mirror of
https://github.com/openssl/openssl.git
synced 2024-12-21 06:09:35 +08:00
92c03668c0
The change to a more configuration based approach to enable FIPS mode operation highlights a shortcoming in the default should do something approach we've taken for bad configuration files. Currently, a bad configuration file will be automatically loaded and once the badness is detected, it will silently stop processing the configuration and continue normal operations. This is good for remote servers, allowing changes to be made without bricking things. It's bad when a user thinks they've configured what they want but got something wrong and it still appears to work. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/16171)
165 lines
4.9 KiB
INI
165 lines
4.9 KiB
INI
|
|
#
|
|
# This config is used by the Time Stamp Authority tests.
|
|
#
|
|
|
|
# Comment out the next line to ignore configuration errors
|
|
config_diagnostics = 1
|
|
|
|
# Extra OBJECT IDENTIFIER info:
|
|
oid_section = new_oids
|
|
|
|
TSDNSECT = ts_cert_dn
|
|
INDEX = 1
|
|
|
|
[ new_oids ]
|
|
|
|
# Policies used by the TSA tests.
|
|
tsa_policy1 = 1.2.3.4.1
|
|
tsa_policy2 = 1.2.3.4.5.6
|
|
tsa_policy3 = 1.2.3.4.5.7
|
|
|
|
#----------------------------------------------------------------------
|
|
[ ca ]
|
|
default_ca = CA_default # The default ca section
|
|
|
|
[ CA_default ]
|
|
|
|
dir = ./demoCA
|
|
certs = $dir/certs # Where the issued certs are kept
|
|
database = $dir/index.txt # database index file.
|
|
new_certs_dir = $dir/newcerts # default place for new certs.
|
|
|
|
certificate = $dir/cacert.pem # The CA certificate
|
|
serial = $dir/serial # The current serial number
|
|
private_key = $dir/private/cakey.pem# The private key
|
|
|
|
default_days = 365 # how long to certify for
|
|
default_md = sha256 # which md to use.
|
|
preserve = no # keep passed DN ordering
|
|
|
|
policy = policy_match
|
|
|
|
# For the CA policy
|
|
[ policy_match ]
|
|
countryName = supplied
|
|
stateOrProvinceName = supplied
|
|
organizationName = supplied
|
|
organizationalUnitName = optional
|
|
commonName = supplied
|
|
emailAddress = optional
|
|
|
|
#----------------------------------------------------------------------
|
|
[ req ]
|
|
default_md = sha1
|
|
distinguished_name = $ENV::TSDNSECT
|
|
encrypt_rsa_key = no
|
|
prompt = no
|
|
# attributes = req_attributes
|
|
x509_extensions = v3_ca # The extensions to add to the self signed cert
|
|
|
|
string_mask = nombstr
|
|
|
|
[ ts_ca_dn ]
|
|
countryName = HU
|
|
stateOrProvinceName = Budapest
|
|
localityName = Budapest
|
|
organizationName = Gov-CA Ltd.
|
|
commonName = ca1
|
|
|
|
[ ts_cert_dn ]
|
|
countryName = HU
|
|
stateOrProvinceName = Budapest
|
|
localityName = Buda
|
|
organizationName = Hun-TSA Ltd.
|
|
commonName = tsa$ENV::INDEX
|
|
|
|
[ tsa_cert ]
|
|
|
|
# TSA server cert is not a CA cert.
|
|
basicConstraints=CA:FALSE
|
|
|
|
# The following key usage flags are needed for TSA server certificates.
|
|
keyUsage = nonRepudiation, digitalSignature
|
|
extendedKeyUsage = critical,timeStamping
|
|
|
|
# PKIX recommendations harmless if included in all certificates.
|
|
subjectKeyIdentifier=hash
|
|
authorityKeyIdentifier=keyid,issuer:always
|
|
|
|
[ non_tsa_cert ]
|
|
|
|
# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
|
|
basicConstraints=CA:FALSE
|
|
|
|
# The following key usage flags are needed for TSA server certificates.
|
|
keyUsage = nonRepudiation, digitalSignature
|
|
# timeStamping is not supported by this certificate
|
|
# extendedKeyUsage = critical,timeStamping
|
|
|
|
# PKIX recommendations harmless if included in all certificates.
|
|
subjectKeyIdentifier=hash
|
|
authorityKeyIdentifier=keyid,issuer:always
|
|
|
|
[ v3_req ]
|
|
|
|
# Extensions to add to a certificate request
|
|
basicConstraints = CA:FALSE
|
|
keyUsage = nonRepudiation, digitalSignature
|
|
|
|
[ v3_ca ]
|
|
|
|
# Extensions for a typical CA
|
|
|
|
subjectKeyIdentifier=hash
|
|
authorityKeyIdentifier=keyid:always,issuer:always
|
|
basicConstraints = critical,CA:true
|
|
keyUsage = cRLSign, keyCertSign
|
|
|
|
#----------------------------------------------------------------------
|
|
[ tsa ]
|
|
|
|
default_tsa = tsa_config1 # the default TSA section
|
|
|
|
[ tsa_config1 ]
|
|
|
|
# These are used by the TSA reply generation only.
|
|
dir = . # TSA root directory
|
|
serial = $dir/tsa_serial # The current serial number (mandatory)
|
|
signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
|
|
# (optional)
|
|
certs = $dir/tsaca.pem # Certificate chain to include in reply
|
|
# (optional)
|
|
signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
|
|
signer_digest = sha256 # Signing digest to use. (Optional)
|
|
default_policy = tsa_policy1 # Policy if request did not specify it
|
|
# (optional)
|
|
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
|
|
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
|
|
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
|
|
ordering = yes # Is ordering defined for timestamps?
|
|
# (optional, default: no)
|
|
tsa_name = yes # Must the TSA name be included in the reply?
|
|
# (optional, default: no)
|
|
ess_cert_id_chain = yes # Must the ESS cert id chain be included?
|
|
# (optional, default: no)
|
|
ess_cert_id_alg = sha256 # algorithm to compute certificate
|
|
# identifier (optional, default: sha1)
|
|
|
|
[ tsa_config2 ]
|
|
|
|
# This configuration uses a certificate which doesn't have timeStamping usage.
|
|
# These are used by the TSA reply generation only.
|
|
dir = . # TSA root directory
|
|
serial = $dir/tsa_serial # The current serial number (mandatory)
|
|
signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
|
|
# (optional)
|
|
certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
|
|
# (optional)
|
|
signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
|
|
signer_digest = sha256 # Signing digest to use. (Optional)
|
|
default_policy = tsa_policy1 # Policy if request did not specify it
|
|
# (optional)
|
|
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
|
|
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
|