mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-23 06:05:28 +00:00
Add Readme about X.509 test files
This commit is contained in:
parent
8c9223df84
commit
4be3449dbc
85
tests/data_files/Readme-x509.txt
Normal file
85
tests/data_files/Readme-x509.txt
Normal file
|
@ -0,0 +1,85 @@
|
|||
This documents the X.509 CAs, certificates, and CRLS used for testing.
|
||||
|
||||
Certification authorities
|
||||
-------------------------
|
||||
|
||||
There are two main CAs for use as trusted roots:
|
||||
- test-ca.crt aka "C=NL, O=PolarSSL, CN=PolarSSL Test CA"
|
||||
uses a RSA-2048 key
|
||||
- test-ca2*.crt aka "C=NL, O=PolarSSL, CN=Polarssl Test EC CA"
|
||||
uses an EC key with NIST P-384 (aka secp384r1)
|
||||
variants used to test the keyUsage extension
|
||||
The files test-ca_cat12 and test-ca_cat21 contain them concatenated both ways.
|
||||
|
||||
Two intermediate CAs are signed by them:
|
||||
- test-int-ca.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA"
|
||||
uses RSA-4096, signed by test-ca2
|
||||
- test-int-ca2.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA"
|
||||
uses an EC key with NIST P-256, signed by test-ca
|
||||
|
||||
Finally, other CAs for specific purposes:
|
||||
- enco-ca-prstr.pem: has its CN encoded as a printable string, but child cert
|
||||
enco-cert-utf8str.pem has its issuer's CN encoded as a UTF-8 string.
|
||||
- test-ca-v1.crt: v1 "CA", signs
|
||||
server1-v1.crt: v1 "intermediate CA", signs
|
||||
server2-v1*.crt: EE cert (without of with chain in same file)
|
||||
|
||||
End-entity certificates
|
||||
-----------------------
|
||||
|
||||
Short information fields:
|
||||
|
||||
- name or pattern
|
||||
- issuing CA: 1 -> test-ca.crt
|
||||
2 -> test-ca2.crt
|
||||
I1 -> test-int-ca.crt
|
||||
I2 -> test-int-ca2.crt
|
||||
O -> other
|
||||
- key type: R -> RSA, E -> EC
|
||||
- C -> there is a CRL revoking this cert (see below)
|
||||
- L -> CN=localhost (useful for local test servers)
|
||||
- P1, P2 if the file include parent (resp. parent + grandparent)
|
||||
- free-form comments
|
||||
|
||||
List of certificates:
|
||||
|
||||
- cert_example_multi*.crt: 1/O R: subjectAltName
|
||||
- cert_example_wildcard.crt: 1 R: wildcard in subject's CN
|
||||
- cert_md*.crt, cert_sha*.crt: 1 R: signature hash
|
||||
- cert_v1_with_ext.crt: 1 R: v1 with extensions (illegal)
|
||||
- cli2.crt: 2 E: basic
|
||||
- enco-cert-utf8str.pem: see enco-ca-prstr.pem above
|
||||
- server1*.crt: 1* R C*: misc *(server1-v1 see test-ca-v1.crt above)
|
||||
*CRL for: .cert_type.crt, .crt, .key_usage.crt, .v1.crt
|
||||
- server2-v1*.crt: O R: see test-ca-v1.crt above
|
||||
- server2*.crt: 1 R L: misc
|
||||
- server3.crt: 1 E L: EC cert signed by RSA CA
|
||||
- server4.crt: 2 R L: RSA cert signed by EC CA
|
||||
- server5*.crt: 2* E L: misc *(except server5-selfsigned)
|
||||
-sha*: hashes
|
||||
-eku*: extendeKeyUsage (cli/srv = www client/server, cs = codesign, etc)
|
||||
-ku*: keyUsage (ds = signatures, ke/ka = key exchange/agreement)
|
||||
- server6-ss-child.crt: O E: "child" of non-CA server5-selfsigned
|
||||
- server6.crt, server6.pem: 2 E L C: revoked
|
||||
- server7*.crt: I1 E L P1*: EC signed by RSA signed by EC *(except 7.crt)
|
||||
*_space: with PEM error(s)
|
||||
- server8*.crt: I2 R L: RSA signed by EC signed by RSA (P1 for _int-ca2)
|
||||
- server9*.crt: 1 R C* L P1*: signed using RSASSA-PSS
|
||||
*CRL for: 9.crt, -badsign, -with-ca (P1)
|
||||
|
||||
Certificate revocation lists
|
||||
----------------------------
|
||||
|
||||
Signing CA in parentheses (same meaning as certificates).
|
||||
|
||||
- crl-ec-sha*: (2) server6.crt
|
||||
- crl-future.pem: (2) server6.crt + unkown
|
||||
- crl-rsa-pss-*.pem: (1) server9{,badsign,with-ca}.crt + cert_sha384.crt + unknown
|
||||
- crl.pem, crl_expired.pem: (1) server1{,.cert_type,.key_usage,.v1}.crt + unknown
|
||||
- crl_md*.pem: crl_sha*.pem: (1) same as crl.pem
|
||||
- crt_cat_*.pem: (1+2) concatenations in various orders:
|
||||
ec = crl-ec-sha256.pem, ecfut = crl-future.pem
|
||||
rsa = crl.pem, rsabadpem = same with pem error, rsaexp = crl_expired.pem
|
||||
|
||||
Note: crl_future would revoke server9 and cert_sha384.crt if signed by CA 1
|
||||
crl-rsa-pss* would revoke server6.crt if signed by CA 2
|
|
@ -1,13 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIB3TCCAZSgAwIBAgIBGDAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD
|
||||
VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJTU0wgVGVzdCBFQyBDQTAeFw0x
|
||||
MzA4MDgxNjQ0MTBaFw0yMzA4MDYxNjQ0MTBaMDQxCzAJBgNVBAYTAk5MMREwDwYD
|
||||
VQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MEkwEwYHKoZIzj0CAQYI
|
||||
KoZIzj0DAQEDMgAEE2sIbSZOSEinZM3q2MMOy8egM8Y9BAcsuwxO9UpS1B8nT9u1
|
||||
1bvjTh5VQAgJAU+Oo4GdMIGaMAkGA1UdEwQCMAAwHQYDVR0OBBYEFDYreWnU1s1J
|
||||
AG49ALPOQliFaJahMG4GA1UdIwRnMGWAFNCkRpkIZ/H0utlW6GcwC/zvJRZjoUKk
|
||||
QDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1Bv
|
||||
bGFyU1NMIFRlc3QgRUMgQ0GCCQClZwiM/hcKsjAJBgcqhkjOPQQBAzgAMDUCGQDq
|
||||
PIUaCr8u28R7V0G/TEOklXgPawdiY4ICGDzmBegZHs7BcNwENa1fn4JYUdTPqKwl
|
||||
LA==
|
||||
-----END CERTIFICATE-----
|
Loading…
Reference in a new issue