Generate new Ed488 certificates
Create a whole chain of Ed448 certificates so that we can use it at security level 4 (192 bit). Previously a 2048-bit RSA (112 bit, level 2) root signed the Ed448 certificate using SHA256 (128 bit, level 3). Reviewed-by: Matt Caswell <matt@openssl.org> GH: #10785
parent
d819760d3d
commit
77c4d39724
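--- a/test/certs/root-ed448-cert.pem
+++ b/test/certs/root-ed448-cert.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBeDCB+aADAgECAgEBMAUGAytlcTAVMRMwEQYDVQQDDApSb290IEVkNDQ4MCAX
+DTIwMDIwOTEzMjY1NVoYDzIxMjAwMjEwMTMyNjU1WjAVMRMwEQYDVQQDDApSb290
+IEVkNDQ4MEMwBQYDK2VxAzoAbbhuwNA/rdlgdLSyTJ6WaCVNO1gzccKiKW6pCADM
+McMBCNiQqWSt4EIbHpqDc+eWoiKbG6t7tjUAo1MwUTAdBgNVHQ4EFgQUVg2aQ+yh
+VRhOuW1l19jtgxfTgj8wHwYDVR0jBBgwFoAUVg2aQ+yhVRhOuW1l19jtgxfTgj8w
+DwYDVR0TAQH/BAUwAwEB/zAFBgMrZXEDcwCiXlZXyMubWFqLYiLXfKYrurajBMON
+lclLrYr57Syd+nAIlgXiF0rGK2PawoMPXVB3VWWSigEb54AImb6tsW42gC+zC6oq
+nkPC2FTLXPvqqgGXUpK/OfhPUP9bWw6mcJaIozlyzJD4AyebN9LDrBqCMwA=
+-----END CERTIFICATE-----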
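--- a/test/certs/root-ed448-key.pem
+++ b/test/certs/root-ed448-key.pem
@@ -0,0 +1,4 @@
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOQeryQn6L8gItRarrM0pRHxjNdtaIz3BrWU2mwhLZQaq
+8Cm6w5gP6aitAIde7Td3nQ55bIGC5roxFQ==
+-----END PRIVATE KEY-----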
@ -1,14 +1,11 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICHTCCAQWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
|
||||
IENBMCAXDTE4MDIyNzE1MDcxM1oYDzIxMTgwMjI4MTUwNzEzWjAQMQ4wDAYDVQQD
|
||||
DAVFZDQ0ODBDMAUGAytlcQM6ABBicYlhG1s3AoG5BFmY3r50lJzjQoER4zwuieEe
|
||||
QTvKxLEV06vGh79UWO6yQ5FxqmxvM1F/Xw7RAKNfMF0wHQYDVR0OBBYEFAwa1L4m
|
||||
3pwA8+IEJ7K/4izrjJIHMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJ
|
||||
MAkGA1UdEwQCMAAwEAYDVR0RBAkwB4IFRWQ0NDgwDQYJKoZIhvcNAQELBQADggEB
|
||||
AAugH2aE6VvArnOVjKBtalqtHlx+NCC3+S65sdWc9A9sNgI1ZiN7dn76TKn5d0T7
|
||||
NqV8nY1rwQg6WPGrCD6Eh63qhotytqYIxltppb4MOUJcz/Zf0ZwhB5bUfwNB//Ih
|
||||
5aZT86FpXVuyMnwUTWPcISJqpZiBv95yzZFMpniHFvecvV445ly4TFW5y6VURh40
|
||||
Tg4tMgjPTE7ADw+dX4FvnTWY3blxT1GzGxGvqWW4HgP8dOETnjmAwCzN0nUVmH9s
|
||||
7ybHORcSljcpe0XH6L/K7mbI+r8mVLsAoIzUeDwUdKKJZ2uGEtdhQDmJBp4EjOXE
|
||||
3qIn3wEQQ6ax4NIwkZihdLI=
|
||||
MIIBlTCCARWgAwIBAgIBAjAFBgMrZXEwFTETMBEGA1UEAwwKUm9vdCBFZDQ0ODAg
|
||||
Fw0yMDAyMDkxMzMwMjJaGA8yMTIwMDIxMDEzMzAyMlowEDEOMAwGA1UEAwwFZWQ0
|
||||
NDgwQzAFBgMrZXEDOgAQYnGJYRtbNwKBuQRZmN6+dJSc40KBEeM8LonhHkE7ysSx
|
||||
FdOrxoe/VFjuskORcapsbzNRf18O0QCjdDByMB0GA1UdDgQWBBQMGtS+Jt6cAPPi
|
||||
BCeyv+Is64ySBzAfBgNVHSMEGDAWgBRWDZpD7KFVGE65bWXX2O2DF9OCPzAJBgNV
|
||||
HRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBAGA1UdEQQJMAeCBWVkNDQ4MAUG
|
||||
AytlcQNzABLGZiaU6JPKa9eQ/VsE4HN9XjSogZBKIEHEWwyxrtGvjWiZ5MOnNJmQ
|
||||
7mX+Y2eJzfZ6MGHc63IlgPdIPFPzInnnAugw297kUNoLTg9SsGYeVGLbI3PNjwFL
|
||||
mQ3508f1Jobb8qZnf8YFUZrd85aurgoKAA==
|
||||
-----END CERTIFICATE-----
|
||||
|
@ -378,3 +378,8 @@ openssl req -new -nodes -subj "/CN=localhost" \
|
||||
|
||||
# CT entry
|
||||
./mkcert.sh genct server.example embeddedSCTs1-key embeddedSCTs1 embeddedSCTs1_issuer-key embeddedSCTs1_issuer ct-server-key
|
||||
|
||||
OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genroot "Root Ed448" \
|
||||
root-ed448-key root-ed448-cert
|
||||
OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \
|
||||
server-ed448-key server-ed448-cert root-ed448-key root-ed448-cert
|
||||
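Review bot: The two added `mkcert.sh` invocations have no heading comment, unlike the `# CT entry` line just above them, so a reader of this script cannot tell why Ed448 gets a root of its own rather than chaining to the existing one. I would add `# Ed448 root and leaf: keep the whole chain at Ed448 strength instead of chaining to the RSA root` before the `genroot` line.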
|
@ -216,9 +216,9 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
[4-Ed448 CipherString and Signature Algorithm Selection-client]
|
||||
CipherString = aECDSA
|
||||
MaxProtocol = TLSv1.2
|
||||
RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
|
||||
RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
|
||||
SignatureAlgorithms = ed448:ECDSA+SHA256
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-4]
|
||||
@ -421,7 +421,7 @@ CipherString = aECDSA
|
||||
Curves = X448
|
||||
MaxProtocol = TLSv1.2
|
||||
SignatureAlgorithms = ECDSA+SHA256:ed448
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-10]
|
||||
@ -1454,7 +1454,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
[44-TLS 1.3 Ed448 Signature Algorithm Selection-client]
|
||||
CipherString = DEFAULT
|
||||
SignatureAlgorithms = ed448
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-44]
|
||||
|
@ -134,7 +134,8 @@ our @tests = (
|
||||
"CipherString" => "aECDSA",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
"SignatureAlgorithms" => "ed448:ECDSA+SHA256",
|
||||
"RequestCAFile" => test_pem("root-cert.pem"),
|
||||
"RequestCAFile" => test_pem("root-ed448-cert.pem"),
|
||||
"VerifyCAFile" => test_pem("root-ed448-cert.pem"),
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" =>, "Ed448",
|
||||
@ -231,6 +232,7 @@ our @tests = (
|
||||
"CipherString" => "aECDSA",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
"SignatureAlgorithms" => "ECDSA+SHA256:ed448",
|
||||
"VerifyCAFile" => test_pem("root-ed448-cert.pem"),
|
||||
# Excluding P-256 from the supported curves list means server
|
||||
# certificate should be Ed25519 and not P-256
|
||||
"Curves" => "X448"
|
||||
@ -727,6 +729,7 @@ my @tests_tls_1_3 = (
|
||||
server => $server_tls_1_3,
|
||||
client => {
|
||||
"SignatureAlgorithms" => "ed448",
|
||||
"VerifyCAFile" => test_pem("root-ed448-cert.pem"),
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" => "Ed448",
|
||||
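Review bot: In the second hunk, the comment directly below the added `"VerifyCAFile" => test_pem("root-ed448-cert.pem")` line still says the server certificate "should be Ed25519 and not P-256", while this client block offers `ed448` and restricts `Curves` to `X448`. Since the neighbouring line is being touched anyway, the comment should read `# certificate should be Ed448 and not P-256`. The enclosing `@tests` entry starts and ends outside the hunk, so the expected certificate type for this case is not visible here and should be checked against the corrected comment.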
|
@ -45,7 +45,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
|
||||
|
||||
[1-SECLEVEL 3 with ED448 key-client]
|
||||
CipherString = DEFAULT
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-1]
|
||||
@ -93,7 +93,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
|
||||
|
||||
[3-SECLEVEL 3 with ED448 key, TLSv1.2-client]
|
||||
CipherString = DEFAULT
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-3]
|
||||
|
@ -27,7 +27,7 @@ our @tests_ec = (
|
||||
server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
|
||||
"Certificate" => test_pem("server-ed448-cert.pem"),
|
||||
"PrivateKey" => test_pem("server-ed448-key.pem") },
|
||||
client => { },
|
||||
client => { "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
|
||||
test => { "ExpectedResult" => "Success" },
|
||||
},
|
||||
{
|
||||
@ -49,7 +49,7 @@ our @tests_tls1_2 = (
|
||||
"Certificate" => test_pem("server-ed448-cert.pem"),
|
||||
"PrivateKey" => test_pem("server-ed448-key.pem"),
|
||||
"MaxProtocol" => "TLSv1.2" },
|
||||
client => { },
|
||||
client => { "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
|
||||
test => { "ExpectedResult" => "Success" },
|
||||
},
|
||||
);
|
||||
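Review bot: Both cases in this file still run the server at `DEFAULT:\@SECLEVEL=3` and the client only gains a `VerifyCAFile`, so nothing here exercises the level 4 (192 bit) that the description gives as the reason for the new chain. A regression that put a weaker signature back into the chain would presumably still pass at level 3. Consider adding a case with `"CipherString" => "DEFAULT:\@SECLEVEL=4"` on the server, and on the client as well if the verifier is meant to enforce the level, expecting `"ExpectedResult" => "Success"`. The `@tests_ec` entry in the first hunk begins outside the hunk.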
|