Add build instructions for CRTs and keys using P-256

This commit is contained in:
Hanno Becker 2019-04-05 12:16:24 +01:00
parent 6617a24056
commit 4efd089ed5
2 changed files with 42 additions and 0 deletions

View file

@ -15,6 +15,7 @@ OPENSSL ?= openssl
FAKETIME ?= faketime
MBEDTLS_CERT_WRITE ?= $(PWD)/../../programs/x509/cert_write
MBEDTLS_CERT_REQ ?= $(PWD)/../../programs/x509/cert_req
MBEDTLS_GEN_KEY ?= $(PWD)/../../programs/pkey/gen_key
## Build the generated test data. Note that since the final outputs
## are committed to the repository, this target should do nothing on a
@ -146,6 +147,42 @@ all_final += cli-rsa-sha256.crt.der
$(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER
all_final += cli-rsa.key.der
test-ca3.key.pem:
$(MBEDTLS_GEN_KEY) type=ec ec_curve=secp256r1 format=pem filename=$@
test-ca3.key.der: test-ca3.key.pem
$(OPENSSL) ec -inform PEM -outform DER -in $< -out $@
test-ca3.csr: test-ca3.key.der
$(MBEDTLS_CERT_REQ) filename=$< output_file=$@ subject_name="CN=Test CA Secp256r1, O=MbedTLS, C=UK" md=SHA256
test-ca3.crt.pem: test-ca3.csr test-ca3.key.der
$(MBEDTLS_CERT_WRITE) request_file=test-ca3.csr selfsign=1 issuer_name="CN=Test CA Secp256r1, O=MbedTLS, C=UK" is_ca=1 md=SHA256 issuer_key=test-ca3.key.der output_file=$@
test-ca3.crt.der: test-ca3.crt.pem
$(OPENSSL) x509 -inform PEM -outform DER -in $< -out $@
all_final += test-ca3.key.pem test-ca3.key.der test-ca3.csr test-ca3.crt.pem test-ca3.crt.der
cli3.key.pem:
$(MBEDTLS_GEN_KEY) type=ec ec_curve=secp256r1 format=pem filename=$@
cli3.key.der: cli3.key.pem
$(OPENSSL) ec -inform PEM -outform DER -in $< -out $@
cli3.csr: cli3.key.der
$(MBEDTLS_CERT_REQ) filename=$< output_file=$@ subject_name="CN=Test CRT2 Secp256r1, O=MbedTLS, C=UK" md=SHA256
cli3.crt.pem: cli3.csr test-ca3.key.der
$(MBEDTLS_CERT_WRITE) request_file=cli3.csr issuer_name="CN=Test CA Secp256r1, O=MbedTLS, C=UK" md=SHA256 issuer_key=test-ca3.key.der output_file=$@
cli3.crt.der: cli3.crt.pem
$(OPENSSL) x509 -inform PEM -outform DER -in $< -out $@
all_final += cli3.key.pem cli3.key.der cli3.csr cli3.crt.pem cli3.crt.der
server11.key.pem:
$(MBEDTLS_GEN_KEY) type=ec ec_curve=secp256r1 format=pem filename=$@
server11.key.der: server11.key.pem
$(OPENSSL) ec -inform PEM -outform DER -in $< -out $@
server11.csr: server11.key.der
$(MBEDTLS_CERT_REQ) filename=$< output_file=$@ subject_name="CN=localhost, O=MbedTLS, C=UK" md=SHA256
server11.crt.pem: server11.csr test-ca3.key.der
$(MBEDTLS_CERT_WRITE) request_file=server11.csr issuer_name="CN=Test CA Secp256r1, O=MbedTLS, C=UK" md=SHA256 issuer_key=test-ca3.key.der output_file=$@
server11.crt.der: server11.crt.pem
$(OPENSSL) x509 -inform PEM -outform DER -in $< -out $@
all_final += server11.key.pem server11.key.der server11.csr server11.crt.pem server11.crt.der
test_ca_int_rsa1 = test-int-ca.crt
server7.csr: server7.key

View file

@ -11,6 +11,8 @@ There are two main CAs for use as trusted roots:
- test-ca2*.crt aka "C=NL, O=PolarSSL, CN=Polarssl Test EC CA"
uses an EC key with NIST P-384 (aka secp384r1)
variants used to test the keyUsage extension
- test-ca3.crt aka "CN=TestCASecp256r1, O=MbedTLS, C=UK"
uses an EC key with NIST P-256 (aka secp256r1)
The files test-ca_cat12 and test-ca_cat21 contain them concatenated both ways.
Two intermediate CAs are signed by them:
@ -40,6 +42,7 @@ Short information fields:
- name or pattern
- issuing CA: 1 -> test-ca.crt
2 -> test-ca2.crt
3 -> test-ca3.crt
I1 -> test-int-ca.crt
I2 -> test-int-ca2.crt
I3 -> test-int-ca3.crt
@ -57,6 +60,7 @@ List of certificates:
- cert_md*.crt, cert_sha*.crt: 1 R: signature hash
- cert_v1_with_ext.crt: 1 R: v1 with extensions (illegal)
- cli2.crt: 2 E: basic
- cli3.crt: 3 E, secp256r1 curve
- cli-rsa.key, cli-rsa-*.crt: RSA key used for test clients, signed by
the RSA test CA.
- enco-cert-utf8str.pem: see enco-ca-prstr.pem above
@ -102,6 +106,7 @@ List of certificates:
_int3_int-ca2.crt: S10 + I3 + I2
_int3_int-ca2_ca.crt: S10 + I3 + I2 + 1
_int3_spurious_int-ca2.crt: S10 + I3 + I1(spurious) + I2
- server11.crt: 3 E, secp256r1 curve
Certificate revocation lists
----------------------------