXTRA_DIST += ca/kea-server-addr.crt
+EXTRA_DIST += ca/kea-server-addr.csr
+EXTRA_DIST += ca/kea-server.crt
+EXTRA_DIST += ca/kea-server.csr
+EXTRA_DIST += ca/kea-server.key
+EXTRA_DIST += ca/server-addr-conf.cnf
+EXTRA_DIST += ca/server-conf.cnf
+
 CLEANFILES = *.gcno *.gcda test-socket
 DISTCLEANFILES = process_spawn_app.sh
diff --git a/src/lib/asiolink/tests/ca/0c7eedb9.0 b/src/lib/asiolink/tests/ca/0c7eedb9.0
new file mode 120000
index 0000000000..bedcce508b
--- /dev/null
+++ b/src/lib/asiolink/tests/ca/0c7eedb9.0
@@ -0,0 +1 @@
+kea-server.crt
\ No newline at end of file
diff --git a/src/lib/asiolink/tests/ca/3071e5ff.0 b/src/lib/asiolink/tests/ca/3071e5ff.0
new file mode 120000
index 0000000000..25804e5f96
--- /dev/null
+++ b/src/lib/asiolink/tests/ca/3071e5ff.0
@@ -0,0 +1 @@
+kea-client.crt
\ No newline at end of file
diff --git a/src/lib/asiolink/tests/ca/ad950210.0 b/src/lib/asiolink/tests/ca/ad950210.0
new file mode 120000
index 0000000000..fbadeccd57
--- /dev/null
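Review bot: The EXTRA_DIST list added here stops at `ca/server-conf.cnf` and omits four files this same commit creates under ca/ — kea-ctrl-agent.json, kea-reverse-proxy.json, nginx.conf and nginx+auth.conf — so a `make dist` tarball would carry ca/doc but not the configurations that file tells the reader to use. Adding `EXTRA_DIST += ca/kea-ctrl-agent.json ca/kea-reverse-proxy.json ca/nginx.conf ca/nginx+auth.conf` alongside the other entries closes that gap. The list also deliberately distributes private key material (kea-ca.key, kea-client.key, kea-server.key and the kea-client.p12 bundle), which is fine for published test fixtures, but a comment above the list such as `# Test-only PKI fixtures: these keys are public and must never be used outside the unit tests.` would stop them being mistaken for deployable material.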
+++ b/src/lib/asiolink/tests/ca/ad950210.0
@@ -0,0 +1 @@
+kea-server-addr.crt
\ No newline at end of file
diff --git a/src/lib/asiolink/tests/ca/d3d11a5f.0 b/src/lib/asiolink/tests/ca/d3d11a5f.0
new file mode 120000
index 0000000000..7ceeb6f30a
--- /dev/null
+++ b/src/lib/asiolink/tests/ca/d3d11a5f.0
@@ -0,0 +1 @@
+kea-ca.crt
\ No newline at end of file
diff --git a/src/lib/asiolink/tests/ca/doc b/src/lib/asiolink/tests/ca/doc
new file mode 100644
index 0000000000..e70f35a4af
--- /dev/null
+++ b/src/lib/asiolink/tests/ca/doc
@@ -0,0 +1,96 @@
+Similar to doc/examples/https/nginx/kea-nginx.conf
+ password is keatest
+ Country Name is US
+ Organization Name is ISC Inc.
+ Common Name is the key name.
+
+1 - create a CA self signed certificate (password is keatest)
+ openssl genrsa -aes128 -out kea-ca.key 4096
+ openssl req -new -x509 -days 3650 -key kea-ca.key -out kea-ca.crt
+
+2 - create a key for the client and decipher it
+ openssl genrsa -aes128 -out kea-client-aes.key 2048
+ openssl rsa -in kea-client-aes.key -out kea-client.key
+ rm kea-client-aes.key
+
+3 - create a certificate for the client
+ openssl req -new -key kea-client.key -out kea-client.csr
+ openssl x509 -req -days 3650 -in kea-client.csr -CA kea-ca.crt \
+ -CAkey kea-ca.key -set_serial 10 -out kea-client.crt
+
+4 - create a PKCS#12 bundle on macOS (password is keatest)
+ openssl pkcs12 -in kea-client.crt -inkey kea-client.key -export \
+ -out kea-client.p12
+
+5 - create a key for the server and decipher it (same than 2)
+ openssl genrsa -aes128 -out kea-server-aes.key 2048
+ openssl rsa -in kea-server-aes.key -out kea-server.key
+ rm kea-server-aes.key
+
+6 - create a certificate with a subject alternate name set to localhost
+ for the server
+ openssl req -new -key kea-server.key -out kea-server.csr \
+ -config server-conf.cnf
+ openssl x509 -req -days 3650 -in kea-server.csr -CA kea-ca.crt \
+ -CAkey kea-ca.key -set_serial 20 -out kea-server.crt \
+ -extfile ext-conf.cnf
+
+7 - create a certificate with a subject alternate name set to 127.0.0.1
+ and ::1 for the server
+ openssl req -new -key kea-server.key -out kea-server-addr.csr \
+ -config server-addr-conf.cnf
+ openssl x509 -req -days 3650 -in kea-server-addrr.csr -CA kea-ca.crt \
+ -CAkey kea-ca.key -set_serial 30 -out kea-server-addr.crt \
+ -extfile ext-addr-conf.cnf
+
+8 - use c_rehash or openssl rehash to create hashes
+
+Setup the control agent: kea-ctrl-agent.json sample.
+
+Setup nginx:
+ nginx configs to use from this directory are:
+ nginx.conf (server authentication)
+ nginx+auth (mutual authentication i.e. the client certification is required)
+ Commands are 'nginx -c `pwd`/nginx{,+auth}.conf' and 'nginx -s stop'
+
+Setup the reverse proxy: kea-reverse-proxy.json
+(from the reverse_proxy directory)
+
+Using curl (change 443 (nginx) to 4443 (kea-reverse-proxy) if needed).
+Note the localhost is important: using 127.0.0.1 instead can make the
+subjectAltName check to fail. curl is also picky about http vs https.
+
+to send a command (e.g. list-commands) directly to the control agent
+listening at port 8000:
+
+curl -D - -X POST -H Content-Type:application/json \
+ -d '{ "command": "list-commands" }' http://localhost:8000
+
+With the CA only (so authenticating the server only):
+curl -D - -X POST -H Content-Type:application/json --cacert kea-ca.crt \
+ -d '{ "command": "list-commands" }' https://localhost:443
+
+With mutual authentication using OpenSSL:
+curl -D - -X POST -H Content-Type:application/json \
+ --cacert kea-ca.crt --cert kea-client.crt --key kea-client.key \
+
+With the mutual authentication on macOS (when the OpenSSL one fails):
+curl -D - -X POST -H Content-Type:application/json \
+ --cacert kea-ca.crt --cert kea-client.p12:keatest --cert-type P12 \
+ -d '{ "command": "list-commands" }' https://localhost:443
+
+Using kea-secure-shell from the secure_shell directory
+(change 4443 (kea-reverse-proxy) to 443 (nginx) if needed)
+
+To the control agent (kea-shell can be used too):
+echo | ./kea-secure-shell
+
+With server authentication only:
+echo | ./kea-secure-shell --ca ../reverse_proxy/tests/ca/kea-ca.crt \
+ --port 4443 --host localhost
+
+With the mutual authentication:
+echo | ./kea-secure-shell --ca ../reverse_proxy/tests/ca/kea-ca.crt \
+ --port 4443 --host localhost \
+ --cert ../reverse_proxy/tests/ca/kea-client.crt \
+ --key ../reverse_proxy/tests/ca/kea-client.key
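Review bot: The recipe in steps 1, 3, 6 and 7 yields a weaker chain than the tests probably intend: `openssl req -new -x509` runs with no CA extension section and the `openssl x509 -req` calls pass no `-sha256`, which matches the committed material — kea-ca.crt decodes as an X.509 v1 certificate (its TBS starts directly with the serial, so there is no basicConstraints or any other extension) and all three leaf certificates carry the sha1WithRSAEncryption OID (the `MA0GCSqGSIb3DQEBBQUA` run in each). Stricter verifiers — OpenSSL 3 at its default security level, and as far as I can tell several non-OpenSSL stacks — reject SHA-1 certificate signatures and v1 CA certificates, so regenerating with `openssl x509 -req -sha256 ...` and issuing the CA with `basicConstraints=critical,CA:TRUE` (via `-addext` on OpenSSL 1.1.1+ or a `-config` section) would keep the fixtures usable as the build's OpenSSL moves on. The text itself has three defects: step 7 reads `-in kea-server-addrr.csr` while the file created is kea-server-addr.csr, step 5's "same than 2" should be "same as 2", and the "With mutual authentication using OpenSSL" curl command ends on a trailing `\` with no `-d '{ "command": "list-commands" }' https://localhost:443` line, so it cannot be pasted as written. Since the CA key's password (keatest) and the unencrypted leaf keys are published here, the file should also open with a sentence stating that the whole hierarchy is test-only and that anyone holding the repository can mint certificates trusted by kea-ca.crt.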
diff --git a/src/lib/asiolink/tests/ca/ext-addr-conf.cnf b/src/lib/asiolink/tests/ca/ext-addr-conf.cnf
new file mode 100644
index 0000000000..a6b78c19ed
--- /dev/null
+++ b/src/lib/asiolink/tests/ca/ext-addr-conf.cnf
@@ -0,0 +1 @@
+subjectAltName=IP:127.0.0.1,IP:::1
diff --git a/src/lib/asiolink/tests/ca/ext-conf.cnf b/src/lib/asiolink/tests/ca/ext-conf.cnf
new file mode 100644
index 0000000000..aafe5bdf92
--- /dev/null
+++ b/src/lib/asiolink/tests/ca/ext-conf.cnf
@@ -0,0 +1 @@
+subjectAltName=DNS:localhost
diff --git a/src/lib/asiolink/tests/ca/kea-ca.crt b/src/lib/asiolink/tests/ca/kea-ca.crt
new file mode 100644
index 0000000000..cfb8c53896
--- /dev/null
+++ b/src/lib/asiolink/tests/ca/kea-ca.crt
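Review bot: These one-line extension files are the only extensions the server certificates end up with, because `openssl x509 -req -extfile` applies the file and does not carry over what the CSR requested — kea-server.csr in this commit asks for basicConstraints CA:FALSE and a keyUsage, yet kea-server.crt's extension block decodes to nothing but the subjectAltName (kea-server-addr.crt likewise, and kea-client.crt is issued as v1 with no extensions at all). A leaf certificate with no keyUsage or extendedKeyUsage passes typical purpose checks for either role, since those checks only reject when a present extension is wrong, so kea-server.crt plus kea-server.key from this same directory authenticate as a client exactly as kea-client.crt does, which blurs the server/client distinction the mutual-auth tests are meant to exercise. Adding `basicConstraints=CA:FALSE`, `keyUsage=digitalSignature,keyEncipherment` and `extendedKeyUsage=serverAuth` to both ext-conf.cnf and ext-addr-conf.cnf (and an `extendedKeyUsage=clientAuth` extfile for the client certificate) would pin each certificate to its intended role.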
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE3jCCAsYCCQDVzhmZelXOXDANBgkqhkiG9w0BAQsFADAxMQswCQYDVQQGEwJV +UzERMA8GA1UECgwISVNDIEluYy4xDzANBgNVBAMMBmtlYS1jYTAeFw0yMDA2MTEx +MzU3MzhaFw0zMDA2MDkxMzU3MzhaMDExCzAJBgNVBAYTAlVTMREwDwYDVQQKDAhJ +U0MgSW5jLjEPMA0GA1UEAwwGa2VhLWNhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A +MIICCgKCAgEAvKQ/vJpJnXjZ+/LxZNfPc/QYSChSEQ8qoxh8prBYvPXyDu9ORHOa +Dtd5AWusQLCI3iNYMDaJwrazj0g91jPKcxfvFZbnzFHTAZrDnmJwcTw96UfrP4b7 +PyXpUSF1/YfDf+/M3C7Wm9IJ/e704XHln/vFCw2dR/N5VOrXXJRcCd5NOES/ICXe +xe62Mv7OjUQS8u6ovejtaaMkvoV2hGSG2LXdgVOCv0U8ybRs03Xl8BVM4lFYVO9H +jnQ7O9AeGMqebvuyNAyGK9Dv+ERu65M9hB+pW//d+tVv3Dkfou+d5cOXPFXjf6vI +K+2ClxkBH4A5dhsRJ7vPI41mwXA+H0g+MzxJ8Lg0pzJuLher03RZq3pBHvEc/jek +P4u6mPrc+5J84jQ0hFwH4XIpxaKJsUiE/r1nFDiWRV27PgXMQgEbjdotxFX4IDBN +KPtQNrybxiQHsYoZPdKcEfh8XyVT4NHrcbqN1SNf2ZIfDkm09aeDYXDdINAD+0yZ +E+3YMeH4oWPpOIfW4OVzEDyfBGHyo2klTZfI5zdd54Kp4dKkzSlmIPC7OubdZZGo +SlZfUlWVcRkqMbUAsZ8H2sdz0l+4k8+VmyiA4EWAiO6SV5xmYSncPQIN5dE2PbIx +jKosl9JGhajs2gxCqlK+ZA3zgoFHhG1mKGWW7ucMic8Jy4oEq1XsoI0CAwEAATAN +BgkqhkiG9w0BAQsFAAOCAgEAert/+ovFSWtRWKbFZNXs/o9ElWtVp+dxbOtgUNIS +hdfLSHt/9nXw2FuBrvonDnTtl0kPhci1Qcwd5uAErlgddE6k27kcjOesMuXtwUke +LLb7UQG7TQy3KmB+ARnG+toNTm2d8I5420+VDLqU1oh++x9l9KpWsDENSNeTDulT +lVTJ7fVOTK7++NTCmqrp+Ublri3a2aoTK4pkt1ymcdIGD/kyCNeZro3/CKooV4yU +xyTMBV0Huyu9V6OldtKtfbP2sWrQn5McRY1/18wJVTMq+OV5EI73R4bn/frfwl8o +k8x8PH/ulozK+Pk4wz3z2NdT+ckSIfFs0RtVLW2MF1+8kJyt/9u8yUNfcw7MvNor +94Zr86Mg0ZsHlXgeFfLm7h9dB/lQ5mtotrXfH4C4zltjPz17xouBSuZjZhgbkLaJ +s4nPxWwxM/tN1mSYuVkiwq+qOz8ooePZh7zzEwpDiHr1tgzXxKojDcNC2uvVRTw/ +DKq8htcEb9kFyvDzxTq6zbvuNIyvzmpseEnpYxuzHFqCQtbN54Q88HuyebJlbxEI +0BNb74yxvAQj3P+KS8xY9iqPExBeMiQu85eGmpTtKSnNjP1i09bg+xOVlESOeUPE +cEe2ZsdEBwVaoCvjl5vbt2eJfpdt3UEwg6zfyncxjMZka/315B7d7k5qIEqsD5KO +HXQ= +-----END CERTIFICATE----- diff --git a/src/lib/asiolink/tests/ca/kea-ca.key b/src/lib/asiolink/tests/ca/kea-ca.key new file mode 100644 index 0000000000..4ac82d3399 --- /dev/null +++ b/src/lib/asiolink/tests/ca/kea-ca.key 
@@ -0,0 +1,54 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,1E4500430B45CC59A1AFA62E20D0632E + +L1O4pVdZnk9nHSyH4fkoEehRNfhE4xbYt28YMtVctjeOQQWCf6m89k/rtOlSb9c6 +82WMHWiACuWNGxcd3RLZl0dWTPZYE4xk6T3TzTk/GwkDbQRf/6hfzGcRnObVRGYq +kzBq6zXtoqFbq2jAACqCSoRlZgpLOv8hUdUcnto707iT0ebmwbNgPsxCBXjvxOYO +Pvkihpfd7QY5GD8fn14y/y/im/9sqZgpNfhEVeO//Dpo1Nvo6DasU1gTnEoOkRRK +/IBl12N4FxdiAjg16SfDw/M3/uka6ftekdr4PwD616qiUsBdKsuslp9aN82k+5RK +X3iuODmMc/42SUoSskbL5mkuroOZxihwbiKsejcmGOfVygYXuZ9a9tLHLsdKLoWO +1mmTMU4fzNpwXPor4h0yEDaortX2KwBVPnSWOMCJtwreukgt0GHfePfbd08Ojf6M +pyZZ7gVv/q573RSgQL6nipU+4Il6T+cK4Iwdui9WSFahiOKgALuhTX0eY7CmlfcR +hgNqmJhXEuXbEiQONcDA7iEAggdha4W3bm8blCj7QEBpr45fAyDSZxP/dNrIoZWC +BxbrTq+YqzLyhUOOE7THdR5qpCha5Tsoyv8n7K91v77wZjmL1poyqHbXqvWDIJni ++LAPJDd6/Z0lqXLyTV3U9FcE6cAz6kkl5J1aeWFzfWSPtdiSzMPFkaz1MUPPllHF +nyoA1R8PAD1yPj2accSIi8nBMYpOUrwMZcS+MbSW4GsbPEOqkluLgLLas/H9eohp +SdyPsSnNBmWaCAwNHGWRAyRRefeMsrjtlF2AfVMsrCIzUNiSiw0MHsZQV6zlI23i +/xyYxMn3fDmMxqJCJ8FkEHxVx5SeyzbysYmCfBsquKnfzE8JAyjmRQzdqfXHt5H9 +MEctsLiTQ+WPwWMN/6zHjuJMpJFZTfK/y0RUgTUyf02t0C4Bobx30DOx0SM4B7Rx +QQ7uwMlarE8Pg7tCDA0kC2aGCSaHo2u0qssmLVGhNKNkBVKkr7SpS4CM7dcIh+Yk +30Q4UQfCzRbS17RD1LfdUg+SPCeDFoKdh4f4FVoHXrbeEOhPJVeCjPli78nnPuZ0 +kGvndf/v+4DH40Wvt5aZj90mes6q+2Hy4GlgciELEWhMcj2QSiRISNi5UFNYRsSL +RsEhuksONQVrFnRS3n3WvQrZ8X4OLAfatlFewpR9UVvgfWXLuWLy6etDWa056wDa +4OW715YaEedSsF8WrfhRXmU/IDJ19oiQzsQiyeiKoFW3OVRyf2ngb8psUOwLbgA6 +kjcrzt77RsYKlP7TYC2hvycqnvvDhKCe6yQmd6vS1lOdBm8VZWzJCGFfoeucx4i2 +DS5ryWhU9d4VoCxFYEEsNhC8GKkrcATikhLnB8riJgt5PrJenYMBd9EsuwAo3Xaa ++95SeiAdka2XIN2dBDOJ4qAJYKhHyZF/fJpJP/1s3zGsdBN3mkY3C1C3/dYR1fan +7fK9Qx2fcZjeMTkdm91Ito7ui2LQDVjJoTEaZ0LyMh3Gz7hALuDfPeS3Eft3QXMB +Do3Tki68lvtc9DadlDQfTm84WvS4BVyOhQVQqhS2Ttq+ICGrNekPg1zyMUI2N0bo +8ulenrCKStFBqgyWq1aczcLNEDth0GWOFjLdgWUwI2pcN3tuouLHXpfKKARxxdis +Un3Dj5nhg6G2vGhTTTRdxMQeiT0Dr6Q2tD9VUNojVZwJ1c50dgZ6hlhzU5pv+1vU +krBjlx9szF2ikx2pUp8RHDAziKkv17zXDjvEJpE/pvYWHBfBPoQr5NPaPGYnbFIX 
+qaLYtWOAFlL3BI1XSO/32nYee0+WjnKMr4IOvXJfnaa94S+wU6pJEbTGHP+1aGNS +wsslmcfRDmmeblGd40Bo4ENCc93KxBf3V7g7/JnSUZO39TyfvMnyy1E3JC6fu/A4 +VvnlnFM+6ZjdhkiZ4RJqd2rc2AhA6HhOslJSa0kPRc6UQQqAci+7YHZBc/PELhpD +LpFbBXbqyi1jNQNodhhJtkD8VkvYHOisqzHFTITZp5epK8mjLkBhIW2VUVZ+dDK+ +3kFrKB+CaEvE1OBAlDYeVxMAvT1rmyjT04mqPRnp0G57+5VQQFYrKfVevDddLIt2 +tQphIcgZYAHTU+2otlPAOXqgPJWRoKNTw6Rtc6dELrAOE/kDFqZ4VKRnXRNFmxj3 +NSC8zapuNmkGQTo8CHzJuRI8sfNHjcDrMELHV1Fe8XSoqdovV2X+Xa/fesCaYfrp +6506uFGZSR7SrMdT5MoXGri1IEvGXkGI30UDq5QTEzHiyyYgC7kZFn3E/zREbA0y +/WahS8zICLsEK2ZknSv3q6e9aONokNbYu7PqvQtW5IPGrjdZxuQDtRXEYafiDLKT +c3h9eE8OKk5Si49TRjsYbuR4+BBw9N0R0RIfs5TIDkkGeCu0M4yFPKQVhCN98OAk +h0L+ZhQJZfbDE7QNBuvmRBNcpJYe7JTXl2/p6JjoxeyZTgShk81BiOmMCaWavKB+ +gIqy4X39y+J+AiYMiKy/+B5gtNaZaE9hka7RH2tV5nkiTBilZ6v5N1A4V4Q0PRFT +HZAXgnUwI0HcIRfkqxlF3gXMzhG1+K2wxS9uVn5K0E27xNeswr+ksfLJsyWz+gdT +/ZFgGyErUY6CLmYzmW+WfQox+qd9pd1TMISNuBWXrdoKkX8iFjj8SWyPcZvqMUkx +lo8RVzb/6ugSTcbCQGpf+6H8ZuOe9hZwD9tKBh6XZbC5KtBQ8TtSnrmsk9ufIzn8 +ACrJFTVOG4u/g/xn1j3MY4NIaLA77YSCed+TzOXBPmG+LrJM67n1tMtGWEPoOnGi +6pzJpF5cxsF4i0QoqdYFThqMb6mHtaVPsjjIpdzEXmYyQENLQECERE6lYlz9ZVkS +NsOR3KMOxXZQ+iWmqCptazz0hVVmEBFisg6K6WuQR3BpXcf8N9UP7xUnStlUUaQ7 +G5nf6BZl3AIxZPay/NoM87n4I4lplPaQwyK/ReMztu78OQFyx9mC1BGOHxVtF6hO +W+POZqc7ugCXiY8A08vSv5yt8paWDnU+hHXnEo04Hw0ex2KNOOZeL0Eg+idJTZe0 +/0yl0olct0HUgSyhU3wm0uWiHwulreoa3tNL+a4Xt7k5L2e5XcvAh3T2mgxzDq5q +-----END RSA PRIVATE KEY----- diff --git a/src/lib/asiolink/tests/ca/kea-client.crt b/src/lib/asiolink/tests/ca/kea-client.crt new file mode 100644 index 0000000000..ac50ec434c --- /dev/null +++ b/src/lib/asiolink/tests/ca/kea-client.crt 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID2jCCAcICAQowDQYJKoZIhvcNAQEFBQAwMTELMAkGA1UEBhMCVVMxETAPBgNV +BAoMCElTQyBJbmMuMQ8wDQYDVQQDDAZrZWEtY2EwHhcNMjAwNjExMTQwMzM2WhcN +MzAwNjA5MTQwMzM2WjA1MQswCQYDVQQGEwJVUzERMA8GA1UECgwISVNDIEluYy4x +EzARBgNVBAMMCmtlYS1jbGllbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDKbsDkElojvFhVt234GQOEVVudEp4s8KYnDQTZpsdeidrP3yY+qWfzG1k1 +6qMB5jXF7dRhzq4FiPbZMs5cz3BfwZDlxjWMxgixPaCrVphYLGhI8AOne8PEl47e +4Ae3Cl96dWUfQKQmGIzzHfTcJvCxUOCob5zYOCDvtjk48IxdvHi18Ab/hXyGJKXS +uqCsaXBRK7Amn8/jxMgdhds92tNxm0BiAJtsmkQm9QW8ztcoiEEgO4ViDRJSRKaG +9hVRrAe4GPisOjUzerADkPX/pchHIqmrTJ9YKhngOfDdiAZY1lkZc1cbM6zqqTgT +p1MvttSv8JEN6OMhM+bpCbaiWp4DAgMBAAEwDQYJKoZIhvcNAQEFBQADggIBAB2J +PLgkqxRdsHed455EElkOZvDXTCO9EdX3cZ+TQ2ykkEZPuJ9oCIIrQhhHLesU2N5S +PmGERaC/3JfUtYt4Un6BL+603KyKd4e8me/9LQ5VzfA38Bcoj4ojkSMhGL0i2qIA +pkJuVPQLSpA2zNzB7y24EEcAOrAP1wF/KHVOAT04GxdeddtrLa+PJnNumOoNVXIb +i86mThCwVPF0AKvA3M9KYa42GUJklFJjtrq+D55NSMQ32jTfG0soKDGUXUDmUn++ +q0Tz6M0CFjGfGxIpNyQyESb9VoIry87oUVPCh1XhTQjfBpIBl6wnwzGvxxZkuKfa +EPfl9dzjk4iiSGXupQokUXOjG4nLjjcEMP858P4ZWOlJzVbhDLnXKRxFcB8yCHeY +dML/tcX/uG0/Uj2Bj6+uJmleMRjrURef9Jr5NB9izwwFBCDNQqzNLuGpx1E6DqZi +PaY+JtunOV+tC4+8k7akgEqtEwcpAvmOtRkQulTnHCloR1d059PCLGOmbZBXR09/ +ikc4hReRR3bxDdm4kZY8Wc9PXLF/OmPSa/YUtb2d5VtpXXHh8CR5m0XCXhgMyQ8W +PDP4lPZodwJiqRlIBrmKVtODgg2CrWVtuBLkPV7WZ06anDm8+nQ2e+olcLeSblCl +lh0oOMIQ8xWg1hyZCkNs/8ukHE1X4/rFLvKpI0DW +-----END CERTIFICATE----- diff --git a/src/lib/asiolink/tests/ca/kea-client.csr b/src/lib/asiolink/tests/ca/kea-client.csr new file mode 100644 index 0000000000..89c3d02698 --- /dev/null +++ b/src/lib/asiolink/tests/ca/kea-client.csr 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICejCCAWICAQAwNTELMAkGA1UEBhMCVVMxETAPBgNVBAoMCElTQyBJbmMuMRMw +EQYDVQQDDAprZWEtY2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAym7A5BJaI7xYVbdt+BkDhFVbnRKeLPCmJw0E2abHXonaz98mPqln8xtZNeqj +AeY1xe3UYc6uBYj22TLOXM9wX8GQ5cY1jMYIsT2gq1aYWCxoSPADp3vDxJeO3uAH +twpfenVlH0CkJhiM8x303CbwsVDgqG+c2Dgg77Y5OPCMXbx4tfAG/4V8hiSl0rqg +rGlwUSuwJp/P48TIHYXbPdrTcZtAYgCbbJpEJvUFvM7XKIhBIDuFYg0SUkSmhvYV +UawHuBj4rDo1M3qwA5D1/6XIRyKpq0yfWCoZ4Dnw3YgGWNZZGXNXGzOs6qk4E6dT +L7bUr/CRDejjITPm6Qm2olqeAwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAMgA +4PiiHLAdo5tjjEWyPOsVCaKORAB8PqELc9XJHfZeyyCEDRptQfH//XKe7WRZmbZI +baq1cqjZFVb8yrMjBr1mXUOuBzmofexaXwFEMOufirUawenqGeivkIW23j+Jq6vX +xs2jlXdqE7H6ApXo5De0NhnpeNQS+88xDfQvcaqPYw5TmOrAtPrGt42vSa0x0vf6 +OnnFnOFEFh6AFfj6Sg6SWeNOn61RgUR5iqPkQsH33o/viTqKL4qITroFUHmau7Ec +BimeigqvKOMS785BxmXeYl2qEg9Vu4zaFePAHPPpjIA7LELfXdM/B6TOP9/aCMEd +NhQVPAUOXFxCnBHWo84= +-----END CERTIFICATE REQUEST----- diff --git a/src/lib/asiolink/tests/ca/kea-client.key b/src/lib/asiolink/tests/ca/kea-client.key new file mode 100644 index 0000000000..8a5bf94e46 --- /dev/null +++ b/src/lib/asiolink/tests/ca/kea-client.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAym7A5BJaI7xYVbdt+BkDhFVbnRKeLPCmJw0E2abHXonaz98m +Pqln8xtZNeqjAeY1xe3UYc6uBYj22TLOXM9wX8GQ5cY1jMYIsT2gq1aYWCxoSPAD +p3vDxJeO3uAHtwpfenVlH0CkJhiM8x303CbwsVDgqG+c2Dgg77Y5OPCMXbx4tfAG +/4V8hiSl0rqgrGlwUSuwJp/P48TIHYXbPdrTcZtAYgCbbJpEJvUFvM7XKIhBIDuF +Yg0SUkSmhvYVUawHuBj4rDo1M3qwA5D1/6XIRyKpq0yfWCoZ4Dnw3YgGWNZZGXNX +GzOs6qk4E6dTL7bUr/CRDejjITPm6Qm2olqeAwIDAQABAoIBAQCiT9OSC7UC2k3p +zL38I/JR9S8T7o2tcveGcEXnTnalMtujuUUtESAsKU2KkaxKJZAQN/YGxnV6Mqva +04XrnNh5rvbDhf4B9feaRdPCDhjw+gpUET6c1/vMcck4o2EMPuD3i5GdUXNMqHq7 +pNVkgESVqEe6RmP4amjeS7nuEdI6hSqFQa7EelC7C7HIIxz/jpiHRYk2pp5o3wx3 +EEyyhR+Ip3+U9EOlGZyqvasaGf6PYgBC2pTjitVP7+ArxokBTx1/VfNmVgOT+A+2 +kkqg4Ee3sgmBGjy0aUatr/QOSEELnJw9cHZLIapklDo+cS/ypSWiGASGUvCyjmBm +VDg/DDDBAoGBAPFXAR1NwmVNs5mU5LA9kgs8Pz/d4LAOa3CrUEFjBSMrfAkB3Je8 +0x0Xmht2QIRVPQ2NFklM07aqToWMtxPSoLoGlovgTEAtcyLWnRrANlhd0VwG0m62 +YlRkIrRcS5m1yS+EKETCEWnsGoCrdYbBdpKJVoNd4pxAHXYgjlzKLPH5AoGBANa6 +tz0RiP6GHU7yONR0yXEYmLhniWnE9A+5UEKjEt4ZOo4rDxocBZSENPwMf7576Vv3 +kTuL4aSkBPA5DxBsjOq/CT3o3Fng2aRLNL37glYrVLAsNIPs/YVWuLJZ2fXJZMbG +PbR2SVhXU8YvQaY3s6OlzfQ07Zd4T5TUnoMpDA7bAoGAJ5638R6d5lGeRX1bGc/R +1QRcAdkkFOMZIlMNht6BrmdqInRqyYJXSjRguVdtegwgTMQ3v2rcauWEpIoYWCnA +9ykzt9znx7VubG69NfIOOe2U/D2meER62g3iYKeyRZbBY4qXrcoKX9BB/ZOoZKoI +FEB1snVMSYiBDa6EkJkkTckCgYBeU3UtAWfxjw6O4H6wbYEUCl8EGo9VhCxGP/yO +2T3vjJuZWjbvHEIjRJRV6FOxZJNVUAJfawo7HcYBlL8WUujwMe0oYgNyBAD3WAYa +MsLFgZFZNoH3NgMEMN0/k5LYkpiPbQQsIw4DHZFybM3k63EhQTOgxCNet34V/fSH +318powKBgH/QdL/jSMUV4DGnPtayzTEszjgNsqt7SPkWvKtA+K+EoX2rlpZf65RI +Mei9BawHU2H4rfCN3QTqimHt2/xNKyCowF+a4fRLPz8bDqOqiWMPZeD+PscWSrKq +r3TDUNfttWQvdE5x1nct20T4dQ9FY1w8MgcsouBbmhFoWYDQOfuO +-----END RSA PRIVATE KEY----- diff --git a/src/lib/asiolink/tests/ca/kea-client.p12 b/src/lib/asiolink/tests/ca/kea-client.p12 new file mode 100644 index 0000000000..f18861fc55 Binary files /dev/null and b/src/lib/asiolink/tests/ca/kea-client.p12 differ 
diff --git a/src/lib/asiolink/tests/ca/kea-ctrl-agent.json b/src/lib/asiolink/tests/ca/kea-ctrl-agent.json
new file mode 100644
index 0000000000..517db0bcfd
--- /dev/null
+++ b/src/lib/asiolink/tests/ca/kea-ctrl-agent.json
@@ -0,0 +1,59 @@
+// This is a simple example of a configuration for Control-Agent (CA) or simply
+// Agent. This server provides RESTful interface for all Kea servers.
+{
+ "Control-agent":
+ {
+ // We need to specify where the agent should listen to incoming HTTP
+ // queries. Note that agent does not provide SSL or TLS protection
+ // on its own, so limiting the traffic to 127.0.0.1 is a good idea.
+ "http-host": "127.0.0.1",
+
+ // Another mandatory parameter is the HTTP port.
+ "http-port": 8000,
+
+ // This map specifies where control channel of each server is configured
+ // to listen on. See 'control-socket' object in the respective
+ // servers. At this time the only supported socket type is "unix".
+ // Make sure that the Agent and respective servers configuration
+ // matches exactly, otherwise they won't be able to communicate.
+ "control-sockets":
+ {
+ // This is how the Agent can communicate with the DHCPv4 server.
+ "dhcp4":
+ {
+ "socket-type": "unix",
+ "socket-name": "/tmp/kea4-ctrl-socket"
+ },
+
+ // Location of the DHCPv6 command channel socket.
+ "dhcp6":
+ {
+ "socket-type": "unix",
+ "socket-name": "/tmp/kea6-ctrl-socket"
+ }
+
+ // Currently DHCP-DDNS (nicknamed D2) does not support
+ // command channel yet, but we hope this will change in the
+ // future.
+ /*
+ "d2-server":
+ {
+ "socket-type": "unix",
+ "socket-name": "/tmp/kea2-socket-d2"
+ }*/
+ },
+
+ "loggers": [
+ {
+ "name": "kea-ctrl-agent",
+ "output_options": [
+ {
+ "output": "/var/log/kea-ctrl-agent.log"
+ }
+ ],
+ "severity": "INFO",
+ "debuglevel": 0
+ }
+ ]
+ }
+}
diff --git a/src/lib/asiolink/tests/ca/kea-reverse-proxy.json b/src/lib/asiolink/tests/ca/kea-reverse-proxy.json
new file mode 100644
index 0000000000..2ab4277ac1
--- /dev/null
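Review bot: The control-socket paths `/tmp/kea4-ctrl-socket` and `/tmp/kea6-ctrl-socket` place the command channel at a fixed name inside a world-writable directory, so another local user who creates the path first can squat it, and whether other users can connect depends on the daemon's umask rather than on this file. That is tolerable for a throwaway test run, but ca/doc points at this file as the sample to set up, so a comment on the first socket-name, e.g. `// Test-only path: outside the tests keep control sockets in a directory writable only by the Kea user.`, would keep the sample from being copied as-is. The `/var/log/kea-ctrl-agent.log` output likewise assumes privileges a test harness normally lacks, which is worth a similar one-line note.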
+++ b/src/lib/asiolink/tests/ca/kea-reverse-proxy.json
@@ -0,0 +1,55 @@
+{
+ // Main entry (required and only entry at this level).
+ "ReverseProxy": {
+ // Hostname of the reverse proxy and the control agent.
+ "host": "127.0.0.1",
+ // TCP port where the reverse proxy listen on.
+ "reverse-proxy-port": 4443,
+ // TCP port where the control agent listen on and
+ // the reverse proxy connect to.
+ "control-agent-port": 8000,
+ // Where to find api files.
+ "api-files": "../../share/api",
+ // Role assignment method (mandatory, value issuer or subject).
+ "assign-role-by": "issuer",
+ // Assignment method optional parameter.
+ "assign-role-parameter": {
+ // Map issuer kea-ca into admin role.
+ "kea-ca": "admin"
+ },
+ // Default role (reject everything if empty).
+ "default-role": "user",
+ // Role list.
+ "roles": [
+ {
+ // Role name (mandatory).
+ "name": "admin",
+ // Accept command filter.
+ "accept-commands": "all"
+ },
+ {
+ // Role name (mandatory).
+ "name" : "user",
+ // Accept command filter.
+ "accept-commands": {
+ // Match access.
+ "access": "read"
+ },
+ // Filter responses.
+ "response-filters": [
+ // Remove rejected commands from list-commands response.
+ "list-commands"
+ ]
+ }
+ ],
+ // Security aka TLS setting.
+ // Trust anchor aka CA (can be a file or a directory).
+ "trust-anchor": "tests/ca/kea-ca.crt",
+ // Server certificate file (please use accepted subjetAltName).
+ "cert-file": "tests/ca/kea-server.crt",
+ // Server key file (not ciphered).
+ "key-file": "tests/ca/kea-server.key",
+ // Client certificates are required or optional.
+ "cert-required": false
+ }
+}
diff --git a/src/lib/asiolink/tests/ca/kea-server-addr.crt b/src/lib/asiolink/tests/ca/kea-server-addr.crt
new file mode 100644
index 0000000000..9d9a9014db
--- /dev/null
+++ b/src/lib/asiolink/tests/ca/kea-server-addr.crt
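Review bot: `"cert-required": false` together with `"default-role": "user"` admits a client that presents no certificate at all into the "user" role, so this configuration exercises anonymous read access through the proxy, not merely optional client authentication; the file's own comment says an empty default-role rejects everything, so if anonymous reads are intended a note beside cert-required such as `// Clients presenting no certificate fall back to the read-only "user" role; use "default-role": "" to reject them.` would make the choice explicit and give anyone copying the sample the safe value. Because `assign-role-by: issuer` grants admin to every certificate issued by kea-ca and kea-ca.key ships in this directory with a documented password, the admin role is obtainable by anyone holding the repository — acceptable for fixtures, but worth the same test-only caveat. Two smaller points: `subjetAltName` in the cert-file comment is a typo for subjectAltName, and the `tests/ca/...` paths are relative to the process working directory, which the comments do not say.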
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIECzCCAfOgAwIBAgIBHjANBgkqhkiG9w0BAQUFADAxMQswCQYDVQQGEwJVUzER +MA8GA1UECgwISVNDIEluYy4xDzANBgNVBAMMBmtlYS1jYTAeFw0yMDA2MTIwODIz +MjJaFw0zMDA2MTAwODIzMjJaMDoxCzAJBgNVBAYTAlVTMREwDwYDVQQKDAhJU0Mg +SW5jLjEYMBYGA1UEAwwPa2VhLXNlcnZlci1hZGRyMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAveRRgIN0S8oeBXVaIEnsG1DKuDzKKqLoLdBQNfoZrKzD +LIMNzlabxu20h82Y/OU02EdEzar98OstzglIWimKFVI0Omi0AuinUkv9640tjoO0 +g0oyCiWFpJLJ8WOF4j7vmZUWuSS3VthlB+MLWlOZ5zACyPyWPo4Z2noHaYjfiQxB +H8r5GJtQiJGapgWRbeyI+m837bjimpz6V1AGebHvf+zd1Lj+zDOczp38PqIGUbmA +vfKCj+ILMS46wYjjHTvCG5WSCG/Skker2HAJM2cNcEPmQqAOpAkmFQ2G46bXB4rB +Xh9dNZB52U9QkyPFHKrnNn400B/xBGNKoyTSYbLQEwIDAQABoyUwIzAhBgNVHREE +GjAYhwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBBQUAA4ICAQBu +Q0ik+bDzzOMVS7L8aLNFZoy6bLCnEdihQLisviebsDFCkBin7lNbRW5zJHGCC5NE +q2r//HtHJ2yg99g2PKiLB9CBtzeK2c7tznnYM2PglzZFDlsOOd6Cmz07TjvHx/s5 +qJPAG6CMVx0bOwN22KCPE9sWdCytZ86SHGxhBYLR1GMWqwsKJEqDTnCwWGE575Mn +okSuzkStKT63Xetsv5zvMDivS4Z3j9n4NuNcA+PRnToU+CvITS8zMYfxHe6nobCv +RefnTAEgpQqUtuy6MR8dTAQdm6SVdGaYMZAH2eZQPqVR3+1GBcxdkhCNF/zs6rgO +TdojUP3rLT9bHT7KBgnZU7aqy0OxRaJNmkI7awkHYLQ/Zwm7IaxK7GNO/06woo/I +l7cUakm/8t9Ms8KslPbb5zz4h/sdTJTAC54Hk5d6D+dcViskyBYJAGa0fAkkmMAJ +prIsJIuhbKi0wiAwfRiUrdk0ZAmnCU9fUQ0jPp1yBaglGE1rlxIr8mo2G9cit6ua +a5V9Lybbpq+Q6CU8oPYVVkq4dYcqYL9+fMYiVe8NUQWCw+5jxzqj0uNPw2bFztUX +SeL5NutnK8z+7BwPtyQWIyATQZfJxgceSf+RH+vNLhfavSSAD7lJwsuW2KTxeyMV +DF52Q1yyWy6VzMhGhTtbQcZnM9D6gyb7dEiX+jNT7Q== +-----END CERTIFICATE----- diff --git a/src/lib/asiolink/tests/ca/kea-server-addr.csr b/src/lib/asiolink/tests/ca/kea-server-addr.csr new file mode 100644 index 0000000000..d6ba063652 --- /dev/null +++ b/src/lib/asiolink/tests/ca/kea-server-addr.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICyzCCAbMCAQAwOjELMAkGA1UEBhMCVVMxETAPBgNVBAoMCElTQyBJbmMuMRgw +FgYDVQQDDA9rZWEtc2VydmVyLWFkZHIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQC95FGAg3RLyh4FdVogSewbUMq4PMoqougt0FA1+hmsrMMsgw3OVpvG +7bSHzZj85TTYR0TNqv3w6y3OCUhaKYoVUjQ6aLQC6KdSS/3rjS2Og7SDSjIKJYWk +ksnxY4XiPu+ZlRa5JLdW2GUH4wtaU5nnMALI/JY+jhnaegdpiN+JDEEfyvkYm1CI +kZqmBZFt7Ij6bzftuOKanPpXUAZ5se9/7N3UuP7MM5zOnfw+ogZRuYC98oKP4gsx +LjrBiOMdO8IblZIIb9KSR6vYcAkzZw1wQ+ZCoA6kCSYVDYbjptcHisFeH101kHnZ +T1CTI8Ucquc2fjTQH/EEY0qjJNJhstATAgMBAAGgTDBKBgkqhkiG9w0BCQ4xPTA7 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMCEGA1UdEQQaMBiHBH8AAAGHEAAAAAAA +AAAAAAAAAAAAAAEwDQYJKoZIhvcNAQELBQADggEBADlAkM7Vt3acIbgx9uz/nzEU +biTUETzQnCU/mJZU+F8nuZtIlH9TAej4oT0J1uBuneGdkgGSm3lONUNxYJ7Uz8dm +wyudv4cpvtacAzPqZNb0aapX3qD9/lUbXfReoOUmt+asdmF2ncmn3l465ercxtUg +zhbU5uQUEk7C7f4OZQ3b08yG+tblFhpO7Xm4JD6nJk9iQ6gB4WBUDSr7mdm7PMmV +T8xesD7lDZVjSdXql9p/6YxJJR3360jycLXeTQbom6gfvsfQcs91yfGHRel2yoDx +ZBcmjfkYK7mwagpB/QCsZDuC4cxZyFM7lV/ukIysviW7WzrtT9mvfTEcTqmPsPU= +-----END CERTIFICATE REQUEST----- diff --git a/src/lib/asiolink/tests/ca/kea-server.crt b/src/lib/asiolink/tests/ca/kea-server.crt new file mode 100644 index 0000000000..5650a800f4 --- /dev/null +++ b/src/lib/asiolink/tests/ca/kea-server.crt 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID+TCCAeGgAwIBAgIBFDANBgkqhkiG9w0BAQUFADAxMQswCQYDVQQGEwJVUzER +MA8GA1UECgwISVNDIEluYy4xDzANBgNVBAMMBmtlYS1jYTAeFw0yMDA2MTExNDIy +MjJaFw0zMDA2MDkxNDIyMjJaMDUxCzAJBgNVBAYTAlVTMREwDwYDVQQKDAhJU0Mg +SW5jLjETMBEGA1UEAwwKa2VhLXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAL3kUYCDdEvKHgV1WiBJ7BtQyrg8yiqi6C3QUDX6GayswyyDDc5W +m8bttIfNmPzlNNhHRM2q/fDrLc4JSFopihVSNDpotALop1JL/euNLY6DtINKMgol +haSSyfFjheI+75mVFrkkt1bYZQfjC1pTmecwAsj8lj6OGdp6B2mI34kMQR/K+Rib +UIiRmqYFkW3siPpvN+244pqc+ldQBnmx73/s3dS4/swznM6d/D6iBlG5gL3ygo/i +CzEuOsGI4x07whuVkghv0pJHq9hwCTNnDXBD5kKgDqQJJhUNhuOm1weKwV4fXTWQ +edlPUJMjxRyq5zZ+NNAf8QRjSqMk0mGy0BMCAwEAAaMYMBYwFAYDVR0RBA0wC4IJ +bG9jYWxob3N0MA0GCSqGSIb3DQEBBQUAA4ICAQBpY9QcRjaHaBrkDdNUpGTTmyRq +XtHekmVmevS2lsYEHUw++4yId52r6O9G5gLJFXjFcF4cNxbsww7fYI3WfXHhJGfc +dw1JF+ivTb0QKg9XoJ4X2htEzaIdj5qxp63sEMQaTLHbfdVQvVH/ebD/MW0k0IC8 +YblLQB+rP8+wPPr4V7GAgxcRVKLh0U2Dq76W7dpLkmIqiR7KqaeUFJqxW3bLh+WH +M6jkosqKbJkYippBsZFtH0t8ybUCNWVGW2PBDEjNizKlwDhyjR6X4cMWA6UKXHGr ++NX0OUkRdsTknXMj+PoeMROPmjmUnIEA/rn4jl4xL4q9cBjoAfg8MupckMHrLjT8 ++nfMtW3ZJgbQbpngbQk1coSzcmgI8f19p0OhCd3TMxjlEWBIIvyYnbbDiKeTq2nt +MDRXOuTMyc5JpAaR94ZDTNst+r0ObKlkFW9054MfJCB9Ywwikycu7BPoWwnaV/lZ +uaUme7UExcsbIEmc4KmHScYMYUcvyNn8aLQFMES8RCUdr80ax0mHPpkeiyGQ/Upy +QwGx9OWzSd2ICzovO8WFScduy5rFVf4xVgakcth7A3encrdJ1hq+9PXwBm5bBc+4 +vaHi4AvNEtz8dEL03BE+OoUGm/AViEkYKwFM7nrrCS7c+rffvB9TnjP8Jfq8leeB +7orY713/oEM6JhcfvQ== +-----END CERTIFICATE----- diff --git a/src/lib/asiolink/tests/ca/kea-server.csr b/src/lib/asiolink/tests/ca/kea-server.csr new file mode 100644 index 0000000000..458b369c7d --- /dev/null +++ b/src/lib/asiolink/tests/ca/kea-server.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICuTCCAaECAQAwNTELMAkGA1UEBhMCVVMxETAPBgNVBAoMCElTQyBJbmMuMRMw +EQYDVQQDDAprZWEtc2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAveRRgIN0S8oeBXVaIEnsG1DKuDzKKqLoLdBQNfoZrKzDLIMNzlabxu20h82Y +/OU02EdEzar98OstzglIWimKFVI0Omi0AuinUkv9640tjoO0g0oyCiWFpJLJ8WOF +4j7vmZUWuSS3VthlB+MLWlOZ5zACyPyWPo4Z2noHaYjfiQxBH8r5GJtQiJGapgWR +beyI+m837bjimpz6V1AGebHvf+zd1Lj+zDOczp38PqIGUbmAvfKCj+ILMS46wYjj +HTvCG5WSCG/Skker2HAJM2cNcEPmQqAOpAkmFQ2G46bXB4rBXh9dNZB52U9QkyPF +HKrnNn400B/xBGNKoyTSYbLQEwIDAQABoD8wPQYJKoZIhvcNAQkOMTAwLjAJBgNV +HRMEAjAAMAsGA1UdDwQEAwIF4DAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZI +hvcNAQELBQADggEBAECqICoEZb0XeGwoBedtG2Exb4RUeoTAfL24q5a8cOtv0+Mw +i7y9LNihtRqP2kzhoZ7IhzSUZGVuh4BIUywpJHuWfM9b+fe+hxSGdqCeULKS3InK +4RWRh9jr12L7hEKfAG7VtL03/+Lm5DHLr47X6RkeZ5GwP29qqLwJcrK9qeFi26Bs +TrEafPInhF7PgyFjH2YVZVotNaOFMRvwEQwAMtuF7SAqRHr+8VHXP3yi9UjHvxRs +BpbVD6fEWNkLLJhoSqERgjWnsFlU3O+kj9R+iKA+6arxr4d+HS+dyYitFtVJaR6C +0+De9msTbJmn+2mu4zQ09Sdf0pN5lb/I3pgcbLU= +-----END CERTIFICATE REQUEST----- diff --git a/src/lib/asiolink/tests/ca/kea-server.key b/src/lib/asiolink/tests/ca/kea-server.key new file mode 100644 index 0000000000..9f0a30e129 --- /dev/null +++ b/src/lib/asiolink/tests/ca/kea-server.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAveRRgIN0S8oeBXVaIEnsG1DKuDzKKqLoLdBQNfoZrKzDLIMN +zlabxu20h82Y/OU02EdEzar98OstzglIWimKFVI0Omi0AuinUkv9640tjoO0g0oy +CiWFpJLJ8WOF4j7vmZUWuSS3VthlB+MLWlOZ5zACyPyWPo4Z2noHaYjfiQxBH8r5 +GJtQiJGapgWRbeyI+m837bjimpz6V1AGebHvf+zd1Lj+zDOczp38PqIGUbmAvfKC +j+ILMS46wYjjHTvCG5WSCG/Skker2HAJM2cNcEPmQqAOpAkmFQ2G46bXB4rBXh9d +NZB52U9QkyPFHKrnNn400B/xBGNKoyTSYbLQEwIDAQABAoIBAHYZ4nbDSzk346QR +cJRUZXw3q10ascICv9R+kuR/QCic6mZsu9FxHEGE5ZrwzA29oDhDWw9vIbENE9fo +/g7VdwP7tG//XrXQbQBKMwqlK4hPcZ2WL7kPzSamBOMUutgTvIEQsKlFpKFmxK87 +DnyHMlkPCyxlrCwLxRiUfLeuYRiiau/3mAHUneJiYTL+pqQVkeznSkWq1cYp9A7n +Gy4+3lxzyj3ru///S28V4UShh53PgPD5ghWKPqLJYbS6Zc1T8c0mtg/cbwZBUyuX +W8AkT/ifYuJEBn3oQWluI2acwV7Yy+onRgFOsfZwUiX1oQ7keNh7D5+5XJ6CpZxK +xtIpw0ECgYEA8wW6O07AQfA0dNNyMbHijfVabpeG1FKfqZeIhAnbYLwU1DJiipHl +fyNDo7wM0AM27puohMAjo16ZfacUseruIiUSvv8bcWQE9g3XN7RGqpfJHHPlRI2V +WT0iHEkjkMOkq4viufWcxGz/nw4BZERBnYmAOANmbwXX7ZnVbCnrjEUCgYEAyAhD +PPNUTQGTcME98lVPohHvtekuaqA415otCtHA330I4mG8I3XGYbYymXYnmbIzy0KH ++ZjMZdTXiWmqPYIh0P7ZOeXKXNe8ZTedCwfX+1wGpjk01KCIzpdoS8X5WeN23/1t +hoF+HTKdhRBQte68WFD36Dtb0r1Hwe+IKC8h7HcCgYB0i0mdSY3v0UcGw6Re6qTw +WTqOEMLLLfh9tzrzv1pikLAYdzVEqOT7TKkSa4tlcjU0xpdRWmd84FARrz/Adx7O +ZyMPT34UqderPEX648yD4RjEOVw4vQFjc2rZT8XrlbdxwTrw3TXaCT+pQmkucYFa +EGfZ9N953L6Jpp1wKsZYVQKBgEwaiKpZ0YryvIu7mbvnJUL+G/tT2isLBlVQ/S4O +m5jr00N997xuBKoMTbgBMhPRrs74Yw9dSPa9QbuwDesU5ZTEQRU8Df/AvJatz/vw +YgXp/0Wioiz7XtFq3W1mxvWiCwoxO0hfYAHvzepgSLTPPa1EMO2UF91X0kNAxMa1 +F+0FAoGAAIcCoN3PazFWSsNMO4EfZf4VUgnTg9Dh3mMH8M3hEGybISSVKz5NILBC +OKRKNLPLuj4TwTcurelNjMOUvkd/+yQgu1B9ImNuHdSvJjS9TzWCgZ26Q16woMzv +yKeky514sst/1LtWuwiitmGS0rpKf3vIlkqcUE9WcLd3Hy/PxKg= +-----END RSA PRIVATE KEY----- diff --git a/src/lib/asiolink/tests/ca/nginx+auth.conf b/src/lib/asiolink/tests/ca/nginx+auth.conf new file mode 100644 index 0000000000..e13c161548 --- /dev/null +++ b/src/lib/asiolink/tests/ca/nginx+auth.conf 
@@ -0,0 +1,32 @@
+events {
+}
+
+http {
+ # HTTPS server
+ server {
+ # Use default HTTPS port.
+ listen 443 ssl;
+ # Set server name.
+ server_name kea.example.org;
+
+ # Server certificate and key.
+ ssl_certificate kea-server.crt;
+ ssl_certificate_key kea-server.key;
+
+ # Certificate Authority. Client certificate must be signed by the CA.
+ ssl_client_certificate kea-ca.crt;
+
+ # Enable verification of the client certificate.
+ ssl_verify_client on;
+
+ error_log /tmp/ngix-log debug;
+
+ # For the URL https://kea.example.org forward the
+ # requests to http://127.0.0.1:8000.
+ # kea-shell defaults to / but --path can be used to set another value
+ # for instance kea-shell --path kea which will matches location /kea
+ location / {
+ proxy_pass http://127.0.0.1:8000;
+ }
+ }
+}
diff --git a/src/lib/asiolink/tests/ca/nginx.conf b/src/lib/asiolink/tests/ca/nginx.conf
new file mode 100644
index 0000000000..86fb6d88c0
--- /dev/null
+++ b/src/lib/asiolink/tests/ca/nginx.conf
@@ -0,0 +1,32 @@
+events {
+}
+
+http {
+ # HTTPS server
+ server {
+ # Use default HTTPS port.
+ listen 443 ssl;
+ # Set server name.
+ server_name kea.example.org;
+
+ # Server certificate and key.
+ ssl_certificate kea-server.crt;
+ ssl_certificate_key kea-server.key;
+
+ # Certificate Authority. Client certificate must be signed by the CA.
+ ssl_client_certificate kea-ca.crt;
+
+ # Enable verification of the client certificate.
+ ssl_verify_client off;
+
+ error_log /tmp/ngix-log debug;
+
+ # For the URL https://kea.example.org forward the
+ # requests to http://127.0.0.1:8000.
+ # kea-shell defaults to / but --path can be used to set another value
+ # for instance kea-shell --path kea which will matches location /kea
+ location / {
+ proxy_pass http://127.0.0.1:8000;
+ }
+ }
+}
diff --git a/src/lib/asiolink/tests/ca/server-addr-conf.cnf b/src/lib/asiolink/tests/ca/server-addr-conf.cnf
new file mode 100644
index 0000000000..025d1c3ef1
--- /dev/null
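Review bot: In nginx+auth.conf, `ssl_verify_client on` with `ssl_client_certificate kea-ca.crt` accepts any certificate that chains to the test CA, and none of the certificates committed alongside carry a keyUsage or extendedKeyUsage, so kea-server.crt with kea-server.key from the same directory authenticates as a client just as kea-client.crt does; that is inherent to these fixtures but deserves stating above the directive, e.g. `# Any certificate issued by kea-ca.crt is accepted; the test CA does not restrict key usage.`. The debug log is written to `/tmp/ngix-log`, a fixed and predictable name in a world-writable directory ("ngix" also looks like a typo for nginx), and for a test harness a path under the test's own working directory is the safer choice. The server does `listen 443 ssl` on every interface while `proxy_pass http://127.0.0.1:8000` targets the control agent, which has no authentication of its own, so on a shared host `listen 127.0.0.1:443 ssl;` plus `listen [::1]:443 ssl;` keeps exposure to what the doc's https://localhost:443 examples need.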
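Review bot: In nginx.conf the comment `# Certificate Authority. Client certificate must be signed by the CA.` is carried over from the mutual-auth variant but now sits directly above `ssl_verify_client off;`, so it asserts a requirement this file does not enforce and the `ssl_client_certificate kea-ca.crt;` beneath it is never consulted; either drop that directive and comment, or reword the comment to `# Server authentication only: no client certificate is requested.`. The point matters because this variant also does `listen 443 ssl` on all interfaces and forwards to the unauthenticated control agent at 127.0.0.1:8000 — the very exposure the control agent's sample config in this commit warns about — so while it runs, anyone who can reach port 443 on the test host has full command access. Binding with `listen 127.0.0.1:443 ssl;` and `listen [::1]:443 ssl;` limits that without changing the doc's https://localhost:443 examples.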
+++ b/src/lib/asiolink/tests/ca/server-addr-conf.cnf 
@@ -0,0 +1,355 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several ctificates with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+x509_extensions = usr_cert # The extentions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+#stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g.
server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_name
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = md5, sha1 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+
+[ alt_name ]
+IP.1 = 127.0.0.1
+IP.2 = ::1
diff --git a/src/lib/asiolink/tests/ca/server-conf.cnf b/src/lib/asiolink/tests/ca/server-conf.cnf
new file mode 100644
index 0000000000..3479efd309
--- /dev/null
+++ b/src/lib/asiolink/tests/ca/server-conf.cnf
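Review bot: `default_bits = 1024` in `[ req ]` makes every key generated from this config a 1024-bit RSA key, which current TLS stacks reject at their default security level, so regenerated test material could stop loading on newer OpenSSL builds; `default_bits = 2048` matches the stock sample configuration this file otherwise copies. The same line appears in the server-conf.cnf hunk. Most of the 355 lines (`[ CA_default ]`, `[ tsa ]`, `[ proxy_cert_ext ]`, …) are unused sample text, so a header comment naming the sections the test CA actually relies on — presumably `[ req ]`, `[ v3_req ]` and `[ alt_name ]` — would spare readers from auditing the rest.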
@@ -0,0 +1,354 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several ctificates with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+x509_extensions = usr_cert # The extentions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+#stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g.
server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_name
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = md5, sha1 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+
+[ alt_name ]
+DNS.1 = localhost
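Review bot: `[ alt_name ]` gives this server certificate request only `DNS.1 = localhost`, while the nginx examples added in the same commit serve `server_name kea.example.org`; a client that validates the host name against kea-server.crt would reject it unless it connects to localhost. Either add `DNS.2 = kea.example.org` or state in a comment above the section that the certificate is valid only for connections to localhost. Whether the SAN reaches the issued certificate also depends on `copy_extensions`, which is commented out in `[ CA_default ]`; presumably ext-conf.cnf re-supplies it at signing time, which is worth confirming.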