Add build instructions for CRTs and keys using P-256

tests/data_files/Makefile

@@ -15,6 +15,7 @@ OPENSSL ?= openssl
 FAKETIME ?= faketime
 MBEDTLS_CERT_WRITE ?= $(PWD)/../../programs/x509/cert_write
 MBEDTLS_CERT_REQ ?= $(PWD)/../../programs/x509/cert_req
+MBEDTLS_GEN_KEY ?= $(PWD)/../../programs/pkey/gen_key
 
 ## Build the generated test data. Note that since the final outputs
 ## are committed to the repository, this target should do nothing on a
@@ -146,6 +147,42 @@ all_final += cli-rsa-sha256.crt.der
 	$(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER
 all_final += cli-rsa.key.der
 
+test-ca3.key.pem:
+	$(MBEDTLS_GEN_KEY) type=ec ec_curve=secp256r1 format=pem filename=$@
+test-ca3.key.der: test-ca3.key.pem
+	$(OPENSSL) ec -inform PEM -outform DER -in $< -out $@
+test-ca3.csr: test-ca3.key.der
+	$(MBEDTLS_CERT_REQ) filename=$< output_file=$@ subject_name="CN=Test CA Secp256r1, O=MbedTLS, C=UK" md=SHA256
+test-ca3.crt.pem: test-ca3.csr test-ca3.key.der
+	$(MBEDTLS_CERT_WRITE) request_file=test-ca3.csr selfsign=1 issuer_name="CN=Test CA Secp256r1, O=MbedTLS, C=UK" is_ca=1 md=SHA256 issuer_key=test-ca3.key.der output_file=$@
+test-ca3.crt.der: test-ca3.crt.pem
+	$(OPENSSL) x509 -inform PEM -outform DER -in $< -out $@
+all_final += test-ca3.key.pem test-ca3.key.der test-ca3.csr test-ca3.crt.pem test-ca3.crt.der
+
+cli3.key.pem:
+	$(MBEDTLS_GEN_KEY) type=ec ec_curve=secp256r1 format=pem filename=$@
+cli3.key.der: cli3.key.pem
+	$(OPENSSL) ec -inform PEM -outform DER -in $< -out $@
+cli3.csr: cli3.key.der
+	$(MBEDTLS_CERT_REQ) filename=$< output_file=$@ subject_name="CN=Test CRT2 Secp256r1, O=MbedTLS, C=UK" md=SHA256
+cli3.crt.pem: cli3.csr test-ca3.key.der
+	$(MBEDTLS_CERT_WRITE) request_file=cli3.csr  issuer_name="CN=Test CA Secp256r1, O=MbedTLS, C=UK" md=SHA256 issuer_key=test-ca3.key.der output_file=$@
+cli3.crt.der: cli3.crt.pem
+	$(OPENSSL) x509 -inform PEM -outform DER -in $< -out $@
+all_final += cli3.key.pem cli3.key.der cli3.csr cli3.crt.pem cli3.crt.der
+
+server11.key.pem:
+	$(MBEDTLS_GEN_KEY) type=ec ec_curve=secp256r1 format=pem filename=$@
+server11.key.der: server11.key.pem
+	$(OPENSSL) ec -inform PEM -outform DER -in $< -out $@
+server11.csr: server11.key.der
+	$(MBEDTLS_CERT_REQ) filename=$< output_file=$@ subject_name="CN=localhost, O=MbedTLS, C=UK" md=SHA256
+server11.crt.pem: server11.csr test-ca3.key.der
+	$(MBEDTLS_CERT_WRITE) request_file=server11.csr  issuer_name="CN=Test CA Secp256r1, O=MbedTLS, C=UK" md=SHA256 issuer_key=test-ca3.key.der output_file=$@
+server11.crt.der: server11.crt.pem
+	$(OPENSSL) x509 -inform PEM -outform DER -in $< -out $@
+all_final += server11.key.pem server11.key.der server11.csr server11.crt.pem server11.crt.der
+
 test_ca_int_rsa1 = test-int-ca.crt
 
 server7.csr: server7.key

tests/data_files/Readme-x509.txt

@@ -11,6 +11,8 @@ There are two main CAs for use as trusted roots:
 - test-ca2*.crt aka "C=NL, O=PolarSSL, CN=Polarssl Test EC CA"
   uses an EC key with NIST P-384 (aka secp384r1)
   variants used to test the keyUsage extension
+- test-ca3.crt aka "CN=TestCASecp256r1, O=MbedTLS, C=UK"
+  uses an EC key with NIST P-256 (aka secp256r1)
 The files test-ca_cat12 and test-ca_cat21 contain them concatenated both ways.
 
 Two intermediate CAs are signed by them:
@@ -40,6 +42,7 @@ Short information fields:
 - name or pattern
 - issuing CA:   1   -> test-ca.crt
                 2   -> test-ca2.crt
+                3   -> test-ca3.crt
                 I1  -> test-int-ca.crt
                 I2  -> test-int-ca2.crt
                 I3  -> test-int-ca3.crt
@@ -57,6 +60,7 @@ List of certificates:
 - cert_md*.crt, cert_sha*.crt: 1 R: signature hash
 - cert_v1_with_ext.crt: 1 R: v1 with extensions (illegal)
 - cli2.crt: 2 E: basic
+- cli3.crt: 3 E, secp256r1 curve
 - cli-rsa.key, cli-rsa-*.crt: RSA key used for test clients, signed by
   the RSA test CA.
 - enco-cert-utf8str.pem: see enco-ca-prstr.pem above
@@ -102,6 +106,7 @@ List of certificates:
     _int3_int-ca2.crt: S10 + I3 + I2
     _int3_int-ca2_ca.crt: S10 + I3 + I2 + 1
     _int3_spurious_int-ca2.crt: S10 + I3 + I1(spurious) + I2
+ - server11.crt: 3 E, secp256r1 curve
 
 Certificate revocation lists
 ----------------------------