From 84adefa331c4159d432d22840663c38f155cd4c1 Mon Sep 17 00:00:00 2001 
From: Erlang/OTP Date: Fri, 20 Nov 2009 14:54:40 +0000 Subject: The R13B03 release. --- lib/public_key/AUTHORS | 5 + lib/public_key/Makefile | 39 + lib/public_key/asn1/DSS.asn1 | 20 + lib/public_key/asn1/Makefile | 113 +++ lib/public_key/asn1/OTP-PKIX.asn1 | 709 +++++++++++++++ lib/public_key/asn1/OTP-PUB-KEY.asn1config | 2 + lib/public_key/asn1/OTP-PUB-KEY.set.asn | 7 + lib/public_key/asn1/PKCS-1.asn1 | 116 +++ lib/public_key/asn1/PKIX1Algorithms88.asn1 | 235 +++++ lib/public_key/asn1/PKIX1Explicit88.asn1 | 619 +++++++++++++ lib/public_key/asn1/PKIX1Implicit88.asn1 | 349 ++++++++ lib/public_key/asn1/PKIXAttributeCertificate.asn1 | 189 ++++ lib/public_key/asn1/README | 51 ++ lib/public_key/doc/html/.gitignore | 0 lib/public_key/doc/man3/.gitignore | 0 lib/public_key/doc/pdf/.gitignore | 0 lib/public_key/doc/src/Makefile | 227 +++++ lib/public_key/doc/src/book.xml | 51 ++ lib/public_key/doc/src/cert_records.xml | 612 +++++++++++++ lib/public_key/doc/src/fascicules.xml | 19 + lib/public_key/doc/src/introduction.xml | 52 ++ lib/public_key/doc/src/make.dep | 21 + lib/public_key/doc/src/note.gif | Bin 0 -> 1539 bytes lib/public_key/doc/src/notes.xml | 120 +++ lib/public_key/doc/src/part.xml | 42 + lib/public_key/doc/src/part_notes.xml | 38 + lib/public_key/doc/src/public_key.xml | 317 +++++++ lib/public_key/doc/src/public_key_records.xml | 99 +++ lib/public_key/doc/src/ref_man.xml | 43 + lib/public_key/ebin/.gitignore | 0 lib/public_key/include/public_key.hrl | 62 ++ lib/public_key/info | 2 + lib/public_key/src/Makefile | 112 +++ lib/public_key/src/pubkey_cert.erl | 988 +++++++++++++++++++++ lib/public_key/src/pubkey_cert_records.erl | 538 +++++++++++ lib/public_key/src/pubkey_crypto.erl | 137 +++ lib/public_key/src/pubkey_pem.erl | 192 ++++ lib/public_key/src/public_key.app.src | 16 + lib/public_key/src/public_key.appup.src | 6 + lib/public_key/src/public_key.erl | 411 +++++++++ lib/public_key/test/Makefile | 83 ++ lib/public_key/test/pkits_SUITE.erl | 604 
+++++++++++++ .../pkits/certs/TrustAnchorRootCertificate.crt | Bin 0 -> 572 bytes .../smime-pem/AllCertificatesAnyPolicyTest11.pem | 108 +++ .../smime-pem/AllCertificatesNoPoliciesTest2.pem | 107 +++ .../AllCertificatesSamePoliciesTest10.pem | 108 +++ .../AllCertificatesSamePoliciesTest13.pem | 110 +++ .../smime-pem/AllCertificatesSamePolicyTest1.pem | 118 +++ .../pkits/smime-pem/AnyPolicyTest14.pem | 108 +++ .../pkits/smime-pem/CPSPointerQualifierTest20.pem | 120 +++ .../pkits/smime-pem/DifferentPoliciesTest12.pem | 108 +++ .../pkits/smime-pem/DifferentPoliciesTest3.pem | 170 ++++ .../pkits/smime-pem/DifferentPoliciesTest4.pem | 170 ++++ .../pkits/smime-pem/DifferentPoliciesTest5.pem | 170 ++++ .../pkits/smime-pem/DifferentPoliciesTest7.pem | 211 +++++ .../pkits/smime-pem/DifferentPoliciesTest8.pem | 210 +++++ .../pkits/smime-pem/DifferentPoliciesTest9.pem | 263 ++++++ .../smime-pem/InvalidBadCRLIssuerNameTest5.pem | 108 +++ .../smime-pem/InvalidBadCRLSignatureTest4.pem | 108 +++ .../InvalidBasicSelfIssuedCRLSigningKeyTest7.pem | 175 ++++ .../InvalidBasicSelfIssuedCRLSigningKeyTest8.pem | 175 ++++ .../InvalidBasicSelfIssuedNewWithOldTest5.pem | 175 ++++ .../InvalidBasicSelfIssuedOldWithNewTest2.pem | 134 +++ .../pkits/smime-pem/InvalidCASignatureTest2.pem | 108 +++ .../pkits/smime-pem/InvalidCAnotAfterDateTest5.pem | 108 +++ .../smime-pem/InvalidCAnotBeforeDateTest1.pem | 108 +++ .../smime-pem/InvalidDNSnameConstraintsTest31.pem | 110 +++ .../smime-pem/InvalidDNSnameConstraintsTest33.pem | 110 +++ .../smime-pem/InvalidDNSnameConstraintsTest38.pem | 110 +++ .../InvalidDNandRFC822nameConstraintsTest28.pem | 167 ++++ .../InvalidDNandRFC822nameConstraintsTest29.pem | 167 ++++ .../smime-pem/InvalidDNnameConstraintsTest10.pem | 113 +++ .../smime-pem/InvalidDNnameConstraintsTest12.pem | 166 ++++ .../smime-pem/InvalidDNnameConstraintsTest13.pem | 166 ++++ .../smime-pem/InvalidDNnameConstraintsTest15.pem | 164 ++++ .../smime-pem/InvalidDNnameConstraintsTest16.pem | 164 
++++ .../smime-pem/InvalidDNnameConstraintsTest17.pem | 163 ++++ .../smime-pem/InvalidDNnameConstraintsTest2.pem | 111 +++ .../smime-pem/InvalidDNnameConstraintsTest3.pem | 114 +++ .../smime-pem/InvalidDNnameConstraintsTest7.pem | 111 +++ .../smime-pem/InvalidDNnameConstraintsTest8.pem | 112 +++ .../smime-pem/InvalidDNnameConstraintsTest9.pem | 112 +++ .../pkits/smime-pem/InvalidDSASignatureTest6.pem | 104 +++ .../pkits/smime-pem/InvalidEESignatureTest3.pem | 118 +++ .../pkits/smime-pem/InvalidEEnotAfterDateTest6.pem | 119 +++ .../smime-pem/InvalidEEnotBeforeDateTest2.pem | 119 +++ .../smime-pem/InvalidIDPwithindirectCRLTest23.pem | 116 +++ .../smime-pem/InvalidIDPwithindirectCRLTest26.pem | 137 +++ .../smime-pem/InvalidLongSerialNumberTest18.pem | 115 +++ .../smime-pem/InvalidMappingFromanyPolicyTest7.pem | 109 +++ .../smime-pem/InvalidMappingToanyPolicyTest8.pem | 109 +++ .../InvalidMissingbasicConstraintsTest1.pem | 108 +++ .../pkits/smime-pem/InvalidNameChainingEETest1.pem | 119 +++ .../smime-pem/InvalidNameChainingOrderTest2.pem | 113 +++ .../InvalidNegativeSerialNumberTest15.pem | 114 +++ .../smime-pem/InvalidOldCRLnextUpdateTest11.pem | 108 +++ .../pkits/smime-pem/InvalidPolicyMappingTest10.pem | 172 ++++ .../pkits/smime-pem/InvalidPolicyMappingTest2.pem | 109 +++ .../pkits/smime-pem/InvalidPolicyMappingTest4.pem | 214 +++++ .../InvalidRFC822nameConstraintsTest22.pem | 110 +++ .../InvalidRFC822nameConstraintsTest24.pem | 111 +++ .../InvalidRFC822nameConstraintsTest26.pem | 110 +++ .../InvalidRequireExplicitPolicyTest3.pem | 262 ++++++ .../InvalidRequireExplicitPolicyTest5.pem | 266 ++++++ .../pkits/smime-pem/InvalidRevokedCATest2.pem | 170 ++++ .../pkits/smime-pem/InvalidRevokedEETest3.pem | 119 +++ .../InvalidSelfIssuedDNnameConstraintsTest20.pem | 110 +++ .../InvalidSelfIssuedinhibitAnyPolicyTest10.pem | 178 ++++ .../InvalidSelfIssuedinhibitAnyPolicyTest8.pem | 230 +++++ ...InvalidSelfIssuedinhibitPolicyMappingTest10.pem | 200 +++++ 
...InvalidSelfIssuedinhibitPolicyMappingTest11.pem | 200 +++++ .../InvalidSelfIssuedinhibitPolicyMappingTest8.pem | 233 +++++ .../InvalidSelfIssuedinhibitPolicyMappingTest9.pem | 233 +++++ .../InvalidSelfIssuedpathLenConstraintTest16.pem | 179 ++++ ...InvalidSelfIssuedrequireExplicitPolicyTest7.pem | 178 ++++ ...InvalidSelfIssuedrequireExplicitPolicyTest8.pem | 197 ++++ .../InvalidSeparateCertificateandCRLKeysTest20.pem | 134 +++ .../InvalidSeparateCertificateandCRLKeysTest21.pem | 129 +++ .../smime-pem/InvalidURInameConstraintsTest35.pem | 110 +++ .../smime-pem/InvalidURInameConstraintsTest37.pem | 110 +++ .../InvalidUnknownCRLEntryExtensionTest8.pem | 118 +++ .../smime-pem/InvalidUnknownCRLExtensionTest10.pem | 117 +++ .../smime-pem/InvalidUnknownCRLExtensionTest9.pem | 117 +++ ...lidUnknownCriticalCertificateExtensionTest2.pem | 58 ++ .../pkits/smime-pem/InvalidWrongCRLTest6.pem | 108 +++ .../pkits/smime-pem/InvalidcAFalseTest2.pem | 109 +++ .../pkits/smime-pem/InvalidcAFalseTest3.pem | 109 +++ .../pkits/smime-pem/InvalidcRLIssuerTest27.pem | 140 +++ .../pkits/smime-pem/InvalidcRLIssuerTest31.pem | 226 +++++ .../pkits/smime-pem/InvalidcRLIssuerTest32.pem | 226 +++++ .../pkits/smime-pem/InvalidcRLIssuerTest34.pem | 205 +++++ .../pkits/smime-pem/InvalidcRLIssuerTest35.pem | 207 +++++ .../InvaliddeltaCRLIndicatorNoBaseTest1.pem | 111 +++ .../pkits/smime-pem/InvaliddeltaCRLTest10.pem | 150 ++++ .../pkits/smime-pem/InvaliddeltaCRLTest3.pem | 190 ++++ .../pkits/smime-pem/InvaliddeltaCRLTest4.pem | 190 ++++ .../pkits/smime-pem/InvaliddeltaCRLTest6.pem | 190 ++++ .../pkits/smime-pem/InvaliddeltaCRLTest9.pem | 162 ++++ .../smime-pem/InvaliddistributionPointTest2.pem | 123 +++ .../smime-pem/InvaliddistributionPointTest3.pem | 123 +++ .../smime-pem/InvaliddistributionPointTest6.pem | 118 +++ .../smime-pem/InvaliddistributionPointTest8.pem | 119 +++ .../smime-pem/InvaliddistributionPointTest9.pem | 117 +++ .../smime-pem/InvalidinhibitAnyPolicyTest1.pem | 108 +++ 
.../smime-pem/InvalidinhibitAnyPolicyTest4.pem | 159 ++++ .../smime-pem/InvalidinhibitAnyPolicyTest5.pem | 210 +++++ .../smime-pem/InvalidinhibitAnyPolicyTest6.pem | 159 ++++ .../smime-pem/InvalidinhibitPolicyMappingTest1.pem | 161 ++++ .../smime-pem/InvalidinhibitPolicyMappingTest3.pem | 216 +++++ .../smime-pem/InvalidinhibitPolicyMappingTest5.pem | 264 ++++++ .../smime-pem/InvalidinhibitPolicyMappingTest6.pem | 217 +++++ .../InvalidkeyUsageCriticalcRLSignFalseTest4.pem | 110 +++ ...nvalidkeyUsageCriticalkeyCertSignFalseTest1.pem | 110 +++ ...InvalidkeyUsageNotCriticalcRLSignFalseTest5.pem | 110 +++ ...lidkeyUsageNotCriticalkeyCertSignFalseTest2.pem | 110 +++ .../InvalidonlyContainsAttributeCertsTest14.pem | 112 +++ .../InvalidonlyContainsCACertsCRLTest12.pem | 111 +++ .../InvalidonlyContainsUserCertsCRLTest11.pem | 112 +++ .../smime-pem/InvalidonlySomeReasonsTest15.pem | 156 ++++ .../smime-pem/InvalidonlySomeReasonsTest16.pem | 156 ++++ .../smime-pem/InvalidonlySomeReasonsTest17.pem | 146 +++ .../smime-pem/InvalidonlySomeReasonsTest20.pem | 167 ++++ .../smime-pem/InvalidonlySomeReasonsTest21.pem | 167 ++++ .../smime-pem/InvalidpathLenConstraintTest10.pem | 211 +++++ .../smime-pem/InvalidpathLenConstraintTest11.pem | 262 ++++++ .../smime-pem/InvalidpathLenConstraintTest12.pem | 263 ++++++ .../smime-pem/InvalidpathLenConstraintTest5.pem | 159 ++++ .../smime-pem/InvalidpathLenConstraintTest6.pem | 160 ++++ .../smime-pem/InvalidpathLenConstraintTest9.pem | 210 +++++ .../Invalidpre2000CRLnextUpdateTest12.pem | 108 +++ .../Invalidpre2000UTCEEnotAfterDateTest7.pem | 119 +++ .../pkits/smime-pem/MissingCRLTest1.pem | 76 ++ .../pkits/smime-pem/OverlappingPoliciesTest6.pem | 214 +++++ .../pkits/smime-pem/UserNoticeQualifierTest15.pem | 59 ++ .../pkits/smime-pem/UserNoticeQualifierTest16.pem | 124 +++ .../pkits/smime-pem/UserNoticeQualifierTest17.pem | 121 +++ .../pkits/smime-pem/UserNoticeQualifierTest18.pem | 115 +++ .../pkits/smime-pem/UserNoticeQualifierTest19.pem | 64 
++ .../ValidBasicSelfIssuedCRLSigningKeyTest6.pem | 175 ++++ .../ValidBasicSelfIssuedNewWithOldTest3.pem | 175 ++++ .../ValidBasicSelfIssuedNewWithOldTest4.pem | 175 ++++ .../ValidBasicSelfIssuedOldWithNewTest1.pem | 134 +++ .../smime-pem/ValidDNSnameConstraintsTest30.pem | 110 +++ .../smime-pem/ValidDNSnameConstraintsTest32.pem | 110 +++ .../ValidDNandRFC822nameConstraintsTest27.pem | 167 ++++ .../smime-pem/ValidDNnameConstraintsTest1.pem | 111 +++ .../smime-pem/ValidDNnameConstraintsTest11.pem | 113 +++ .../smime-pem/ValidDNnameConstraintsTest14.pem | 165 ++++ .../smime-pem/ValidDNnameConstraintsTest18.pem | 162 ++++ .../smime-pem/ValidDNnameConstraintsTest4.pem | 112 +++ .../smime-pem/ValidDNnameConstraintsTest5.pem | 115 +++ .../smime-pem/ValidDNnameConstraintsTest6.pem | 111 +++ .../ValidDSAParameterInheritanceTest5.pem | 141 +++ .../pkits/smime-pem/ValidDSASignaturesTest4.pem | 104 +++ .../ValidGeneralizedTimeCRLnextUpdateTest13.pem | 110 +++ .../ValidGeneralizedTimenotAfterDateTest8.pem | 119 +++ .../ValidGeneralizedTimenotBeforeDateTest4.pem | 119 +++ .../smime-pem/ValidIDPwithindirectCRLTest22.pem | 116 +++ .../smime-pem/ValidIDPwithindirectCRLTest24.pem | 137 +++ .../smime-pem/ValidIDPwithindirectCRLTest25.pem | 137 +++ .../smime-pem/ValidLongSerialNumberTest16.pem | 115 +++ .../smime-pem/ValidLongSerialNumberTest17.pem | 115 +++ .../ValidNameChainingCapitalizationTest5.pem | 119 +++ .../pkits/smime-pem/ValidNameChainingUIDsTest6.pem | 108 +++ .../smime-pem/ValidNameChainingWhitespaceTest3.pem | 119 +++ .../smime-pem/ValidNameChainingWhitespaceTest4.pem | 119 +++ .../smime-pem/ValidNegativeSerialNumberTest14.pem | 114 +++ .../ValidNoissuingDistributionPointTest10.pem | 111 +++ .../pkits/smime-pem/ValidPolicyMappingTest1.pem | 109 +++ .../pkits/smime-pem/ValidPolicyMappingTest11.pem | 172 ++++ .../pkits/smime-pem/ValidPolicyMappingTest12.pem | 118 +++ .../pkits/smime-pem/ValidPolicyMappingTest13.pem | 117 +++ 
.../pkits/smime-pem/ValidPolicyMappingTest14.pem | 117 +++ .../pkits/smime-pem/ValidPolicyMappingTest3.pem | 214 +++++ .../pkits/smime-pem/ValidPolicyMappingTest5.pem | 163 ++++ .../pkits/smime-pem/ValidPolicyMappingTest6.pem | 163 ++++ .../pkits/smime-pem/ValidPolicyMappingTest9.pem | 109 +++ .../ValidRFC3280MandatoryAttributeTypesTest7.pem | 113 +++ .../ValidRFC3280OptionalAttributeTypesTest8.pem | 114 +++ .../smime-pem/ValidRFC822nameConstraintsTest21.pem | 110 +++ .../smime-pem/ValidRFC822nameConstraintsTest23.pem | 110 +++ .../smime-pem/ValidRFC822nameConstraintsTest25.pem | 110 +++ .../smime-pem/ValidRequireExplicitPolicyTest1.pem | 264 ++++++ .../smime-pem/ValidRequireExplicitPolicyTest2.pem | 262 ++++++ .../smime-pem/ValidRequireExplicitPolicyTest4.pem | 262 ++++++ ...lloverfromPrintableStringtoUTF8StringTest10.pem | 110 +++ .../ValidSelfIssuedDNnameConstraintsTest19.pem | 130 +++ .../ValidSelfIssuedinhibitAnyPolicyTest7.pem | 178 ++++ .../ValidSelfIssuedinhibitAnyPolicyTest9.pem | 197 ++++ .../ValidSelfIssuedinhibitPolicyMappingTest7.pem | 180 ++++ .../ValidSelfIssuedpathLenConstraintTest15.pem | 127 +++ .../ValidSelfIssuedpathLenConstraintTest17.pem | 197 ++++ .../ValidSelfIssuedrequireExplicitPolicyTest6.pem | 127 +++ .../ValidSeparateCertificateandCRLKeysTest19.pem | 134 +++ .../pkits/smime-pem/ValidSignaturesTest1.pem | 118 +++ .../pkits/smime-pem/ValidTwoCRLsTest7.pem | 146 +++ .../smime-pem/ValidURInameConstraintsTest34.pem | 111 +++ .../smime-pem/ValidURInameConstraintsTest36.pem | 111 +++ .../ValidUTF8StringCaseInsensitiveMatchTest11.pem | 110 +++ .../smime-pem/ValidUTF8StringEncodedNamesTest9.pem | 108 +++ ...UnknownNotCriticalCertificateExtensionTest1.pem | 58 ++ .../ValidbasicConstraintsNotCriticalTest4.pem | 110 +++ .../pkits/smime-pem/ValidcRLIssuerTest28.pem | 178 ++++ .../pkits/smime-pem/ValidcRLIssuerTest29.pem | 176 ++++ .../pkits/smime-pem/ValidcRLIssuerTest30.pem | 143 +++ .../pkits/smime-pem/ValidcRLIssuerTest33.pem | 226 +++++ 
.../pkits/smime-pem/ValiddeltaCRLTest2.pem | 190 ++++ .../pkits/smime-pem/ValiddeltaCRLTest5.pem | 190 ++++ .../pkits/smime-pem/ValiddeltaCRLTest7.pem | 190 ++++ .../pkits/smime-pem/ValiddeltaCRLTest8.pem | 162 ++++ .../smime-pem/ValiddistributionPointTest1.pem | 123 +++ .../smime-pem/ValiddistributionPointTest4.pem | 121 +++ .../smime-pem/ValiddistributionPointTest5.pem | 118 +++ .../smime-pem/ValiddistributionPointTest7.pem | 120 +++ .../pkits/smime-pem/ValidinhibitAnyPolicyTest2.pem | 108 +++ .../smime-pem/ValidinhibitPolicyMappingTest2.pem | 162 ++++ .../smime-pem/ValidinhibitPolicyMappingTest4.pem | 216 +++++ .../smime-pem/ValidkeyUsageNotCriticalTest3.pem | 108 +++ .../ValidonlyContainsCACertsCRLTest13.pem | 112 +++ .../pkits/smime-pem/ValidonlySomeReasonsTest18.pem | 167 ++++ .../pkits/smime-pem/ValidonlySomeReasonsTest19.pem | 167 ++++ .../smime-pem/ValidpathLenConstraintTest13.pem | 262 ++++++ .../smime-pem/ValidpathLenConstraintTest14.pem | 263 ++++++ .../smime-pem/ValidpathLenConstraintTest7.pem | 108 +++ .../smime-pem/ValidpathLenConstraintTest8.pem | 108 +++ .../Validpre2000UTCnotBeforeDateTest3.pem | 119 +++ .../pkits_SUITE_data/pkits/smime-pem/certs.pem | 118 +++ .../pkits/smime-pem/inhibitAnyPolicyTest3.pem | 159 ++++ lib/public_key/test/public_key.spec | 2 + lib/public_key/test/public_key_SUITE.erl | 260 ++++++ .../test/public_key_SUITE_data/cacerts.pem | 43 + .../test/public_key_SUITE_data/client_cert.pem | 22 + .../test/public_key_SUITE_data/client_key.pem | 15 + lib/public_key/test/public_key_SUITE_data/dh.pem | 4 + lib/public_key/test/public_key_SUITE_data/dsa.pem | 12 + lib/public_key/test/public_key_SUITE_data/req.pem | 12 + lib/public_key/test/public_key_SUITE_data/rsa.pem | 16 + .../test/public_key_SUITE_data/server_cert.pem | 22 + .../test/public_key_SUITE_data/server_key.pem | 15 + lib/public_key/vsn.mk | 6 + 280 files changed, 40277 insertions(+) create mode 100644 lib/public_key/AUTHORS create mode 100644 lib/public_key/Makefile create 
mode 100755 lib/public_key/asn1/DSS.asn1 create mode 100644 lib/public_key/asn1/Makefile create mode 100644 lib/public_key/asn1/OTP-PKIX.asn1 create mode 100644 lib/public_key/asn1/OTP-PUB-KEY.asn1config create mode 100644 lib/public_key/asn1/OTP-PUB-KEY.set.asn create mode 100755 lib/public_key/asn1/PKCS-1.asn1 create mode 100644 lib/public_key/asn1/PKIX1Algorithms88.asn1 create mode 100644 lib/public_key/asn1/PKIX1Explicit88.asn1 create mode 100644 lib/public_key/asn1/PKIX1Implicit88.asn1 create mode 100644 lib/public_key/asn1/PKIXAttributeCertificate.asn1 create mode 100644 lib/public_key/asn1/README create mode 100644 lib/public_key/doc/html/.gitignore create mode 100644 lib/public_key/doc/man3/.gitignore create mode 100644 lib/public_key/doc/pdf/.gitignore create mode 100644 lib/public_key/doc/src/Makefile create mode 100644 lib/public_key/doc/src/book.xml create mode 100644 lib/public_key/doc/src/cert_records.xml create mode 100644 lib/public_key/doc/src/fascicules.xml create mode 100644 lib/public_key/doc/src/introduction.xml create mode 100644 lib/public_key/doc/src/make.dep create mode 100644 lib/public_key/doc/src/note.gif create mode 100644 lib/public_key/doc/src/notes.xml create mode 100644 lib/public_key/doc/src/part.xml create mode 100644 lib/public_key/doc/src/part_notes.xml create mode 100644 lib/public_key/doc/src/public_key.xml create mode 100644 lib/public_key/doc/src/public_key_records.xml create mode 100644 lib/public_key/doc/src/ref_man.xml create mode 100644 lib/public_key/ebin/.gitignore create mode 100644 lib/public_key/include/public_key.hrl create mode 100644 lib/public_key/info create mode 100644 lib/public_key/src/Makefile create mode 100644 lib/public_key/src/pubkey_cert.erl create mode 100644 lib/public_key/src/pubkey_cert_records.erl create mode 100644 lib/public_key/src/pubkey_crypto.erl create mode 100644 lib/public_key/src/pubkey_pem.erl create mode 100644 lib/public_key/src/public_key.app.src create mode 100644 
lib/public_key/src/public_key.appup.src create mode 100644 lib/public_key/src/public_key.erl create mode 100644 lib/public_key/test/Makefile create mode 100644 lib/public_key/test/pkits_SUITE.erl create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/certs/TrustAnchorRootCertificate.crt create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesAnyPolicyTest11.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesNoPoliciesTest2.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePoliciesTest10.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePoliciesTest13.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePolicyTest1.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AnyPolicyTest14.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/CPSPointerQualifierTest20.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest12.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest3.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest4.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest5.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest7.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest8.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest9.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBadCRLIssuerNameTest5.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBadCRLSignatureTest4.pem create mode 100644 
lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedCRLSigningKeyTest7.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedCRLSigningKeyTest8.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedNewWithOldTest5.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedOldWithNewTest2.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidCASignatureTest2.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidCAnotAfterDateTest5.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidCAnotBeforeDateTest1.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNSnameConstraintsTest31.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNSnameConstraintsTest33.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNSnameConstraintsTest38.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNandRFC822nameConstraintsTest28.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNandRFC822nameConstraintsTest29.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest10.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest12.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest13.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest15.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest16.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest17.pem create mode 100644 
lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest2.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest3.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest7.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest8.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDNnameConstraintsTest9.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidDSASignatureTest6.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidEESignatureTest3.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidEEnotAfterDateTest6.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidEEnotBeforeDateTest2.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidIDPwithindirectCRLTest23.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidIDPwithindirectCRLTest26.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidLongSerialNumberTest18.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidMappingFromanyPolicyTest7.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidMappingToanyPolicyTest8.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidMissingbasicConstraintsTest1.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidNameChainingEETest1.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidNameChainingOrderTest2.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidNegativeSerialNumberTest15.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidOldCRLnextUpdateTest11.pem 
create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidPolicyMappingTest10.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidPolicyMappingTest2.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidPolicyMappingTest4.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRFC822nameConstraintsTest22.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRFC822nameConstraintsTest24.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRFC822nameConstraintsTest26.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRequireExplicitPolicyTest3.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRequireExplicitPolicyTest5.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRevokedCATest2.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidRevokedEETest3.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedDNnameConstraintsTest20.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitAnyPolicyTest10.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitAnyPolicyTest8.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitPolicyMappingTest10.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitPolicyMappingTest11.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitPolicyMappingTest8.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedinhibitPolicyMappingTest9.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedpathLenConstraintTest16.pem 
create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedrequireExplicitPolicyTest7.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSelfIssuedrequireExplicitPolicyTest8.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSeparateCertificateandCRLKeysTest20.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidSeparateCertificateandCRLKeysTest21.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidURInameConstraintsTest35.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidURInameConstraintsTest37.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidUnknownCRLEntryExtensionTest8.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidUnknownCRLExtensionTest10.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidUnknownCRLExtensionTest9.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidUnknownCriticalCertificateExtensionTest2.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidWrongCRLTest6.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcAFalseTest2.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcAFalseTest3.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest27.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest31.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest32.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest34.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidcRLIssuerTest35.pem create mode 100644 
lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLIndicatorNoBaseTest1.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest10.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest3.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest4.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest6.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddeltaCRLTest9.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest2.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest3.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest6.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest8.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvaliddistributionPointTest9.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitAnyPolicyTest1.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitAnyPolicyTest4.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitAnyPolicyTest5.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitAnyPolicyTest6.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitPolicyMappingTest1.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitPolicyMappingTest3.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitPolicyMappingTest5.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidinhibitPolicyMappingTest6.pem create mode 100644 
lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidkeyUsageCriticalcRLSignFalseTest4.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidkeyUsageCriticalkeyCertSignFalseTest1.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidkeyUsageNotCriticalcRLSignFalseTest5.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidkeyUsageNotCriticalkeyCertSignFalseTest2.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlyContainsAttributeCertsTest14.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlyContainsCACertsCRLTest12.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlyContainsUserCertsCRLTest11.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest15.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest16.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest17.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest20.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidonlySomeReasonsTest21.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest10.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest11.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest12.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest5.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest6.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidpathLenConstraintTest9.pem create mode 100644 
lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/Invalidpre2000CRLnextUpdateTest12.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/Invalidpre2000UTCEEnotAfterDateTest7.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/MissingCRLTest1.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/OverlappingPoliciesTest6.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest15.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest16.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest17.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest18.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/UserNoticeQualifierTest19.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidBasicSelfIssuedCRLSigningKeyTest6.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidBasicSelfIssuedNewWithOldTest3.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidBasicSelfIssuedNewWithOldTest4.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidBasicSelfIssuedOldWithNewTest1.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNSnameConstraintsTest30.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNSnameConstraintsTest32.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNandRFC822nameConstraintsTest27.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest1.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest11.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest14.pem 
create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest18.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest4.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest5.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDNnameConstraintsTest6.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDSAParameterInheritanceTest5.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidDSASignaturesTest4.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidGeneralizedTimeCRLnextUpdateTest13.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidGeneralizedTimenotAfterDateTest8.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidGeneralizedTimenotBeforeDateTest4.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidIDPwithindirectCRLTest22.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidIDPwithindirectCRLTest24.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidIDPwithindirectCRLTest25.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidLongSerialNumberTest16.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidLongSerialNumberTest17.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNameChainingCapitalizationTest5.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNameChainingUIDsTest6.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNameChainingWhitespaceTest3.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNameChainingWhitespaceTest4.pem create mode 100644 
lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNegativeSerialNumberTest14.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidNoissuingDistributionPointTest10.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest1.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest11.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest12.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest13.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest14.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest3.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest5.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest6.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidPolicyMappingTest9.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC3280MandatoryAttributeTypesTest7.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC3280OptionalAttributeTypesTest8.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC822nameConstraintsTest21.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC822nameConstraintsTest23.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRFC822nameConstraintsTest25.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRequireExplicitPolicyTest1.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRequireExplicitPolicyTest2.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRequireExplicitPolicyTest4.pem create 
mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidRolloverfromPrintableStringtoUTF8StringTest10.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedDNnameConstraintsTest19.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedinhibitAnyPolicyTest7.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedinhibitAnyPolicyTest9.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedinhibitPolicyMappingTest7.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedpathLenConstraintTest15.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedpathLenConstraintTest17.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSelfIssuedrequireExplicitPolicyTest6.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSeparateCertificateandCRLKeysTest19.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidSignaturesTest1.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidTwoCRLsTest7.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidURInameConstraintsTest34.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidURInameConstraintsTest36.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidUTF8StringCaseInsensitiveMatchTest11.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidUTF8StringEncodedNamesTest9.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidUnknownNotCriticalCertificateExtensionTest1.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidbasicConstraintsNotCriticalTest4.pem create mode 100644 
lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidcRLIssuerTest28.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidcRLIssuerTest29.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidcRLIssuerTest30.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidcRLIssuerTest33.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddeltaCRLTest2.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddeltaCRLTest5.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddeltaCRLTest7.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddeltaCRLTest8.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddistributionPointTest1.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddistributionPointTest4.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddistributionPointTest5.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValiddistributionPointTest7.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidinhibitAnyPolicyTest2.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidinhibitPolicyMappingTest2.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidinhibitPolicyMappingTest4.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidkeyUsageNotCriticalTest3.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidonlyContainsCACertsCRLTest13.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidonlySomeReasonsTest18.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidonlySomeReasonsTest19.pem create mode 100644 
lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidpathLenConstraintTest13.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidpathLenConstraintTest14.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidpathLenConstraintTest7.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/ValidpathLenConstraintTest8.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/Validpre2000UTCnotBeforeDateTest3.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/certs.pem create mode 100644 lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/inhibitAnyPolicyTest3.pem create mode 100644 lib/public_key/test/public_key.spec create mode 100644 lib/public_key/test/public_key_SUITE.erl create mode 100644 lib/public_key/test/public_key_SUITE_data/cacerts.pem create mode 100644 lib/public_key/test/public_key_SUITE_data/client_cert.pem create mode 100644 lib/public_key/test/public_key_SUITE_data/client_key.pem create mode 100644 lib/public_key/test/public_key_SUITE_data/dh.pem create mode 100644 lib/public_key/test/public_key_SUITE_data/dsa.pem create mode 100644 lib/public_key/test/public_key_SUITE_data/req.pem create mode 100644 lib/public_key/test/public_key_SUITE_data/rsa.pem create mode 100644 lib/public_key/test/public_key_SUITE_data/server_cert.pem create mode 100644 lib/public_key/test/public_key_SUITE_data/server_key.pem create mode 100644 lib/public_key/vsn.mk (limited to 'lib/public_key') diff --git a/lib/public_key/AUTHORS b/lib/public_key/AUTHORS new file mode 100644 index 0000000000..bb524037cf --- /dev/null +++ b/lib/public_key/AUTHORS @@ -0,0 +1,5 @@ +Original author: +Ingela Anderton Andin + +Contributors: +Dan Gudmundsson \ No newline at end of file diff --git a/lib/public_key/Makefile b/lib/public_key/Makefile new file mode 100644 index 0000000000..c679678b60 --- /dev/null +++ b/lib/public_key/Makefile 
@@ -0,0 +1,39 @@
+#
+# %CopyrightBegin%
+#
+# Copyright Ericsson AB 2008-2009. All Rights Reserved.
+#
+# The contents of this file are subject to the Erlang Public License,
+# Version 1.1, (the "License"); you may not use this file except in
+# compliance with the License. You should have received a copy of the
+# Erlang Public License along with this software. If not, it can be
+# retrieved online at http://www.erlang.org/.
+#
+# Software distributed under the License is distributed on an "AS IS"
+# basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+# the License for the specific language governing rights and limitations
+# under the License.
+#
+# %CopyrightEnd%
+#
+
+#
+include $(ERL_TOP)/make/target.mk
+include $(ERL_TOP)/make/$(TARGET)/otp.mk
+
+# ----------------------------------------------------
+# Macros
+# ----------------------------------------------------
+
+SUB_DIRECTORIES = asn1 src doc/src
+
+include vsn.mk
+VSN = $(PUBLIC_KEY_VSN)
+
+SPECIAL_TARGETS =
+
+# ----------------------------------------------------
+# Default Subdir Targets
+# ----------------------------------------------------
+include $(ERL_TOP)/make/otp_subdir.mk
+
diff --git a/lib/public_key/asn1/DSS.asn1 b/lib/public_key/asn1/DSS.asn1
new file mode 100755
index 0000000000..77aca3808b
--- /dev/null
+++ b/lib/public_key/asn1/DSS.asn1
@@ -0,0 +1,20 @@
+DSS DEFINITIONS EXPLICIT TAGS ::=
+
+BEGIN
+
+-- EXPORTS ALL
+-- All types and values defined in this module are exported for use
+-- in other ASN.1 modules.
+
+DSAPrivateKey ::= SEQUENCE {
+ version INTEGER,
+ p INTEGER, -- p
+ q INTEGER, -- q
+ g INTEGER, -- q
+ y INTEGER, -- y
+ x INTEGER -- x
+}
+
+END
+
+
diff --git a/lib/public_key/asn1/Makefile b/lib/public_key/asn1/Makefile
new file mode 100644
index 0000000000..fbea701be9
--- /dev/null
+++ b/lib/public_key/asn1/Makefile
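Review bot: The trailing comment on the `g` component of `DSAPrivateKey` reads `-- q`, a copy of the line above; it should be `g INTEGER, -- g` so the comment does not mislead anyone mapping the fields to the FIPS 186 parameters. The module also says nothing about what it carries: `x` is the private exponent, so a header comment such as `-- Decoded DSAPrivateKey values contain the secret x; treat them as key material, never log them` would warn callers that decoded records are secrets. `version` is an unconstrained INTEGER; if only a single version value is meant to be accepted, document that next to the field — the intended inputs are not visible from this hunk.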
@@ -0,0 +1,113 @@ +# +# %CopyrightBegin% +# +# Copyright Ericsson AB 2008-2009. All Rights Reserved. +# +# The contents of this file are subject to the Erlang Public License, +# Version 1.1, (the "License"); you may not use this file except in +# compliance with the License. You should have received a copy of the +# Erlang Public License along with this software. If not, it can be +# retrieved online at http://www.erlang.org/. +# +# Software distributed under the License is distributed on an "AS IS" +# basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See +# the License for the specific language governing rights and limitations +# under the License. +# +# %CopyrightEnd% +# + +include $(ERL_TOP)/make/target.mk +include $(ERL_TOP)/make/$(TARGET)/otp.mk + +# ---------------------------------------------------- +# Application version +# ---------------------------------------------------- +include ../vsn.mk +VSN=$(PUBLIC_KEY_VSN) + +# ---------------------------------------------------- +# Release directory specification +# ---------------------------------------------------- +RELSYSDIR = $(RELEASE_PATH)/lib/public_key-$(VSN) + +# ---------------------------------------------------- +# Common Macros +# ---------------------------------------------------- + +.SUFFIXES: .asn1 +.PRECIOUS: %.erl + +ASN_TOP = OTP-PUB-KEY +ASN_MODULES = PKIX1Explicit88 PKIX1Implicit88 PKIX1Algorithms88 \ + PKIXAttributeCertificate OTP-PKIX +ASN_ASNS = $(ASN_MODULES:%=%.asn1) +ASN_ERLS = $(ASN_TOP).erl +ASN_HRLS = $(ASN_TOP).hrl +ASN_CONFIGS = OTP-PUB-KEY.asn1config +ASN_DBS = $(ASN_MODULES:%=%.asn1db) OTP-PUB-KEY.asn1db +ASN_TABLES = $(ASN_MODULES:%=%.table) + +GEN_MODULES = +GEN_ERLS = $(GEN_MODULES:%=%.erl) +ERL_MODULES = $(ASN_TOP) $(GEN_MODULES) + +TARGET_FILES= $(ERL_MODULES:%=$(EBIN)/%.$(EMULATOR)) + +HRL_FILES = $(ASN_HRLS:%=$(INCLUDE)/%) + +INCLUDE = ../include +EBIN = ../ebin + +# ---------------------------------------------------- +# FLAGS +# 
---------------------------------------------------- +EXTRA_ERLC_FLAGS = +ERL_COMPILE_FLAGS += $(EXTRA_ERLC_FLAGS) + +ASN_FLAGS = -bber_bin +der +compact_bit_string +optimize +noobj +asn1config +inline + +# ---------------------------------------------------- +# Targets +# ---------------------------------------------------- + +debug opt: $(TARGET_FILES) $(HRL_FILES) + +clean: + -rm -f $(ASN_ERLS) $(GEN_ERLS) $(ASN_HRLS) $(HRL_FILES) $(ASN_DBS) \ + $(ASN_TABLES) $(TARGET_FILES) *.beam *~ + +docs: + +%.erl: %.set.asn + erlc $(ASN_FLAGS) $< + +$(HRL_FILES): $(ASN_HRLS) + cp -p $(ASN_HRLS) $(INCLUDE) + +# ---------------------------------------------------- +# Release Target +# ---------------------------------------------------- +include $(ERL_TOP)/make/otp_release_targets.mk + +release_spec: opt + $(INSTALL_DIR) $(RELSYSDIR)/include + $(INSTALL_DATA) $(HRL_FILES) $(RELSYSDIR)/include + $(INSTALL_DIR) $(RELSYSDIR)/asn1 + $(INSTALL_DATA) $(ASN_ASNS) $(ASN_ERLS) $(ASN_HRLS) $(ASN_CONFIGS) \ + $(GEN_ERLS) $(RELSYSDIR)/asn1 + $(INSTALL_DIR) $(RELSYSDIR)/ebin + $(INSTALL_DATA) $(TARGET_FILES) $(RELSYSDIR)/ebin + +release_docs_spec: + +# +# Dependencies + +$(EBIN)/OTP-PUB-KEY.beam: OTP-PUB-KEY.erl OTP-PUB-KEY.hrl +OTP-PUB-KEY.erl OTP-PUB-KEY.hrl: OTP-PUB-KEY.asn1db +OTP-PUB-KEY.asn1db: PKIX1Algorithms88.asn1 \ + PKIX1Explicit88.asn1 \ + PKIX1Implicit88.asn1 \ + PKIXAttributeCertificate.asn1 \ + OTP-PKIX.asn1 diff --git a/lib/public_key/asn1/OTP-PKIX.asn1 b/lib/public_key/asn1/OTP-PKIX.asn1 new file mode 100644 index 0000000000..2bcacc0990 --- /dev/null +++ b/lib/public_key/asn1/OTP-PKIX.asn1 
@@ -0,0 +1,709 @@ +OTP-PKIX {iso(1) identified-organization(3) dod(6) internet(1) + private(4) enterprices(1) ericsson(193) otp(19) ssl(10) + pkix1(1)} + +DEFINITIONS EXPLICIT TAGS ::= + +BEGIN + +-- EXPORTS ALL + +IMPORTS + -- Certificate (parts of) + Version, + CertificateSerialNumber, + --AlgorithmIdentifier, + Validity, + UniqueIdentifier, + + -- AttribyteTypeAndValue + Name, + AttributeType, + id-at-name, + id-at-surname, + id-at-givenName, + id-at-initials, + id-at-generationQualifier, X520name, + id-at-commonName, X520CommonName, + id-at-localityName, X520LocalityName, + id-at-stateOrProvinceName, X520StateOrProvinceName, + id-at-organizationName, X520OrganizationName, + id-at-organizationalUnitName, X520OrganizationalUnitName, + id-at-title, X520Title, + id-at-dnQualifier, X520dnQualifier, + id-at-countryName, X520countryName, + id-at-serialNumber, X520SerialNumber, + id-at-pseudonym, X520Pseudonym, + id-domainComponent, DomainComponent, + id-emailAddress, EmailAddress, + + -- Extension Attributes + common-name, CommonName, + teletex-common-name, TeletexCommonName, + teletex-personal-name, TeletexPersonalName, + pds-name, PDSName, + physical-delivery-country-name, PhysicalDeliveryCountryName, + postal-code, PostalCode, + physical-delivery-office-name, PhysicalDeliveryOfficeName, + physical-delivery-office-number, PhysicalDeliveryOfficeNumber, + extension-OR-address-components, ExtensionORAddressComponents, + physical-delivery-personal-name, PhysicalDeliveryPersonalName, + physical-delivery-organization-name, PhysicalDeliveryOrganizationName, + extension-physical-delivery-address-components, + ExtensionPhysicalDeliveryAddressComponents, + unformatted-postal-address, UnformattedPostalAddress, + street-address, StreetAddress, + post-office-box-address, PostOfficeBoxAddress, + poste-restante-address, PosteRestanteAddress, + unique-postal-name, UniquePostalName, + local-postal-attributes, LocalPostalAttributes, + extended-network-address, ExtendedNetworkAddress, 
+ terminal-type, TerminalType, + teletex-domain-defined-attributes, TeletexDomainDefinedAttributes + + FROM PKIX1Explicit88 { iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-pkix1-explicit(18) } + + -- Extensions + id-ce-authorityKeyIdentifier, AuthorityKeyIdentifier, + id-ce-subjectKeyIdentifier, SubjectKeyIdentifier, + id-ce-keyUsage, KeyUsage, + id-ce-privateKeyUsagePeriod, PrivateKeyUsagePeriod, + id-ce-certificatePolicies, CertificatePolicies, + id-ce-policyMappings, PolicyMappings, + id-ce-subjectAltName, SubjectAltName, + id-ce-issuerAltName, IssuerAltName, + id-ce-subjectDirectoryAttributes, SubjectDirectoryAttributes, + id-ce-basicConstraints, BasicConstraints, + id-ce-nameConstraints, NameConstraints, + id-ce-policyConstraints, PolicyConstraints, + id-ce-cRLDistributionPoints, CRLDistributionPoints, + id-ce-extKeyUsage, ExtKeyUsageSyntax, + id-ce-inhibitAnyPolicy, InhibitAnyPolicy, + id-ce-freshestCRL, FreshestCRL, + id-pe-authorityInfoAccess, AuthorityInfoAccessSyntax, + id-pe-subjectInfoAccess, SubjectInfoAccessSyntax, + id-ce-cRLNumber, CRLNumber, + id-ce-issuingDistributionPoint, IssuingDistributionPoint, + id-ce-deltaCRLIndicator, BaseCRLNumber, + id-ce-cRLReasons, CRLReason, + id-ce-certificateIssuer, CertificateIssuer, + id-ce-holdInstructionCode, HoldInstructionCode, + id-ce-invalidityDate, InvalidityDate + + FROM PKIX1Implicit88 { iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-pkix1-implicit(19) } + + --Keys and Signatures + id-dsa, Dss-Parms, DSAPublicKey, + id-dsa-with-sha1, + md2WithRSAEncryption, + md5WithRSAEncryption, + sha1WithRSAEncryption, + rsaEncryption, RSAPublicKey, + dhpublicnumber, DomainParameters, DHPublicKey, + id-keyExchangeAlgorithm, KEA-Parms-Id, --KEA-PublicKey, + ecdsa-with-SHA1, + prime-field, Prime-p, + characteristic-two-field, --Characteristic-two, + gnBasis, + tpBasis, Trinomial, + ppBasis, Pentanomial, + 
id-ecPublicKey, EcpkParameters, ECPoint + FROM PKIX1Algorithms88 { iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-algorithms(17) }; + +-- +-- Certificate +-- + +OTPCertificate ::= SEQUENCE { + tbsCertificate OTPTBSCertificate, + signatureAlgorithm SignatureAlgorithm, + signature BIT STRING } + +OTPTBSCertificate ::= SEQUENCE { + version [0] Version DEFAULT v1, + serialNumber CertificateSerialNumber, + signature SignatureAlgorithm, + issuer Name, + validity Validity, + subject Name, + subjectPublicKeyInfo OTPSubjectPublicKeyInfo, + issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, + -- If present, version MUST be v2 or v3 + subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, + -- If present, version MUST be v2 or v3 + extensions [3] Extensions OPTIONAL + -- If present, version MUST be v3 -- } + + +-- Attribute type and values +-- + +ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= CLASS { + &id AttributeType UNIQUE, + &Type } + WITH SYNTAX { + ID &id + TYPE &Type } + +OTPAttributeTypeAndValue ::= SEQUENCE { + type ATTRIBUTE-TYPE-AND-VALUE-CLASS.&id + ({SupportedAttributeTypeAndValues}), + value ATTRIBUTE-TYPE-AND-VALUE-CLASS.&Type + ({SupportedAttributeTypeAndValues}{@type}) } + +SupportedAttributeTypeAndValues ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= + { name | surname | givenName | initials | generationQualifier | + commonName | localityName | stateOrProvinceName | organizationName | + organizationalUnitName | title | dnQualifier | countryName | + serialNumber | pseudonym | domainComponent | emailAddress } + +name ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { + ID id-at-name + TYPE X520name } + +surname ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { + ID id-at-surname + TYPE X520name } + +givenName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { + ID id-at-givenName + TYPE X520name } + +initials ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { + ID id-at-initials + TYPE X520name } + +generationQualifier ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { + ID 
id-at-generationQualifier + TYPE X520name } + +commonName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { + ID id-at-commonName + TYPE X520CommonName } + +localityName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { + ID id-at-localityName + TYPE X520LocalityName } + +stateOrProvinceName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { + ID id-at-stateOrProvinceName + TYPE X520StateOrProvinceName } + +organizationName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { + ID id-at-organizationName + TYPE X520OrganizationName } + +organizationalUnitName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { + ID id-at-organizationalUnitName + TYPE X520OrganizationalUnitName } + +title ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { + ID id-at-title + TYPE X520Title } + +dnQualifier ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { + ID id-at-dnQualifier + TYPE X520dnQualifier } + +countryName ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { + ID id-at-countryName + TYPE X520countryName } + +serialNumber ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { + ID id-at-serialNumber + TYPE X520SerialNumber } + +pseudonym ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { + ID id-at-pseudonym + TYPE X520Pseudonym } + +domainComponent ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { + ID id-domainComponent + TYPE DomainComponent } + +emailAddress ATTRIBUTE-TYPE-AND-VALUE-CLASS ::= { + ID id-emailAddress + TYPE EmailAddress } + +-- +-- Signature and Public Key Algorithms +-- + +OTPOLDSubjectPublicKeyInfo ::= SEQUENCE { + algorithm SEQUENCE { + algo PUBLIC-KEY-ALGORITHM-CLASS.&id + ({SupportedPublicKeyAlgorithms}), + parameters PUBLIC-KEY-ALGORITHM-CLASS.&Type + ({SupportedPublicKeyAlgorithms}{@.algo}) + OPTIONAL + }, + subjectPublicKey PUBLIC-KEY-ALGORITHM-CLASS.&PublicKeyType + ({SupportedPublicKeyAlgorithms}{@algorithm.algo}) } + +OTPSubjectPublicKeyInfo ::= SEQUENCE { + algorithm PublicKeyAlgorithm, + subjectPublicKey BIT STRING } + + +-- The following is needed for conversion of SubjectPublicKeyInfo. 
+ +OTPSubjectPublicKeyInfo-Any ::= SEQUENCE { + algorithm PublicKeyAlgorithm, + subjectPublicKey ANY } + + +SIGNATURE-ALGORITHM-CLASS ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Type OPTIONAL } + WITH SYNTAX { + ID &id + [TYPE &Type] } + +PUBLIC-KEY-ALGORITHM-CLASS ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Type OPTIONAL, + &PublicKeyType OPTIONAL } + WITH SYNTAX { + ID &id + [TYPE &Type] + [PUBLIC-KEY-TYPE &PublicKeyType] } + +SignatureAlgorithm ::= SEQUENCE { + algorithm SIGNATURE-ALGORITHM-CLASS.&id + ({SupportedSignatureAlgorithms}), + parameters SIGNATURE-ALGORITHM-CLASS.&Type + ({SupportedSignatureAlgorithms}{@algorithm}) + OPTIONAL } + +SignatureAlgorithm-Any ::= SEQUENCE { + algorithm OBJECT IDENTIFIER, + parameters ANY OPTIONAL } + +PublicKeyAlgorithm ::= SEQUENCE { + algorithm PUBLIC-KEY-ALGORITHM-CLASS.&id + ({SupportedPublicKeyAlgorithms}), + parameters PUBLIC-KEY-ALGORITHM-CLASS.&Type + ({SupportedPublicKeyAlgorithms}{@algorithm}) + OPTIONAL } + +SupportedSignatureAlgorithms SIGNATURE-ALGORITHM-CLASS ::= { + dsa-with-sha1 | md2-with-rsa-encryption | + md5-with-rsa-encryption | sha1-with-rsa-encryption | + ecdsa-with-sha1 } + +SupportedPublicKeyAlgorithms PUBLIC-KEY-ALGORITHM-CLASS ::= { + dsa | rsa-encryption | dh | kea | ec-public-key } + + -- DSA Keys and Signatures + + -- SubjectPublicKeyInfo: + + dsa PUBLIC-KEY-ALGORITHM-CLASS ::= { + ID id-dsa + TYPE Dss-Parms -- XXX Must be OPTIONAL + PUBLIC-KEY-TYPE DSAPublicKey } + + -- Certificate.signatureAlgorithm + + dsa-with-sha1 SIGNATURE-ALGORITHM-CLASS ::= { + ID id-dsa-with-sha1 + TYPE NULL } -- XXX Must be empty and not NULL + + -- + -- RSA Keys and Signatures + -- + + -- Certificate.signatureAlgorithm + + md2-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= { + ID md2WithRSAEncryption + TYPE NULL } + + md5-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= { + ID md5WithRSAEncryption + TYPE NULL } + + sha1-with-rsa-encryption SIGNATURE-ALGORITHM-CLASS ::= { + ID sha1WithRSAEncryption + TYPE 
NULL } + + -- Certificate.signature + -- See PKCS #1 (RFC 2313). XXX + + -- SubjectPublicKeyInfo: + + rsa-encryption PUBLIC-KEY-ALGORITHM-CLASS ::= { + ID rsaEncryption + TYPE NULL + PUBLIC-KEY-TYPE RSAPublicKey } + + -- + -- Diffie-Hellman Keys + -- + + -- SubjectPublicKeyInfo: + + dh PUBLIC-KEY-ALGORITHM-CLASS ::= { + ID dhpublicnumber + TYPE DomainParameters + PUBLIC-KEY-TYPE DHPublicKey } + + -- There are no Diffie-Hellman signature algorithms + + -- + -- KEA Keys + -- + + -- SubjectPublicKeyInfo: + + KEA-PublicKey ::= INTEGER + + kea PUBLIC-KEY-ALGORITHM-CLASS ::= { + ID id-keyExchangeAlgorithm + TYPE KEA-Parms-Id + PUBLIC-KEY-TYPE KEA-PublicKey } + + -- There are no KEA signature algorithms + + -- + -- Elliptic Curve Keys, Signatures, and Curves + -- + + -- Certificate.signatureAlgorithm + + ecdsa-with-sha1 SIGNATURE-ALGORITHM-CLASS ::= { + ID ecdsa-with-SHA1 + TYPE NULL } -- XXX Must be empty and not NULL + + FIELD-ID-CLASS ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Type } + WITH SYNTAX { + ID &id + TYPE &Type } + + OTPFieldID ::= SEQUENCE { -- Finite field + fieldType FIELD-ID-CLASS.&id({SupportedFieldIds}), + parameters FIELD-ID-CLASS.&Type({SupportedFieldIds}{@fieldType}) } + + SupportedFieldIds FIELD-ID-CLASS ::= { + field-prime-field | field-characteristic-two } + + field-prime-field FIELD-ID-CLASS ::= { + ID prime-field + TYPE Prime-p } + + CHARACTERISTIC-TWO-CLASS ::= CLASS { + &id OBJECT IDENTIFIER UNIQUE, + &Type } + WITH SYNTAX { + ID &id + TYPE &Type } + + OTPCharacteristic-two ::= SEQUENCE { -- Finite field + m INTEGER, -- Field size 2^m + basis CHARACTERISTIC-TWO-CLASS.&id({SupportedCharacteristicTwos}), + parameters CHARACTERISTIC-TWO-CLASS.&Type + ({SupportedCharacteristicTwos}{@basis}) } + + SupportedCharacteristicTwos CHARACTERISTIC-TWO-CLASS ::= { + gn-basis | tp-basis | pp-basis } + + field-characteristic-two FIELD-ID-CLASS ::= { + ID characteristic-two-field + TYPE Characteristic-two } + + gn-basis CHARACTERISTIC-TWO-CLASS ::= { + ID 
gnBasis + TYPE NULL } + + tp-basis CHARACTERISTIC-TWO-CLASS ::= { + ID tpBasis + TYPE Trinomial } + + pp-basis CHARACTERISTIC-TWO-CLASS ::= { + ID ppBasis + TYPE Pentanomial } + + -- SubjectPublicKeyInfo.algorithm + + ec-public-key PUBLIC-KEY-ALGORITHM-CLASS ::= { + ID id-ecPublicKey + TYPE EcpkParameters + PUBLIC-KEY-TYPE ECPoint } + +-- +-- Extension Attributes +-- + +EXTENSION-ATTRIBUTE-CLASS ::= CLASS { + &id INTEGER UNIQUE, + &Type } + WITH SYNTAX { + ID &id + TYPE &Type } + +OTPExtensionAttributes ::= SET SIZE (1..MAX) OF ExtensionAttribute + +-- XXX Below we should have extension-attribute-type and extension- +-- attribute-value but Erlang ASN1 does not like it. +OTPExtensionAttribute ::= SEQUENCE { + extensionAttributeType [0] IMPLICIT EXTENSION-ATTRIBUTE-CLASS.&id + ({SupportedExtensionAttributes}), + extensionAttributeValue [1] EXTENSION-ATTRIBUTE-CLASS.&Type + ({SupportedExtensionAttributes}{@extensionAttributeType}) } + +SupportedExtensionAttributes EXTENSION-ATTRIBUTE-CLASS ::= { + x400-common-name | + x400-teletex-common-name | + x400-teletex-personal-name | + x400-pds-name | + x400-physical-delivery-country-name | + x400-postal-code | + x400-physical-delivery-office-name | + x400-physical-delivery-office-number | + x400-extension-OR-address-components | + x400-physical-delivery-personal-name | + x400-physical-delivery-organization-name | + x400-extension-physical-delivery-address-components | + x400-unformatted-postal-address | + x400-street-address | + x400-post-office-box-address | + x400-poste-restante-address | + x400-unique-postal-name | + x400-local-postal-attributes | + x400-extended-network-address | + x400-terminal-type | + x400-teletex-domain-defined-attributes } + +-- Extension types and attribute values + +x400-common-name EXTENSION-ATTRIBUTE-CLASS ::= { + ID common-name + TYPE CommonName } + +x400-teletex-common-name EXTENSION-ATTRIBUTE-CLASS ::= { + ID teletex-common-name + TYPE TeletexCommonName } + +x400-teletex-personal-name 
EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID teletex-personal-name
+ TYPE TeletexPersonalName }
+
+x400-pds-name EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID pds-name
+ TYPE PDSName }
+
+x400-physical-delivery-country-name EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID physical-delivery-country-name
+ TYPE PhysicalDeliveryCountryName }
+
+x400-postal-code EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID postal-code
+ TYPE PostalCode }
+
+x400-physical-delivery-office-name EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID physical-delivery-office-name
+ TYPE PhysicalDeliveryOfficeName }
+
+x400-physical-delivery-office-number EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID physical-delivery-office-number
+ TYPE PhysicalDeliveryOfficeNumber }
+
+x400-extension-OR-address-components EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID extension-OR-address-components
+ TYPE ExtensionORAddressComponents }
+
+x400-physical-delivery-personal-name EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID physical-delivery-personal-name
+ TYPE PhysicalDeliveryPersonalName }
+
+x400-physical-delivery-organization-name EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID physical-delivery-organization-name
+ TYPE PhysicalDeliveryOrganizationName }
+
+x400-extension-physical-delivery-address-components
+ EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID extension-physical-delivery-address-components
+ TYPE ExtensionPhysicalDeliveryAddressComponents }
+
+x400-unformatted-postal-address EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID unformatted-postal-address
+ TYPE UnformattedPostalAddress }
+
+x400-street-address EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID street-address
+ TYPE StreetAddress }
+
+x400-post-office-box-address EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID post-office-box-address
+ TYPE PostOfficeBoxAddress }
+
+x400-poste-restante-address EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID poste-restante-address
+ TYPE PosteRestanteAddress }
+
+x400-unique-postal-name EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID unique-postal-name
+ TYPE UniquePostalName }
+
+x400-local-postal-attributes EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID local-postal-attributes
+ TYPE LocalPostalAttributes }
+
+x400-extended-network-address EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID extended-network-address
+ TYPE ExtendedNetworkAddress }
+
+x400-terminal-type EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID terminal-type
+ TYPE TerminalType }
+
+x400-teletex-domain-defined-attributes EXTENSION-ATTRIBUTE-CLASS ::= {
+ ID teletex-domain-defined-attributes
+ TYPE TeletexDomainDefinedAttributes }
+
+-- Extensions
+
+OTPExtensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+
+EXTENSION-CLASS ::= CLASS {
+ &id OBJECT IDENTIFIER UNIQUE,
+ &Type OPTIONAL}
+ WITH SYNTAX {
+ ID &id
+ [TYPE &Type] }
+
+OTPExtension ::= SEQUENCE {
+ extnID EXTENSION-CLASS.&id({SupportedExtensions}),
+ critical BOOLEAN DEFAULT FALSE,
+ extnValue EXTENSION-CLASS.&Type({SupportedExtensions}{@extnID}) }
+
+-- The following is needed for conversion between Extension and Extension-Cd
+
+ObjId ::= OBJECT IDENTIFIER
+Boolean ::= BOOLEAN
+Any ::= ANY
+
+Extension-Any ::= SEQUENCE {
+ extnID OBJECT IDENTIFIER,
+ critical BOOLEAN DEFAULT FALSE,
+ extnValue ANY }
+
+SupportedExtensions EXTENSION-CLASS ::= { authorityKeyIdentifier |
+ subjectKeyIdentifier | keyUsage | privateKeyUsagePeriod |
+ certificatePolicies | policyMappings | subjectAltName |
+ issuerAltName | subjectDirectoryAttributes | basicConstraints |
+ nameConstraints | policyConstraints | cRLDistributionPoints |
+ extKeyUsage | inhibitAnyPolicy | freshestCRL | authorityInfoAccess |
+ subjectInfoAccess | cRLNumber | issuingDistributionPoint |
+ deltaCRLIndicator | cRLReasons | certificateIssuer |
+ holdInstructionCode | invalidityDate }
+
+authorityKeyIdentifier EXTENSION-CLASS ::= {
+ ID id-ce-authorityKeyIdentifier
+ TYPE AuthorityKeyIdentifier }
+
+subjectKeyIdentifier EXTENSION-CLASS ::= {
+ ID id-ce-subjectKeyIdentifier
+ TYPE SubjectKeyIdentifier }
+
+keyUsage EXTENSION-CLASS ::= {
+ ID id-ce-keyUsage
+ TYPE KeyUsage }
+
+privateKeyUsagePeriod EXTENSION-CLASS ::= {
+ ID id-ce-privateKeyUsagePeriod
+ TYPE PrivateKeyUsagePeriod }
+
+certificatePolicies EXTENSION-CLASS ::= {
+ ID id-ce-certificatePolicies
+ TYPE CertificatePolicies }
+
+policyMappings EXTENSION-CLASS ::= {
+ ID id-ce-policyMappings
+ TYPE PolicyMappings }
+
+subjectAltName EXTENSION-CLASS ::= {
+ ID id-ce-subjectAltName
+ TYPE SubjectAltName }
+
+issuerAltName EXTENSION-CLASS ::= {
+ ID id-ce-issuerAltName
+ TYPE IssuerAltName }
+
+subjectDirectoryAttributes EXTENSION-CLASS ::= {
+ ID id-ce-subjectDirectoryAttributes
+ TYPE SubjectDirectoryAttributes }
+
+basicConstraints EXTENSION-CLASS ::= {
+ ID id-ce-basicConstraints
+ TYPE BasicConstraints }
+
+nameConstraints EXTENSION-CLASS ::= {
+ ID id-ce-nameConstraints
+ TYPE NameConstraints }
+
+policyConstraints EXTENSION-CLASS ::= {
+ ID id-ce-policyConstraints
+ TYPE PolicyConstraints }
+
+cRLDistributionPoints EXTENSION-CLASS ::= {
+ ID id-ce-cRLDistributionPoints
+ TYPE CRLDistributionPoints }
+
+extKeyUsage EXTENSION-CLASS ::= {
+ ID id-ce-extKeyUsage
+ TYPE ExtKeyUsageSyntax }
+
+inhibitAnyPolicy EXTENSION-CLASS ::= {
+ ID id-ce-inhibitAnyPolicy
+ TYPE InhibitAnyPolicy }
+
+freshestCRL EXTENSION-CLASS ::= {
+ ID id-ce-freshestCRL
+ TYPE FreshestCRL }
+
+authorityInfoAccess EXTENSION-CLASS ::= {
+ ID id-pe-authorityInfoAccess
+ TYPE AuthorityInfoAccessSyntax }
+
+subjectInfoAccess EXTENSION-CLASS ::= {
+ ID id-pe-subjectInfoAccess
+ TYPE SubjectInfoAccessSyntax }
+
+cRLNumber EXTENSION-CLASS ::= {
+ ID id-ce-cRLNumber
+ TYPE CRLNumber }
+
+issuingDistributionPoint EXTENSION-CLASS ::= {
+ ID id-ce-issuingDistributionPoint
+ TYPE IssuingDistributionPoint }
+
+deltaCRLIndicator EXTENSION-CLASS ::= {
+ ID id-ce-deltaCRLIndicator
+ TYPE BaseCRLNumber }
+
+cRLReasons EXTENSION-CLASS ::= {
+ ID id-ce-cRLReasons
+ TYPE CRLReason }
+
+certificateIssuer EXTENSION-CLASS ::= {
+ ID id-ce-certificateIssuer
+ TYPE CertificateIssuer }
+
+holdInstructionCode EXTENSION-CLASS ::= {
+ ID id-ce-holdInstructionCode
+ TYPE HoldInstructionCode }
+
+invalidityDate EXTENSION-CLASS ::= {
+ ID id-ce-invalidityDate
+ TYPE InvalidityDate }
+
+END
diff --git a/lib/public_key/asn1/OTP-PUB-KEY.asn1config b/lib/public_key/asn1/OTP-PUB-KEY.asn1config
new file mode 100644
index 0000000000..86f4c54748
--- /dev/null
+++ b/lib/public_key/asn1/OTP-PUB-KEY.asn1config
@@ -0,0 +1,2 @@
+{exclusive_decode,{'OTP-PUB-KEY',
+ [{decode_TBSCert_exclusive,['Certificate',[{tbsCertificate,undecoded}]]}]}}.
diff --git a/lib/public_key/asn1/OTP-PUB-KEY.set.asn b/lib/public_key/asn1/OTP-PUB-KEY.set.asn
new file mode 100644
index 0000000000..2f9ccd6b0e
--- /dev/null
+++ b/lib/public_key/asn1/OTP-PUB-KEY.set.asn
@@ -0,0 +1,7 @@
+OTP-PKIX.asn1
+PKIX1Explicit88.asn1
+PKIX1Implicit88.asn1
+PKIXAttributeCertificate.asn1
+PKIX1Algorithms88.asn1
+PKCS-1.asn1
+DSS.asn1
diff --git a/lib/public_key/asn1/PKCS-1.asn1 b/lib/public_key/asn1/PKCS-1.asn1
new file mode 100755
index 0000000000..b06f5efa9d
--- /dev/null
+++ b/lib/public_key/asn1/PKCS-1.asn1
@@ -0,0 +1,116 @@
+PKCS-1 {
+ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)
+ modules(0) pkcs-1(1)
+}
+
+-- $Revision: 1.1 $
+
+DEFINITIONS EXPLICIT TAGS ::=
+
+BEGIN
+
+--IMPORTS id-sha256, id-sha384, id-sha512
+-- FROM NIST-SHA2 {
+-- joint-iso-itu-t(2) country(16) us(840) organization(1)
+-- gov(101) csor(3) nistalgorithm(4) modules(0) sha2(1)
+-- };
+
+pkcs-1 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1
+}
+
+rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 }
+
+id-RSAES-OAEP OBJECT IDENTIFIER ::= { pkcs-1 7 }
+
+id-pSpecified OBJECT IDENTIFIER ::= { pkcs-1 9 }
+
+id-RSASSA-PSS OBJECT IDENTIFIER ::= { pkcs-1 10 }
+
+md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }
+md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }
+sha1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 }
+sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 }
+sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 }
+sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 }
+
+id-sha1 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) oiw(14) secsig(3)
+ algorithms(2) 26
+}
+
+id-md2 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 2
+}
+
+id-md5 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5
+}
+
+id-mgf1 OBJECT IDENTIFIER ::= { pkcs-1 8 }
+
+
+RSAPublicKey ::= SEQUENCE {
+ modulus INTEGER, -- n
+ publicExponent INTEGER -- e
+}
+
+RSAPrivateKey ::= SEQUENCE {
+ version Version,
+ modulus INTEGER, -- n
+ publicExponent INTEGER, -- e
+ privateExponent INTEGER, -- d
+ prime1 INTEGER, -- p
+ prime2 INTEGER, -- q
+ exponent1 INTEGER, -- d mod (p-1)
+ exponent2 INTEGER, -- d mod (q-1)
+ coefficient INTEGER, -- (inverse of q) mod p
+ otherPrimeInfos OtherPrimeInfos OPTIONAL
+}
+
+Version ::= INTEGER { two-prime(0), multi(1) }
+ (CONSTRAINED BY {
+ -- version must be multi if otherPrimeInfos present --
+ })
+
+OtherPrimeInfos ::= SEQUENCE SIZE(1..MAX) OF OtherPrimeInfo
+
+OtherPrimeInfo ::= SEQUENCE {
+ prime INTEGER, -- ri
+ exponent INTEGER, -- di
+ coefficient INTEGER -- ti
+}
+
+Algorithm ::= SEQUENCE {
+ algorithm OBJECT IDENTIFIER,
+ parameters ANY DEFINED BY algorithm OPTIONAL
+}
+
+AlgorithmNull ::= SEQUENCE {
+ algorithm OBJECT IDENTIFIER,
+ parameters NULL
+}
+
+
+RSASSA-PSS-params ::= SEQUENCE {
+ hashAlgorithm [0] Algorithm, -- DEFAULT sha1,
+ maskGenAlgorithm [1] Algorithm, -- DEFAULT mgf1SHA1,
+ saltLength [2] INTEGER DEFAULT 20,
+ trailerField [3] TrailerField DEFAULT trailerFieldBC
+}
+
+TrailerField ::= INTEGER { trailerFieldBC(1) }
+
+DigestInfo ::= SEQUENCE {
+ digestAlgorithm Algorithm,
+ digest OCTET STRING
+}
+
+DigestInfoNull ::= SEQUENCE {
+ digestAlgorithm AlgorithmNull,
+ digest OCTET STRING
+}
+
+
+END -- PKCS1Definitions
+
diff --git a/lib/public_key/asn1/PKIX1Algorithms88.asn1 b/lib/public_key/asn1/PKIX1Algorithms88.asn1
new file mode 100644
index 0000000000..f895b6d0cd
--- /dev/null
+++ b/lib/public_key/asn1/PKIX1Algorithms88.asn1
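Review bot: In `RSASSA-PSS-params` the defaults on `hashAlgorithm` and `maskGenAlgorithm` exist only as the comments `-- DEFAULT sha1,` and `-- DEFAULT mgf1SHA1,`, so in this module both fields are mandatory; a PSS parameter encoding that omits them, which RFC 3447 permits through its DEFAULT clauses, will not decode here and the decoder cannot fill the defaults in itself. If the compiler cannot express those defaults, the deviation should at least be stated in the comment, e.g. `-- NOTE: hashAlgorithm and maskGenAlgorithm are mandatory in this module; RFC 3447 makes them DEFAULT sha1 / mgf1SHA1`. Separately, `DigestInfo.digestAlgorithm` is an `Algorithm` whose `parameters` is `ANY DEFINED BY algorithm OPTIONAL`, so absent, NULL and arbitrary parameter encodings all decode; PKCS#1 v1.5 verification code should compare against the expected DigestInfo encoding rather than accept any value that happens to decode. The stray `-- $Revision: 1.1 $` CVS keyword can be dropped.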
@@ -0,0 +1,235 @@ + PKIX1Algorithms88 { iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-algorithms(17) } + + DEFINITIONS EXPLICIT TAGS ::= BEGIN + + -- EXPORTS All; + + -- IMPORTS NONE; + + -- + -- One-way Hash Functions + -- md2, md5, id-sha1 see PKCS-1 + + -- + -- DSA Keys and Signatures + -- + + -- OID for DSA public key + + id-dsa OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 } + + -- encoding for DSA public key + + DSAPublicKey ::= INTEGER -- public key, y + + Dss-Parms ::= SEQUENCE { + p INTEGER, + q INTEGER, + g INTEGER } + + -- OID for DSA signature generated with SHA-1 hash + + id-dsa-with-sha1 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 3 } + + -- encoding for DSA signature generated with SHA-1 hash + + Dss-Sig-Value ::= SEQUENCE { + r INTEGER, + s INTEGER } + + -- + -- RSA Keys and Signatures, see PKCS-1 + -- + + -- + -- Diffie-Hellman Keys + -- + + dhpublicnumber OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) ansi-x942(10046) + number-type(2) 1 } + + -- encoding for DSA public key + + DHPublicKey ::= INTEGER -- public key, y = g^x mod p + + DomainParameters ::= SEQUENCE { + p INTEGER, -- odd prime, p=jq +1 + g INTEGER, -- generator, g + q INTEGER, -- factor of p-1 + j INTEGER OPTIONAL, -- subgroup factor, j>= 2 + validationParms ValidationParms OPTIONAL } + + ValidationParms ::= SEQUENCE { + seed BIT STRING, + pgenCounter INTEGER } + + -- + -- KEA Keys + -- + + id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= + { 2 16 840 1 101 2 1 1 22 } + + KEA-Parms-Id ::= OCTET STRING + + -- + -- Elliptic Curve Keys, Signatures, and Curves + -- + + ansi-X9-62 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) 10045 } + + FieldID ::= SEQUENCE { -- Finite field + fieldType OBJECT IDENTIFIER, + parameters ANY DEFINED BY fieldType } + + -- Arc for ECDSA signature OIDS + + id-ecSigType OBJECT IDENTIFIER ::= { 
ansi-X9-62 signatures(4) } + + -- OID for ECDSA signatures with SHA-1 + + ecdsa-with-SHA1 OBJECT IDENTIFIER ::= { id-ecSigType 1 } + + -- OID for an elliptic curve signature + -- format for the value of an ECDSA signature value + + ECDSA-Sig-Value ::= SEQUENCE { + r INTEGER, + s INTEGER } + + -- recognized field type OIDs are defined in the following arc + + id-fieldType OBJECT IDENTIFIER ::= { ansi-X9-62 fieldType(1) } + + -- where fieldType is prime-field, the parameters are of type Prime-p + + prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 } + + Prime-p ::= INTEGER -- Finite field F(p), where p is an odd prime + + -- where fieldType is characteristic-two-field, the parameters are + -- of type Characteristic-two + + characteristic-two-field OBJECT IDENTIFIER ::= { id-fieldType 2 } + + Characteristic-two ::= SEQUENCE { + m INTEGER, -- Field size 2^m + basis OBJECT IDENTIFIER, + parameters ANY DEFINED BY basis } + + -- recognized basis type OIDs are defined in the following arc + + id-characteristic-two-basis OBJECT IDENTIFIER ::= { + characteristic-two-field basisType(3) } + + -- gnbasis is identified by OID gnBasis and indicates + -- parameters are NULL + + gnBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 1 } + + -- parameters for this basis are NULL + + -- trinomial basis is identified by OID tpBasis and indicates + -- parameters of type Pentanomial + + tpBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 2 } + + -- Trinomial basis representation of F2^m + -- Integer k for reduction polynomial xm + xk + 1 + + Trinomial ::= INTEGER + + -- for pentanomial basis is identified by OID ppBasis and indicates + -- parameters of type Pentanomial + + ppBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 3 } + + -- Pentanomial basis representation of F2^m + -- reduction polynomial integers k1, k2, k3 + -- f(x) = x**m + x**k3 + x**k2 + x**k1 + 1 + + Pentanomial ::= SEQUENCE { + k1 INTEGER, + k2 INTEGER, + k3 INTEGER } + + -- The object 
identifiers gnBasis, tpBasis and ppBasis name
+ -- three kinds of basis for characteristic-two finite fields
+
+ FieldElement ::= OCTET STRING -- Finite field element
+
+ ECPoint ::= OCTET STRING -- Elliptic curve point
+
+ -- Elliptic Curve parameters may be specified explicitly,
+ -- specified implicitly through a "named curve", or
+ -- inherited from the CA
+
+ EcpkParameters ::= CHOICE {
+ ecParameters ECParameters,
+ namedCurve OBJECT IDENTIFIER,
+ implicitlyCA NULL }
+
+ ECParameters ::= SEQUENCE { -- Elliptic curve parameters
+ version ECPVer,
+ fieldID FieldID,
+ curve Curve,
+ base ECPoint, -- Base point G
+ order INTEGER, -- Order n of the base point
+ cofactor INTEGER OPTIONAL } -- The integer h = #E(Fq)/n
+
+ ECPVer ::= INTEGER {ecpVer1(1)}
+
+ Curve ::= SEQUENCE {
+ a FieldElement, -- Elliptic curve coefficient a
+ b FieldElement, -- Elliptic curve coefficient b
+ seed BIT STRING OPTIONAL }
+
+ id-publicKeyType OBJECT IDENTIFIER ::= { ansi-X9-62 keyType(2) }
+
+ id-ecPublicKey OBJECT IDENTIFIER ::= { id-publicKeyType 1 }
+
+ -- Named Elliptic Curves in ANSI X9.62.
+
+ ellipticCurve OBJECT IDENTIFIER ::= { ansi-X9-62 curves(3) }
+
+ c-TwoCurve OBJECT IDENTIFIER ::= {
+ ellipticCurve characteristicTwo(0) }
+
+ c2pnb163v1 OBJECT IDENTIFIER ::= { c-TwoCurve 1 }
+ c2pnb163v2 OBJECT IDENTIFIER ::= { c-TwoCurve 2 }
+ c2pnb163v3 OBJECT IDENTIFIER ::= { c-TwoCurve 3 }
+ c2pnb176w1 OBJECT IDENTIFIER ::= { c-TwoCurve 4 }
+ c2tnb191v1 OBJECT IDENTIFIER ::= { c-TwoCurve 5 }
+ c2tnb191v2 OBJECT IDENTIFIER ::= { c-TwoCurve 6 }
+ c2tnb191v3 OBJECT IDENTIFIER ::= { c-TwoCurve 7 }
+ c2onb191v4 OBJECT IDENTIFIER ::= { c-TwoCurve 8 }
+ c2onb191v5 OBJECT IDENTIFIER ::= { c-TwoCurve 9 }
+ c2pnb208w1 OBJECT IDENTIFIER ::= { c-TwoCurve 10 }
+ c2tnb239v1 OBJECT IDENTIFIER ::= { c-TwoCurve 11 }
+ c2tnb239v2 OBJECT IDENTIFIER ::= { c-TwoCurve 12 }
+ c2tnb239v3 OBJECT IDENTIFIER ::= { c-TwoCurve 13 }
+ c2onb239v4 OBJECT IDENTIFIER ::= { c-TwoCurve 14 }
+ c2onb239v5 OBJECT IDENTIFIER ::= { c-TwoCurve 15 }
+ c2pnb272w1 OBJECT IDENTIFIER ::= { c-TwoCurve 16 }
+ c2pnb304w1 OBJECT IDENTIFIER ::= { c-TwoCurve 17 }
+ c2tnb359v1 OBJECT IDENTIFIER ::= { c-TwoCurve 18 }
+ c2pnb368w1 OBJECT IDENTIFIER ::= { c-TwoCurve 19 }
+ c2tnb431r1 OBJECT IDENTIFIER ::= { c-TwoCurve 20 }
+
+ primeCurve OBJECT IDENTIFIER ::= { ellipticCurve prime(1) }
+
+ prime192v1 OBJECT IDENTIFIER ::= { primeCurve 1 }
+ prime192v2 OBJECT IDENTIFIER ::= { primeCurve 2 }
+ prime192v3 OBJECT IDENTIFIER ::= { primeCurve 3 }
+ prime239v1 OBJECT IDENTIFIER ::= { primeCurve 4 }
+ prime239v2 OBJECT IDENTIFIER ::= { primeCurve 5 }
+ prime239v3 OBJECT IDENTIFIER ::= { primeCurve 6 }
+ prime256v1 OBJECT IDENTIFIER ::= { primeCurve 7 }
+
+ END
diff --git a/lib/public_key/asn1/PKIX1Explicit88.asn1 b/lib/public_key/asn1/PKIX1Explicit88.asn1
new file mode 100644
index 0000000000..03e9da3e05
--- /dev/null
+++ b/lib/public_key/asn1/PKIX1Explicit88.asn1
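Review bot: The comment `-- encoding for DSA public key` placed above `DHPublicKey ::= INTEGER` names the wrong algorithm; it should read `-- encoding for Diffie-Hellman public key`. Likewise the comment introducing `tpBasis` says the parameters are `of type Pentanomial`, while the type actually defined for it just below is `Trinomial`. Both appear to be carried over from the RFC 3279 module text, but correcting them here costs nothing and keeps anyone mapping OIDs to parameter types from being misled.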
@@ -0,0 +1,619 @@ +PKIX1Explicit88 { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) } + +DEFINITIONS EXPLICIT TAGS ::= + +BEGIN + +-- EXPORTS ALL -- + +-- IMPORTS NONE -- + +-- UNIVERSAL Types defined in 1993 and 1998 ASN.1 +-- and required by this specification + +-- UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING + -- UniversalString is defined in ASN.1:1993 + +-- BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING + -- BMPString is the subtype of UniversalString and models + -- the Basic Multilingual Plane of ISO/IEC/ITU 10646-1 + +-- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING + -- The content of this type conforms to RFC 2279. + +-- PKIX specific OIDs + +id-pkix OBJECT IDENTIFIER ::= + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) } + +-- PKIX arcs + +id-pe OBJECT IDENTIFIER ::= { id-pkix 1 } + -- arc for private certificate extensions +id-qt OBJECT IDENTIFIER ::= { id-pkix 2 } + -- arc for policy qualifier types +id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } + -- arc for extended key purpose OIDS +id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } + -- arc for access descriptors + +-- policyQualifierIds for Internet policy qualifiers + +id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 } + -- OID for CPS qualifier +id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 } + -- OID for user notice qualifier + +-- access descriptor definitions + +id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 } +id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 } +id-ad-timeStamping OBJECT IDENTIFIER ::= { id-ad 3 } +id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 } + +-- attribute data types + +Attribute ::= SEQUENCE { + type AttributeType, + values SET OF AttributeValue } + -- at least one value is required + +AttributeType ::= OBJECT IDENTIFIER + +AttributeValue ::= ANY + +AttributeTypeAndValue ::= SEQUENCE { + type AttributeType, + value AttributeValue } + +-- suggested 
naming attributes: Definition of the following +-- information object set may be augmented to meet local +-- requirements. Note that deleting members of the set may +-- prevent interoperability with conforming implementations. +-- presented in pairs: the AttributeType followed by the +-- type definition for the corresponding AttributeValue +--Arc for standard naming attributes +id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 } + +-- Naming attributes of type X520name + +id-at-name AttributeType ::= { id-at 41 } +id-at-surname AttributeType ::= { id-at 4 } +id-at-givenName AttributeType ::= { id-at 42 } +id-at-initials AttributeType ::= { id-at 43 } +id-at-generationQualifier AttributeType ::= { id-at 44 } + +X520name ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-name)), + printableString PrintableString (SIZE (1..ub-name)), + universalString UniversalString (SIZE (1..ub-name)), + utf8String UTF8String (SIZE (1..ub-name)), + bmpString BMPString (SIZE (1..ub-name)) } + +-- Naming attributes of type X520CommonName + +id-at-commonName AttributeType ::= { id-at 3 } + +X520CommonName ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-common-name)), + printableString PrintableString (SIZE (1..ub-common-name)), + universalString UniversalString (SIZE (1..ub-common-name)), + utf8String UTF8String (SIZE (1..ub-common-name)), + bmpString BMPString (SIZE (1..ub-common-name)) } + +-- Naming attributes of type X520LocalityName + +id-at-localityName AttributeType ::= { id-at 7 } + +X520LocalityName ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-locality-name)), + printableString PrintableString (SIZE (1..ub-locality-name)), + universalString UniversalString (SIZE (1..ub-locality-name)), + utf8String UTF8String (SIZE (1..ub-locality-name)), + bmpString BMPString (SIZE (1..ub-locality-name)) } + +-- Naming attributes of type X520StateOrProvinceName + +id-at-stateOrProvinceName AttributeType ::= { id-at 8 } + +X520StateOrProvinceName ::= CHOICE { + 
teletexString TeletexString (SIZE (1..ub-state-name)), + printableString PrintableString (SIZE (1..ub-state-name)), + universalString UniversalString (SIZE (1..ub-state-name)), + utf8String UTF8String (SIZE (1..ub-state-name)), + bmpString BMPString (SIZE(1..ub-state-name)) } + +-- Naming attributes of type X520OrganizationName + +id-at-organizationName AttributeType ::= { id-at 10 } + +X520OrganizationName ::= CHOICE { + teletexString TeletexString + (SIZE (1..ub-organization-name)), + printableString PrintableString + (SIZE (1..ub-organization-name)), + universalString UniversalString + (SIZE (1..ub-organization-name)), + utf8String UTF8String + (SIZE (1..ub-organization-name)), + bmpString BMPString + (SIZE (1..ub-organization-name)) } + +-- Naming attributes of type X520OrganizationalUnitName + +id-at-organizationalUnitName AttributeType ::= { id-at 11 } + +X520OrganizationalUnitName ::= CHOICE { + teletexString TeletexString + (SIZE (1..ub-organizational-unit-name)), + printableString PrintableString + (SIZE (1..ub-organizational-unit-name)), + universalString UniversalString + (SIZE (1..ub-organizational-unit-name)), + utf8String UTF8String + (SIZE (1..ub-organizational-unit-name)), + bmpString BMPString + (SIZE (1..ub-organizational-unit-name)) } + +-- Naming attributes of type X520Title + +id-at-title AttributeType ::= { id-at 12 } + +X520Title ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-title)), + printableString PrintableString (SIZE (1..ub-title)), + universalString UniversalString (SIZE (1..ub-title)), + utf8String UTF8String (SIZE (1..ub-title)), + bmpString BMPString (SIZE (1..ub-title)) } + +-- Naming attributes of type X520dnQualifier + +id-at-dnQualifier AttributeType ::= { id-at 46 } + +X520dnQualifier ::= PrintableString + +-- Naming attributes of type X520countryName (digraph from IS 3166) + +id-at-countryName AttributeType ::= { id-at 6 } + +X520countryName ::= PrintableString (SIZE (2)) + +-- Naming attributes of type 
X520SerialNumber + +id-at-serialNumber AttributeType ::= { id-at 5 } + +X520SerialNumber ::= PrintableString (SIZE (1..ub-serial-number)) + +-- Naming attributes of type X520Pseudonym + +id-at-pseudonym AttributeType ::= { id-at 65 } + +X520Pseudonym ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-pseudonym)), + printableString PrintableString (SIZE (1..ub-pseudonym)), + universalString UniversalString (SIZE (1..ub-pseudonym)), + utf8String UTF8String (SIZE (1..ub-pseudonym)), + bmpString BMPString (SIZE (1..ub-pseudonym)) } + +-- Naming attributes of type DomainComponent (from RFC 2247) + +id-domainComponent AttributeType ::= + { 0 9 2342 19200300 100 1 25 } + +DomainComponent ::= IA5String + +-- Legacy attributes + +pkcs-9 OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } + +id-emailAddress AttributeType ::= { pkcs-9 1 } + +EmailAddress ::= IA5String (SIZE (1..ub-emailaddress-length)) + +-- naming data types -- + +Name ::= CHOICE { -- only one possibility for now -- + rdnSequence RDNSequence } + +RDNSequence ::= SEQUENCE OF RelativeDistinguishedName + +DistinguishedName ::= RDNSequence + +RelativeDistinguishedName ::= + SET SIZE (1 .. 
MAX) OF AttributeTypeAndValue + +-- Directory string type -- + +DirectoryString ::= CHOICE { + teletexString TeletexString (SIZE (1..MAX)), + printableString PrintableString (SIZE (1..MAX)), + universalString UniversalString (SIZE (1..MAX)), + utf8String UTF8String (SIZE (1..MAX)), + bmpString BMPString (SIZE (1..MAX)) } + +-- certificate and CRL specific structures begin here + +Certificate ::= SEQUENCE { + tbsCertificate TBSCertificate, + signatureAlgorithm AlgorithmIdentifier, + signature BIT STRING } + +TBSCertificate ::= SEQUENCE { + version [0] Version DEFAULT v1, + serialNumber CertificateSerialNumber, + signature AlgorithmIdentifier, + issuer Name, + validity Validity, + subject Name, + subjectPublicKeyInfo SubjectPublicKeyInfo, + issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, + -- If present, version MUST be v2 or v3 + subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, + -- If present, version MUST be v2 or v3 + extensions [3] Extensions OPTIONAL + -- If present, version MUST be v3 -- } + +Version ::= INTEGER { v1(0), v2(1), v3(2) } + +CertificateSerialNumber ::= INTEGER + +Validity ::= SEQUENCE { + notBefore Time, + notAfter Time } + +Time ::= CHOICE { + utcTime UTCTime, + generalTime GeneralizedTime } + +UniqueIdentifier ::= BIT STRING + +SubjectPublicKeyInfo ::= SEQUENCE { + algorithm AlgorithmIdentifier, + subjectPublicKey BIT STRING } + +Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension + +Extension ::= SEQUENCE { + extnID OBJECT IDENTIFIER, + critical BOOLEAN DEFAULT FALSE, + extnValue OCTET STRING } + +-- CRL structures + +CertificateList ::= SEQUENCE { + tbsCertList TBSCertList, + signatureAlgorithm AlgorithmIdentifier, + signature BIT STRING } + +TBSCertList ::= SEQUENCE { + version Version OPTIONAL, + -- if present, MUST be v2 + signature AlgorithmIdentifier, + issuer Name, + thisUpdate Time, + nextUpdate Time OPTIONAL, + revokedCertificates SEQUENCE OF SEQUENCE { + userCertificate CertificateSerialNumber, + revocationDate Time, + 
crlEntryExtensions Extensions OPTIONAL + -- if present, MUST be v2 + } OPTIONAL, + crlExtensions [0] Extensions OPTIONAL } + -- if present, MUST be v2 + +-- Version, Time, CertificateSerialNumber, and Extensions were +-- defined earlier for use in the certificate structure + +AlgorithmIdentifier ::= SEQUENCE { + algorithm OBJECT IDENTIFIER, + parameters ANY DEFINED BY algorithm OPTIONAL } + -- contains a value of the type + -- registered for use with the + -- algorithm object identifier value + +-- X.400 address syntax starts here + +ORAddress ::= SEQUENCE { + built-in-standard-attributes BuiltInStandardAttributes, + built-in-domain-defined-attributes + BuiltInDomainDefinedAttributes OPTIONAL, + -- see also teletex-domain-defined-attributes + extension-attributes ExtensionAttributes OPTIONAL } + +-- Built-in Standard Attributes + +BuiltInStandardAttributes ::= SEQUENCE { + country-name CountryName OPTIONAL, + administration-domain-name AdministrationDomainName OPTIONAL, + network-address [0] IMPLICIT NetworkAddress OPTIONAL, + -- see also extended-network-address + terminal-identifier [1] IMPLICIT TerminalIdentifier OPTIONAL, + private-domain-name [2] PrivateDomainName OPTIONAL, + organization-name [3] IMPLICIT OrganizationName OPTIONAL, + -- see also teletex-organization-name + numeric-user-identifier [4] IMPLICIT NumericUserIdentifier + OPTIONAL, + personal-name [5] IMPLICIT PersonalName OPTIONAL, + -- see also teletex-personal-name + organizational-unit-names [6] IMPLICIT OrganizationalUnitNames + OPTIONAL } + -- see also teletex-organizational-unit-names + +CountryName ::= [APPLICATION 1] CHOICE { + x121-dcc-code NumericString + (SIZE (ub-country-name-numeric-length)), + iso-3166-alpha2-code PrintableString + (SIZE (ub-country-name-alpha-length)) } + +AdministrationDomainName ::= [APPLICATION 2] CHOICE { + numeric NumericString (SIZE (0..ub-domain-name-length)), + printable PrintableString (SIZE (0..ub-domain-name-length)) } + +NetworkAddress ::= X121Address -- 
see also extended-network-address + +X121Address ::= NumericString (SIZE (1..ub-x121-address-length)) + +TerminalIdentifier ::= PrintableString (SIZE +(1..ub-terminal-id-length)) + +PrivateDomainName ::= CHOICE { + numeric NumericString (SIZE (1..ub-domain-name-length)), + printable PrintableString (SIZE (1..ub-domain-name-length)) } + +OrganizationName ::= PrintableString + (SIZE (1..ub-organization-name-length)) + -- see also teletex-organization-name + +NumericUserIdentifier ::= NumericString + (SIZE (1..ub-numeric-user-id-length)) + +PersonalName ::= SET { + surname [0] IMPLICIT PrintableString + (SIZE (1..ub-surname-length)), + given-name [1] IMPLICIT PrintableString + (SIZE (1..ub-given-name-length)) OPTIONAL, + initials [2] IMPLICIT PrintableString + (SIZE (1..ub-initials-length)) OPTIONAL, + generation-qualifier [3] IMPLICIT PrintableString + (SIZE (1..ub-generation-qualifier-length)) + OPTIONAL } + -- see also teletex-personal-name + +OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units) + OF OrganizationalUnitName + -- see also teletex-organizational-unit-names + +OrganizationalUnitName ::= PrintableString (SIZE + (1..ub-organizational-unit-name-length)) + +-- Built-in Domain-defined Attributes + +BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE + (1..ub-domain-defined-attributes) OF + BuiltInDomainDefinedAttribute + +BuiltInDomainDefinedAttribute ::= SEQUENCE { + type PrintableString (SIZE + (1..ub-domain-defined-attribute-type-length)), + value PrintableString (SIZE + (1..ub-domain-defined-attribute-value-length)) } + +-- Extension Attributes + +ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF + ExtensionAttribute + +ExtensionAttribute ::= SEQUENCE { + extension-attribute-type [0] IMPLICIT INTEGER + (0..ub-extension-attributes), + extension-attribute-value [1] + ANY DEFINED BY extension-attribute-type } + +-- Extension types and attribute values + +common-name INTEGER ::= 1 + +CommonName ::= PrintableString (SIZE 
(1..ub-common-name-length)) + +teletex-common-name INTEGER ::= 2 + +TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length)) + +teletex-organization-name INTEGER ::= 3 + +TeletexOrganizationName ::= + TeletexString (SIZE (1..ub-organization-name-length)) + +teletex-personal-name INTEGER ::= 4 + +TeletexPersonalName ::= SET { + surname [0] IMPLICIT TeletexString + (SIZE (1..ub-surname-length)), + given-name [1] IMPLICIT TeletexString + (SIZE (1..ub-given-name-length)) OPTIONAL, + initials [2] IMPLICIT TeletexString + (SIZE (1..ub-initials-length)) OPTIONAL, + generation-qualifier [3] IMPLICIT TeletexString + (SIZE (1..ub-generation-qualifier-length)) + OPTIONAL } + +teletex-organizational-unit-names INTEGER ::= 5 + +TeletexOrganizationalUnitNames ::= SEQUENCE SIZE + (1..ub-organizational-units) OF TeletexOrganizationalUnitName + +TeletexOrganizationalUnitName ::= TeletexString + (SIZE (1..ub-organizational-unit-name-length)) + +pds-name INTEGER ::= 7 + +PDSName ::= PrintableString (SIZE (1..ub-pds-name-length)) + +physical-delivery-country-name INTEGER ::= 8 + +PhysicalDeliveryCountryName ::= CHOICE { + x121-dcc-code NumericString (SIZE +(ub-country-name-numeric-length)), + iso-3166-alpha2-code PrintableString + (SIZE (ub-country-name-alpha-length)) } + +postal-code INTEGER ::= 9 + +PostalCode ::= CHOICE { + numeric-code NumericString (SIZE (1..ub-postal-code-length)), + printable-code PrintableString (SIZE (1..ub-postal-code-length)) } + +physical-delivery-office-name INTEGER ::= 10 + +PhysicalDeliveryOfficeName ::= PDSParameter + +physical-delivery-office-number INTEGER ::= 11 + +PhysicalDeliveryOfficeNumber ::= PDSParameter + +extension-OR-address-components INTEGER ::= 12 + +ExtensionORAddressComponents ::= PDSParameter + +physical-delivery-personal-name INTEGER ::= 13 + +PhysicalDeliveryPersonalName ::= PDSParameter + +physical-delivery-organization-name INTEGER ::= 14 + +PhysicalDeliveryOrganizationName ::= PDSParameter + 
+extension-physical-delivery-address-components INTEGER ::= 15 + +ExtensionPhysicalDeliveryAddressComponents ::= PDSParameter + +unformatted-postal-address INTEGER ::= 16 + +UnformattedPostalAddress ::= SET { + printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) + OF PrintableString (SIZE (1..ub-pds-parameter-length)) + OPTIONAL, + teletex-string TeletexString + (SIZE (1..ub-unformatted-address-length)) OPTIONAL } + +street-address INTEGER ::= 17 + +StreetAddress ::= PDSParameter + +post-office-box-address INTEGER ::= 18 + +PostOfficeBoxAddress ::= PDSParameter + +poste-restante-address INTEGER ::= 19 + +PosteRestanteAddress ::= PDSParameter + +unique-postal-name INTEGER ::= 20 + +UniquePostalName ::= PDSParameter + +local-postal-attributes INTEGER ::= 21 + +LocalPostalAttributes ::= PDSParameter + +PDSParameter ::= SET { + printable-string PrintableString + (SIZE(1..ub-pds-parameter-length)) OPTIONAL, + teletex-string TeletexString + (SIZE(1..ub-pds-parameter-length)) OPTIONAL } + +extended-network-address INTEGER ::= 22 + +ExtendedNetworkAddress ::= CHOICE { + e163-4-address SEQUENCE { + number [0] IMPLICIT NumericString + (SIZE (1..ub-e163-4-number-length)), + sub-address [1] IMPLICIT NumericString + (SIZE (1..ub-e163-4-sub-address-length)) + OPTIONAL }, + psap-address [0] IMPLICIT PresentationAddress } + +PresentationAddress ::= SEQUENCE { + pSelector [0] EXPLICIT OCTET STRING OPTIONAL, + sSelector [1] EXPLICIT OCTET STRING OPTIONAL, + tSelector [2] EXPLICIT OCTET STRING OPTIONAL, + nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING } + +terminal-type INTEGER ::= 23 + +TerminalType ::= INTEGER { + telex (3), + teletex (4), + g3-facsimile (5), + g4-facsimile (6), + ia5-terminal (7), + videotex (8) } (0..ub-integer-options) + +-- Extension Domain-defined Attributes + +teletex-domain-defined-attributes INTEGER ::= 6 + +TeletexDomainDefinedAttributes ::= SEQUENCE SIZE + (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute + 
+TeletexDomainDefinedAttribute ::= SEQUENCE {
+ type TeletexString
+ (SIZE (1..ub-domain-defined-attribute-type-length)),
+ value TeletexString
+ (SIZE (1..ub-domain-defined-attribute-value-length)) }
+
+-- specifications of Upper Bounds MUST be regarded as mandatory
+-- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
+-- Upper Bounds
+
+-- Upper Bounds
+ub-name INTEGER ::= 32768
+ub-common-name INTEGER ::= 64
+ub-locality-name INTEGER ::= 128
+ub-state-name INTEGER ::= 128
+ub-organization-name INTEGER ::= 64
+ub-organizational-unit-name INTEGER ::= 64
+ub-title INTEGER ::= 64
+ub-serial-number INTEGER ::= 64
+ub-match INTEGER ::= 128
+ub-emailaddress-length INTEGER ::= 255
+ub-common-name-length INTEGER ::= 64
+ub-country-name-alpha-length INTEGER ::= 2
+ub-country-name-numeric-length INTEGER ::= 3
+ub-domain-defined-attributes INTEGER ::= 4
+ub-domain-defined-attribute-type-length INTEGER ::= 8
+ub-domain-defined-attribute-value-length INTEGER ::= 128
+ub-domain-name-length INTEGER ::= 16
+ub-extension-attributes INTEGER ::= 256
+ub-e163-4-number-length INTEGER ::= 15
+ub-e163-4-sub-address-length INTEGER ::= 40
+ub-generation-qualifier-length INTEGER ::= 3
+ub-given-name-length INTEGER ::= 16
+ub-initials-length INTEGER ::= 5
+ub-integer-options INTEGER ::= 256
+ub-numeric-user-id-length INTEGER ::= 32
+ub-organization-name-length INTEGER ::= 64
+ub-organizational-unit-name-length INTEGER ::= 32
+ub-organizational-units INTEGER ::= 4
+ub-pds-name-length INTEGER ::= 16
+ub-pds-parameter-length INTEGER ::= 30
+ub-pds-physical-address-lines INTEGER ::= 6
+ub-postal-code-length INTEGER ::= 16
+ub-pseudonym INTEGER ::= 128
+ub-surname-length INTEGER ::= 40
+ub-terminal-id-length INTEGER ::= 24
+ub-unformatted-address-length INTEGER ::= 180
+ub-x121-address-length INTEGER ::= 16
+
+-- Note - upper bounds on string types, such as TeletexString, are
+-- measured in characters. Excepting PrintableString or IA5String, a
+-- significantly greater number of octets will be required to hold
+-- such a value. As a minimum, 16 octets, or twice the specified
+-- upper bound, whichever is the larger, should be allowed for
+-- TeletexString. For UTF8String or UniversalString at least four
+-- times the upper bound should be allowed.
+
+END
diff --git a/lib/public_key/asn1/PKIX1Implicit88.asn1 b/lib/public_key/asn1/PKIX1Implicit88.asn1
new file mode 100644
index 0000000000..ced270baf6
--- /dev/null
+++ b/lib/public_key/asn1/PKIX1Implicit88.asn1
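Review bot: The version preconditions in `TBSCertificate` (`-- If present, version MUST be v2 or v3` on the unique identifiers, `-- If present, version MUST be v3` on `extensions`) and in `TBSCertList` (`-- if present, MUST be v2`) are comments only, so the generated decoder will presumably accept a v1 certificate that carries extensions or a v1 CRL with entry extensions. The certificate and CRL validation code therefore has to enforce these rules after decoding; a comment near the top of the module such as `-- NOTE: the version/field co-occurrence rules stated in comments below are not expressed in ASN.1 and must be checked by the caller` would make that visible to maintainers. The `ub-*` bounds (`ub-common-name INTEGER ::= 64` and so on) are likewise only enforced to the extent the compiler honours SIZE constraints at decode time, which is worth confirming before relying on them to bound names taken from untrusted input.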
@@ -0,0 +1,349 @@
+PKIX1Implicit88 { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) }
+
+DEFINITIONS IMPLICIT TAGS ::=
+
+BEGIN
+
+-- EXPORTS ALL --
+
+IMPORTS
+ id-pe, id-kp, id-qt-unotice, id-qt-cps,
+ -- delete following line if "new" types are supported --
+ -- BMPString,
+ -- UTF8String, end "new" types --
+ ORAddress, Name, RelativeDistinguishedName,
+ CertificateSerialNumber, Attribute, DirectoryString
+ FROM PKIX1Explicit88 { iso(1) identified-organization(3)
+ dod(6) internet(1) security(5) mechanisms(5) pkix(7)
+ id-mod(0) id-pkix1-explicit(18) };
+
+
+-- ISO arc for standard certificate and CRL extensions
+
+id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29}
+
+-- authority key identifier OID and syntax
+
+id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
+
+AuthorityKeyIdentifier ::= SEQUENCE {
+ keyIdentifier [0] KeyIdentifier OPTIONAL,
+ authorityCertIssuer [1] GeneralNames OPTIONAL,
+ authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
+ -- authorityCertIssuer and authorityCertSerialNumber MUST both
+ -- be present or both be absent
+
+KeyIdentifier ::= OCTET STRING
+
+-- subject key identifier OID and syntax
+
+id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
+
+SubjectKeyIdentifier ::= KeyIdentifier
+
+-- key usage extension OID and syntax
+
+id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
+
+KeyUsage ::= BIT STRING {
+ digitalSignature (0),
+ nonRepudiation (1),
+ keyEncipherment (2),
+ dataEncipherment (3),
+ keyAgreement (4),
+ keyCertSign (5),
+ cRLSign (6),
+ encipherOnly (7),
+ decipherOnly (8) }
+
+-- private key usage period extension OID and syntax
+
+id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 }
+
+PrivateKeyUsagePeriod ::= SEQUENCE {
+ notBefore [0] GeneralizedTime OPTIONAL,
+ notAfter [1] GeneralizedTime OPTIONAL }
+ -- either notBefore or notAfter MUST be present
+
+-- certificate policies
extension OID and syntax
+
+id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
+
+anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 }
+
+CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+
+PolicyInformation ::= SEQUENCE {
+ policyIdentifier CertPolicyId,
+ policyQualifiers SEQUENCE SIZE (1..MAX) OF
+ PolicyQualifierInfo OPTIONAL }
+
+CertPolicyId ::= OBJECT IDENTIFIER
+
+PolicyQualifierInfo ::= SEQUENCE {
+ policyQualifierId PolicyQualifierId,
+ qualifier ANY DEFINED BY policyQualifierId }
+
+-- Implementations that recognize additional policy qualifiers MUST
+-- augment the following definition for PolicyQualifierId
+
+PolicyQualifierId ::=
+ OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
+
+-- CPS pointer qualifier
+
+CPSuri ::= IA5String
+
+-- user notice qualifier
+
+UserNotice ::= SEQUENCE {
+ noticeRef NoticeReference OPTIONAL,
+ explicitText DisplayText OPTIONAL}
+
+NoticeReference ::= SEQUENCE {
+ organization DisplayText,
+ noticeNumbers SEQUENCE OF INTEGER }
+
+DisplayText ::= CHOICE {
+ ia5String IA5String (SIZE (1..200)),
+ visibleString VisibleString (SIZE (1..200)),
+ bmpString BMPString (SIZE (1..200)),
+ utf8String UTF8String (SIZE (1..200)) }
+
+-- policy mapping extension OID and syntax
+
+id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
+
+PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ issuerDomainPolicy CertPolicyId,
+ subjectDomainPolicy CertPolicyId }
+
+-- subject alternative name extension OID and syntax
+
+id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
+
+SubjectAltName ::= GeneralNames
+
+GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+
+GeneralName ::= CHOICE {
+ otherName [0] AnotherName,
+ rfc822Name [1] IA5String,
+ dNSName [2] IA5String,
+ x400Address [3] ORAddress,
+ directoryName [4] Name,
+ ediPartyName [5] EDIPartyName,
+ uniformResourceIdentifier [6] IA5String,
+ iPAddress [7] OCTET STRING,
+ registeredID [8] OBJECT IDENTIFIER }
+
+-- AnotherName
replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
+-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax
+
+AnotherName ::= SEQUENCE {
+ type-id OBJECT IDENTIFIER,
+ value [0] EXPLICIT ANY DEFINED BY type-id }
+
+EDIPartyName ::= SEQUENCE {
+ nameAssigner [0] DirectoryString OPTIONAL,
+ partyName [1] DirectoryString }
+
+-- issuer alternative name extension OID and syntax
+
+id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 }
+
+IssuerAltName ::= GeneralNames
+
+id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 }
+
+SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
+
+-- basic constraints extension OID and syntax
+
+id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
+
+BasicConstraints ::= SEQUENCE {
+ cA BOOLEAN DEFAULT FALSE,
+ pathLenConstraint INTEGER (0..MAX) OPTIONAL }
+
+-- name constraints extension OID and syntax
+
+id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
+
+NameConstraints ::= SEQUENCE {
+ permittedSubtrees [0] GeneralSubtrees OPTIONAL,
+ excludedSubtrees [1] GeneralSubtrees OPTIONAL }
+
+GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
+
+GeneralSubtree ::= SEQUENCE {
+ base GeneralName,
+ minimum [0] BaseDistance DEFAULT 0,
+ maximum [1] BaseDistance OPTIONAL }
+
+BaseDistance ::= INTEGER (0..MAX)
+
+-- policy constraints extension OID and syntax
+
+id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
+
+PolicyConstraints ::= SEQUENCE {
+ requireExplicitPolicy [0] SkipCerts OPTIONAL,
+ inhibitPolicyMapping [1] SkipCerts OPTIONAL }
+
+SkipCerts ::= INTEGER (0..MAX)
+
+-- CRL distribution points extension OID and syntax
+
+id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}
+
+CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+
+DistributionPoint ::= SEQUENCE {
+ distributionPoint [0] DistributionPointName OPTIONAL,
+ reasons [1] ReasonFlags OPTIONAL,
+ cRLIssuer [2] GeneralNames OPTIONAL }
+
+DistributionPointName ::= CHOICE {
+ fullName [0]
GeneralNames,
+ nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
+
+ReasonFlags ::= BIT STRING {
+ unused (0),
+ keyCompromise (1),
+ cACompromise (2),
+ affiliationChanged (3),
+ superseded (4),
+ cessationOfOperation (5),
+ certificateHold (6),
+ privilegeWithdrawn (7),
+ aACompromise (8) }
+
+-- extended key usage extension OID and syntax
+
+id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
+
+ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
+
+
+KeyPurposeId ::= OBJECT IDENTIFIER
+
+-- permit unspecified key uses
+
+anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
+
+-- extended key purpose OIDs
+
+id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
+id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
+id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
+id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
+id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
+id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
+
+-- inhibit any policy OID and syntax
+
+id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 }
+
+InhibitAnyPolicy ::= SkipCerts
+
+-- freshest (delta)CRL extension OID and syntax
+
+id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 }
+
+FreshestCRL ::= CRLDistributionPoints
+
+-- authority info access
+
+id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }
+
+AuthorityInfoAccessSyntax ::=
+ SEQUENCE SIZE (1..MAX) OF AccessDescription
+
+AccessDescription ::= SEQUENCE {
+ accessMethod OBJECT IDENTIFIER,
+ accessLocation GeneralName }
+
+-- subject info access
+
+id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 }
+
+SubjectInfoAccessSyntax ::=
+ SEQUENCE SIZE (1..MAX) OF AccessDescription
+
+-- CRL number extension OID and syntax
+
+id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }
+
+CRLNumber ::= INTEGER (0..MAX)
+
+-- issuing distribution point extension OID and syntax
+
+id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
+
+IssuingDistributionPoint ::= SEQUENCE {
+
distributionPoint [0] DistributionPointName OPTIONAL,
+ onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
+ onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
+ onlySomeReasons [3] ReasonFlags OPTIONAL,
+ indirectCRL [4] BOOLEAN DEFAULT FALSE,
+ onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }
+
+id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }
+
+BaseCRLNumber ::= CRLNumber
+
+-- CRL reasons extension OID and syntax
+
+id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }
+
+CRLReason ::= ENUMERATED {
+ unspecified (0),
+ keyCompromise (1),
+ cACompromise (2),
+ affiliationChanged (3),
+ superseded (4),
+ cessationOfOperation (5),
+ certificateHold (6),
+ removeFromCRL (8),
+ privilegeWithdrawn (9),
+ aACompromise (10) }
+
+-- certificate issuer CRL entry extension OID and syntax
+
+id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }
+
+CertificateIssuer ::= GeneralNames
+
+-- hold instruction extension OID and syntax
+
+id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }
+
+HoldInstructionCode ::= OBJECT IDENTIFIER
+
+-- ANSI x9 holdinstructions
+
+-- ANSI x9 arc holdinstruction arc
+
+holdInstruction OBJECT IDENTIFIER ::=
+ {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2}
+
+-- ANSI X9 holdinstructions referenced by this standard
+
+id-holdinstruction-none OBJECT IDENTIFIER ::=
+ {holdInstruction 1} -- deprecated
+
+id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
+ {holdInstruction 2}
+
+id-holdinstruction-reject OBJECT IDENTIFIER ::=
+ {holdInstruction 3}
+
+-- invalidity date CRL entry extension OID and syntax
+
+id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }
+
+InvalidityDate ::= GeneralizedTime
+
+END
diff --git a/lib/public_key/asn1/PKIXAttributeCertificate.asn1 b/lib/public_key/asn1/PKIXAttributeCertificate.asn1
new file mode 100644
index 0000000000..7d93e6b37e
--- /dev/null
+++ b/lib/public_key/asn1/PKIXAttributeCertificate.asn1
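Review bot: The IMPORTS block of this hunk comments out both `-- BMPString,` and `-- UTF8String, end "new" types --`, while the README added in the same commit (item 2) says only BMPString was commented and `UTF8String, -- end "new" types --` was kept, so one of the two is out of date. The same mismatch appears in the PKIXAttributeCertificate.asn1 hunk, where the README (item 3) says the `UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING` definition was uncommented but the file still carries it as a comment. If the Erlang ASN.1 compiler supplies UTF8String and BMPString as built-in types the modules are fine and the README should be corrected; if it does not, DisplayText's `bmpString` and `utf8String` alternatives have no definition in this module and compilation would presumably fail. Either way the README should describe the edits actually made, since it is what a future re-import of the RFC text will follow.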
@@ -0,0 +1,189 @@
+ PKIXAttributeCertificate {iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-attribute-cert(12)}
+
+ DEFINITIONS IMPLICIT TAGS ::=
+
+ BEGIN
+
+ -- EXPORTS ALL --
+
+ IMPORTS
+
+ -- IMPORTed module OIDs MAY change if [PKIXPROF] changes
+ -- PKIX Certificate Extensions
+ Attribute, AlgorithmIdentifier, CertificateSerialNumber,
+ Extensions, UniqueIdentifier,
+ id-pkix, id-pe, id-kp, id-ad, id-at
+ FROM PKIX1Explicit88 {iso(1) identified-organization(3)
+ dod(6) internet(1) security(5) mechanisms(5)
+ pkix(7) id-mod(0) id-pkix1-explicit-88(1)}
+
+ GeneralName, GeneralNames, id-ce
+ FROM PKIX1Implicit88 {iso(1) identified-organization(3)
+ dod(6) internet(1) security(5) mechanisms(5)
+ pkix(7) id-mod(0) id-pkix1-implicit-88(2)} ;
+
+ id-pe-ac-auditIdentity OBJECT IDENTIFIER ::= { id-pe 4 }
+ id-pe-aaControls OBJECT IDENTIFIER ::= { id-pe 6 }
+ id-pe-ac-proxying OBJECT IDENTIFIER ::= { id-pe 10 }
+ id-ce-targetInformation OBJECT IDENTIFIER ::= { id-ce 55 }
+
+ id-aca OBJECT IDENTIFIER ::= { id-pkix 10 }
+ id-aca-authenticationInfo OBJECT IDENTIFIER ::= { id-aca 1 }
+ id-aca-accessIdentity OBJECT IDENTIFIER ::= { id-aca 2 }
+ id-aca-chargingIdentity OBJECT IDENTIFIER ::= { id-aca 3 }
+ id-aca-group OBJECT IDENTIFIER ::= { id-aca 4 }
+ -- { id-aca 5 } is reserved
+ id-aca-encAttrs OBJECT IDENTIFIER ::= { id-aca 6 }
+
+ id-at-role OBJECT IDENTIFIER ::= { id-at 72}
+ id-at-clearance OBJECT IDENTIFIER ::=
+ { joint-iso-ccitt(2) ds(5) module(1)
+ selected-attribute-types(5) clearance (55) }
+
+ -- Uncomment this if using a 1988 level ASN.1 compiler
+ -- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
+
+ AttributeCertificate ::= SEQUENCE {
+ acinfo AttributeCertificateInfo,
+ signatureAlgorithm AlgorithmIdentifier,
+ signatureValue BIT STRING
+ }
+
+ AttributeCertificateInfo ::= SEQUENCE {
+ version AttCertVersion, -- version is v2
+ holder Holder,
+ issuer AttCertIssuer,
+ signature
AlgorithmIdentifier,
+ serialNumber CertificateSerialNumber,
+ attrCertValidityPeriod AttCertValidityPeriod,
+ attributes SEQUENCE OF Attribute,
+ issuerUniqueID UniqueIdentifier OPTIONAL,
+ extensions Extensions OPTIONAL
+ }
+
+ AttCertVersion ::= INTEGER { v2(1) }
+
+ Holder ::= SEQUENCE {
+ baseCertificateID [0] IssuerSerial OPTIONAL,
+ -- the issuer and serial number of
+ -- the holder's Public Key Certificate
+ entityName [1] GeneralNames OPTIONAL,
+ -- the name of the claimant or role
+ objectDigestInfo [2] ObjectDigestInfo OPTIONAL
+ -- used to directly authenticate the
+ -- holder, for example, an executable
+ }
+
+ ObjectDigestInfo ::= SEQUENCE {
+ digestedObjectType ENUMERATED {
+ publicKey (0),
+ publicKeyCert (1),
+ otherObjectTypes (2) },
+ -- otherObjectTypes MUST NOT
+ -- MUST NOT be used in this profile
+ otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
+ digestAlgorithm AlgorithmIdentifier,
+ objectDigest BIT STRING
+ }
+
+ AttCertIssuer ::= CHOICE {
+ v1Form GeneralNames, -- MUST NOT be used in this
+ -- profile
+ v2Form [0] V2Form -- v2 only
+ }
+
+ V2Form ::= SEQUENCE {
+ issuerName GeneralNames OPTIONAL,
+ baseCertificateID [0] IssuerSerial OPTIONAL,
+ objectDigestInfo [1] ObjectDigestInfo OPTIONAL
+ -- issuerName MUST be present in this profile
+ -- baseCertificateID and objectDigestInfo MUST
+ -- NOT be present in this profile
+ }
+
+ IssuerSerial ::= SEQUENCE {
+ issuer GeneralNames,
+ serial CertificateSerialNumber,
+ issuerUID UniqueIdentifier OPTIONAL
+ }
+
+ AttCertValidityPeriod ::= SEQUENCE {
+ notBeforeTime GeneralizedTime,
+ notAfterTime GeneralizedTime
+ }
+
+ Targets ::= SEQUENCE OF Target
+
+ Target ::= CHOICE {
+ targetName [0] GeneralName,
+ targetGroup [1] GeneralName,
+ targetCert [2] TargetCert
+ }
+
+ TargetCert ::= SEQUENCE {
+ targetCertificate IssuerSerial,
+ targetName GeneralName OPTIONAL,
+ certDigestInfo ObjectDigestInfo OPTIONAL
+ }
+
+ IetfAttrSyntax ::= SEQUENCE {
+ policyAuthority[0] GeneralNames OPTIONAL,
+ values
SEQUENCE OF CHOICE {
+ octets OCTET STRING,
+ oid OBJECT IDENTIFIER,
+ string UTF8String
+ }
+ }
+
+ SvceAuthInfo ::= SEQUENCE {
+ service GeneralName,
+ ident GeneralName,
+ authInfo OCTET STRING OPTIONAL
+ }
+
+ RoleSyntax ::= SEQUENCE {
+ roleAuthority [0] GeneralNames OPTIONAL,
+ roleName [1] GeneralName
+ }
+
+ Clearance ::= SEQUENCE {
+ policyId [0] OBJECT IDENTIFIER,
+ classList [1] ClassList DEFAULT {unclassified},
+ securityCategories
+ [2] SET OF SecurityCategory OPTIONAL
+ }
+
+ ClassList ::= BIT STRING {
+ unmarked (0),
+ unclassified (1),
+ restricted (2),
+ confidential (3),
+ secret (4),
+ topSecret (5)
+ }
+
+ SecurityCategory ::= SEQUENCE {
+ type [0] IMPLICIT OBJECT IDENTIFIER,
+ value [1] ANY DEFINED BY type
+ }
+
+ AAControls ::= SEQUENCE {
+ pathLenConstraint INTEGER (0..MAX) OPTIONAL,
+ permittedAttrs [0] AttrSpec OPTIONAL,
+ excludedAttrs [1] AttrSpec OPTIONAL,
+ permitUnSpecified BOOLEAN DEFAULT TRUE
+ }
+
+ AttrSpec::= SEQUENCE OF OBJECT IDENTIFIER
+
+ ACClearAttrs ::= SEQUENCE {
+ acIssuer GeneralName,
+ acSerial INTEGER,
+ attrs SEQUENCE OF Attribute
+ }
+
+ ProxyInfo ::= SEQUENCE OF Targets
+
+ END
diff --git a/lib/public_key/asn1/README b/lib/public_key/asn1/README
new file mode 100644
index 0000000000..5fb8cf9725
--- /dev/null
+++ b/lib/public_key/asn1/README
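Review bot: The IMPORTS of this module reference the module identifiers `id-pkix1-explicit-88(1)` and `id-pkix1-implicit-88(2)`, but the modules it is resolved against in this commit identify themselves as `id-pkix1-explicit(18)` and `id-pkix1-implicit(19)` (the RFC 3280 versions, visible in the PKIX1Implicit88.asn1 hunk). If the Erlang ASN.1 compiler matches imports by module name only this compiles regardless, but the stale object identifiers are misleading, and the comment `-- IMPORTed module OIDs MAY change if [PKIXPROF] changes` describes exactly the situation that has occurred. Updating the two FROM clauses to the RFC 3280 module identifiers, or listing the discrepancy in the README's record of local edits, would keep the module self-describing.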
@@ -0,0 +1,51 @@
+The files
+
+ PKIX1Algorithms88.asn1
+ PKIX1Explicit88.asn1
+ PKIX1Implicit88.asn1
+ PKIXAttributeCertificate.asn1
+
+are from RFCs 3279, 3280 and 3281.
+
+We have edited PKIX1Explicit88.asn1, PKIX1Implicit88.asn1, and
+PKIXAttributeCertificate.asn1 as follows:
+
+
+1. Removal of definition of UniversalString and BMPString:
+
+diff -r1.1 PKIX1Explicit88.asn1
+15c15
+< UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING
+---
+> -- UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING
+18c18
+< BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING
+---
+> -- BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING
+
+
+2. Removal of definition of BMPString:
+
+diff -r1.1 PKIX1Implicit88.asn1
+13c13,14
+< BMPString, UTF8String, -- end "new" types --
+---
+> -- BMPString,
+> UTF8String, -- end "new" types --
+
+
+3. Addition of definition of UTF8String, and correction of a typo.
+
+diff -r1.1 PKIXAttributeCertificate.asn1
+46c46
+< -- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
+---
+> UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
+55c55
+< version AttCertVersion -- version is v2,
+---
+> version AttCertVersion, -- version is v2
+
+4. Defenitions of publuic keys from PKCS-1.asn1 present in
+PKIX1Algorithms88.asn1 where removed as we take them directly from
+PKCS-1.asn1
\ No newline at end of file
diff --git a/lib/public_key/doc/html/.gitignore b/lib/public_key/doc/html/.gitignore
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/lib/public_key/doc/man3/.gitignore b/lib/public_key/doc/man3/.gitignore
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/lib/public_key/doc/pdf/.gitignore b/lib/public_key/doc/pdf/.gitignore
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/lib/public_key/doc/src/Makefile b/lib/public_key/doc/src/Makefile
new file mode 100644
index 0000000000..08d1396cca
--- /dev/null
+++ b/lib/public_key/doc/src/Makefile
@@ -0,0 +1,227 @@
+#
+# %CopyrightBegin%
+#
+# Copyright Ericsson AB 2008-2009. All Rights Reserved.
+#
+# The contents of this file are subject to the Erlang Public License,
+# Version 1.1, (the "License"); you may not use this file except in
+# compliance with the License. You should have received a copy of the
+# Erlang Public License along with this software. If not, it can be
+# retrieved online at http://www.erlang.org/.
+#
+# Software distributed under the License is distributed on an "AS IS"
+# basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+# the License for the specific language governing rights and limitations
+# under the License.
+#
+# %CopyrightEnd%
+#
+
+#
+include $(ERL_TOP)/make/target.mk
+include $(ERL_TOP)/make/$(TARGET)/otp.mk
+
+# ----------------------------------------------------
+# Application version
+# ----------------------------------------------------
+include ../../vsn.mk
+VSN=$(PUBLIC_KEY_VSN)
+APPLICATION=public_key
+
+# ----------------------------------------------------
+# Include dependency
+# ----------------------------------------------------
+
+ifndef DOCSUPPORT
+include make.dep
+endif
+
+# ----------------------------------------------------
+# Release directory specification
+# ----------------------------------------------------
+RELSYSDIR = $(RELEASE_PATH)/lib/$(APPLICATION)-$(VSN)
+# ----------------------------------------------------
+# Target Specs
+# ----------------------------------------------------
+XML_APPLICATION_FILES = ref_man.xml
+XML_REF3_FILES = public_key.xml
+XML_REF6_FILES =
+
+XML_PART_FILES = part.xml part_notes.xml
+XML_CHAPTER_FILES = \
+ introduction.xml \
+ public_key_records.xml \
+ cert_records.xml \
+ notes.xml
+
+BOOK_FILES = book.xml
+
+GIF_FILES = note.gif
+
+# ----------------------------------------------------
+
+TOP_HTML_FILES =
+
+HTML_FILES = $(XML_APPLICATION_FILES:%.xml=$(HTMLDIR)/%.html) \
+ $(XML_PART_FILES:%.xml=$(HTMLDIR)/%.html)
+
+INFO_FILE = ../../info
+
+EXTRA_FILES = \
+ $(DEFAULT_GIF_FILES) \
+ $(DEFAULT_HTML_FILES) \
+ $(XML_REF3_FILES:%.xml=$(HTMLDIR)/%.html) \
+ $(XML_CHAPTER_FILES:%.xml=$(HTMLDIR)/%.html)
+
+MAN3_FILES = $(XML_REF3_FILES:%.xml=$(MAN3DIR)/%.3)
+
+ifdef DOCSUPPORT
+
+HTML_REF_MAN_FILE = $(HTMLDIR)/index.html
+
+TOP_PDF_FILE = $(PDFDIR)/$(APPLICATION)-$(VSN).pdf
+
+else
+
+TEX_FILES_BOOK = \
+ $(BOOK_FILES:%.xml=%.tex)
+TEX_FILES_REF_MAN = $(XML_REF3_FILES:%.xml=%.tex) \
+ $(XML_APPLICATION_FILES:%.xml=%.tex)
+TEX_FILES_USERS_GUIDE = \
+ $(XML_PART_FILES:%.xml=%.tex) \
+ $(XML_CHAPTER_FILES:%.xml=%.tex)
+
+TOP_PDF_FILE = public_key-$(VSN).pdf
+TOP_PS_FILE = public_key-$(VSN).ps
+
+$(TOP_PDF_FILE): book.dvi ../../vsn.mk
+ $(DVI2PS) $(DVIPS_FLAGS) -f $< | $(DISTILL) $(DISTILL_FLAGS) > $@
+
+$(TOP_PS_FILE): book.dvi ../../vsn.mk
+ $(DVI2PS) $(DVIPS_FLAGS) -f $< > $@
+
+endif
+
+# ----------------------------------------------------
+# FLAGS
+# ----------------------------------------------------
+XML_FLAGS +=
+DVIPS_FLAGS +=
+
+# ----------------------------------------------------
+# Targets
+# ----------------------------------------------------
+$(HTMLDIR)/%.gif: %.gif
+ $(INSTALL_DATA) $< $@
+
+ifdef DOCSUPPORT
+
+docs: pdf html man
+
+$(TOP_PDF_FILE): $(XML_FILES)
+
+pdf: $(TOP_PDF_FILE)
+
+html: gifs $(HTML_REF_MAN_FILE)
+
+clean clean_docs:
+ rm -rf $(HTMLDIR)/*
+ rm -f $(MAN3DIR)/*
+ rm -f $(TOP_PDF_FILE) $(TOP_PDF_FILE:%.pdf=%.fo)
+ rm -f errs core *~
+
+else
+
+ifeq ($(DOCTYPE),pdf)
+docs: pdf
+else
+ifeq ($(DOCTYPE),ps)
+docs: ps
+else
+docs: html gifs man
+endif
+endif
+
+pdf: $(TOP_PDF_FILE)
+
+ps: $(TOP_PS_FILE)
+
+html: $(HTML_FILES)
+
+clean clean_docs clean_tex:
+ rm -f $(TEX_FILES_USERS_GUIDE) $(TEX_FILES_REF_MAN) $(TEX_FILES_BOOK)
+ rm -f $(HTML_FILES) $(MAN3_FILES)
+ rm -f $(TOP_PDF_FILE) $(TOP_PS_FILE)
+ rm -f errs core *~ min_head.gif \
+ $(LATEX_CLEAN)
+
+endif
+
+man: $(MAN3_FILES)
+
+gifs: $(GIF_FILES:%=$(HTMLDIR)/%)
+
+debug opt:
+
+
+#
----------------------------------------------------
+# Release Target
+# ----------------------------------------------------
+include $(ERL_TOP)/make/otp_release_targets.mk
+
+ifdef DOCSUPPORT
+
+release_docs_spec: docs
+ $(INSTALL_DIR) $(RELSYSDIR)/doc/pdf
+ $(INSTALL_DATA) $(TOP_PDF_FILE) $(RELSYSDIR)/doc/pdf
+ $(INSTALL_DIR) $(RELSYSDIR)/doc/html
+ $(INSTALL_DATA) $(HTMLDIR)/* \
+ $(RELSYSDIR)/doc/html
+ $(INSTALL_DATA) $(INFO_FILE) $(RELSYSDIR)
+ $(INSTALL_DIR) $(RELEASE_PATH)/man/man3
+ $(INSTALL_DATA) $(MAN3DIR)/* $(RELEASE_PATH)/man/man3
+else
+
+ifeq ($(DOCTYPE),pdf)
+release_docs_spec: pdf
+ $(INSTALL_DIR) $(RELEASE_PATH)/pdf
+ $(INSTALL_DATA) $(TOP_PDF_FILE) $(RELEASE_PATH)/pdf
+else
+ifeq ($(DOCTYPE),ps)
+release_docs_spec: ps
+ $(INSTALL_DIR) $(RELEASE_PATH)/ps
+ $(INSTALL_DATA) $(TOP_PS_FILE) $(RELEASE_PATH)/ps
+else
+release_docs_spec: docs
+ $(INSTALL_DIR) $(RELSYSDIR)/doc/html
+ $(INSTALL_DATA) $(GIF_FILES) $(EXTRA_FILES) $(HTML_FILES) \
+ $(RELSYSDIR)/doc/html
+ $(INSTALL_DATA) $(INFO_FILE) $(RELSYSDIR)
+ $(INSTALL_DIR) $(RELEASE_PATH)/man/man3
+ $(INSTALL_DATA) $(MAN3_FILES) $(RELEASE_PATH)/man/man3
+endif
+endif
+
+endif
+
+release_spec:
+
+info:
+ @echo "GIF_FILES:\n$(GIF_FILES)"
+ @echo ""
+ @echo "EXTRA_FILES:\n$(EXTRA_FILES)"
+ @echo ""
+ @echo "HTML_FILES:\n$(HTML_FILES)"
+ @echo ""
+ @echo "TOP_HTML_FILES:\n$(TOP_HTML_FILES)"
+ @echo ""
+ @echo "DEFAULT_GIF_FILES:\n$(DEFAULT_GIF_FILES)"
+ @echo ""
+ @echo "DEFAULT_HTML_FILES:\n$(DEFAULT_HTML_FILES)"
+ @echo ""
+ @echo "XML_REF3_FILES:\n$(XML_REF3_FILES)"
+ @echo ""
+ @echo "XML_REF6_FILES:\n$(XML_REF6_FILES)"
+ @echo ""
+ @echo "XML_CHAPTER_FILES:\n$(XML_CHAPTER_FILES)"
+ @echo ""
diff --git a/lib/public_key/doc/src/book.xml b/lib/public_key/doc/src/book.xml
new file mode 100644
index 0000000000..d3b8c7a2c7
--- /dev/null
+++ b/lib/public_key/doc/src/book.xml
@@ -0,0 +1,51 @@
+
+
+
+
+
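Review bot: The `clean clean_docs` recipe in the DOCSUPPORT branch runs `rm -rf $(HTMLDIR)/*` and `rm -f $(MAN3DIR)/*` without checking that the variables are set; HTMLDIR and MAN3DIR are not defined in this file (presumably they come from the included otp.mk), and if either is empty the command expands to `rm -rf /*` or `rm -f /*`. The non-DOCSUPPORT branch deletes named file lists instead, which cannot misfire that way. Guarding the wildcard deletes, e.g. `test -n "$(HTMLDIR)" && rm -rf $(HTMLDIR)/*`, or removing the explicit `$(HTML_FILES)`/`$(MAN3_FILES)` lists as the other branch does, would avoid a destructive expansion in a misconfigured build. The `info` target's `@echo "GIF_FILES:\n$(GIF_FILES)"` lines also depend on the shell's echo interpreting `\n`, which is not portable.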
+ + 2008 + 2008 + Ericsson AB, All Rights Reserved + + + The contents of this file are subject to the Erlang Public License, + Version 1.1, (the "License"); you may not use this file except in + compliance with the License. You should have received a copy of the + Erlang Public License along with this software. If not, it can be + retrieved online at http://www.erlang.org/. + + Software distributed under the License is distributed on an "AS IS" + basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See + the License for the specific language governing rights and limitations + under the License. + + The Initial Developer of the Original Code is Ericsson AB. + + + public_key + Ingela Anderton Andin + + 2008-01-22 + + book.sgml +
+ + + public_key + + + + + + + + + + + + + + +
+ diff --git a/lib/public_key/doc/src/cert_records.xml b/lib/public_key/doc/src/cert_records.xml new file mode 100644 index 0000000000..8fb4ea5fd0 --- /dev/null +++ b/lib/public_key/doc/src/cert_records.xml @@ -0,0 +1,612 @@ + + + + +
+ + 2008 + 2008 + Ericsson AB, All Rights Reserved + + + The contents of this file are subject to the Erlang Public License, + Version 1.1, (the "License"); you may not use this file except in + compliance with the License. You should have received a copy of the + Erlang Public License along with this software. If not, it can be + retrieved online at http://www.erlang.org/. + + Software distributed under the License is distributed on an "AS IS" + basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See + the License for the specific language governing rights and limitations + under the License. + + The Initial Developer of the Original Code is Ericsson AB. + + + Certificate records + Ingela Anderton Andin + + + + + 2008-02-06 + A + cert_records.xml +
+ +

This chapter briefly describes erlang records derived from asn1 + specifications used to handle X509 certificates. The intent is to + describe the data types and not to specify the meaning of each + component for this we refer you to RFC 3280. +

+ +

Use the following include directive to get access to the + records and constant macros described in the following sections.

+ + -include_lib("public_key/include/public_key.hrl"). + +
+ Common Data Types + +

Common non standard erlang + data types used to described the record fields in the + below sections are defined in public key reference manual or + follows here.

+ +

time() = uct_time() | general_time()

+ +

uct_time() = {utcTime, "YYMMDDHHMMSSZ"}

+ +

general_time() = {generalTime, "YYYYMMDDHHMMSSZ"}

+ +

+ general_name() = {rfc822Name, string()} | {dNSName, string()} + | {x400Address, string()} | {directoryName, + {rdnSequence, [#AttributeTypeAndValue'{}]}} | + | {eidPartyName, special_string()} + | {eidPartyName, special_string(), special_string()} + | {uniformResourceIdentifier, string()} | {ipAddress, string()} | + {registeredId, oid()} | {otherName, term()} +

+ +

+ special_string() = + {teletexString, string()} | {printableString, string()} | + {universalString, string()} | {utf8String, string()} | + {bmpString, string()} +

+ +

+ dist_reason() = unused | keyCompromise | cACompromise | + affiliationChanged | superseded | cessationOfOperation | + certificateHold | privilegeWithdrawn | + aACompromise +

+
+ +
+ PKIX Certificates + +#'Certificate'{ + tbsCertificate, % #'TBSCertificate'{} + signatureAlgorithm, % #'AlgorithmIdentifier'{} + signature % {0, binary()} - asn1 compact bitstring + }. + +#'TBSCertificate'{ + version, % v1 | v2 | v3 + serialNumber, % integer() + signature, % #'AlgorithmIdentifier'{} + issuer, % {rdnSequence, [#AttributeTypeAndValue'{}]} + validity, % #'Validity'{} + subject, % {rdnSequence, [#AttributeTypeAndValue'{}]} + subjectPublicKeyInfo, % #'SubjectPublicKeyInfo'{} + issuerUniqueID, % binary() | asn1_novalue + subjectUniqueID, % binary() | asn1_novalue + extensions % [#'Extension'{}] + }. + +#'AlgorithmIdentifier'{ + algorithm, % oid() + parameters % asn1_der_encoded() + }. +#'SignatureAlgorithm'{ + algorithm, % id_signature_algorithm() + parameters % public_key_params() + }. + + +

id_signature_algorithm() = ?oid_name_as_erlang_atom for available +oid names see table below. Ex: ?'id-dsa-with-sha1'

+ + + OID name + + + id-dsa-with-sha1 + + + md2WithRSAEncryption + + + md5WithRSAEncryption + + + sha1WithRSAEncryption + + + ecdsa-with-SHA1 + + Signature algorithm oids +
+ + +#'AttributeTypeAndValue'{ + type, % id_attributes() + value % term() + }. + + +

id_attributes() = ?oid_name_as_erlang_atom +for available oid names see table below. Ex: ?'id-at-name'

+ + + OID name + Value type + + + id-at-name + special_string() + + + id-at-surname + special_string() + + + id-at-givenName + special_string() + + + id-at-initials + special_string() + + + id-at-generationQualifier + special_string() + + + id-at-commonName + special_string() + + + id-at-localityName + special_string() + + + id-at-stateOrProvinceName + special_string() + + + id-at-organizationName + special_string() + + + id-at-title + special_string() + + + id-at-dnQualifier + {printableString, string()} + + + id-at-countryName + {printableString, string()} + + + id-at-serialNumber + {printableString, string()} + + + id-at-pseudonym + special_string() + + Attribute oids +
+ + +#'Validity'{ + notBefore, % time() + notAfter % time() + }. + +#'SubjectPublicKeyInfo'{ + algorithm, % #AlgorithmIdentifier{} + subjectPublicKey % binary() + }. + +#'SubjectPublicKeyInfoAlgorithm'{ + algorithm, % id_public_key_algorithm() + parameters % public_key_params() + }. + + +

id_public_key_algorithm() = ?oid_name_as_erlang_atom for available +oid names see table below. Ex: ?'id-dsa'

+ + + OID name + + + rsaEncryption + + + id-dsa + + + dhpublicnumber + + + ecdsa-with-SHA1 + + + id-keyExchangeAlgorithm + + Public key algorithm oids +
+ + + +#'Extension'{ + extnID, % id_extensions() | oid() + critical, % boolean() + extnValue % asn1_der_encoded() + }. + + +

id_extensions() = ?oid_name_as_erlang_atom for +available oid names see tables. Ex: ?'id-ce-authorityKeyIdentifier'Standard Certificate Extensions, + Private Internet Extensions, CRL Extensions and + CRL Entry Extensions. +

+ +
+ +
+ + Standard certificate extensions + + + + OID name + Value type + + + id-ce-authorityKeyIdentifier + #'AuthorityKeyIdentifier'{} + + + id-ce-subjectKeyIdentifier + oid() + + + id-ce-keyUsage + [key_usage()] + + + id-ce-privateKeyUsagePeriod + #'PrivateKeyUsagePeriod'{} + + + id-ce-certificatePolicies + #'PolicyInformation'{} + + + + id-ce-policyMappings + #'PolicyMappings_SEQOF'{} + + + + id-ce-subjectAltName + general_name() + + + + id-ce-issuerAltName + general_name() + + + + id-ce-subjectDirectoryAttributes + [#'Attribute'{}] + + + + id-ce-basicConstraints + #'BasicConstraints'{} + + + id-ce-nameConstraints + #'NameConstraints'{} + + + id-ce-policyConstraints + #'PolicyConstraints'{} + + + id-ce-extKeyUsage + [id_key_purpose()] + + + + id-ce-cRLDistributionPoints + #'DistributionPoint'{} + + + + id-ce-inhibitAnyPolicy + integer() + + + + id-ce-freshestCRL + [#'DistributionPoint'{}] + + + + Standard Certificate Extensions +
+ +

+ key_usage() = digitalSignature | nonRepudiation | keyEncipherment| + dataEncipherment | keyAgreement | keyCertSign | cRLSign | encipherOnly | + decipherOnly +

+ +

id_key_purpose() = ?oid_name_as_erlang_atom for available +oid names see table below. Ex: ?'id-kp-serverAuth'

+ + + + OID name + + + id-kp-serverAuth + + + id-kp-clientAuth + + + id-kp-codeSigning + + + id-kp-emailProtection + + + id-kp-timeStamping + + + id-kp-OCSPSigning + + Key purpose oids +
+ + +#'AuthorityKeyIdentifier'{ + keyIdentifier, % oid() + authorityCertIssuer, % general_name() + authorityCertSerialNumber % integer() + }. + +#'PrivateKeyUsagePeriod'{ + notBefore, % general_time() + notAfter % general_time() + }. + +#'PolicyInformation'{ + policyIdentifier, % oid() + policyQualifiers % [#PolicyQualifierInfo{}] + }. + +#'PolicyQualifierInfo'{ + policyQualifierId, % oid() + qualifier % string() | #'UserNotice'{} + }. + +#'UserNotice'{ + noticeRef, % #'NoticeReference'{} + explicitText % string() + }. + +#'NoticeReference'{ + organization, % string() + noticeNumbers % [integer()] + }. + +#'PolicyMappings_SEQOF'{ + issuerDomainPolicy, % oid() + subjectDomainPolicy % oid() + }. + +#'Attribute'{ + type, % oid() + values % [asn1_der_encoded()] + }). + +#'BasicConstraints'{ + cA, % boolean() + pathLenConstraint % integer() + }). + +#'NameConstraints'{ + permittedSubtrees, % [#'GeneralSubtree'{}] + excludedSubtrees % [#'GeneralSubtree'{}] + }). + +#'GeneralSubtree'{ + base, % general_name() + minimum, % integer() + maximum % integer() + }). + +#'PolicyConstraints'{ + requireExplicitPolicy, % integer() + inhibitPolicyMapping % integer() + }). + +#'DistributionPoint'{ + distributionPoint, % general_name() | [#AttributeTypeAndValue{}] + reasons, % [dist_reason()] + cRLIssuer % general_name() + }). + + +
+ +
+ + Private Internet Extensions + + + + OID name + Value type + + + id-pe-authorityInfoAccess + [#'AccessDescription'{}] + + + id-pe-subjectInfoAccess + [#'AccessDescription'{}] + + Private Internet Extensions +
+ + +#'AccessDescription'{ + accessMethod, % oid() + accessLocation % general_name() + }). + + +
+ +
+ CRL and CRL Extensions Profile + + +#'CertificateList'{ + tbsCertList, % #'TBSCertList{} + signatureAlgorithm, % #'AlgorithmIdentifier'{} + signature % {0, binary()} - asn1 compact bitstring + }). + +#'TBSCertList'{ + version, % v2 (if defined) + signature, % #AlgorithmIdentifier{} + issuer, % {rdnSequence, [#AttributeTypeAndValue'{}]} + thisUpdate, % time() + nextUpdate, % time() + revokedCertificates, % [#'TBSCertList_revokedCertificates_SEQOF'{}] + crlExtensions % [#'Extension'{}] + }). + +#'TBSCertList_revokedCertificates_SEQOF'{ + userCertificate, % integer() + revocationDate, % timer() + crlEntryExtensions % [#'Extension'{}] + }). + + +
+ + CRL Extensions + + + + OID name + Value type + + + id-ce-authorityKeyIdentifier + #'AuthorityKeyIdentifier{} + + + id-ce-issuerAltName + {rdnSequence, [#AttributeTypeAndValue'{}]} + + + id-ce-cRLNumber + integer() + + + id-ce-deltaCRLIndicator + integer() + + + id-ce-issuingDistributionPoint + #'IssuingDistributionPoint'{} + + + id-ce-freshestCRL + [#'Distributionpoint'{}] + + + CRL Extensions +
+ + +#'IssuingDistributionPoint'{ + distributionPoint, % general_name() | [#AttributeTypeAndValue'{}] + onlyContainsUserCerts, % boolean() + onlyContainsCACerts, % boolean() + onlySomeReasons, % [dist_reason()] + indirectCRL, % boolean() + onlyContainsAttributeCerts % boolean() + }). + +
+ +
+ + CRL Entry Extensions + + + + OID name + Value type + + + id-ce-cRLReason + crl_reason() + + + id-ce-holdInstructionCode + oid() + + + id-ce-invalidityDate + general_time() + + + id-ce-certificateIssuer + general_name() + + CRL Entry Extensions +
+

+ crl_reason() = unspecified | keyCompromise | cACompromise | + affiliationChanged | superseded | cessationOfOperation | + certificateHold | removeFromCRL | privilegeWithdrawn | + aACompromise +

+
+ +
+
diff --git a/lib/public_key/doc/src/fascicules.xml b/lib/public_key/doc/src/fascicules.xml new file mode 100644 index 0000000000..5f41826c56 --- /dev/null +++ b/lib/public_key/doc/src/fascicules.xml @@ -0,0 +1,19 @@ + + + + + + User's Guide + + + Reference Manual + + + Release Notes + + + Off-Print + + + + diff --git a/lib/public_key/doc/src/introduction.xml b/lib/public_key/doc/src/introduction.xml new file mode 100644 index 0000000000..71488e435a --- /dev/null +++ b/lib/public_key/doc/src/introduction.xml @@ -0,0 +1,52 @@ + + + + +
+ + 2008 + 2008 + Ericsson AB, All Rights Reserved + + + The contents of this file are subject to the Erlang Public License, + Version 1.1, (the "License"); you may not use this file except in + compliance with the License. You should have received a copy of the + Erlang Public License along with this software. If not, it can be + retrieved online at http://www.erlang.org/. + + Software distributed under the License is distributed on an "AS IS" + basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See + the License for the specific language governing rights and limitations + under the License. + + The Initial Developer of the Original Code is Ericsson AB. + + + Introduction + Ingela Anderton Andin + + + + + 2008-01-22 + A + introduction.xml +
+ +
+ Purpose +

This application provides an API to public key infrastructure + from RFC 3280 (X.509 certificates) and public key formats defined + by the PKCS-standard.

+
+ +
+ Prerequisites +

It is assumed that the reader is familiar with the Erlang + programming language, concepts of OTP and has a basic understanding + of the concepts of using public keys.

+
+ +
+ diff --git a/lib/public_key/doc/src/make.dep b/lib/public_key/doc/src/make.dep new file mode 100644 index 0000000000..2675556f1b --- /dev/null +++ b/lib/public_key/doc/src/make.dep @@ -0,0 +1,21 @@ +# ---------------------------------------------------- +# >>>> Do not edit this file <<<< +# This file was automaticly generated by +# /home/otp/bin/docdepend +# ---------------------------------------------------- + + +# ---------------------------------------------------- +# TeX files that the DVI file depend on +# ---------------------------------------------------- + +book.dvi: book.tex cert_records.tex introduction.tex \ + part.tex public_key.tex public_key_records.tex \ + ref_man.tex + +# ---------------------------------------------------- +# Source inlined when transforming from source to LaTeX +# ---------------------------------------------------- + +book.tex: ref_man.xml + diff --git a/lib/public_key/doc/src/note.gif b/lib/public_key/doc/src/note.gif new file mode 100644 index 0000000000..6fffe30419 Binary files /dev/null and b/lib/public_key/doc/src/note.gif differ diff --git a/lib/public_key/doc/src/notes.xml b/lib/public_key/doc/src/notes.xml new file mode 100644 index 0000000000..822f8bdb66 --- /dev/null +++ b/lib/public_key/doc/src/notes.xml @@ -0,0 +1,120 @@ + + + + +
+ + 2008 + 2008 + Ericsson AB, All Rights Reserved + + + The contents of this file are subject to the Erlang Public License, + Version 1.1, (the "License"); you may not use this file except in + compliance with the License. You should have received a copy of the + Erlang Public License along with this software. If not, it can be + retrieved online at http://www.erlang.org/. + + Software distributed under the License is distributed on an "AS IS" + basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See + the License for the specific language governing rights and limitations + under the License. + + The Initial Developer of the Original Code is Ericsson AB. + + + public_key Release Notes + Ingela Anderton Andin + Ingela Anderton Andin + + + + 2008-01-22 + A + notes.xml +
+ + +
Public_Key 0.4 + +
Improvements and New Features + + +

+ The documentation is now built with open source tools + (xsltproc and fop) that exists on most platforms. One + visible change is that the frames are removed.

+

+ Own Id: OTP-8250

+
+
+
+ +
+ +
Public_Key 0.3 + +
Fixed Bugs and Malfunctions + + +

+ Unknown attributes in certificates are left encoded + instead of crashing. Patch by Will "wglozer" thanks.

+

+ Own Id: OTP-8100

+
+
+
+ + +
Improvements and New Features + + +

+ Allow public_key:pem_to_der/[1,2] to take a binary as + argument in addition to a filename. Patch by Geoff Cant, + thanks.

+

+ Own Id: OTP-8142

+
+
+
+ +
+ +
Public_Key 0.2 + +
Improvements and New Features + + +

+ X509 certificate handling has been extended and improved + as a result of more extensive testing of both the ssl + and public_key application. Even more extensions of the + certificate handling is yet to be implemented.

+

+ Own Id: OTP-7860

+
+
+
+ +
+ +
Public_Key 0.1 + +
Improvements and New Features + + +

+ First version.

+

+ Own Id: OTP-7637

+
+
+
+ +
+ + +
+ diff --git a/lib/public_key/doc/src/part.xml b/lib/public_key/doc/src/part.xml new file mode 100644 index 0000000000..b85fa063ce --- /dev/null +++ b/lib/public_key/doc/src/part.xml @@ -0,0 +1,42 @@ + + + + +
+ + 2008 + 2008 + Ericsson AB, All Rights Reserved + + + The contents of this file are subject to the Erlang Public License, + Version 1.1, (the "License"); you may not use this file except in + compliance with the License. You should have received a copy of the + Erlang Public License along with this software. If not, it can be + retrieved online at http://www.erlang.org/. + + Software distributed under the License is distributed on an "AS IS" + basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See + the License for the specific language governing rights and limitations + under the License. + + The Initial Developer of the Original Code is Ericsson AB. + + + public_key User's Guide + Ingela Anderton Andin + + 2008-01-22 + + part.xml +
+ +

This application provides an API to public key infrastructure + from RFC 3280 (X.509 certificates) and some public key formats defined + by the PKCS-standard.

+
+ + + +
+ diff --git a/lib/public_key/doc/src/part_notes.xml b/lib/public_key/doc/src/part_notes.xml new file mode 100644 index 0000000000..37ca516bc8 --- /dev/null +++ b/lib/public_key/doc/src/part_notes.xml @@ -0,0 +1,38 @@ + + + + +
+ + 2008 + 2008 + Ericsson AB, All Rights Reserved + + + The contents of this file are subject to the Erlang Public License, + Version 1.1, (the "License"); you may not use this file except in + compliance with the License. You should have received a copy of the + Erlang Public License along with this software. If not, it can be + retrieved online at http://www.erlang.org/. + + Software distributed under the License is distributed on an "AS IS" + basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See + the License for the specific language governing rights and limitations + under the License. + + The Initial Developer of the Original Code is Ericsson AB. + + + public_key Release Notes + Ingela Anderton Andin + + 2008-01-22 + +
+ +

+
+ +
+ + diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml new file mode 100644 index 0000000000..dc9a96906f --- /dev/null +++ b/lib/public_key/doc/src/public_key.xml @@ -0,0 +1,317 @@ + + + + +
+ + 2008 + 2008 + Ericsson AB, All Rights Reserved + + + The contents of this file are subject to the Erlang Public License, + Version 1.1, (the "License"); you may not use this file except in + compliance with the License. You should have received a copy of the + Erlang Public License along with this software. If not, it can be + retrieved online at http://www.erlang.org/. + + Software distributed under the License is distributed on an "AS IS" + basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See + the License for the specific language governing rights and limitations + under the License. + + The Initial Developer of the Original Code is Ericsson AB. + + + public_key + Ingela Anderton Andin + + + + +
+ public_key + API module for public key infrastructure. + +

This module provides functions to handle public key infrastructure + from RFC 3280 - X.509 certificates (will later be upgraded to RFC 5280) + and some parts of the PKCS-standard. + Currently this application is mainly used by the new + ssl implementation. The API is yet under construction + and only a few of the functions are currently documented and thereby supported. +

+
+ +
+ COMMON DATA TYPES + +

All records used in this manual + + are generated from asn1 specifications + and are documented in the User's Guide. See Public key records and X.509 Certificate records. +

+ +

Use the following include directive to get access to the + records and constant macros described here and in the User's Guide.

+ + -include_lib("public_key/include/public_key.hrl"). + +

Data Types

+ +

boolean() = true | false

+ +

string = [bytes()]

+ +

asn1_der_encoded() = binary() | [bytes()]

+ +

der_bin() = binary()

+ +

oid() - a tuple of integers + as generated by the asn1 compiler.

+ +

public_key() = rsa_public_key() | dsa_public_key()

+ +

rsa_public_key() = #'RSAPublicKey'{}

+ +

rsa_private_key() = #'RSAPrivateKey'{}

+ +

dsa_public_key() = integer()

+ +

public_key_params() = dsa_key_params()

+ +

dsa_key_params() = #'Dss-Parms'{}

+ +

private_key() = rsa_private_key() | dsa_private_key()

+ +

rsa_private_key() = #'RSAPrivateKey'{}

+ +

dsa_private_key() = #'DSAPrivateKey'{}

+ +

x509_certificate() = "#Certificate{}"

+ +

x509_tbs_certificate() = #'TBSCertificate'{}

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + decode_private_key(KeyInfo) -> + decode_private_key(KeyInfo, Password) -> {ok, PrivateKey} | {error, Reason} + Decodes an asn1 der encoded private key. + + KeyInfo = {KeyType, der_bin(), ChipherInfo} + As returned from pem_to_der/1 for private keys + KeyType = rsa_private_key | dsa_private_key + ChipherInfo = opaque() | no_encryption + ChipherInfo may contain encryption parameters if the private key is password + protected, these are opaque to the user just pass the value returned by pem_to_der/1 + to this function. + Password = string() + Must be specified if CipherInfo =/= no_encryption + PrivateKey = private_key() + Reason = term() + + +

Decodes an asn1 der encoded private key.

+
+
+ + + pem_to_der(File) -> {ok, [Entry]} + Reads a PEM file and translates it into its asn1 der + encoded parts. + + File = path() + Password = string() + Entry = {entry_type(), der_bin(), CipherInfo} + ChipherInfo = opaque() | no_encryption + ChipherInfo may contain encryption parameters if the private key is password + protected, these will be handled by the function decode_private_key/2. + entry_type() = cert | cert_req | rsa_private_key | dsa_private_key | + dh_params + + +

Reads a PEM file and translates it into its asn1 der + encoded parts.

+
+
+ + + pkix_decode_cert(Cert, Type) -> {ok, DecodedCert} | {error, Reason} + Decodes an asn1 der encoded pkix certificate. + + Cert = asn1_der_encoded() + Type = plain | otp + DecodeCert = x509_certificate() + When type is specified as otp the asn1 spec OTP-PKIX.asn1 is used to decode known + extensions and enhance the signature field in + #'Certificate'{} and '#TBSCertificate'{}. This is currently used by the new ssl + implementation but not documented and supported for the public_key application. + Reason = term() + + +

Decodes an asn1 encoded pkix certificate.

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
diff --git a/lib/public_key/doc/src/public_key_records.xml b/lib/public_key/doc/src/public_key_records.xml new file mode 100644 index 0000000000..45b7106859 --- /dev/null +++ b/lib/public_key/doc/src/public_key_records.xml @@ -0,0 +1,99 @@ + + + + +
+ + 2008 + 2008 + Ericsson AB, All Rights Reserved + + + The contents of this file are subject to the Erlang Public License, + Version 1.1, (the "License"); you may not use this file except in + compliance with the License. You should have received a copy of the + Erlang Public License along with this software. If not, it can be + retrieved online at http://www.erlang.org/. + + Software distributed under the License is distributed on an "AS IS" + basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See + the License for the specific language governing rights and limitations + under the License. + + The Initial Developer of the Original Code is Ericsson AB. + + + Public key records + Ingela Anderton Andin + + + + + 2008-02-06 + A + public_key_records.xml +
+ +

This chapter briefly describes Erlang records derived from asn1 + specifications used to handle public and private keys. The intent + is to describe the data types and not to specify the meaning of + each component for this we refer you to the relevant standards and RFCs.

+ +

Use the following include directive to get access to the + records and constant macros used in the following sections.

+ + -include_lib("public_key/include/public_key.hrl"). + +
+ RSA as defined by the PKCS-1 standard and RFC 3447. + + +#'RSAPublicKey'{ + modulus, % integer() + publicExponent % integer() + }. + +#'RSAPrivateKey'{ + version, % two-prime | multi + modulus, % integer() + publicExponent, % integer() + privateExponent, % integer() + prime1, % integer() + prime2, % integer() + exponent1, % integer() + exponent2, % integer() + coefficient, % integer() + otherPrimeInfos % [#OtherPrimeInfo{}] | asn1_NOVALUE + }. + +#'OtherPrimeInfo'{ + prime, % integer() + exponent, % integer() + coefficient % integer() + }. + + +
+ +
+ DSA as defined by Digital Signature Standard (NIST FIPS PUB 186-2) + + + +#'DSAPrivateKey',{ + version, % integer() + p, % integer() + q, % integer() + g, % integer() + y, % integer() + x % integer() + }. + +#'Dss-Parms',{ + p, % integer() + q, % integer() + g % integer() + }. + +
+
diff --git a/lib/public_key/doc/src/ref_man.xml b/lib/public_key/doc/src/ref_man.xml new file mode 100644 index 0000000000..0f11281d05 --- /dev/null +++ b/lib/public_key/doc/src/ref_man.xml @@ -0,0 +1,43 @@ + + + + +
+ + 2008 + 2008 + Ericsson AB, All Rights Reserved + + + The contents of this file are subject to the Erlang Public License, + Version 1.1, (the "License"); you may not use this file except in + compliance with the License. You should have received a copy of the + Erlang Public License along with this software. If not, it can be + retrieved online at http://www.erlang.org/. + + Software distributed under the License is distributed on an "AS IS" + basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See + the License for the specific language governing rights and limitations + under the License. + + The Initial Developer of the Original Code is Ericsson AB. + + + public_key Reference Manual + Ingela Anderton Andin + + 2008-01-22 + + ref_man.xml +
+ +

Provides functions to handle public key infrastructure + from RFC 3280 (X.509 certificates) and some parts of the PKCS-standard. +

+
+ +
+
+
+
+
diff --git a/lib/public_key/ebin/.gitignore b/lib/public_key/ebin/.gitignore
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/lib/public_key/include/public_key.hrl b/lib/public_key/include/public_key.hrl
new file mode 100644
index 0000000000..fbce10f0eb
--- /dev/null
+++ b/lib/public_key/include/public_key.hrl
@@ -0,0 +1,62 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2008-2009. All Rights Reserved.
+%%
+%% The contents of this file are subject to the Erlang Public License,
+%% Version 1.1, (the "License"); you may not use this file except in
+%% compliance with the License. You should have received a copy of the
+%% Erlang Public License along with this software. If not, it can be
+%% retrieved online at http://www.erlang.org/.
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and limitations
+%% under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+%%
+
+-ifndef(public_key).
+-define(public_key, true).
+
+-include("OTP-PUB-KEY.hrl").
+
+-record('SubjectPublicKeyInfoAlgorithm', {
+ algorithm,
+ parameters = asn1_NOVALUE}).
+
+-record(path_validation_state, {
+ valid_policy_tree,
+ explicit_policy,
+ inhibit_any_policy,
+ policy_mapping,
+ cert_num,
+ last_cert = false,
+ permitted_subtrees = no_constraints, %% Name constraints
+ excluded_subtrees = [], %% Name constraints
+ working_public_key_algorithm,
+ working_public_key,
+ working_public_key_parameters,
+ working_issuer_name,
+ max_path_length,
+ acc_errors, %% If verify_none option is set
+ user_state
+ }).
+
+-record(policy_tree_node, {
+ valid_policy,
+ qualifier_set,
+ criticality_indicator,
+ expected_policy_set
+ }).
+
+-record(revoke_state, {
+ reasons_mask,
+ cert_status,
+ interim_reasons_mask
+ }).
+
+-endif. % -ifdef(public_key).
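Review bot: The trailing comment on the closing directive names the wrong guard: the file opens with `-ifndef(public_key).`, so the last line should read `-endif. % -ifndef(public_key).` rather than `% -ifdef(public_key).`. This header is installed into the application's `include` directory by the src Makefile, so its records are effectively public, yet only three of the seventeen `path_validation_state` fields carry a comment; a one-line comment per field stating what the validation loop stores there (for example that `working_public_key_parameters` may be inherited from the previous certificate when the algorithm is unchanged) would help readers of the verification code. The same applies to `policy_tree_node` and `revoke_state`, which are undocumented.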
diff --git a/lib/public_key/info b/lib/public_key/info new file mode 100644 index 0000000000..0fa0248a7f --- /dev/null +++ b/lib/public_key/info @@ -0,0 +1,2 @@ +group: comm +short: API to public key infrastructure. diff --git a/lib/public_key/src/Makefile b/lib/public_key/src/Makefile new file mode 100644 index 0000000000..c30399f33a --- /dev/null +++ b/lib/public_key/src/Makefile 
@@ -0,0 +1,112 @@ +# +# %CopyrightBegin% +# +# Copyright Ericsson AB 2008-2009. All Rights Reserved. +# +# The contents of this file are subject to the Erlang Public License, +# Version 1.1, (the "License"); you may not use this file except in +# compliance with the License. You should have received a copy of the +# Erlang Public License along with this software. If not, it can be +# retrieved online at http://www.erlang.org/. +# +# Software distributed under the License is distributed on an "AS IS" +# basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See +# the License for the specific language governing rights and limitations +# under the License. +# +# %CopyrightEnd% +# + +# +include $(ERL_TOP)/make/target.mk +include $(ERL_TOP)/make/$(TARGET)/otp.mk + +# ---------------------------------------------------- +# Application version +# ---------------------------------------------------- +include ../vsn.mk + +VSN = $(PUBLIC_KEY_VSN) +APP_VSN = "public_key-$(VSN)" + + +# ---------------------------------------------------- +# Release directory specification +# ---------------------------------------------------- +RELSYSDIR = $(RELEASE_PATH)/lib/public_key-$(VSN) + +# ---------------------------------------------------- +# Target Specs +# ---------------------------------------------------- +MODULES = \ + public_key \ + pubkey_pem \ + pubkey_cert \ + pubkey_cert_records \ + pubkey_crypto + +HRL_FILES = $(INCLUDE)/public_key.hrl + +INTERNAL_HRL_FILES = + +ERL_FILES = $(MODULES:%=%.erl) + +TARGET_FILES= $(MODULES:%=$(EBIN)/%.$(EMULATOR)) + +APP_FILE= public_key.app +APPUP_FILE= public_key.appup + +APP_SRC= $(APP_FILE).src +APP_TARGET= $(EBIN)/$(APP_FILE) +APPUP_SRC= $(APPUP_FILE).src +APPUP_TARGET= $(EBIN)/$(APPUP_FILE) + +INCLUDE = ../include +# ---------------------------------------------------- +# INETS FLAGS +# ---------------------------------------------------- +PUB_KEY_FLAGS = + +# ---------------------------------------------------- +# FLAGS +# 
---------------------------------------------------- +PUB_KEY_ERL_FLAGS += -I $(INCLUDE) -I ../asn1/ + +ERL_COMPILE_FLAGS += $(PUB_KEY_ERL_FLAGS) \ + $(PUB_KEY_FLAGS) \ + +'{parse_transform,sys_pre_attributes}' \ + +'{attribute,insert,app_vsn,$(APP_VSN)}' + +# ---------------------------------------------------- +# Targets +# ---------------------------------------------------- + +debug opt: $(TARGET_FILES) $(APP_TARGET) $(APPUP_TARGET) $(HRL_FILES) + +clean: + rm -f $(TARGET_FILES) $(APP_TARGET) $(APPUP_TARGET) + rm -f core + +docs: + +$(APP_TARGET): $(APP_SRC) ../vsn.mk + sed -e 's;%VSN%;$(VSN);' $< > $@ + +$(APPUP_TARGET): $(APPUP_SRC) ../vsn.mk + sed -e 's;%VSN%;$(VSN);' $< > $@ + +# ---------------------------------------------------- +# Release Target +# ---------------------------------------------------- +include $(ERL_TOP)/make/otp_release_targets.mk + +release_spec: opt + $(INSTALL_DIR) $(RELSYSDIR)/src + $(INSTALL_DATA) $(INTERNAL_HRL_FILES) $(ERL_FILES) $(RELSYSDIR)/src + $(INSTALL_DIR) $(RELSYSDIR)/include + $(INSTALL_DATA) $(HRL_FILES) $(RELSYSDIR)/include + $(INSTALL_DIR) $(RELSYSDIR)/ebin + $(INSTALL_DATA) $(TARGET_FILES) $(APP_TARGET) $(APPUP_TARGET) $(RELSYSDIR)/ebin + +release_docs_spec: + diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl new file mode 100644 index 0000000000..0ccc74799c --- /dev/null +++ b/lib/public_key/src/pubkey_cert.erl 
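Review bot: The section heading `# INETS FLAGS` above `PUB_KEY_FLAGS =` appears to be a leftover from the application this Makefile was copied from and no longer matches the variable it introduces; `# PUBLIC_KEY FLAGS` would keep the heading in step with the name. `INCLUDE = ../include` is assigned several lines after `HRL_FILES = $(INCLUDE)/public_key.hrl` refers to it, which only works because make expands `=` variables lazily at use time; moving the `INCLUDE` assignment above `HRL_FILES` would make the dependency explicit and survive a later change to `:=`.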
@@ -0,0 +1,988 @@ +%% +%% %CopyrightBegin% +%% +%% Copyright Ericsson AB 2008-2009. All Rights Reserved. +%% +%% The contents of this file are subject to the Erlang Public License, +%% Version 1.1, (the "License"); you may not use this file except in +%% compliance with the License. You should have received a copy of the +%% Erlang Public License along with this software. If not, it can be +%% retrieved online at http://www.erlang.org/. +%% +%% Software distributed under the License is distributed on an "AS IS" +%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See +%% the License for the specific language governing rights and limitations +%% under the License. +%% +%% %CopyrightEnd% +%% + +%% + +-module(pubkey_cert). + +-include("public_key.hrl"). + +-export([verify_signature/3, + init_validation_state/3, prepare_for_next_cert/2, + validate_time/3, validate_signature/6, + validate_issuer/4, validate_names/6, + validate_revoked_status/3, validate_extensions/4, + validate_unknown_extensions/3, + normalize_general_name/1, digest_type/1, digest/2, is_self_signed/1, + is_issuer/2, issuer_id/2, is_fixed_dh_cert/1]). + +-define(NULL, 0). + +%%==================================================================== +%% Internal application API +%%==================================================================== + +verify_signature(DerCert, Key, KeyParams) -> + {ok, OtpCert} = pubkey_cert_records:decode_cert(DerCert, otp), + verify_signature(OtpCert, DerCert, Key, KeyParams). 
+ +init_validation_state(#'OTPCertificate'{} = OtpCert, DefaultPathLen, + Options) -> + PolicyTree = #policy_tree_node{valid_policy = ?anyPolicy, + qualifier_set = [], + criticality_indicator = false, + expected_policy_set = [?anyPolicy]}, + MaxLen = proplists:get_value(max_path_length, Options, DefaultPathLen), + ExplicitPolicy = policy_indicator(MaxLen, + proplists:get_value(explicit_policy, Options, false)), + InhibitAnyPolicy = policy_indicator(MaxLen, + proplists:get_value(inhibit_any_policy, + Options, false)), + PolicyMapping = policy_indicator(MaxLen, + proplists:get_value(policy_mapping, Options, false)), + AccErrors = proplists:get_value(acc_errors, Options, []), + State = #path_validation_state{max_path_length = MaxLen, + valid_policy_tree = PolicyTree, + explicit_policy = ExplicitPolicy, + inhibit_any_policy = InhibitAnyPolicy, + policy_mapping = PolicyMapping, + acc_errors = AccErrors, + cert_num = 0}, + prepare_for_next_cert(OtpCert, State). + +prepare_for_next_cert(OtpCert, ValidationState = #path_validation_state{ + working_public_key_algorithm = PrevAlgo, + working_public_key_parameters = + PrevParams}) -> + TBSCert = OtpCert#'OTPCertificate'.tbsCertificate, + Issuer = TBSCert#'OTPTBSCertificate'.subject, + + {Algorithm, PublicKey, PublicKeyParams0} = + public_key_info(TBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo, + ValidationState), + PublicKeyParams = + case PublicKeyParams0 of + 'NULL' when Algorithm =:= PrevAlgo -> + PrevParams; + asn1_NOVALUE when Algorithm =:= PrevAlgo -> + PrevParams; + _ -> PublicKeyParams0 + end, + + ValidationState#path_validation_state{ + working_public_key_algorithm = Algorithm, + working_public_key = PublicKey, + working_public_key_parameters = PublicKeyParams, + working_issuer_name = Issuer, + cert_num = ValidationState#path_validation_state.cert_num + 1 + }. 
+ +validate_time(OtpCert, AccErr, Verify) -> + TBSCert = OtpCert#'OTPCertificate'.tbsCertificate, + {'Validity', NotBeforeStr, NotAfterStr} + = TBSCert#'OTPTBSCertificate'.validity, + Now = calendar:datetime_to_gregorian_seconds(calendar:universal_time()), + NotBefore = time_str_2_gregorian_sec(NotBeforeStr), + NotAfter = time_str_2_gregorian_sec(NotAfterStr), + + case ((NotBefore =< Now) and (Now =< NotAfter)) of + true -> + AccErr; + false -> + not_valid({bad_cert, cert_expired}, Verify, AccErr) + end. + +validate_issuer(OtpCert, Issuer, AccErr, Verify) -> + TBSCert = OtpCert#'OTPCertificate'.tbsCertificate, + case is_issuer(Issuer, TBSCert#'OTPTBSCertificate'.issuer) of + true -> + AccErr; + _ -> + not_valid({bad_cert, invalid_issuer}, Verify, AccErr) + end. + +validate_signature(OtpCert, DerCert, Key, KeyParams, + AccErr, Verify) -> + + case verify_signature(OtpCert, DerCert, Key, KeyParams) of + true -> + AccErr; + false -> + not_valid({bad_cert, invalid_signature}, Verify, AccErr) + end. + +validate_names(OtpCert, Permit, Exclude, Last, AccErr, Verify) -> + case is_self_signed(OtpCert) andalso (not Last) of + true -> + ok; + false -> + TBSCert = OtpCert#'OTPCertificate'.tbsCertificate, + Subject = TBSCert#'OTPTBSCertificate'.subject, + AltSubject = + select_extension(?'id-ce-subjectAltName', + TBSCert#'OTPTBSCertificate'.extensions), + + EmailAddress = extract_email(Subject), + Name = [{directoryName, Subject}|EmailAddress], + + AltNames = case AltSubject of + undefined -> []; + _ -> AltSubject#'Extension'.extnValue + end, + + case (is_permitted(Name, Permit) andalso + is_permitted(AltNames, Permit) andalso + (not is_excluded(Name, Exclude)) andalso + (not is_excluded(AltNames, Exclude))) of + true -> + AccErr; + false -> + not_valid({bad_cert, name_not_permitted}, + Verify, AccErr) + end + end. + + +%% See rfc3280 4.1.2.6 Subject: regarding emails. +extract_email({rdnSequence, List}) -> + extract_email2(List). 
+extract_email2([[#'AttributeTypeAndValue'{type=?'id-emailAddress', + value=Mail}]|_]) -> + [{rfc822Name, Mail}]; +extract_email2([_|Rest]) -> + extract_email2(Rest); +extract_email2([]) -> []. + +validate_revoked_status(_OtpCert, _Verify, AccErr) -> + %% true | + %% throw({bad_cert, cert_revoked}) + AccErr. + +validate_extensions(OtpCert, ValidationState, Verify, AccErr) -> + TBSCert = OtpCert#'OTPCertificate'.tbsCertificate, + Extensions = TBSCert#'OTPTBSCertificate'.extensions, + validate_extensions(Extensions, ValidationState, no_basic_constraint, + is_self_signed(OtpCert), [], Verify, AccErr). + +validate_unknown_extensions([], AccErr, _Verify) -> + AccErr; +validate_unknown_extensions([#'Extension'{critical = true} | _], + AccErr, Verify) -> + not_valid({bad_cert, unknown_critical_extension}, Verify, AccErr); +validate_unknown_extensions([#'Extension'{critical = false} | Rest], + AccErr, Verify) -> + validate_unknown_extensions(Rest, AccErr, Verify). + +normalize_general_name({rdnSequence, Issuer}) -> + NormIssuer = normalize_general_name(Issuer), + {rdnSequence, NormIssuer}; + +normalize_general_name(Issuer) -> + Normalize = fun([{Description, Type, {printableString, Value}}]) -> + NewValue = string:to_lower(strip_spaces(Value)), + {Description, Type, {printableString, NewValue}}; + (Atter) -> + Atter + end, + lists:sort(lists:map(Normalize, Issuer)). + +is_self_signed(#'OTPCertificate'{tbsCertificate= + #'OTPTBSCertificate'{issuer = Issuer, + subject = Subject}}) -> + is_issuer(Issuer, Subject). + +is_issuer({rdnSequence, Issuer}, {rdnSequence, Candidate}) -> + is_dir_name(Issuer, Candidate, true). 
+ +issuer_id(Otpcert, other) -> + TBSCert = Otpcert#'OTPCertificate'.tbsCertificate, + Extensions = TBSCert#'OTPTBSCertificate'.extensions, + case select_extension(?'id-ce-authorityKeyIdentifier', Extensions) of + undefined -> + {error, issuer_not_found}; + AuthKeyExt -> + cert_auth_key_id(AuthKeyExt#'Extension'.extnValue) + end; + +issuer_id(Otpcert, self) -> + TBSCert = Otpcert#'OTPCertificate'.tbsCertificate, + Issuer = TBSCert#'OTPTBSCertificate'.issuer, + SerialNr = TBSCert#'OTPTBSCertificate'.serialNumber, + {ok, {SerialNr, normalize_general_name(Issuer)}}. + + +is_fixed_dh_cert(#'OTPCertificate'{tbsCertificate = + #'OTPTBSCertificate'{subjectPublicKeyInfo = + SubjectPublicKeyInfo, + extensions = + Extensions}}) -> + is_fixed_dh_cert(SubjectPublicKeyInfo, Extensions). + +%%-------------------------------------------------------------------- +%%% Internal functions +%%-------------------------------------------------------------------- + +not_valid(Error, true, _) -> + throw(Error); +not_valid(Error, false, AccErrors) -> + [Error | AccErrors]. + +verify_signature(OtpCert, DerCert, Key, KeyParams) -> + %% Signature is an ASN1 compact bit string + {0, Signature} = OtpCert#'OTPCertificate'.signature, + SigAlgRec = OtpCert#'OTPCertificate'.signatureAlgorithm, + SigAlg = SigAlgRec#'SignatureAlgorithm'.algorithm, + EncTBSCert = encoded_tbs_cert(DerCert), + verify(SigAlg, EncTBSCert, Signature, Key, KeyParams). + +verify(Alg, PlainText, Signature, Key, KeyParams) -> + public_key:verify_signature(PlainText, digest_type(Alg), + Signature, Key, KeyParams). + +encoded_tbs_cert(Cert) -> + {ok, PKIXCert} = + 'OTP-PUB-KEY':decode_TBSCert_exclusive(Cert), + {'Certificate', + {'Certificate_tbsCertificate', EncodedTBSCert}, _, _} = PKIXCert, + EncodedTBSCert. + +digest_type(?sha1WithRSAEncryption) -> + sha; +digest_type(?md5WithRSAEncryption) -> + md5; +digest_type(?'id-dsa-with-sha1') -> + sha. 
+ +digest(?sha1WithRSAEncryption, Msg) -> + crypto:sha(Msg); +digest(?md5WithRSAEncryption, Msg) -> + crypto:md5(Msg); +digest(?'id-dsa-with-sha1', Msg) -> + crypto:sha(Msg). + +public_key_info(PublicKeyInfo, + #path_validation_state{working_public_key_algorithm = + WorkingAlgorithm, + working_public_key_parameters = + WorkingParams}) -> + PublicKey = PublicKeyInfo#'OTPSubjectPublicKeyInfo'.subjectPublicKey, + AlgInfo = PublicKeyInfo#'OTPSubjectPublicKeyInfo'.algorithm, + + PublicKeyParams = AlgInfo#'PublicKeyAlgorithm'.parameters, + Algorithm = AlgInfo#'PublicKeyAlgorithm'.algorithm, + + NewPublicKeyParams = + case PublicKeyParams of + 'NULL' when WorkingAlgorithm == Algorithm -> + WorkingParams; + _ -> + PublicKeyParams + end, + {Algorithm, PublicKey, NewPublicKeyParams}. + +time_str_2_gregorian_sec({utcTime, [Y1,Y2,M1,M2,D1,D2,H1,H2,M3,M4,S1,S2,Z]}) -> + case list_to_integer([Y1,Y2]) of + N when N >= 50 -> + time_str_2_gregorian_sec({generalTime, + [$1,$9,Y1,Y2,M1,M2,D1,D2, + H1,H2,M3,M4,S1,S2,Z]}); + _ -> + time_str_2_gregorian_sec({generalTime, + [$2,$0,Y1,Y2,M1,M2,D1,D2, + H1,H2,M3,M4,S1,S2,Z]}) + end; + +time_str_2_gregorian_sec({_,[Y1,Y2,Y3,Y4,M1,M2,D1,D2,H1,H2,M3,M4,S1,S2,$Z]}) -> + Year = list_to_integer([Y1, Y2, Y3, Y4]), + Month = list_to_integer([M1, M2]), + Day = list_to_integer([D1, D2]), + Hour = list_to_integer([H1, H2]), + Min = list_to_integer([M3, M4]), + Sec = list_to_integer([S1, S2]), + calendar:datetime_to_gregorian_seconds({{Year, Month, Day}, + {Hour, Min, Sec}}). 
+ +is_dir_name([], [], _Exact) -> true; +is_dir_name([H|R1],[H|R2], Exact) -> is_dir_name(R1,R2, Exact); +is_dir_name([[{'AttributeTypeAndValue', Type, What1}]|Rest1], + [[{'AttributeTypeAndValue', Type, What2}]|Rest2],Exact) -> + case is_dir_name2(What1,What2) of + true -> is_dir_name(Rest1,Rest2,Exact); + false -> false + end; +is_dir_name([{'AttributeTypeAndValue', Type, What1}|Rest1], + [{'AttributeTypeAndValue', Type, What2}|Rest2], Exact) -> + case is_dir_name2(What1,What2) of + true -> is_dir_name(Rest1,Rest2,Exact); + false -> false + end; +is_dir_name(_,[],false) -> + true; +is_dir_name(_,_,_) -> + false. + +is_dir_name2(Value, Value) -> true; +is_dir_name2({printableString, Value1}, {printableString, Value2}) -> + string:to_lower(strip_spaces(Value1)) =:= + string:to_lower(strip_spaces(Value2)); +is_dir_name2({utf8String, Value1}, String) -> %% BUGBUG FIX UTF8 conv + is_dir_name2({printableString, binary_to_list(Value1)}, String); +is_dir_name2(String, {utf8String, Value1}) -> %% BUGBUG FIX UTF8 conv + is_dir_name2(String, {printableString, binary_to_list(Value1)}); +is_dir_name2(_, _) -> + false. + +cert_auth_key_id(#'AuthorityKeyIdentifier'{authorityCertIssuer + = asn1_NOVALUE}) -> + {error, issuer_not_found}; +cert_auth_key_id(#'AuthorityKeyIdentifier'{authorityCertIssuer = + AuthCertIssuer, + authorityCertSerialNumber = + SerialNr}) -> + {ok, {SerialNr, decode_general_name(AuthCertIssuer)}}. + +decode_general_name([{directoryName, Issuer}]) -> + normalize_general_name(Issuer). + +%% Strip all leading and trailing spaces and make +%% sure there is no double spaces in between. +strip_spaces(String) -> + NewString = + lists:foldl(fun(Char, Acc) -> Acc ++ Char ++ " " end, [], + string:tokens(String, " ")), + string:strip(NewString). + +select_extension(_, []) -> + undefined; +select_extension(Id, [#'Extension'{extnID = Id} = Extension | _]) -> + Extension; +select_extension(Id, [_ | Extensions]) -> + select_extension(Id, Extensions). 
+ +%% No extensions present +validate_extensions(asn1_NOVALUE, ValidationState, ExistBasicCon, + SelfSigned, UnknownExtensions, Verify, AccErr) -> + validate_extensions([], ValidationState, ExistBasicCon, + SelfSigned, UnknownExtensions, Verify, AccErr); + +validate_extensions([], ValidationState, basic_constraint, _SelfSigned, + UnknownExtensions, _Verify, AccErr) -> + {ValidationState, UnknownExtensions, AccErr}; +validate_extensions([], ValidationState = + #path_validation_state{max_path_length = Len, + last_cert = Last}, + no_basic_constraint, SelfSigned, UnknownExtensions, + Verify, AccErr0) -> + case Last of + true when SelfSigned -> + {ValidationState, UnknownExtensions, AccErr0}; + true -> + {ValidationState#path_validation_state{max_path_length = Len - 1}, + UnknownExtensions, AccErr0}; + %% basic_constraint must appear in certs used for digital sign + %% see 4.2.1.10 in rfc 3280 + false -> + AccErr = not_valid({bad_cert, missing_basic_constraint}, + Verify, AccErr0), + case SelfSigned of + true -> + {ValidationState, UnknownExtensions, AccErr}; + false -> + {ValidationState#path_validation_state{max_path_length = + Len - 1}, + UnknownExtensions, AccErr} + end + end; + +validate_extensions([#'Extension'{extnID = ?'id-ce-basicConstraints', + extnValue = + #'BasicConstraints'{cA = true, + pathLenConstraint = N}} | + Rest], + ValidationState = + #path_validation_state{max_path_length = Len}, _, + SelfSigned, UnknownExtensions, Verify, AccErr) -> + Length = if SelfSigned -> min(N, Len); + true -> min(N, Len-1) + end, + validate_extensions(Rest, + ValidationState#path_validation_state{max_path_length = + Length}, + basic_constraint, SelfSigned, UnknownExtensions, + Verify, AccErr); +%% The pathLenConstraint field is meaningful only if cA is set to +%% TRUE. 
+validate_extensions([#'Extension'{extnID = ?'id-ce-basicConstraints', + extnValue = + #'BasicConstraints'{cA = false}} | + Rest], ValidationState, ExistBasicCon, + SelfSigned, UnknownExtensions, Verify, AccErr) -> + validate_extensions(Rest, ValidationState, ExistBasicCon, + SelfSigned, UnknownExtensions, Verify, AccErr); + +%% +validate_extensions([#'Extension'{extnID = ?'id-ce-keyUsage', + extnValue = KeyUse + } | Rest], + #path_validation_state{last_cert=Last} = ValidationState, + ExistBasicCon, SelfSigned, UnknownExtensions, + Verify, AccErr0) -> + case Last orelse is_valid_key_usage(KeyUse, keyCertSign) of + true -> + validate_extensions(Rest, ValidationState, ExistBasicCon, + SelfSigned, UnknownExtensions, Verify, + AccErr0); + false -> + AccErr = not_valid({bad_cert, invalid_key_usage}, Verify, AccErr0), + validate_extensions(Rest, ValidationState, ExistBasicCon, + SelfSigned, UnknownExtensions, Verify, + AccErr) + end; + +validate_extensions([#'Extension'{extnID = ?'id-ce-extKeyUsage', + extnValue = KeyUse, + critical = true} | Rest], + #path_validation_state{} = ValidationState, + ExistBasicCon, SelfSigned, UnknownExtensions, Verify, + AccErr0) -> + case is_valid_extkey_usage(KeyUse) of + true -> + validate_extensions(Rest, ValidationState, ExistBasicCon, + SelfSigned, UnknownExtensions, + Verify, AccErr0); + false -> + AccErr = + not_valid({bad_cert, invalid_ext_key_usage}, Verify, AccErr0), + validate_extensions(Rest, ValidationState, ExistBasicCon, + SelfSigned, UnknownExtensions, Verify, AccErr) + end; + +validate_extensions([#'Extension'{extnID = ?'id-ce-subjectAltName', + extnValue = Names} | Rest], + ValidationState, ExistBasicCon, + SelfSigned, UnknownExtensions, Verify, AccErr0) -> + case validate_subject_alt_names(Names) of + true when Names =/= [] -> + validate_extensions(Rest, ValidationState, ExistBasicCon, + SelfSigned, UnknownExtensions, Verify, + AccErr0); + _ -> + AccErr = + not_valid({bad_cert, invalid_subject_altname}, + Verify, 
AccErr0), + validate_extensions(Rest, ValidationState, ExistBasicCon, + SelfSigned, UnknownExtensions, Verify, + AccErr) + end; + +%% This extension SHOULD NOT be marked critical. Its value +%% does not have to be further validated at this point. +validate_extensions([#'Extension'{extnID = ?'id-ce-issuerAltName', + extnValue = _} | Rest], + ValidationState, ExistBasicCon, + SelfSigned, UnknownExtensions, Verify, AccErr) -> + validate_extensions(Rest, ValidationState, ExistBasicCon, + SelfSigned, UnknownExtensions, Verify, AccErr); + +%% This extension MUST NOT be marked critical.Its value +%% does not have to be further validated at this point. +validate_extensions([#'Extension'{extnID = Id, + extnValue = _, + critical = false} | Rest], + ValidationState, + ExistBasicCon, SelfSigned, UnknownExtensions, + Verify, AccErr) + when Id == ?'id-ce-subjectKeyIdentifier'; + Id == ?'id-ce-authorityKeyIdentifier'-> + validate_extensions(Rest, ValidationState, ExistBasicCon, + SelfSigned, UnknownExtensions, Verify, AccErr); + +validate_extensions([#'Extension'{extnID = ?'id-ce-nameConstraints', + extnValue = NameConst} | Rest], + ValidationState, + ExistBasicCon, SelfSigned, UnknownExtensions, + Verify, AccErr) -> + Permitted = NameConst#'NameConstraints'.permittedSubtrees, + Excluded = NameConst#'NameConstraints'.excludedSubtrees, + + NewValidationState = add_name_constraints(Permitted, Excluded, + ValidationState), + + validate_extensions(Rest, NewValidationState, ExistBasicCon, + SelfSigned, UnknownExtensions, Verify, AccErr); + + +validate_extensions([#'Extension'{extnID = ?'id-ce-certificatePolicies', + critical = true} | Rest], ValidationState, + ExistBasicCon, SelfSigned, + UnknownExtensions, Verify, AccErr0) -> + %% TODO: Remove this clause when policy handling is + %% fully implemented + AccErr = + not_valid({bad_cert, unknown_critical_extension}, Verify, AccErr0), + validate_extensions(Rest, ValidationState, ExistBasicCon, + SelfSigned, UnknownExtensions, Verify, 
AccErr); + +validate_extensions([#'Extension'{extnID = ?'id-ce-certificatePolicies', + extnValue = #'PolicyInformation'{ + policyIdentifier = Id, + policyQualifiers = Qualifier}} + | Rest], #path_validation_state{valid_policy_tree = Tree} + = ValidationState, + ExistBasicCon, SelfSigned, UnknownExtensions, + Verify, AccErr) -> + + %% TODO: Policy imp incomplete + NewTree = process_policy_tree(Id, Qualifier, Tree), + + validate_extensions(Rest, + ValidationState#path_validation_state{ + valid_policy_tree = NewTree}, + ExistBasicCon, SelfSigned, UnknownExtensions, + Verify, AccErr); + +validate_extensions([#'Extension'{extnID = ?'id-ce-policyConstraints', + critical = true} | Rest], ValidationState, + ExistBasicCon, SelfSigned, UnknownExtensions, Verify, + AccErr0) -> + %% TODO: Remove this clause when policy handling is + %% fully implemented + AccErr = + not_valid({bad_cert, unknown_critical_extension}, Verify, AccErr0), + validate_extensions(Rest, ValidationState, ExistBasicCon, + SelfSigned, UnknownExtensions, Verify, AccErr); +validate_extensions([#'Extension'{extnID = ?'id-ce-policyConstraints', + extnValue = #'PolicyConstraints'{ + requireExplicitPolicy = ExpPolicy, + inhibitPolicyMapping = MapPolicy}} + | Rest], ValidationState, ExistBasicCon, + SelfSigned, UnknownExtensions, Verify, AccErr) -> + + %% TODO: Policy imp incomplete + NewValidationState = add_policy_constraints(ExpPolicy, MapPolicy, + ValidationState), + + validate_extensions(Rest, NewValidationState, ExistBasicCon, + SelfSigned, UnknownExtensions, Verify, AccErr); + +validate_extensions([Extension | Rest], ValidationState, + ExistBasicCon, SelfSigned, UnknownExtensions, + Verify, AccErr) -> + validate_extensions(Rest, ValidationState, ExistBasicCon, SelfSigned, + [Extension | UnknownExtensions], Verify, AccErr). + +is_valid_key_usage(KeyUse, Use) -> + lists:member(Use, KeyUse). 
+ +is_valid_extkey_usage(?'id-kp-clientAuth') -> + true; +is_valid_extkey_usage(?'id-kp-serverAuth') -> + true; +is_valid_extkey_usage(_) -> + false. + +validate_subject_alt_names([]) -> + true; +validate_subject_alt_names([AltName | Rest]) -> + case is_valid_subject_alt_name(AltName) of + true -> + validate_subject_alt_names(Rest); + false -> + false + end. + +is_valid_subject_alt_name({Name, Value}) when Name == rfc822Name; + Name == dNSName -> + case Value of + "" -> + false; + _ -> + true + end; + +is_valid_subject_alt_name({iPAdress, Addr}) -> + case length(Addr) of + 4 -> %ipv4 + true; + 16 -> %ipv6 + true; + _ -> + false + end; +is_valid_subject_alt_name({uniformResourceIdentifier, URI}) -> + is_valid_uri(URI); + +is_valid_subject_alt_name({directoryName, _}) -> + true; +is_valid_subject_alt_name({_, [_|_]}) -> + true; +is_valid_subject_alt_name({_, _}) -> + false. + +min(N, M) when N =< M -> + N; +min(_, M) -> + M. + +is_ip_address(Address) -> + case inet_parse:address(Address) of + {ok, _} -> + true; + _ -> + false + end. + +is_fully_qualified_name(_Name) -> + true. + +is_valid_uri(AbsURI) -> + case split_uri(AbsURI) of + incomplete -> + false; + {StrScheme, _, Host, _, _} -> + case string:to_lower(StrScheme) of + Scheme when Scheme =:= "http"; Scheme =:= "ftp" -> + is_valid_host(Host); + _ -> + false + end + end. + +is_valid_host(Host) -> + case is_ip_address(Host) of + true -> + true; + false -> + is_fully_qualified_name(Host) + end. + +%% Could have a more general split URI in stdlib? Maybe when +%% regexs are improved. Needed also in inets! +split_uri(Uri) -> + case split_uri(Uri, ":", {error, no_scheme}, 1, 1) of + {error, no_scheme} -> + incomplete; + {StrScheme, "//" ++ URIPart} -> + {Authority, PathQuery} = + split_auth_path(URIPart), + {UserInfo, HostPort} = + split_uri(Authority, "@", {"", Authority}, 1, 1), + {Host, Port} = + split_uri(HostPort, ":", {HostPort, dummy_port}, 1, 1), + {StrScheme, UserInfo, Host, Port, PathQuery} + end. 
+ +split_auth_path(URIPart) -> + case split_uri(URIPart, "/", URIPart, 1, 0) of + Split = {_, _} -> + Split; + URIPart -> + case split_uri(URIPart, "\\?", URIPart, 1, 0) of + Split = {_, _} -> + Split; + URIPart -> + {URIPart,""} + end + end. + +split_uri(UriPart, SplitChar, NoMatchResult, SkipLeft, SkipRight) -> + case regexp:first_match(UriPart, SplitChar) of + {match, Match, _} -> + {string:substr(UriPart, 1, Match - SkipLeft), + string:substr(UriPart, Match + SkipRight, length(UriPart))}; + nomatch -> + NoMatchResult + end. + +is_rdnSeq({rdnSequence,[]}, {rdnSequence,[none]}) -> + true; +is_rdnSeq({rdnSequence,DirName}, {rdnSequence,Permitted}) -> + is_dir_name(DirName, Permitted, false). + +is_permitted(_, no_constraints) -> + true; +is_permitted(Names, Constraints) -> + is_valid_name(Names, Constraints, true). + +is_excluded([], _) -> + false; +is_excluded(Names, Constraints) -> + is_valid_name(Names, Constraints, false). + +is_valid_name([], _, Default) -> + Default; +is_valid_name([{Type, Name} | Rest], Constraints, Default) -> + case type_subtree_names(Type, Constraints) of + [_|_] = ConstraintNames -> + case match_name(Type, Name, ConstraintNames) of + Default -> + is_valid_name(Rest, Constraints, Default); + Fail -> + Fail + end; + [] -> + is_valid_name(Rest, Constraints,Default) + end. + +add_name_constraints(NewPermittedTrees, NewExcludedTrees, + #path_validation_state{ + permitted_subtrees = PermittedTrees, + excluded_subtrees = ExcludedTrees} = + ValidationState) -> + NewPermitted = subtree_intersection(NewPermittedTrees, PermittedTrees), + NewExcluded = subtree_union(NewExcludedTrees, ExcludedTrees), + ValidationState#path_validation_state{permitted_subtrees = NewPermitted, + excluded_subtrees = NewExcluded}. +subtree_union(asn1_NOVALUE, Trees) -> + Trees; +subtree_union(Trees1, Trees2) -> + Trees1 ++ Trees2. 
+ +subtree_intersection(asn1_NOVALUE, Trees) -> + Trees; +subtree_intersection(List, no_constraints) -> + List; +subtree_intersection([Tree | Trees1], Trees2) -> + Trees = is_in_intersection(Tree, Trees2), + subtree_intersection(Trees1, Trees); +subtree_intersection([], TreesInt) -> + TreesInt. + +is_in_intersection(#'GeneralSubtree'{base = + {directoryName, {rdnSequence, Name1}}} + = Name, + [#'GeneralSubtree'{base = + {directoryName, {rdnSequence, Name2}}} + | Trees]) -> + case is_dir_name(Name1, Name2, false) of + true -> + [Name|Trees]; + false -> + [Name#'GeneralSubtree'{base = + {directoryName, {rdnSequence,[none]}}} + | Trees] + end; +is_in_intersection(#'GeneralSubtree'{base = {ipAdress, Ip}}, + Trees = [#'GeneralSubtree'{base = {ipAdress, Ip}} | _]) -> + %% BUGBUG + Trees; +is_in_intersection(#'GeneralSubtree'{base = {x400Address, OrAddr1}} = Addr, + [#'GeneralSubtree'{base = {x400Address, OrAddr2}} + | Trees]) -> + case is_or_address(OrAddr1, OrAddr2) of + true -> + [Addr|Trees]; + false -> + [#'GeneralSubtree'{base = {x400Address, ""}} | Trees] + end; + +is_in_intersection(#'GeneralSubtree'{base = {Type, Name1}} = Name, + [#'GeneralSubtree'{base = {Type, Name2}} + | Trees]) -> + case case_insensitive_match(Name1, Name2) of + true -> + [Name|Trees]; + false -> + [#'GeneralSubtree'{base = {Type, ""}} | Trees] + end; +is_in_intersection(New, []) -> + [New]; +is_in_intersection(Name, [Other | IntCandidates]) -> + [Other|is_in_intersection(Name, IntCandidates)]. + +type_subtree_names(Type, SubTrees) -> + [Name || #'GeneralSubtree'{base = {TreeType, Name}} <- SubTrees, + TreeType =:= Type]. 
+ +match_name(rfc822Name, Name, [PermittedName | Rest]) -> + match_name(fun is_valid_host_or_domain/2, Name, PermittedName, Rest); + +match_name(directoryName, DirName, [PermittedName | Rest]) -> + match_name(fun is_rdnSeq/2, DirName, PermittedName, Rest); + +match_name(uniformResourceIdentifier, URI, [PermittedName | Rest]) -> + case split_uri(URI) of + incomplete -> + false; + {_, _, Host, _, _} -> + match_name(fun is_valid_host_or_domain/2, Host, + PermittedName, Rest) + end; + +match_name(emailAddress, Name, [PermittedName | Rest]) -> + Fun = fun(Email, PermittedEmail) -> + is_valid_email_address(Email, PermittedEmail, + string:tokens(PermittedEmail,"@")) + end, + match_name(Fun, Name, PermittedName, Rest); + +match_name(dNSName, Name, [PermittedName | Rest]) -> + Fun = fun(Domain, [$.|Domain]) -> true; + (Name1,Name2) -> + lists:suffix(string:to_lower(Name2), + string:to_lower(Name1)) + end, + match_name(Fun, Name, [$.|PermittedName], Rest); + +match_name(x400Address, OrAddress, [PermittedAddr | Rest]) -> + match_name(fun is_or_address/2, OrAddress, PermittedAddr, Rest); + +match_name(ipAdress, IP, [PermittedIP | Rest]) -> + Fun = fun([IP1, IP2, IP3, IP4], + [IP5, IP6, IP7, IP8, M1, M2, M3, M4]) -> + is_permitted_ip([IP1, IP2, IP3, IP4], + [IP5, IP6, IP7, IP8], + [M1, M2, M3, M4]); + ([IP1, IP2, IP3, IP4, IP5, IP6, IP7, IP8, + IP9, IP10, IP11, IP12, IP13, IP14, IP15, IP16], + [IP17, IP18, IP19, IP20, IP21, IP22, IP23, IP24, + IP25, IP26, IP27, IP28, IP29, IP30, IP31, IP32, + M1, M2, M3, M4, M5, M6, M7, M8, + M9, M10, M11, M12, M13, M14, M15, M16]) -> + is_permitted_ip([IP1, IP2, IP3, IP4, IP5, IP6, IP7, IP8, + IP9, IP10, IP11, IP12, IP13, + IP14, IP15, IP16], + [IP17, IP18, IP19, IP20, IP21, IP22, IP23, + IP24,IP25, IP26, IP27, IP28, IP29, IP30, + IP31, IP32], + [M1, M2, M3, M4, M5, M6, M7, M8, M9, M10, + M11, M12, M13, M14, M15, M16]); + (_,_) -> + false + end, + match_name(Fun, IP, PermittedIP, Rest). 
+ +match_name(Fun, Name, PermittedName, []) -> + Fun(Name, PermittedName); +match_name(Fun, Name, PermittedName, [Head | Tail]) -> + case Fun(Name, PermittedName) of + true -> + true; + false -> + match_name(Fun, Name, Head, Tail) + end. + +is_permitted_ip([], [], []) -> + true; +is_permitted_ip([CandidatIp | CandidatIpRest], + [PermittedIp | PermittedIpRest], [Mask | MaskRest] ) -> + case mask_cmp(CandidatIp, PermittedIp, Mask) of + true -> + is_permitted_ip(CandidatIpRest, PermittedIpRest, MaskRest); + false -> + false + end. + +mask_cmp(Canditate, Permitted, Mask) -> + (Canditate band Mask) == Permitted. + +is_valid_host_or_domain(Canditate, [$.|_] = Permitted) -> + is_suffix(Permitted, Canditate); +is_valid_host_or_domain(Canditate, Permitted) -> + case string:tokens(Canditate,"@") of + [CanditateHost] -> + case_insensitive_match(CanditateHost, Permitted); + [_, CanditateHost] -> + case_insensitive_match(CanditateHost, Permitted) + end. +is_valid_email_address(Canditate, [$.|Permitted], [_]) -> + is_suffix(Permitted, Canditate); + +is_valid_email_address(Canditate, PermittedHost, [_]) -> + [_ , CanditateHost] = string:tokens(Canditate,"@"), + case_insensitive_match(CanditateHost, PermittedHost); + +is_valid_email_address(Canditate, Permitted, [_, _]) -> + case_insensitive_match(Canditate, Permitted). + +is_suffix(Suffix, Str) -> + lists:suffix(string:to_lower(Suffix), string:to_lower(Str)). +case_insensitive_match(Str1, Str2) -> + string:to_lower(Str1) == string:to_lower(Str2). + +is_or_address(Address, Canditate) -> + %% TODO: Is case_insensitive_match sufficient? + %% study rfc2156 probably need more a complex check. + is_double_quoted(Address) andalso + is_double_quoted(Canditate) andalso + case_insensitive_match(Address, Canditate). 
+ +is_double_quoted(["\"" | Tail]) -> + is_double_quote(lists:last(Tail)); +is_double_quoted("%22" ++ Tail) -> + case lists:reverse(Tail) of + [A, B, C | _] -> + is_double_quote([C, B, A]); + _ -> + false + end; + +is_double_quoted(_) -> + false. + +is_double_quote("%22") -> + true; +is_double_quote("\"") -> + true; +is_double_quote(_) -> + false. + +add_policy_constraints(ExpPolicy, MapPolicy, + #path_validation_state{cert_num = CertNum, + explicit_policy = CurExpPolicy, + policy_mapping = CurMapPolicy} = + ValidationState) -> + + NewExpPolicy = policy_constraint(CurExpPolicy, ExpPolicy, CertNum), + NewMapPolicy = policy_constraint(CurMapPolicy, MapPolicy, CertNum), + + ValidationState#path_validation_state{explicit_policy = NewExpPolicy, + policy_mapping = NewMapPolicy}. + +policy_constraint(Current, asn1_NOVALUE, _) -> + Current; +policy_constraint(Current, New, CertNum) -> + min(Current, New + CertNum). + +process_policy_tree(_,_, ?NULL) -> + ?NULL; +process_policy_tree(_Id, _Qualifier, Tree) -> + %% TODO real imp. + Tree. + +policy_indicator(_, true) -> + 0; +policy_indicator(N, false) -> + N + 1. + +is_fixed_dh_cert(PublicKeyInfo, Extensions) -> + AlgInfo = PublicKeyInfo#'OTPSubjectPublicKeyInfo'.algorithm, + Algorithm = AlgInfo#'PublicKeyAlgorithm'.algorithm, + + case select_extension(?'id-ce-keyUsage', Extensions) of + undefined -> + is_dh(Algorithm); + #'Extension'{extnValue=KeyUse} -> + is_dh(Algorithm) andalso is_valid_key_usage(KeyUse, keyAgreement) + end. + +is_dh(?'dhpublicnumber')-> + true; +is_dh(_) -> + false. diff --git a/lib/public_key/src/pubkey_cert_records.erl b/lib/public_key/src/pubkey_cert_records.erl new file mode 100644 index 0000000000..36b7c47a9c --- /dev/null +++ b/lib/public_key/src/pubkey_cert_records.erl 
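Review bot: In `match_name(dNSName, ...)` the leading `$.` is prepended only to the first permitted name, so every later entry taken from `Rest` reaches the suffix clause of `Fun` without a label boundary and `lists:suffix("example.com", "notexample.com")` would accept a name that lies outside the constrained subtree; apply the prefix to all candidates, e.g. `match_name(Fun, Name, [$.|PermittedName], [[$.|R] || R <- Rest])`. Two smaller defects in the same hunk: `validate_names` returns the atom `ok` in its self-signed branch where the sibling validators return `AccErr`, which discards any errors accumulated so far when `Verify` is false, and `is_valid_extkey_usage/1` matches a single OID while the `extKeyUsage` value it is handed appears to be a list of OIDs (the decoder is not in this hunk, so this is inferred), which would make every critical extKeyUsage extension report `invalid_ext_key_usage`. The `cA = true` clause of `validate_extensions` handles an absent `pathLenConstraint` only because `min(asn1_NOVALUE, Len)` relies on an atom sorting after every number in Erlang term order; an explicit `pathLenConstraint = asn1_NOVALUE` clause would make that intent visible. Finally, `validate_revoked_status/3` is a stub that never consults a CRL and `digest_type/1` still accepts `md5WithRSAEncryption`, so a comment such as `%% NOTE: revocation is not checked yet; cert_revoked is never reported` on the stub, and a matching note on the MD5 clause, would keep integrators from assuming stronger guarantees than this module currently gives.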
@@ -0,0 +1,538 @@ +%% +%% %CopyrightBegin% +%% +%% Copyright Ericsson AB 2008-2009. All Rights Reserved. +%% +%% The contents of this file are subject to the Erlang Public License, +%% Version 1.1, (the "License"); you may not use this file except in +%% compliance with the License. You should have received a copy of the +%% Erlang Public License along with this software. If not, it can be +%% retrieved online at http://www.erlang.org/. +%% +%% Software distributed under the License is distributed on an "AS IS" +%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See +%% the License for the specific language governing rights and limitations +%% under the License. +%% +%% %CopyrightEnd% +%% + +%% + +-module(pubkey_cert_records). + +-include("public_key.hrl"). + +-export([decode_cert/2, encode_cert/1, encode_tbs_cert/1]). + +-export([old_decode_cert/2, old_encode_cert/1]). %% Debugging and testing new code. + +%%==================================================================== +%% Internal application API +%%==================================================================== + +decode_cert(DerCert, plain) -> + 'OTP-PUB-KEY':decode('Certificate', DerCert); +decode_cert(DerCert, otp) -> + {ok, Cert} = 'OTP-PUB-KEY':decode('OTPCertificate', DerCert), + {ok, decode_all_otp(Cert)}. + +old_decode_cert(DerCert, otp) -> + {ok, Cert} = 'OTP-PUB-KEY':decode('Certificate', DerCert), + {ok, plain_to_otp(Cert)}. + +old_encode_cert(Cert) -> + PlainCert = otp_to_plain(Cert), + {ok, EncCert} = 'OTP-PUB-KEY':encode('Certificate', PlainCert), + list_to_binary(EncCert). 
+ + +encode_cert(Cert = #'Certificate'{}) -> + {ok, EncCert} = 'OTP-PUB-KEY':encode('Certificate', Cert), + list_to_binary(EncCert); +encode_cert(C = #'OTPCertificate'{tbsCertificate = TBS = + #'OTPTBSCertificate'{ + issuer=Issuer0, + subject=Subject0, + subjectPublicKeyInfo=Spki0, + extensions=Exts0} + }) -> + Issuer = transform(Issuer0,encode), + Subject = transform(Subject0,encode), + Spki = encode_supportedPublicKey(Spki0), + Exts = encode_extensions(Exts0), + %% io:format("Extensions ~p~n",[Exts]), + Cert = C#'OTPCertificate'{tbsCertificate= + TBS#'OTPTBSCertificate'{ + issuer=Issuer, subject=Subject, + subjectPublicKeyInfo=Spki, + extensions=Exts}}, + {ok, EncCert} = 'OTP-PUB-KEY':encode('OTPCertificate', Cert), + list_to_binary(EncCert). + +encode_tbs_cert(TBS = #'OTPTBSCertificate'{ + issuer=Issuer0, + subject=Subject0, + subjectPublicKeyInfo=Spki0, + extensions=Exts0}) -> + Issuer = transform(Issuer0,encode), + Subject = transform(Subject0,encode), + Spki = encode_supportedPublicKey(Spki0), + Exts = encode_extensions(Exts0), + TBSCert = TBS#'OTPTBSCertificate'{issuer=Issuer,subject=Subject, + subjectPublicKeyInfo=Spki,extensions=Exts}, + {ok, EncTBSCert} = 'OTP-PUB-KEY':encode('OTPTBSCertificate', TBSCert), + list_to_binary(EncTBSCert). + +%%-------------------------------------------------------------------- +%%% Internal functions +%%-------------------------------------------------------------------- + +decode_all_otp(C = #'OTPCertificate'{tbsCertificate = TBS = + #'OTPTBSCertificate'{ + issuer=Issuer0, + subject=Subject0, + subjectPublicKeyInfo=Spki0, + extensions=Exts0} + }) -> + Issuer = transform(Issuer0,decode), + Subject = transform(Subject0,decode), + Spki = decode_supportedPublicKey(Spki0), + Exts = decode_extensions(Exts0), + %% io:format("Extensions ~p~n",[Exts]), + C#'OTPCertificate'{tbsCertificate= + TBS#'OTPTBSCertificate'{ + issuer=Issuer, subject=Subject, + subjectPublicKeyInfo=Spki,extensions=Exts}}. 
+ + +%%% SubjectPublicKey +supportedPublicKeyAlgorithms(?'rsaEncryption') -> 'RSAPublicKey'; +supportedPublicKeyAlgorithms(?'id-dsa') -> 'DSAPublicKey'; +supportedPublicKeyAlgorithms(?'dhpublicnumber') -> 'DHPublicKey'; +supportedPublicKeyAlgorithms(?'id-keyExchangeAlgorithm') -> 'KEA-PublicKey'; +supportedPublicKeyAlgorithms(?'id-ecPublicKey') -> 'ECPoint'. + +decode_supportedPublicKey(#'OTPSubjectPublicKeyInfo'{algorithm= PA = + #'PublicKeyAlgorithm'{algorithm=Algo}, + subjectPublicKey = {0,SPK0}}) -> + Type = supportedPublicKeyAlgorithms(Algo), + {ok, SPK} = 'OTP-PUB-KEY':decode(Type, SPK0), + #'OTPSubjectPublicKeyInfo'{subjectPublicKey = SPK, algorithm=PA}. + +encode_supportedPublicKey(#'OTPSubjectPublicKeyInfo'{algorithm= PA = + #'PublicKeyAlgorithm'{algorithm=Algo}, + subjectPublicKey = SPK0}) -> + Type = supportedPublicKeyAlgorithms(Algo), + {ok, SPK} = 'OTP-PUB-KEY':encode(Type, SPK0), + #'OTPSubjectPublicKeyInfo'{subjectPublicKey = {0,list_to_binary(SPK)}, algorithm=PA}. + +%%% Extensions + +extension_id(?'id-ce-authorityKeyIdentifier') -> 'AuthorityKeyIdentifier'; +extension_id(?'id-ce-subjectKeyIdentifier') -> 'SubjectKeyIdentifier'; +extension_id(?'id-ce-keyUsage') -> 'KeyUsage'; +extension_id(?'id-ce-privateKeyUsagePeriod') -> 'PrivateKeyUsagePeriod'; +extension_id(?'id-ce-certificatePolicies') -> 'CertificatePolicies'; +extension_id(?'id-ce-policyMappings') -> 'PolicyMappings'; +extension_id(?'id-ce-subjectAltName') -> 'SubjectAltName'; +extension_id(?'id-ce-issuerAltName') -> 'IssuerAltName'; +extension_id(?'id-ce-subjectDirectoryAttributes') -> 'SubjectDirectoryAttributes'; +extension_id(?'id-ce-basicConstraints' ) -> 'BasicConstraints'; +extension_id(?'id-ce-nameConstraints') -> 'NameConstraints'; +extension_id(?'id-ce-policyConstraints') -> 'PolicyConstraints'; +extension_id(?'id-ce-cRLDistributionPoints') -> 'CRLDistributionPoints'; +extension_id(?'id-ce-extKeyUsage') -> 'ExtKeyUsageSyntax'; +extension_id(?'id-ce-inhibitAnyPolicy') -> 
'InhibitAnyPolicy'; +extension_id(?'id-ce-freshestCRL') -> 'FreshestCRL'; +%% Missing in public_key doc +extension_id(?'id-pe-authorityInfoAccess') -> 'AuthorityInfoAccessSyntax'; +extension_id(?'id-pe-subjectInfoAccess') -> 'SubjectInfoAccessSyntax'; +extension_id(?'id-ce-cRLNumber') -> 'CRLNumber'; +extension_id(?'id-ce-issuingDistributionPoint') -> 'IssuingDistributionPoint'; +extension_id(?'id-ce-deltaCRLIndicator') -> 'BaseCRLNumber'; +extension_id(?'id-ce-cRLReasons') -> 'CRLReason'; +extension_id(?'id-ce-certificateIssuer') -> 'CertificateIssuer'; +extension_id(?'id-ce-holdInstructionCode') -> 'HoldInstructionCode'; +extension_id(?'id-ce-invalidityDate') -> 'InvalidityDate'; +extension_id(_) -> + undefined. + + +decode_extensions(asn1_NOVALUE) -> + asn1_NOVALUE; + +decode_extensions(Exts) -> + lists:map(fun(Ext = #'Extension'{extnID=Id, extnValue=Value0}) -> + case extension_id(Id) of + undefined -> Ext; + Type -> + {ok, Value} = 'OTP-PUB-KEY':decode(Type, list_to_binary(Value0)), + Ext#'Extension'{extnValue=transform(Value,decode)} + end + end, Exts). + +encode_extensions(asn1_NOVALUE) -> + asn1_NOVALUE; + +encode_extensions(Exts) -> + lists:map(fun(Ext = #'Extension'{extnID=Id, extnValue=Value0}) -> + case extension_id(Id) of + undefined -> Ext; + Type -> + Value1 = transform(Value0,encode), + {ok, Value} = 'OTP-PUB-KEY':encode(Type, Value1), + Ext#'Extension'{extnValue=list_to_binary(Value)} + end + end, Exts). 
+ +transform(#'AttributeTypeAndValue'{type=Id,value=Value0} = ATAV, Func) -> + {ok, Value} = + case attribute_type(Id) of + Type when is_atom(Type) -> 'OTP-PUB-KEY':Func(Type, Value0); + _UnknownType -> {ok, Value0} + end, + ATAV#'AttributeTypeAndValue'{value=Value}; +transform(AKI = #'AuthorityKeyIdentifier'{authorityCertIssuer=ACI},Func) -> + AKI#'AuthorityKeyIdentifier'{authorityCertIssuer=transform(ACI,Func)}; +transform(List = [{directoryName, _}],Func) -> + [{directoryName, transform(Value,Func)} || {directoryName, Value} <- List]; +transform({directoryName, Value},Func) -> + {directoryName, transform(Value,Func)}; +transform({rdnSequence, SeqList},Func) when is_list(SeqList) -> + {rdnSequence, + lists:map(fun(Seq) -> + lists:map(fun(Element) -> transform(Element,Func) end, Seq) + end, SeqList)}; +%% transform(List = [{rdnSequence, _}|_],Func) -> +%% lists:map(fun(Element) -> transform(Element,Func) end, List); +transform(#'NameConstraints'{permittedSubtrees=Permitted, excludedSubtrees=Excluded}, Func) -> + Res = #'NameConstraints'{permittedSubtrees=transform_sub_tree(Permitted,Func), + excludedSubtrees=transform_sub_tree(Excluded,Func)}, +%% io:format("~p~n",[Res]), + Res; +transform(Other,_) -> + Other. +transform_sub_tree(asn1_NOVALUE,_) -> asn1_NOVALUE; +transform_sub_tree(TreeList,Func) -> + [Tree#'GeneralSubtree'{base=transform(Name,Func)} || + Tree = #'GeneralSubtree'{base=Name} <- TreeList]. 
+ +attribute_type(?'id-at-name') -> 'X520name'; +attribute_type(?'id-at-surname') -> 'X520name'; +attribute_type(?'id-at-givenName') -> 'X520name'; +attribute_type(?'id-at-initials') -> 'X520name'; +attribute_type(?'id-at-generationQualifier') -> 'X520name'; +attribute_type(?'id-at-commonName') -> 'X520CommonName'; +attribute_type(?'id-at-localityName') -> 'X520LocalityName'; +attribute_type(?'id-at-stateOrProvinceName') -> 'X520StateOrProvinceName'; +attribute_type(?'id-at-organizationName') -> 'X520OrganizationName'; +attribute_type(?'id-at-organizationalUnitName') -> 'X520OrganizationalUnitName'; +attribute_type(?'id-at-title') -> 'X520Title'; +attribute_type(?'id-at-dnQualifier') -> 'X520dnQualifier'; +attribute_type(?'id-at-countryName') -> 'X520countryName'; +attribute_type(?'id-at-serialNumber') -> 'X520SerialNumber'; +attribute_type(?'id-at-pseudonym') -> 'X520Pseudonym'; +attribute_type(?'id-domainComponent') -> 'DomainComponent'; +attribute_type(?'id-emailAddress') -> 'EmailAddress'; +attribute_type(Type) -> Type. 
+ +%%% Old code transforms + +plain_to_otp(#'Certificate'{tbsCertificate = TBSCert, + signatureAlgorithm = SigAlg, + signature = Signature} = Cert) -> + Cert#'Certificate'{tbsCertificate = plain_to_otp(TBSCert), + signatureAlgorithm = plain_to_otp(SigAlg), + signature = plain_to_otp(Signature)}; + +plain_to_otp(#'TBSCertificate'{signature = Signature, + issuer = Issuer, + subject = Subject, + subjectPublicKeyInfo = SPubKeyInfo, + extensions = Extensions} = TBSCert) -> + + TBSCert#'TBSCertificate'{signature = plain_to_otp(Signature), + issuer = plain_to_otp(Issuer), + subject = + plain_to_otp(Subject), + subjectPublicKeyInfo = + plain_to_otp(SPubKeyInfo), + extensions = + plain_to_otp_extensions(Extensions) + }; + +plain_to_otp(#'AlgorithmIdentifier'{algorithm = Algorithm, + parameters = Params}) -> + SignAlgAny = + #'SignatureAlgorithm-Any'{algorithm = Algorithm, + parameters = Params}, + {ok, AnyEnc} = 'OTP-PUB-KEY':encode('SignatureAlgorithm-Any', + SignAlgAny), + {ok, SignAlg} = 'OTP-PUB-KEY':decode('SignatureAlgorithm', + list_to_binary(AnyEnc)), + SignAlg; + +plain_to_otp({rdnSequence, SeqList}) when is_list(SeqList) -> + {rdnSequence, + lists:map(fun(Seq) -> + lists:map(fun(Element) -> + plain_to_otp(Element) + end, + Seq) + end, SeqList)}; + +plain_to_otp(#'AttributeTypeAndValue'{} = ATAV) -> + {ok, ATAVEnc} = + 'OTP-PUB-KEY':encode('AttributeTypeAndValue', ATAV), + {ok, ATAVDec} = 'OTP-PUB-KEY':decode('OTPAttributeTypeAndValue', + list_to_binary(ATAVEnc)), + #'AttributeTypeAndValue'{type = ATAVDec#'OTPAttributeTypeAndValue'.type, + value = + ATAVDec#'OTPAttributeTypeAndValue'.value}; + +plain_to_otp(#'SubjectPublicKeyInfo'{algorithm = + #'AlgorithmIdentifier'{algorithm + = Algo, + parameters = + Params}, + subjectPublicKey = PublicKey}) -> + + AnyAlgo = #'PublicKeyAlgorithm'{algorithm = Algo, + parameters = Params}, + {0, AnyKey} = PublicKey, + AnyDec = #'OTPSubjectPublicKeyInfo-Any'{algorithm = AnyAlgo, + subjectPublicKey = AnyKey}, + {ok, AnyEnc} = + 
'OTP-PUB-KEY':encode('OTPSubjectPublicKeyInfo-Any', AnyDec), + {ok, InfoDec} = 'OTP-PUB-KEY':decode('OTPOLDSubjectPublicKeyInfo', + list_to_binary(AnyEnc)), + + AlgorithmDec = InfoDec#'OTPOLDSubjectPublicKeyInfo'.algorithm, + AlgoDec = AlgorithmDec#'OTPOLDSubjectPublicKeyInfo_algorithm'.algo, + NewParams = AlgorithmDec#'OTPOLDSubjectPublicKeyInfo_algorithm'.parameters, + PublicKeyDec = InfoDec#'OTPOLDSubjectPublicKeyInfo'.subjectPublicKey, + NewAlgorithmDec = + #'SubjectPublicKeyInfoAlgorithm'{algorithm = AlgoDec, + parameters = NewParams}, + #'SubjectPublicKeyInfo'{algorithm = NewAlgorithmDec, + subjectPublicKey = PublicKeyDec + }; + +plain_to_otp(#'Extension'{extnID = ExtID, + critical = Critical, + extnValue = Value}) + when ExtID == ?'id-ce-authorityKeyIdentifier'; + ExtID == ?'id-ce-subjectKeyIdentifier'; + ExtID == ?'id-ce-keyUsage'; + ExtID == ?'id-ce-privateKeyUsagePeriod'; + ExtID == ?'id-ce-certificatePolicies'; + ExtID == ?'id-ce-policyMappings'; + ExtID == ?'id-ce-subjectAltName'; + ExtID == ?'id-ce-issuerAltName'; + ExtID == ?'id-ce-subjectDirectoryAttributes'; + ExtID == ?'id-ce-basicConstraints'; + ExtID == ?'id-ce-nameConstraints'; + ExtID == ?'id-ce-policyConstraints'; + ExtID == ?'id-ce-extKeyUsage'; + ExtID == ?'id-ce-cRLDistributionPoints'; + ExtID == ?'id-ce-inhibitAnyPolicy'; + ExtID == ?'id-ce-freshestCRL' -> + ExtAny = #'Extension-Any'{extnID = ExtID, + critical = Critical, + extnValue = Value}, + {ok, AnyEnc} = 'OTP-PUB-KEY':encode('Extension-Any', ExtAny), + {ok, ExtDec} = 'OTP-PUB-KEY':decode('OTPExtension', + list_to_binary(AnyEnc)), + + ExtValue = plain_to_otp_extension_value(ExtID, + ExtDec#'OTPExtension'.extnValue), + #'Extension'{extnID = ExtID, + critical = ExtDec#'OTPExtension'.critical, + extnValue = ExtValue}; + +plain_to_otp(#'Extension'{} = Ext) -> + Ext; + +plain_to_otp(#'AuthorityKeyIdentifier'{} = Ext) -> + CertIssuer = Ext#'AuthorityKeyIdentifier'.authorityCertIssuer, + Ext#'AuthorityKeyIdentifier'{authorityCertIssuer = + 
plain_to_otp(CertIssuer)}; + + +plain_to_otp([{directoryName, Value}]) -> + [{directoryName, plain_to_otp(Value)}]; + +plain_to_otp(Value) -> + Value. + +otp_to_plain(#'Certificate'{tbsCertificate = TBSCert, + signatureAlgorithm = SigAlg, + signature = Signature} = Cert) -> + Cert#'Certificate'{tbsCertificate = otp_to_plain(TBSCert), + signatureAlgorithm = + otp_to_plain(SigAlg), + signature = otp_to_plain(Signature)}; + +otp_to_plain(#'TBSCertificate'{signature = Signature, + issuer = Issuer, + subject = Subject, + subjectPublicKeyInfo = SPubKeyInfo, + extensions = Extensions} = TBSCert) -> + + TBSCert#'TBSCertificate'{signature = otp_to_plain(Signature), + issuer = otp_to_plain(Issuer), + subject = + otp_to_plain(Subject), + subjectPublicKeyInfo = + otp_to_plain(SPubKeyInfo), + extensions = otp_to_plain_extensions(Extensions) + }; + +otp_to_plain(#'SignatureAlgorithm'{} = SignAlg) -> + {ok, EncSignAlg} = 'OTP-PUB-KEY':encode('SignatureAlgorithm', SignAlg), + {ok, #'SignatureAlgorithm-Any'{algorithm = Algorithm, + parameters = Params}} = + 'OTP-PUB-KEY':decode('SignatureAlgorithm-Any', + list_to_binary(EncSignAlg)), + #'AlgorithmIdentifier'{algorithm = Algorithm, + parameters = Params}; + +otp_to_plain({rdnSequence, SeqList}) when is_list(SeqList) -> + {rdnSequence, + lists:map(fun(Seq) -> + lists:map(fun(Element) -> + otp_to_plain(Element) + end, + Seq) + end, SeqList)}; + +otp_to_plain(#'AttributeTypeAndValue'{type = Type, value = Value}) -> + {ok, ATAVEnc} = + 'OTP-PUB-KEY':encode('OTPAttributeTypeAndValue', + #'OTPAttributeTypeAndValue'{type = Type, + value = Value}), + {ok, ATAVDec} = 'OTP-PUB-KEY':decode('AttributeTypeAndValue', + list_to_binary(ATAVEnc)), + ATAVDec; + +otp_to_plain(#'SubjectPublicKeyInfo'{algorithm = + #'SubjectPublicKeyInfoAlgorithm'{ + algorithm = Algo, + parameters = + Params}, + subjectPublicKey = PublicKey}) -> + + OtpAlgo = #'OTPOLDSubjectPublicKeyInfo_algorithm'{algo = Algo, + parameters = Params}, + OtpDec = 
#'OTPOLDSubjectPublicKeyInfo'{algorithm = OtpAlgo, + subjectPublicKey = PublicKey}, + {ok, OtpEnc} = + 'OTP-PUB-KEY':encode('OTPOLDSubjectPublicKeyInfo', OtpDec), + + {ok, AnyDec} = 'OTP-PUB-KEY':decode('OTPSubjectPublicKeyInfo-Any', + list_to_binary(OtpEnc)), + + #'OTPSubjectPublicKeyInfo-Any'{algorithm = #'PublicKeyAlgorithm'{ + algorithm = NewAlgo, + parameters = NewParams}, + subjectPublicKey = Bin} = AnyDec, + + #'SubjectPublicKeyInfo'{algorithm = + #'AlgorithmIdentifier'{ + algorithm = NewAlgo, + parameters = plain_key_params(NewParams)}, + subjectPublicKey = + {0, Bin} + }; + +otp_to_plain(#'Extension'{extnID = ExtID, + extnValue = Value} = Ext) -> + ExtValue = + otp_to_plain_extension_value(ExtID, Value), + + Ext#'Extension'{extnValue = ExtValue}; + +otp_to_plain(#'AuthorityKeyIdentifier'{} = Ext) -> + CertIssuer = Ext#'AuthorityKeyIdentifier'.authorityCertIssuer, + Ext#'AuthorityKeyIdentifier'{authorityCertIssuer = + otp_to_plain(CertIssuer)}; + +otp_to_plain([{directoryName, Value}]) -> + [{directoryName, otp_to_plain(Value)}]; + +otp_to_plain(Value) -> + Value. + +plain_key_params('NULL') -> + <<5,0>>; +plain_key_params(Value) -> + Value. + +plain_to_otp_extension_value(?'id-ce-authorityKeyIdentifier', Value) -> + plain_to_otp(Value); +plain_to_otp_extension_value(_, Value) -> + Value. + +plain_to_otp_extensions(Exts) when is_list(Exts) -> + lists:map(fun(Ext) -> plain_to_otp(Ext) end, Exts). 
+ +otp_to_plain_extension_value(?'id-ce-authorityKeyIdentifier', Value) -> + {ok, Enc} = 'OTP-PUB-KEY':encode('AuthorityKeyIdentifier', + otp_to_plain(Value)), + otp_to_plain_extension_value_format(Enc); +otp_to_plain_extension_value(?'id-ce-subjectKeyIdentifier', Value) -> + {ok, Enc} = 'OTP-PUB-KEY':encode('SubjectKeyIdentifier', Value), + otp_to_plain_extension_value_format(Enc); +otp_to_plain_extension_value(?'id-ce-keyUsage', Value) -> + {ok, Enc} = 'OTP-PUB-KEY':encode('KeyUsage', Value), + otp_to_plain_extension_value_format(Enc); +otp_to_plain_extension_value(?'id-ce-privateKeyUsagePeriod', Value) -> + {ok, Enc} = 'OTP-PUB-KEY':encode('PrivateKeyUsagePeriod', Value), + otp_to_plain_extension_value_format(Enc); +otp_to_plain_extension_value(?'id-ce-certificatePolicies', Value) -> + {ok, Enc} = 'OTP-PUB-KEY':encode('CertificatePolicies', Value), + otp_to_plain_extension_value_format(Enc); +otp_to_plain_extension_value(?'id-ce-policyMappings', Value) -> + {ok, Enc} = 'OTP-PUB-KEY':encode('PolicyMappings', Value), + otp_to_plain_extension_value_format(Enc); +otp_to_plain_extension_value(?'id-ce-subjectAltName', Value) -> + {ok, Enc} = 'OTP-PUB-KEY':encode('SubjectAltName', Value), + otp_to_plain_extension_value_format(Enc); +otp_to_plain_extension_value(?'id-ce-issuerAltName', Value) -> + {ok, Enc} = 'OTP-PUB-KEY':encode('IssuerAltName', Value), + otp_to_plain_extension_value_format(Enc); +otp_to_plain_extension_value(?'id-ce-subjectDirectoryAttributes', Value) -> + {ok, Enc} = 'OTP-PUB-KEY':encode('SubjectDirectoryAttributes', Value), + otp_to_plain_extension_value_format(Enc); +otp_to_plain_extension_value(?'id-ce-basicConstraints', Value) -> + {ok, Enc} = 'OTP-PUB-KEY':encode('BasicConstraints', Value), + otp_to_plain_extension_value_format(Enc); +otp_to_plain_extension_value(?'id-ce-nameConstraints', Value) -> + {ok, Enc} = 'OTP-PUB-KEY':encode('NameConstraints', Value), + otp_to_plain_extension_value_format(Enc); 
+otp_to_plain_extension_value(?'id-ce-policyConstraints', Value) -> + {ok, Enc} = 'OTP-PUB-KEY':encode('PolicyConstraints', Value), + otp_to_plain_extension_value_format(Enc); +otp_to_plain_extension_value(?'id-ce-extKeyUsage', Value) -> + {ok, Enc} = 'OTP-PUB-KEY':encode('ExtKeyUsage', Value), + otp_to_plain_extension_value_format(Enc); +otp_to_plain_extension_value(?'id-ce-cRLDistributionPoints', Value) -> + {ok, Enc} = 'OTP-PUB-KEY':encode('CRLDistributionPoints', Value), + otp_to_plain_extension_value_format(Enc); +otp_to_plain_extension_value(?'id-ce-inhibitAnyPolicy', Value) -> + {ok, Enc} = 'OTP-PUB-KEY':encode('InhibitAnyPolicy', Value), + otp_to_plain_extension_value_format(Enc); +otp_to_plain_extension_value(?'id-ce-freshestCRL', Value) -> + {ok, Enc} = 'OTP-PUB-KEY':encode('FreshestCRL', Value), + otp_to_plain_extension_value_format(Enc); +otp_to_plain_extension_value(_Id, Value) -> + Value. + +otp_to_plain_extension_value_format(Value) -> + list_to_binary(Value). + +otp_to_plain_extensions(Exts) when is_list(Exts) -> + lists:map(fun(Ext) -> + otp_to_plain(Ext) + end, Exts). diff --git a/lib/public_key/src/pubkey_crypto.erl b/lib/public_key/src/pubkey_crypto.erl new file mode 100644 index 0000000000..fe4e97fcc5 --- /dev/null +++ b/lib/public_key/src/pubkey_crypto.erl 
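Review bot: `decode_supportedPublicKey/1` calls `supportedPublicKeyAlgorithms/1`, which has clauses for exactly five OIDs and no catch-all, so a certificate whose SubjectPublicKeyInfo uses any other algorithm makes `decode_cert(Der, otp)` raise `function_clause` instead of returning a result; this is inconsistent with `extension_id/1`, which falls through to `undefined` and leaves unknown extensions untouched. The `{ok, Value} = 'OTP-PUB-KEY':decode(...)` in `decode_extensions/1` likewise turns a malformed value of a known extension into a `badmatch`. Since `decode_cert/2` is presumably fed certificates received from a peer, a crash here is a denial-of-service lever against the calling process unless every caller wraps it in `catch`. I would give the key-algorithm table a catch-all and keep an unknown key as its raw BIT STRING, with the symmetric clause in `encode_supportedPublicKey/1` so round-tripping still works; whether later signature checks in pubkey_cert then fail cleanly on the undecoded key needs confirming.
```erlang
supportedPublicKeyAlgorithms(?'rsaEncryption') -> 'RSAPublicKey';
%% … unchanged: id-dsa, dhpublicnumber, id-keyExchangeAlgorithm, id-ecPublicKey clauses …
supportedPublicKeyAlgorithms(_) -> undefined.

decode_supportedPublicKey(#'OTPSubjectPublicKeyInfo'{algorithm= PA =
                                                     #'PublicKeyAlgorithm'{algorithm=Algo},
                                                     subjectPublicKey = {0,SPK0}} = Info) ->
    case supportedPublicKeyAlgorithms(Algo) of
        undefined ->
            %% Unknown key algorithm: keep the raw BIT STRING so the rest of
            %% the certificate still parses instead of the decoder crashing.
            %% NOTE(review): confirm pubkey_cert rejects such a key cleanly.
            Info;
        Type ->
            {ok, SPK} = 'OTP-PUB-KEY':decode(Type, SPK0),
            #'OTPSubjectPublicKeyInfo'{subjectPublicKey = SPK, algorithm=PA}
    end.

%% Key was left undecoded above; re-encode it as-is.
encode_supportedPublicKey(#'OTPSubjectPublicKeyInfo'{subjectPublicKey = {0, _}} = Info) ->
    Info;
%% … unchanged: existing encode_supportedPublicKey clause …
```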
@@ -0,0 +1,137 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2008-2009. All Rights Reserved.
+%%
+%% The contents of this file are subject to the Erlang Public License,
+%% Version 1.1, (the "License"); you may not use this file except in
+%% compliance with the License. You should have received a copy of the
+%% Erlang Public License along with this software. If not, it can be
+%% retrieved online at http://www.erlang.org/.
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and limitations
+%% under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+%%
+%% Description: Functions that call the crypto driver.
+
+-module(pubkey_crypto).
+
+-include("public_key.hrl").
+
+-export([encrypt_public/3, decrypt_private/3,
+ encrypt_private/3, decrypt_public/3,
+ sign/2, sign/3, verify/5]).
+
+-define(UINT32(X), X:32/unsigned-big-integer).
+
+%%====================================================================
+%% Internal application API
+%%====================================================================
+
+%%--------------------------------------------------------------------
+%% Function: encrypt(PlainText, Key, Padding) -> Encrypted
+%%
+%% PlainText = binary()
+%% Key = rsa_public_key() | rsa_private_key()
+%% Padding = rsa_pkcs1_padding | rsa_pkcs1_oaep_padding
+%% Encrypted = binary()
+%%
+%% Description: Public key encrypts PlainText.
+%%--------------------------------------------------------------------
+encrypt_public(PlainText, #'RSAPublicKey'{modulus=N,publicExponent=E},Padding) ->
+ crypto:rsa_public_encrypt(PlainText, [crypto:mpint(E),crypto:mpint(N)],Padding);
+encrypt_public(PlainText, #'RSAPrivateKey'{modulus=N,publicExponent=E},Padding) ->
+ crypto:rsa_public_encrypt(PlainText, [crypto:mpint(E),crypto:mpint(N)],Padding).
+
+encrypt_private(PlainText, #'RSAPrivateKey'{modulus = N,
+ publicExponent = E,
+ privateExponent = D}, Padding) ->
+ crypto:rsa_private_encrypt(PlainText, [crypto:mpint(E),
+ crypto:mpint(N),
+ crypto:mpint(D)], Padding).
+
+%%--------------------------------------------------------------------
+%% Function: decrypt(CipherText, Key) -> PlainText
+%%
+%% ChipherText = binary()
+%% Key = rsa_private_key()
+%% Padding = rsa_pkcs1_padding | rsa_pkcs1_oaep_padding
+%% PlainText = binary()
+%%
+%% Description: Uses private key to decrypt public key encrypted data.
+%%--------------------------------------------------------------------
+decrypt_private(CipherText,
+ #'RSAPrivateKey'{modulus = N,publicExponent = E,privateExponent = D},
+ Padding) ->
+ crypto:rsa_private_decrypt(CipherText,
+ [crypto:mpint(E), crypto:mpint(N),crypto:mpint(D)],
+ Padding).
+decrypt_public(CipherText, #'RSAPublicKey'{modulus = N, publicExponent = E}, Padding) ->
+ crypto:rsa_public_decrypt(CipherText,[crypto:mpint(E), crypto:mpint(N)], Padding);
+decrypt_public(CipherText, #'RSAPrivateKey'{modulus = N, publicExponent = E}, Padding) ->
+ crypto:rsa_public_decrypt(CipherText,[crypto:mpint(E), crypto:mpint(N)], Padding).
+
+%%--------------------------------------------------------------------
+%% Function: sign(PlainText, Key) ->
+%% sign(DigestType, PlainText, Key) -> Signature
+%%
+%% DigestType = sha | md5
+%% PlainText = binary()
+%% Key = rsa_private_key() | dsa_private_key()
+%% Signature = binary()
+%%
+%% Description: Signs PlainText using Key.
+%%--------------------------------------------------------------------
+sign(PlainText, Digest) ->
+ sign(sha, PlainText, Digest).
+
+sign(DigestType, PlainText, #'RSAPrivateKey'{modulus = N, publicExponent = E,
+ privateExponent = D}) ->
+ crypto:rsa_sign(DigestType, sized_binary(PlainText), [crypto:mpint(E),
+ crypto:mpint(N),
+ crypto:mpint(D)]);
+
+sign(sha, PlainText, #'DSAPrivateKey'{p = P, q = Q, g = G, x = X}) ->
+ crypto:dss_sign(sized_binary(PlainText),
+ [crypto:mpint(P), crypto:mpint(Q),
+ crypto:mpint(G), crypto:mpint(X)]).
+
+%%--------------------------------------------------------------------
+%% Function: verify(DigestType, PlainText, Signature, Key) -> true | false
+%%
+%% DigestType = sha | md5
+%% PlainText = binary()
+%% Signature = binary()
+%% Key = rsa_public_key() | dsa_public_key()
+%%
+%% Description: Verifies the signature .
+%%--------------------------------------------------------------------
+verify(DigestType, PlainText, Signature,
+ #'RSAPublicKey'{modulus = Mod, publicExponent = Exp}, _) ->
+ crypto:rsa_verify(DigestType,
+ sized_binary(PlainText),
+ sized_binary(Signature),
+ [crypto:mpint(Exp), crypto:mpint(Mod)]);
+
+verify(sha, PlainText, Signature, Key, #'Dss-Parms'{p = P, q = Q, g = G}) ->
+ crypto:dss_verify(sized_binary(PlainText),
+ sized_binary(Signature),
+ [crypto:mpint(P), crypto:mpint(Q),
+ crypto:mpint(G), crypto:mpint(Key)]).
+
+%%--------------------------------------------------------------------
+%%% Internal functions
+%%--------------------------------------------------------------------
+
+sized_binary(Binary) when is_binary(Binary) ->
+ Size = size(Binary),
+ <>;
+sized_binary(List) ->
+ sized_binary(list_to_binary(List)).
+
diff --git a/lib/public_key/src/pubkey_pem.erl b/lib/public_key/src/pubkey_pem.erl
new file mode 100644
index 0000000000..abd46fa00e
--- /dev/null
+++ b/lib/public_key/src/pubkey_pem.erl
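Review bot: The header comment above `verify/5` documents a four-argument `verify(DigestType, PlainText, Signature, Key)`, but the exported function takes a fifth argument that carries the `#'Dss-Parms'{}` for DSA keys and is ignored (`_`) for RSA; it should read `%% Function: verify(DigestType, PlainText, Signature, Key, KeyParams) -> true | false` with a line `%% KeyParams = #'Dss-Parms'{} (DSA) | term() (ignored for RSA)`. In the same spirit, `sign/2` names its second parameter `Digest` although the contract says it is the key: `sign(PlainText, Key) -> sign(sha, PlainText, Key).` One security caveat is worth recording in the `verify` header: `DigestType = sha | md5` is passed straight to `crypto:rsa_verify/4` with no policy check here, so whoever validates certificate signatures must reject MD5-based algorithms itself (MD5 collisions have been used to forge CA certificates); a note such as `%% NOTE: md5 is accepted for interoperability only; certificate path validation should not trust MD5 signatures.` would make that explicit to callers.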
@@ -0,0 +1,192 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2008-2009. All Rights Reserved.
+%%
+%% The contents of this file are subject to the Erlang Public License,
+%% Version 1.1, (the "License"); you may not use this file except in
+%% compliance with the License. You should have received a copy of the
+%% Erlang Public License along with this software. If not, it can be
+%% retrieved online at http://www.erlang.org/.
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and limitations
+%% under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+%%
+
+%%% Description: Reading and writing of PEM type encoded files.
+%% PEM encoded files have the following structure:
+%%
+%%
+%% -----BEGIN SOMETHING-----
+%%
+%%
+%% ...
+%% -----END SOMETHING-----
+%%
+%%
+%% A file can contain several BEGIN/END blocks. Text lines between
+%% blocks are ignored.
+%%
+%% The encoding is divided into lines separated by , and each line
+%% is precisely 64 characters long (excluding the characters,
+%% except the last line which 64 characters long or shorter. may
+%% follow the last line.
+
+-module(pubkey_pem).
+
+-export([read_file/1, read_file/2, write_file/2, decode/2]).
+-export([decode_key/2]).
+
+-define(ENCODED_LINE_LENGTH, 64).
+
+%%====================================================================
+%% Internal application API
+%%====================================================================
+read_file(File) ->
+ read_file(File, no_passwd).
+
+read_file(File, Passwd) ->
+ {ok, Bin} = file:read_file(File),
+ decode(Bin, Passwd).
+
+write_file(File, Ds) ->
+ file:write_file(File, encode_file(Ds)).
+
+decode_key({_Type, Bin, not_encrypted}, _) ->
+ Bin;
+decode_key({_Type, Bin, {Chipher,Salt}}, Password) ->
+ decode_key(Bin, Password, Chipher, Salt).
+
+decode(Bin, Passwd) ->
+ decode_file(split_bin(Bin), Passwd).
+
+%%--------------------------------------------------------------------
+%%% Internal functions
+%%--------------------------------------------------------------------
+
+split_bin(Bin) ->
+ split_bin(0, Bin).
+
+split_bin(N, Bin) ->
+ case Bin of
+ <> ->
+ [Line | split_bin(0, Rest)];
+ <> ->
+ [Line | split_bin(0, Rest)];
+ <> ->
+ [Line];
+ _ ->
+ split_bin(N+1, Bin)
+ end.
+
+decode_file(Bin, Passwd) ->
+ decode_file(Bin, [], [Passwd]).
+
+decode_file([<<"-----BEGIN CERTIFICATE REQUEST-----", _/binary>>|Rest], Ens, Info) ->
+ decode_file2(Rest, [], Ens, cert_req, Info);
+decode_file([<<"-----BEGIN CERTIFICATE-----", _/binary>>|Rest], Ens, Info) ->
+ decode_file2(Rest, [], Ens, cert, Info);
+decode_file([<<"-----BEGIN RSA PRIVATE KEY-----", _/binary>>|Rest], Ens, Info) ->
+ decode_file2(Rest, [], Ens, rsa_private_key, Info);
+decode_file([<<"-----BEGIN DSA PRIVATE KEY-----", _/binary>>|Rest], Ens, Info) ->
+ decode_file2(Rest, [], Ens, dsa_private_key, Info);
+decode_file([<<"-----BEGIN DH PARAMETERS-----", _/binary>>|Rest], Ens, Info) ->
+ decode_file2(Rest, [], Ens, dh_params, Info);
+decode_file([_|Rest], Ens, Info) ->
+ decode_file(Rest, Ens, Info);
+decode_file([], Ens, _Info) ->
+ {ok, lists:reverse(Ens)}.
+
+decode_file2([<<"Proc-Type: 4,ENCRYPTED", _/binary>>| Rest0], RLs, Ens, Tag, Info0) ->
+ [InfoLine|Rest] = Rest0,
+ Info = dek_info(InfoLine, Info0),
+ decode_file2(Rest, RLs, Ens, Tag, Info);
+decode_file2([<<"-----END", _/binary>>| Rest], RLs, Ens, Tag, Info0) ->
+ Cs = erlang:iolist_to_binary(lists:reverse(RLs)),
+ Bin = base64:mime_decode(Cs),
+ case Info0 of
+ [Password, Cipher, SaltHex | Info1] ->
+ Salt = unhex(SaltHex),
+ Enc = {Cipher, Salt},
+ Decoded = decode_key(Bin, Password, Cipher, Salt),
+ decode_file(Rest, [{Tag, Decoded, Enc}| Ens], Info1);
+ _ ->
+ decode_file(Rest, [{Tag, Bin, not_encrypted}| Ens], Info0)
+ end;
+decode_file2([L|Rest], RLs, Ens, Tag, Info0) ->
+ decode_file2(Rest, [L|RLs], Ens, Tag, Info0);
+decode_file2([], _, Ens, _, _) ->
+ {ok, lists:reverse(Ens)}.
+
+%% TODO Support same as decode_file
+encode_file(Ds) ->
+ lists:map(
+ fun({cert, Bin}) ->
+ %% PKIX (X.509)
+ ["-----BEGIN CERTIFICATE-----\n",
+ b64encode_and_split(Bin),
+ "-----END CERTIFICATE-----\n\n"];
+ ({cert_req, Bin}) ->
+ %% PKCS#10
+ ["-----BEGIN CERTIFICATE REQUEST-----\n",
+ b64encode_and_split(Bin),
+ "-----END CERTIFICATE REQUEST-----\n\n"];
+ ({rsa_private_key, Bin}) ->
+ %% PKCS#?
+ ["XXX Following key assumed not encrypted\n",
+ "-----BEGIN RSA PRIVATE KEY-----\n",
+ b64encode_and_split(Bin),
+ "-----END RSA PRIVATE KEY-----\n\n"]
+ end, Ds).
+
+dek_info(Line0, Info) ->
+ Line = binary_to_list(Line0),
+ [_, DekInfo0] = string:tokens(Line, ": "),
+ DekInfo1 = string:tokens(DekInfo0, ",\n"),
+ Info ++ DekInfo1.
+
+unhex(S) ->
+ unhex(S, []).
+
+unhex("", Acc) ->
+ lists:reverse(Acc);
+unhex([D1, D2 | Rest], Acc) ->
+ unhex(Rest, [erlang:list_to_integer([D1, D2], 16) | Acc]).
+
+decode_key(Data, no_passwd, _Alg, _Salt) ->
+ Data;
+decode_key(Data, Password, "DES-CBC", Salt) ->
+ Key = password_to_key(Password, Salt, 8),
+ IV = Salt,
+ crypto:des_cbc_decrypt(Key, IV, Data);
+decode_key(Data, Password, "DES-EDE3-CBC", Salt) ->
+ Key = password_to_key(Password, Salt, 24),
+ IV = Salt,
+ <> = Key,
+ crypto:des_ede3_cbc_decrypt(Key1, Key2, Key3, IV, Data).
+
+password_to_key(Data, Salt, KeyLen) ->
+ <> =
+ password_to_key(<<>>, Data, Salt, KeyLen, <<>>),
+ Key.
+
+password_to_key(_, _, _, Len, Acc) when Len =< 0 ->
+ Acc;
+password_to_key(Prev, Data, Salt, Len, Acc) ->
+ M = crypto:md5([Prev, Data, Salt]),
+ password_to_key(M, Data, Salt, Len - size(M), <>).
+
+b64encode_and_split(Bin) ->
+ split_lines(base64:encode(Bin)).
+
+split_lines(<>) ->
+ [Text, $\n | split_lines(Rest)];
+split_lines(Bin) ->
+ [Bin, $\n].
+
diff --git a/lib/public_key/src/public_key.app.src b/lib/public_key/src/public_key.app.src
new file mode 100644
index 0000000000..edede7c874
--- /dev/null
+++ b/lib/public_key/src/public_key.app.src
@@ -0,0 +1,16 @@
+{application, public_key,
+ [{description, "Public key infrastructure"},
+ {vsn, "%VSN%"},
+ {modules, [
+ public_key,
+ pubkey_pem,
+ pubkey_crypto,
+ pubkey_cert,
+ pubkey_cert_records,
+ 'OTP-PUB-KEY'
+ ]},
+ {applications, [crypto, kernel, stdlib]},
+ {registered, []},
+ {env, []}
+ ]
+}.
\ No newline at end of file
diff --git a/lib/public_key/src/public_key.appup.src b/lib/public_key/src/public_key.appup.src
new file mode 100644
index 0000000000..8d33482f11
--- /dev/null
+++ b/lib/public_key/src/public_key.appup.src
@@ -0,0 +1,6 @@
+%% -*- erlang -*-
+{"%VSN%",
+ [
+ ],
+ [
+ ]}.
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
new file mode 100644
index 0000000000..b0b0b7a832
--- /dev/null
+++ b/lib/public_key/src/public_key.erl
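Review bot: In `decode_file2/5`, the `-----END` clause for an encrypted block continues with `decode_file(Rest, ..., Info1)`, where `Info1` is whatever followed the salt in `[Password, Cipher, SaltHex | Info1]`, i.e. `[]` since `decode_file/2` starts with `[Passwd]` and `dek_info` appends only the cipher and salt; the password is therefore dropped after the first encrypted block, a second `Proc-Type: 4,ENCRYPTED` block builds `Info = [Cipher, SaltHex]`, misses the three-element match, and is returned as `{Tag, Bin, not_encrypted}` holding the still-encrypted bytes with no `{Cipher, Salt}` to decrypt them later. The continuation should keep the password: `decode_file(Rest, [{Tag, Decoded, Enc}| Ens], [Password | Info1]);`. Two smaller points on the same path: `unhex/2` has no clause for an odd-length string and the salt is used directly as the DES IV (`IV = Salt` in both cipher clauses), so a DEK-Info line whose salt is not 16 hex digits fails with `function_clause` inside `unhex` or `crypto` rather than being rejected at parse time — a guard such as `when length(Salt) =:= 8` on the `"DES-CBC"` and `"DES-EDE3-CBC"` clauses would surface it up front. `password_to_key` also appears to be the OpenSSL-style single-round MD5 derivation and `"DES-CBC"` is 56-bit, so this encryption is for interoperability rather than meaningful protection of a key at rest; that, and the fact that `write_file/2` writes private keys with the process's default file mode, are worth stating in the module header.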
@@ -0,0 +1,411 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2008-2009. All Rights Reserved.
+%%
+%% The contents of this file are subject to the Erlang Public License,
+%% Version 1.1, (the "License"); you may not use this file except in
+%% compliance with the License. You should have received a copy of the
+%% Erlang Public License along with this software. If not, it can be
+%% retrieved online at http://www.erlang.org/.
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and limitations
+%% under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+%%
+
+-module(public_key).
+
+-include("public_key.hrl").
+
+-export([decode_private_key/1, decode_private_key/2,
+ decrypt_private/2, decrypt_private/3, encrypt_public/2,
+ encrypt_public/3, decrypt_public/2, decrypt_public/3,
+ encrypt_private/2, encrypt_private/3,
+ sign/2, sign/3,
+ verify_signature/3, verify_signature/4, verify_signature/5,
+ pem_to_der/1, pem_to_der/2,
+ pkix_decode_cert/2, pkix_encode_cert/1,
+ pkix_is_self_signed/1, pkix_is_fixed_dh_cert/1,
+ pkix_issuer_id/2,
+ pkix_is_issuer/2, pkix_normalize_general_name/1,
+ pkix_path_validation/3
+ ]).
+
+%%====================================================================
+%% API
+%%====================================================================
+
+%%--------------------------------------------------------------------
+%% Function: decode_private_key(KeyInfo [,Password]) ->
+%% {ok, PrivateKey} | {error, Reason}
+%%
+%% KeyInfo = {Type, der_bin(), ChipherInfo} - as returned from
+%% pem_to_der/[1,2] for private keys
+%% Type = rsa_private_key | dsa_private_key
+%% ChipherInfo = opaque() | no_encryption
+%%
+%% Description: Decodes an asn1 der encoded private key.
+%%--------------------------------------------------------------------
+decode_private_key(KeyInfo) ->
+ decode_private_key(KeyInfo, no_passwd).
+
+decode_private_key(KeyInfo = {rsa_private_key, _, _}, Password) ->
+ DerEncoded = pubkey_pem:decode_key(KeyInfo, Password),
+ 'OTP-PUB-KEY':decode('RSAPrivateKey', DerEncoded);
+decode_private_key(KeyInfo = {dsa_private_key, _, _}, Password) ->
+ DerEncoded = pubkey_pem:decode_key(KeyInfo, Password),
+ 'OTP-PUB-KEY':decode('DSAPrivateKey', DerEncoded).
+
+%%--------------------------------------------------------------------
+%% Function: decrypt_private(CipherText, Key) ->
+%% decrypt_private(CipherText, Key, Options) -> PlainTex
+%% decrypt_public(CipherText, Key) ->
+%% decrypt_public(CipherText, Key, Options) -> PlainTex
+%%
+%% CipherText = binary()
+%% Key = rsa_key()
+%% PlainText = binary()
+%%
+%% Description: Decrypts .
+%%--------------------------------------------------------------------
+decrypt_private(CipherText, Key) ->
+ decrypt_private(CipherText, Key, []).
+decrypt_private(CipherText, Key, Options) ->
+ Padding = proplists:get_value(rsa_pad, Options, rsa_pkcs1_padding),
+ pubkey_crypto:decrypt_private(CipherText, Key, Padding).
+
+decrypt_public(CipherText, Key) ->
+ decrypt_public(CipherText, Key, []).
+decrypt_public(CipherText, Key, Options) ->
+ Padding = proplists:get_value(rsa_pad, Options, rsa_pkcs1_padding),
+ pubkey_crypto:decrypt_public(CipherText, Key, Padding).
+
+%%--------------------------------------------------------------------
+%% Function: encrypt_public(PlainText, Key, Options) -> CipherText
+%% encrypt_private(PlainText, Key, Options) -> CipherText
+%%
+%% PlainText = iolist()
+%% Key = rsa_private_key()
+%% CipherText = binary()
+%%
+%% Description: Encrypts
+%%--------------------------------------------------------------------
+encrypt_public(PlainText, Key) ->
+ encrypt_public(PlainText, Key, []).
+encrypt_public(PlainText, Key, Options) ->
+ Padding = proplists:get_value(rsa_pad, Options, rsa_pkcs1_oaep_padding),
+ pubkey_crypto:encrypt_public(PlainText, Key, Padding).
+
+encrypt_private(PlainText, Key) ->
+ encrypt_private(PlainText, Key, []).
+encrypt_private(PlainText, Key, Options) ->
+ Padding = proplists:get_value(rsa_pad, Options, rsa_pkcs1_oaep_padding),
+ pubkey_crypto:encrypt_private(PlainText, Key, Padding).
+
+%%--------------------------------------------------------------------
+%% Function: pem_to_der(CertSource) ->
+%% pem_to_der(CertSource, Password) -> {ok, [Entry]} |
+%% {error, Reason}
+%%
+%% CertSource = File | CertData
+%% CertData = binary()
+%% File = path()
+%% Password = string()
+%% Entry = {entry_type(), der_bin(), ChipherInfo}
+%% ChipherInfo = opague() | no_encryption
+%% der_bin() = binary()
+%% entry_type() = cert | cert_req | rsa_private_key | dsa_private_key
+%% dh_params
+%%
+%% Description: decode PEM binary data or a PEM file and return
+%% entries as asn1 der encoded entities. Currently supported entry
+%% types are certificates, certificate requests, rsa private keys and
+%% dsa private keys. In the case of a key entry ChipherInfo will be
+%% used by decode_private_key/2 if the key is protected by a password.
+%%--------------------------------------------------------------------
+pem_to_der(CertSource) ->
+ pem_to_der(CertSource, no_passwd).
+
+pem_to_der(File, Password) when is_list(File) ->
+ pubkey_pem:read_file(File, Password);
+pem_to_der(PemBin, Password) when is_binary(PemBin) ->
+ pubkey_pem:decode(PemBin, Password).
+
+%%--------------------------------------------------------------------
+%% Function: pkix_decode_cert(BerCert, Type) -> {ok, Cert} | {error, Reason}
+%%
+%% BerCert = binary()
+%% Type = plain | otp
+%% Cert = certificate()
+%%
+%% Description: Decodes an asn1 ber encoded pkix certificate.
+%% otp - Uses OTP-PKIX.asn1 to decode known extensions and
+%% enhance the signature field in #'Certificate'{} and '#TBSCertificate'{}.
+%%--------------------------------------------------------------------
+pkix_decode_cert(BinCert, Type) ->
+ pubkey_cert_records:decode_cert(BinCert, Type).
+
+%%--------------------------------------------------------------------
+%% Function: pkix_encode_cert(Cert) -> {ok, binary()} | {error, Reason}
+%%
+%% Cert = #'Certificate'{}
+%%
+%% Description: Encodes a certificate record using asn1.
+%%--------------------------------------------------------------------
+pkix_encode_cert(Cert) ->
+ pubkey_cert_records:encode_cert(Cert).
+
+%%--------------------------------------------------------------------
+%% Function: pkix_path_validation(TrustedCert, CertChain, Options) ->
+%% {ok, {{algorithm(), public_key(), public_key_params()} policy_tree()}} |
+%% {error, Reason}
+%%
+%% Description: Performs a bacis path validation according to RFC 3280.
+%%--------------------------------------------------------------------
+pkix_path_validation(TrustedCert, CertChain, Options)
+ when is_binary(TrustedCert) ->
+ {ok, OtpCert} = pkix_decode_cert(TrustedCert, otp),
+ pkix_path_validation(OtpCert, CertChain, Options);
+
+pkix_path_validation(#'OTPCertificate'{} = TrustedCert, CertChain, Options)
+ when is_list(CertChain), is_list(Options) ->
+ MaxPathDefault = length(CertChain),
+ ValidationState = pubkey_cert:init_validation_state(TrustedCert,
+ MaxPathDefault,
+ Options),
+ Fun = proplists:get_value(validate_extensions_fun, Options,
+ fun(Extensions, State, _, AccError) ->
+ {Extensions, State, AccError}
+ end),
+ Verify = proplists:get_value(verify, Options, true),
+ path_validation(CertChain, ValidationState, Fun, Verify).
+%%--------------------------------------------------------------------
+%% Function: pkix_is_fixed_dh_cert(Cert) -> true | false
+%%
+%% Description: Checks if a Certificate is a fixed Diffie-Hellman Cert
+%%--------------------------------------------------------------------
+pkix_is_fixed_dh_cert(#'OTPCertificate'{} = OTPCert) ->
+ pubkey_cert:is_fixed_dh_cert(OTPCert);
+pkix_is_fixed_dh_cert(Cert) when is_binary(Cert) ->
+ {ok, OtpCert} = pkix_decode_cert(Cert, otp),
+ pkix_is_fixed_dh_cert(OtpCert).
+
+%%--------------------------------------------------------------------
+%% Function: pkix_is_self_signed(Cert) -> true | false
+%%
+%% Description: Checks if a Certificate is self signed.
+%%--------------------------------------------------------------------
+pkix_is_self_signed(#'OTPCertificate'{} = OTPCert) ->
+ pubkey_cert:is_self_signed(OTPCert);
+pkix_is_self_signed(Cert) when is_binary(Cert) ->
+ {ok, OtpCert} = pkix_decode_cert(Cert, otp),
+ pkix_is_self_signed(OtpCert).
+
+%%--------------------------------------------------------------------
+%% Function: pkix_issuer_id(Cert) -> {ok, {SerialNr, Issuer}} | {error, Reason}
+%%
+%% Cert = asn1_der_encoded() | 'OTPCertificate'{}
+%%
+%% Description: Returns the issuer id.
+%%--------------------------------------------------------------------
+pkix_issuer_id(#'OTPCertificate'{} = OtpCert, self) ->
+ pubkey_cert:issuer_id(OtpCert, self);
+
+pkix_issuer_id(#'OTPCertificate'{} = OtpCert, other) ->
+ pubkey_cert:issuer_id(OtpCert, other);
+
+pkix_issuer_id(Cert, Signed) when is_binary(Cert) ->
+ {ok, OtpCert} = pkix_decode_cert(Cert, otp),
+ pkix_issuer_id(OtpCert, Signed).
+
+%%--------------------------------------------------------------------
+%% Function: pkix_is_issuer(Cert, IssuerCert) -> true | false
+%%
+%% Cert = asn1_der_encoded() | 'OTPCertificate'{}
+%% IssuerCert = asn1_der_encoded() | 'OTPCertificate'{}
+%%
+%% Description: Checks if issued .
+%%--------------------------------------------------------------------
+pkix_is_issuer(Cert, IssuerCert) when is_binary(Cert) ->
+ {ok, OtpCert} = pkix_decode_cert(Cert, otp),
+ pkix_is_issuer(OtpCert, IssuerCert);
+
+pkix_is_issuer(Cert, IssuerCert) when is_binary(IssuerCert) ->
+ {ok, OtpIssuerCert} = pkix_decode_cert(IssuerCert, otp),
+ pkix_is_issuer(Cert, OtpIssuerCert);
+
+pkix_is_issuer(#'OTPCertificate'{tbsCertificate = TBSCert},
+ #'OTPCertificate'{tbsCertificate = Candidate}) ->
+ pubkey_cert:is_issuer(TBSCert#'OTPTBSCertificate'.issuer,
+ Candidate#'OTPTBSCertificate'.subject).
+
+%%--------------------------------------------------------------------
+%% Function: pkix_normalize_general_name(Issuer) ->
+%%
+%% Issuer = general_name() - see PKIX
+%%
+%% Description: Normalizes a general name so that it can be easily
+%% compared to another genral name.
+%%--------------------------------------------------------------------
+pkix_normalize_general_name(Issuer) ->
+ pubkey_cert:normalize_general_name(Issuer).
+
+%%--------------------------------------------------------------------
+%% Function:sign(Msg, Key) -> {ok, Signature}
+%% sign(Msg, Key, KeyParams) -> {ok, Signature}
+%%
+%% Msg = binary() | #'TBSCertificate'{}
+%% Key = private_key()
+%% KeyParams = key_params()
+%% Signature = binary()
+%%
+%% Description: Signs plaintext Msg or #TBSCertificate{}, in the later
+%% case a der encoded "#Certificate{}" will be returned.
+%%--------------------------------------------------------------------
+sign(Msg, #'RSAPrivateKey'{} = Key) when is_binary(Msg) ->
+ pubkey_crypto:sign(Msg, Key);
+
+sign(Msg, #'DSAPrivateKey'{} = Key) when is_binary(Msg) ->
+ pubkey_crypto:sign(Msg, Key);
+
+sign(#'OTPTBSCertificate'{signature = SigAlg} = TBSCert, Key) ->
+ Msg = pubkey_cert_records:encode_tbs_cert(TBSCert),
+ DigestType = pubkey_cert:digest_type(SigAlg),
+ Signature = pubkey_crypto:sign(DigestType, Msg, Key),
+ Cert = #'OTPCertificate'{tbsCertificate= TBSCert,
+ signatureAlgorithm = SigAlg,
+ signature = {0, Signature}
+ },
+ pkix_encode_cert(Cert).
+
+sign(DigestType, Msg, Key) ->
+ pubkey_crypto:sign(DigestType, Msg, Key).
+
+%%--------------------------------------------------------------------
+%% Function: verify_signature(PlainText, DigestType, Signature, Key) ->
+%% verify_signature(PlainText, DigestType,
+%% Signature, Key, KeyParams) ->
+%% verify_signature(DerCert, Key, KeyParams) ->
+%%
+%% PlainText = binary()
+%% DigestType = md5 | sha
+%% DerCert = asn1_der_encoded()
+%% Signature = binary()
+%% Key = public_key()
+%% KeyParams = key_params()
+%% Verified = boolean()
+%%
+%% Description: Verifies the signature .
+%%--------------------------------------------------------------------
+verify_signature(PlainText, DigestType, Signature, #'RSAPublicKey'{} = Key)
+ when is_binary(PlainText), is_binary(Signature), DigestType == sha;
+ DigestType == md5 ->
+ pubkey_crypto:verify(DigestType, PlainText, Signature, Key, undefined).
+
+verify_signature(PlainText, DigestType, Signature, #'RSAPublicKey'{} = Key,
+ KeyParams)
+ when is_binary(PlainText), is_binary(Signature), DigestType == sha;
+ DigestType == md5 ->
+ pubkey_crypto:verify(DigestType, PlainText, Signature, Key, KeyParams);
+verify_signature(PlainText, sha, Signature, Key, #'Dss-Parms'{} = KeyParams)
+ when is_binary(PlainText), is_binary(Signature), is_integer(Key) ->
+ pubkey_crypto:verify(sha, PlainText, Signature, Key, KeyParams).
+
+verify_signature(DerCert, Key, #'Dss-Parms'{} = KeyParams)
+ when is_binary(DerCert), is_integer(Key) ->
+ pubkey_cert:verify_signature(DerCert, Key, KeyParams);
+verify_signature(DerCert, #'RSAPublicKey'{} = Key, KeyParams)
+ when is_binary(DerCert) ->
+ pubkey_cert:verify_signature(DerCert, Key, KeyParams).
+
+%%--------------------------------------------------------------------
+%%% Internal functions
+%%--------------------------------------------------------------------
+path_validation([], #path_validation_state{working_public_key_algorithm
+ = Algorithm,
+ working_public_key =
+ PublicKey,
+ working_public_key_parameters
+ = PublicKeyParams,
+ valid_policy_tree = Tree,
+ acc_errors = AccErrors
+ }, _, _) ->
+ {ok, {{Algorithm, PublicKey, PublicKeyParams}, Tree, AccErrors}};
+
+path_validation([DerCert | Rest], ValidationState = #path_validation_state{
+ max_path_length = Len},
+ Fun, Verify) when Len >= 0 ->
+ try validate(DerCert,
+ ValidationState#path_validation_state{last_cert=Rest=:=[]},
+ Fun, Verify) of
+ #path_validation_state{} = NewValidationState ->
+ path_validation(Rest, NewValidationState, Fun, Verify)
+ catch
+ throw:Reason ->
+ {error, Reason}
+ end;
+
+path_validation(_, _, _, true) ->
+ {error, {bad_cert, max_path_length_reached}};
+
+path_validation(_, #path_validation_state{working_public_key_algorithm
+ = Algorithm,
+ working_public_key =
+ PublicKey,
+ working_public_key_parameters
+ = PublicKeyParams,
+ valid_policy_tree = Tree,
+ acc_errors = AccErrors
+ }, _, 
false) ->
+ {ok, {{Algorithm, PublicKey, PublicKeyParams}, Tree,
+ [{bad_cert, max_path_length_reached}|AccErrors]}}.
+
+validate(DerCert, #path_validation_state{working_issuer_name = Issuer,
+ working_public_key = Key,
+ working_public_key_parameters =
+ KeyParams,
+ permitted_subtrees = Permit,
+ excluded_subtrees = Exclude,
+ last_cert = Last,
+ user_state = UserState0,
+ acc_errors = AccErr0} =
+ ValidationState0, ValidateExtensionFun, Verify) ->
+ {ok, OtpCert} = pkix_decode_cert(DerCert, otp),
+ %% All validate functions will throw {bad_cert, Reason} if they
+ %% fail and Verify = true if Verify = false errors
+ %% will be accumulated in the validationstate
+ AccErr1 = pubkey_cert:validate_time(OtpCert, AccErr0, Verify),
+
+ AccErr2 = pubkey_cert:validate_issuer(OtpCert, Issuer, AccErr1, Verify),
+
+ AccErr3 = pubkey_cert:validate_names(OtpCert, Permit, Exclude, Last,
+ AccErr2, Verify),
+ AccErr4 =
+ pubkey_cert:validate_revoked_status(OtpCert, Verify, AccErr3),
+
+ {ValidationState1, UnknownExtensions0, AccErr5} =
+ pubkey_cert:validate_extensions(OtpCert, ValidationState0, Verify,
+ AccErr4),
+ %% We want the key_usage extension to be checked before we validate
+ %% the signature.
+ AccErr6 =
+ pubkey_cert:validate_signature(OtpCert, DerCert, Key, KeyParams,
+ AccErr5, Verify),
+
+ {UnknownExtensions, UserState, AccErr7} =
+ ValidateExtensionFun(UnknownExtensions0, UserState0, Verify, AccErr6),
+
+ %% Check that all critical extensions have been handled
+ AccErr =
+ pubkey_cert:validate_unknown_extensions(UnknownExtensions, AccErr7,
+ Verify),
+ ValidationState =
+ ValidationState1#path_validation_state{user_state = UserState,
+ acc_errors = AccErr},
+ pubkey_cert:prepare_for_next_cert(OtpCert, ValidationState).
diff --git a/lib/public_key/test/Makefile b/lib/public_key/test/Makefile
new file mode 100644
index 0000000000..2a4687677c
--- /dev/null
+++ b/lib/public_key/test/Makefile
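Review bot: The guards on the RSA clauses of verify_signature/4 and verify_signature/5 read `when is_binary(PlainText), is_binary(Signature), DigestType == sha; DigestType == md5`, and because `;` binds looser than `,` the md5 alternative satisfies the guard on its own, so a non-binary PlainText or Signature is passed straight to pubkey_crypto:verify/5 when DigestType is md5 instead of being rejected by the guard; parenthesising the disjunction, `when is_binary(PlainText), is_binary(Signature), (DigestType == sha orelse DigestType == md5) ->`, restores the intended check in both clauses. Related: validate/3 matches `{ok, OtpCert} = pkix_decode_cert(DerCert, otp)` on every chain element while the try in path_validation/4 only catches throw:Reason, so a chain certificate that fails to decode surfaces as a badmatch exit in the caller rather than the `{error, Reason}` that the pkix_path_validation header documents. The encrypt_public/encrypt_private defaults for rsa_pad are rsa_pkcs1_oaep_padding while decrypt_public/decrypt_private default to rsa_pkcs1_padding, so an encrypt_public/decrypt_private round trip with no options uses mismatched padding; either align the defaults or state the asymmetry in the function headers.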
@@ -0,0 +1,83 @@
+#
+# %CopyrightBegin%
+#
+# Copyright Ericsson AB 2008-2009. All Rights Reserved.
+#
+# The contents of this file are subject to the Erlang Public License,
+# Version 1.1, (the "License"); you may not use this file except in
+# compliance with the License. You should have received a copy of the
+# Erlang Public License along with this software. If not, it can be
+# retrieved online at http://www.erlang.org/.
+#
+# Software distributed under the License is distributed on an "AS IS"
+# basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+# the License for the specific language governing rights and limitations
+# under the License.
+#
+# %CopyrightEnd%
+#
+
+include $(ERL_TOP)/make/target.mk
+include $(ERL_TOP)/make/$(TARGET)/otp.mk
+
+
+INCLUDES= -I. -I$(ERL_TOP)/lib/test_server/include/ -I ../include \
+
+# ----------------------------------------------------
+# Target Specs
+# ----------------------------------------------------
+
+MODULES= \
+ public_key_SUITE \
+ pkits_SUITE
+
+ERL_FILES= $(MODULES:%=%.erl)
+
+HRL_FILES=
+
+TARGET_FILES= \
+ $(MODULES:%=$(EBIN)/%.$(EMULATOR))
+
+SPEC_FILES = public_key.spec
+
+# ----------------------------------------------------
+# Release directory specification
+# ----------------------------------------------------
+RELSYSDIR = $(RELEASE_PATH)/public_key_test
+
+# ----------------------------------------------------
+# FLAGS
+# ----------------------------------------------------
+ERL_COMPILE_FLAGS += $(INCLUDES)
+
+EBIN = .
+
+# ----------------------------------------------------
+# Targets
+# ----------------------------------------------------
+
+tests debug opt: $(TARGET_FILES)
+
+
+clean:
+ rm -f $(TARGET_FILES)
+ rm -f core
+
+docs:
+
+# ----------------------------------------------------
+# Release Target
+# ----------------------------------------------------
+include $(ERL_TOP)/make/otp_release_targets.mk
+
+release_spec: opt
+
+release_tests_spec: opt
+ $(INSTALL_DIR) $(RELSYSDIR)
+ $(INSTALL_DATA) $(SPEC_FILES) $(ERL_FILES) $(HRL_FILES)$(RELSYSDIR)
+ $(INSTALL_DATA) $(TARGET_FILES) $(RELSYSDIR)
+ chmod -f -R u+w $(RELSYSDIR)
+ @tar cf - *_SUITE_data | (cd $(RELSYSDIR); tar xf -)
+release_docs_spec:
+
+
diff --git a/lib/public_key/test/pkits_SUITE.erl b/lib/public_key/test/pkits_SUITE.erl
new file mode 100644
index 0000000000..5d58b39e26
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE.erl
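Review bot: In the release_tests_spec target the line `$(INSTALL_DATA) $(SPEC_FILES) $(ERL_FILES) $(HRL_FILES)$(RELSYSDIR)` has no separator between `$(HRL_FILES)` and `$(RELSYSDIR)`, which only works today because HRL_FILES is empty; the first header added to that variable would be glued onto the destination path and the install would fail or land in the wrong place. Change it to `$(INSTALL_DATA) $(SPEC_FILES) $(ERL_FILES) $(HRL_FILES) $(RELSYSDIR)`. Earlier in this hunk the INCLUDES assignment also ends with a trailing `\`, which continues it into the blank line that follows; harmless now, but a line inserted there later would be silently absorbed into INCLUDES, so the backslash should be dropped.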
@@ -0,0 +1,604 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2008-2009. All Rights Reserved.
+%%
+%% The contents of this file are subject to the Erlang Public License,
+%% Version 1.1, (the "License"); you may not use this file except in
+%% compliance with the License. You should have received a copy of the
+%% Erlang Public License along with this software. If not, it can be
+%% retrieved online at http://www.erlang.org/.
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and limitations
+%% under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+
+%% Se specification here:
+%% http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html
+
+-module(pkits_SUITE).
+
+-compile(export_all).
+
+%%-include_lib("public_key/include/public_key.hrl").
+-include("public_key.hrl").
+
+-define(error(Format,Args), error(Format,Args,?FILE,?LINE)).
+-define(warning(Format,Args), warning(Format,Args,?FILE,?LINE)).
+
+-define(CERTS, "pkits/certs").
+-define(MIME, "pkits/smime").
+-define(CONV, "pkits/smime-pem").
+
+-define(NIST1, "2.16.840.1.101.3.2.1.48.1").
+-define(NIST2, "2.16.840.1.101.3.2.1.48.2").
+-define(NIST3, "2.16.840.1.101.3.2.1.48.3").
+-define(NIST4, "2.16.840.1.101.3.2.1.48.4").
+-define(NIST5, "2.16.840.1.101.3.2.1.48.5").
+-define(NIST6, "2.16.840.1.101.3.2.1.48.6").
+
+%%
+all(doc) ->
+ ["PKITS tests for RFC3280 compliance"];
+all(suite) ->
+ [signature_verification,
+ validity_periods,
+ verifying_name_chaining,
+ %% basic_certificate_revocation_tests,
+ verifying_paths_with_self_issued_certificates,
+ verifying_basic_constraints,
+ key_usage,
+%% certificate_policies,
+%% require_explicit_policy,
+%% policy_mappings,
+%% inhibit_policy_mapping,
+%% inhibit_any_policy,
+ name_constraints,
+%% distribution_points,
+%% delta_crls,
+ private_certificate_extensions].
+
+signature_verification(doc) -> [""];
+signature_verification(suite) -> [];
+signature_verification(Config) when is_list(Config) ->
+ run(signature_verification()).
+validity_periods(doc) -> [""];
+validity_periods(suite) -> [];
+validity_periods(Config) when is_list(Config) ->
+ run(validity_periods()).
+verifying_name_chaining(doc) -> [""];
+verifying_name_chaining(suite) -> [];
+verifying_name_chaining(Config) when is_list(Config) ->
+ run(verifying_name_chaining()).
+basic_certificate_revocation_tests(doc) -> [""];
+basic_certificate_revocation_tests(suite) -> [];
+basic_certificate_revocation_tests(Config) when is_list(Config) ->
+ run(basic_certificate_revocation_tests()).
+verifying_paths_with_self_issued_certificates(doc) -> [""];
+verifying_paths_with_self_issued_certificates(suite) -> [];
+verifying_paths_with_self_issued_certificates(Config) when is_list(Config) ->
+ run(verifying_paths_with_self_issued_certificates()).
+verifying_basic_constraints(doc) -> [""];
+verifying_basic_constraints(suite) -> [];
+verifying_basic_constraints(Config) when is_list(Config) ->
+ run(verifying_basic_constraints()).
+key_usage(doc) -> [""];
+key_usage(suite) -> [];
+key_usage(Config) when is_list(Config) ->
+ run(key_usage()).
+certificate_policies(doc) -> [""];
+certificate_policies(suite) -> [];
+certificate_policies(Config) when is_list(Config) ->
+ run(certificate_policies()).
+require_explicit_policy(doc) -> [""];
+require_explicit_policy(suite) -> [];
+require_explicit_policy(Config) when is_list(Config) ->
+ run(require_explicit_policy()).
+policy_mappings(doc) -> [""];
+policy_mappings(suite) -> [];
+policy_mappings(Config) when is_list(Config) ->
+ run(policy_mappings()).
+inhibit_policy_mapping(doc) -> [""];
+inhibit_policy_mapping(suite) -> [];
+inhibit_policy_mapping(Config) when is_list(Config) ->
+ run(inhibit_policy_mapping()).
+inhibit_any_policy(doc) -> [""];
+inhibit_any_policy(suite) -> [];
+inhibit_any_policy(Config) when is_list(Config) ->
+ run(inhibit_any_policy()).
+name_constraints(doc) -> [""];
+name_constraints(suite) -> [];
+name_constraints(Config) when is_list(Config) ->
+ run(name_constraints()).
+distribution_points(doc) -> [""];
+distribution_points(suite) -> [];
+distribution_points(Config) when is_list(Config) ->
+ run(distribution_points()).
+delta_crls(doc) -> [""];
+delta_crls(suite) -> [];
+delta_crls(Config) when is_list(Config) ->
+ run(delta_crls()).
+private_certificate_extensions(doc) -> [""];
+private_certificate_extensions(suite) -> [];
+private_certificate_extensions(Config) when is_list(Config) ->
+ run(private_certificate_extensions()).
+
+run() ->
+ catch crypto:start(),
+ Tests =
+ [signature_verification(),
+ validity_periods(),
+ verifying_name_chaining(),
+ %%basic_certificate_revocation_tests(),
+ verifying_paths_with_self_issued_certificates(),
+ verifying_basic_constraints(),
+ key_usage(),
+ %%certificate_policies(),
+ %%require_explicit_policy(),
+ %%policy_mappings(),
+ %%inhibit_policy_mapping(),
+ %%inhibit_any_policy(),
+ name_constraints(),
+ %distribution_points(),
+ %delta_crls(),
+ private_certificate_extensions()
+ ],
+ run(lists:append(Tests)).
+
+run(Tests) ->
+ File = file(?CERTS,"TrustAnchorRootCertificate.crt"),
+ {ok, TA} = file:read_file(File),
+ run(Tests, TA).
+
+run({Chap, Test, Result}, TA) ->
+ CertChain = sort_chain(read_certs(Test),TA, [], false),
+ try public_key:pkix_path_validation(TA, CertChain, []) of
+ {Result, _} -> ok;
+ {error,Result} when Result =/= ok ->
+ ok;
+ {error,Error} when is_integer(Result) ->
+ ?warning(" ~p~n Got ~p expected ~p~n",[Test, Error, Result]);
+ {error,Error} when Result =/= ok ->
+ ?error(" minor ~p~n Got ~p expected ~p~n",[Test, Error, Result]);
+ {error, Error} ->
+ ?error(" ~p ~p~n Expected ~p got ~p ~n", [Chap, Test, Result, Error]),
+ fail;
+ {ok, _} when Result =/= ok ->
+ ?error(" ~p ~p~n Expected ~p got ~p ~n", [Chap, Test, Result, ok]),
+ fail
+ catch Type:Reason ->
+ Stack = erlang:get_stacktrace(),
+ io:format("Crash ~p:~p in ~p~n",[Type,Reason,Stack]),
+ io:format(" ~p ~p Expected ~p ~n", [Chap, Test, Result]),
+ exit(crash)
+ end;
+
+run([Test|Rest],TA) ->
+ run(Test,TA),
+ run(Rest,TA);
+run([],_) -> ok.
+
+
+read_certs(Test) ->
+ File = test_file(Test),
+ %% io:format("Read ~p ",[File]),
+ {ok, Ders} = public_key:pem_to_der(File),
+ %% io:format("Ders ~p ~n",[length(Ders)]),
+ [Cert || {cert,Cert,not_encrypted} <- Ders].
+
+test_file(Test) ->
+ file(?CONV, lists:append(string:tokens(Test, " -")) ++ ".pem").
+
+file(Sub,File) ->
+ TestDir = case get(datadir) of
+ undefined -> "./pkits_SUITE_data";
+ Dir when is_list(Dir) ->
+ Dir
+ end,
+ AbsFile = filename:join([TestDir,Sub,File]),
+ case filelib:is_file(AbsFile) of
+ true -> ok;
+ false ->
+ ?error("Couldn't read data from ~p ~n",[AbsFile])
+ end,
+ AbsFile.
+
+sort_chain([First|Certs], TA, Try, Found) ->
+ case public_key:pkix_is_issuer(First,TA) of
+ true ->
+ [First|sort_chain(Certs,First,Try,true)];
+ false ->
+ sort_chain(Certs,TA,[First|Try],Found)
+ end;
+sort_chain([], _, [],_) -> [];
+sort_chain([], Valid, Check, true) ->
+ sort_chain(lists:reverse(Check), Valid, [], false);
+sort_chain([], _Valid, Check, false) ->
+ Check.
+
+signature_verification() ->
+ %% "4.1", "Signature Verification" ,
+ [{ "4.1.1", "Valid Signatures Test1", ok},
+ { "4.1.2", "Invalid CA Signature Test2", {bad_cert,invalid_signature}},
+ { "4.1.3", "Invalid EE Signature Test3", {bad_cert,invalid_signature}},
+ { "4.1.4", "Valid DSA Signatures Test4", ok},
+ { "4.1.5", "Valid DSA Parameter Inheritance Test5", ok},
+ { "4.1.6", "Invalid DSA Signature Test6", {bad_cert,invalid_signature}}].
+validity_periods() ->
+ %% { "4.2", "Validity Periods" },
+ [{ "4.2.1", "Invalid CA notBefore Date Test1", {bad_cert, cert_expired}},
+ { "4.2.2", "Invalid EE notBefore Date Test2", {bad_cert, cert_expired}},
+ { "4.2.3", "Valid pre2000 UTC notBefore Date Test3", ok},
+ { "4.2.4", "Valid GeneralizedTime notBefore Date Test4", ok},
+ { "4.2.5", "Invalid CA notAfter Date Test5", {bad_cert, cert_expired}},
+ { "4.2.6", "Invalid EE notAfter Date Test6", {bad_cert, cert_expired}},
+ { "4.2.7", "Invalid pre2000 UTC EE notAfter Date Test7", {bad_cert, cert_expired}},
+ { "4.2.8", "Valid GeneralizedTime notAfter Date Test8", ok}].
+verifying_name_chaining() ->
+ %%{ "4.3", "Verifying Name Chaining" },
+ [{ "4.3.1", "Invalid Name Chaining EE Test1", {bad_cert, invalid_issuer}},
+ { "4.3.2", "Invalid Name Chaining Order Test2", {bad_cert, invalid_issuer}},
+ { "4.3.3", "Valid Name Chaining Whitespace Test3", ok},
+ { "4.3.4", "Valid Name Chaining Whitespace Test4", ok},
+ { "4.3.5", "Valid Name Chaining Capitalization Test5", ok},
+ { "4.3.6", "Valid Name Chaining UIDs Test6", ok},
+ { "4.3.7", "Valid RFC3280 Mandatory Attribute Types Test7", ok},
+ { "4.3.8", "Valid RFC3280 Optional Attribute Types Test8", ok},
+ { "4.3.9", "Valid UTF8String Encoded Names Test9", ok},
+ { "4.3.10", "Valid Rollover from PrintableString to UTF8String Test10", ok},
+ { "4.3.11", "Valid UTF8String Case Insensitive Match Test11", ok}].
+basic_certificate_revocation_tests() ->
+ %%{ "4.4", "Basic Certificate Revocation Tests" },
+ [{ "4.4.1", "Missing CRL Test1", 3 },
+ { "4.4.2", "Invalid Revoked CA Test2", 23 },
+ { "4.4.3", "Invalid Revoked EE Test3", 23 },
+ { "4.4.4", "Invalid Bad CRL Signature Test4", 8 },
+ { "4.4.5", "Invalid Bad CRL Issuer Name Test5", 3 },
+ { "4.4.6", "Invalid Wrong CRL Test6", 3 },
+ { "4.4.7", "Valid Two CRLs Test7", ok},
+
+ %% The test document suggests these should return certificate revoked...
+ %% Subsquent discussion has concluded they should not due to unhandle
+ %% critical CRL extensions.
+ { "4.4.8", "Invalid Unknown CRL Entry Extension Test8", 36 },
+ { "4.4.9", "Invalid Unknown CRL Extension Test9", 36 },
+
+ { "4.4.10", "Invalid Unknown CRL Extension Test10", 36 },
+ { "4.4.11", "Invalid Old CRL nextUpdate Test11", 12 },
+ { "4.4.12", "Invalid pre2000 CRL nextUpdate Test12", 12 },
+ { "4.4.13", "Valid GeneralizedTime CRL nextUpdate Test13", ok},
+ { "4.4.14", "Valid Negative Serial Number Test14", ok},
+ { "4.4.15", "Invalid Negative Serial Number Test15", 23 },
+ { "4.4.16", "Valid Long Serial Number Test16", ok},
+ { "4.4.17", "Valid Long Serial Number Test17", ok},
+ { "4.4.18", "Invalid Long Serial Number Test18", 23 },
+ { "4.4.19", "Valid Separate Certificate and CRL Keys Test19", ok},
+ { "4.4.20", "Invalid Separate Certificate and CRL Keys Test20", 23 },
+
+ %% CRL path is revoked so get a CRL path validation error
+ { "4.4.21", "Invalid Separate Certificate and CRL Keys Test21", 54 }].
+verifying_paths_with_self_issued_certificates() ->
+ %%{ "4.5", "Verifying Paths with Self-Issued Certificates" },
+ [{ "4.5.1", "Valid Basic Self-Issued Old With New Test1", ok},
+ %%{ "4.5.2", "Invalid Basic Self-Issued Old With New Test2", 23 },
+ %%{ "4.5.3", "Valid Basic Self-Issued New With Old Test3", ok},
+ %%{ "4.5.4", "Valid Basic Self-Issued New With Old Test4", ok},
+ { "4.5.5", "Invalid Basic Self-Issued New With Old Test5", 23 },
+ %%{ "4.5.6", "Valid Basic Self-Issued CRL Signing Key Test6", ok},
+ { "4.5.7", "Invalid Basic Self-Issued CRL Signing Key Test7", 23 },
+ { "4.5.8", "Invalid Basic Self-Issued CRL Signing Key Test8", {bad_cert,invalid_key_usage} }].
+verifying_basic_constraints() ->
+ [%%{ "4.6", "Verifying Basic Constraints" },
+ { "4.6.1", "Invalid Missing basicConstraints Test1",
+ {bad_cert, missing_basic_constraint} },
+ { "4.6.2", "Invalid cA False Test2", {bad_cert, missing_basic_constraint}},
+ { "4.6.3", "Invalid cA False Test3", {bad_cert, missing_basic_constraint}},
+ { "4.6.4", "Valid basicConstraints Not Critical Test4", ok},
+ { "4.6.5", "Invalid pathLenConstraint Test5", {bad_cert, max_path_length_reached}},
+ { "4.6.6", "Invalid pathLenConstraint Test6", {bad_cert, max_path_length_reached}},
+ { "4.6.7", "Valid pathLenConstraint Test7", ok},
+ { "4.6.8", "Valid pathLenConstraint Test8", ok},
+ { "4.6.9", "Invalid pathLenConstraint Test9", {bad_cert, max_path_length_reached}},
+ { "4.6.10", "Invalid pathLenConstraint Test10", {bad_cert, max_path_length_reached}},
+ { "4.6.11", "Invalid pathLenConstraint Test11", {bad_cert, max_path_length_reached}},
+ { "4.6.12", "Invalid pathLenConstraint Test12", {bad_cert, max_path_length_reached}},
+ { "4.6.13", "Valid pathLenConstraint Test13", ok},
+ { "4.6.14", "Valid pathLenConstraint Test14", ok},
+ { "4.6.15", "Valid Self-Issued pathLenConstraint Test15", ok},
+ { "4.6.16", "Invalid Self-Issued pathLenConstraint Test16", {bad_cert, max_path_length_reached}},
+ { "4.6.17", "Valid Self-Issued pathLenConstraint Test17", ok}].
+key_usage() ->
+ %%{ "4.7", "Key Usage" },
+ [{ "4.7.1", "Invalid keyUsage Critical keyCertSign False Test1", {bad_cert,invalid_key_usage} },
+ { "4.7.2", "Invalid keyUsage Not Critical keyCertSign False Test2", {bad_cert,invalid_key_usage} },
+ { "4.7.3", "Valid keyUsage Not Critical Test3", ok}
+ %%,{ "4.7.4", "Invalid keyUsage Critical cRLSign False Test4", 35 }
+ %%,{ "4.7.5", "Invalid keyUsage Not Critical cRLSign False Test5", 35 }
+ ].
+
+%% Certificate policy tests need special handling. They can have several
+%% sub tests and we need to check the outputs are correct.
+
+certificate_policies() ->
+ %%{ "4.8", "Certificate Policies" },
+ [{"4.8.1.1", "All Certificates Same Policy Test1", "-policy anyPolicy -explicit_policy", "True", ?NIST1, ?NIST1, 0},
+ {"4.8.1.2", "All Certificates Same Policy Test1", "-policy ?NIST1 -explicit_policy", "True", ?NIST1, ?NIST1, 0},
+ {"4.8.1.3", "All Certificates Same Policy Test1", "-policy ?NIST2 -explicit_policy", "True", ?NIST1, "", 43},
+ {"4.8.1.4", "All Certificates Same Policy Test1", "-policy ?NIST1 -policy ?NIST2 -explicit_policy", "True", ?NIST1, ?NIST1, 0},
+ {"4.8.2.1", "All Certificates No Policies Test2", "-policy anyPolicy", "False", "", "", 0},
+ {"4.8.2.2", "All Certificates No Policies Test2", "-policy anyPolicy -explicit_policy", "True", "", "", 43},
+ {"4.8.3.1", "Different Policies Test3", "-policy anyPolicy", "False", "", "", 0},
+ {"4.8.3.2", "Different Policies Test3", "-policy anyPolicy -explicit_policy", "True", "", "", 43},
+ {"4.8.3.3", "Different Policies Test3", "-policy ?NIST1 -policy ?NIST2 -explicit_policy", "True", "", "", 43},
+ {"4.8.4", "Different Policies Test4", "-policy anyPolicy", "True", "", "", 43},
+ {"4.8.5", "Different Policies Test5", "-policy anyPolicy", "True", "", "", 43},
+ {"4.8.6.1", "Overlapping Policies Test6", "-policy anyPolicy", "True", ?NIST1, ?NIST1, 0},
+ {"4.8.6.2", "Overlapping Policies Test6", "-policy ?NIST1", "True", ?NIST1, ?NIST1, 0},
+ {"4.8.6.3", "Overlapping Policies Test6", "-policy ?NIST2", "True", ?NIST1, "", 43},
+ {"4.8.7", "Different Policies Test7", "-policy anyPolicy", "True", "", "", 43},
+ {"4.8.8", "Different Policies Test8", "-policy anyPolicy", "True", "", "", 43},
+ {"4.8.9", "Different Policies Test9", "-policy anyPolicy", "True", "", "", 43},
+ {"4.8.10.1", "All Certificates Same Policies Test10", "-policy ?NIST1", "True", "?NIST1:?NIST2", "?NIST1", 0},
+ {"4.8.10.2", "All Certificates Same Policies Test10", "-policy ?NIST2", "True", "?NIST1:?NIST2", "?NIST2", 0},
+ {"4.8.10.3", "All Certificates Same Policies Test10", "-policy anyPolicy", "True", "?NIST1:?NIST2", "?NIST1:?NIST2", 0},
+ {"4.8.11.1", "All Certificates AnyPolicy Test11", "-policy anyPolicy", "True", "$apolicy", "$apolicy", 0},
+ {"4.8.11.2", "All Certificates AnyPolicy Test11", "-policy ?NIST1", "True", "$apolicy", "?NIST1", 0},
+ {"4.8.12", "Different Policies Test12", "-policy anyPolicy", "True", "", "", 43},
+ {"4.8.13.1", "All Certificates Same Policies Test13", "-policy ?NIST1", "True", "?NIST1:?NIST2:?NIST3", "?NIST1", 0},
+ {"4.8.13.2", "All Certificates Same Policies Test13", "-policy ?NIST2", "True", "?NIST1:?NIST2:?NIST3", "?NIST2", 0},
+ {"4.8.13.3", "All Certificates Same Policies Test13", "-policy ?NIST3", "True", "?NIST1:?NIST2:?NIST3", "?NIST3", 0},
+ {"4.8.14.1", "AnyPolicy Test14", "-policy ?NIST1", "True", "?NIST1", "?NIST1", 0},
+ {"4.8.14.2", "AnyPolicy Test14", "-policy ?NIST2", "True", "?NIST1", "", 43},
+ {"4.8.15", "User Notice Qualifier Test15", "-policy anyPolicy", "False", "?NIST1", "?NIST1", 0},
+ {"4.8.16", "User Notice Qualifier Test16", "-policy anyPolicy", "False", "?NIST1", "?NIST1", 0},
+ {"4.8.17", "User Notice Qualifier Test17", "-policy anyPolicy", "False", "?NIST1", "?NIST1", 0},
+ {"4.8.18.1", "User Notice Qualifier Test18", "-policy ?NIST1", "True", "?NIST1:?NIST2", "?NIST1", 0},
+ {"4.8.18.2", "User Notice Qualifier Test18", "-policy ?NIST2", "True", "?NIST1:?NIST2", "?NIST2", 0},
+ {"4.8.19", "User Notice Qualifier Test19", "-policy anyPolicy", "False", "?NIST1", "?NIST1", 0},
+ {"4.8.20", "CPS Pointer Qualifier Test20", "-policy anyPolicy -explicit_policy", "True", "?NIST1", "?NIST1", 0}].
+require_explicit_policy() ->
+ %%{ "4.9", "Require Explicit Policy" },
+ [{"4.9.1", "Valid RequireExplicitPolicy Test1", "-policy anyPolicy", "False", "", "", 0},
+ {"4.9.2", "Valid RequireExplicitPolicy Test2", "-policy anyPolicy", "False", "", "", 0},
+ {"4.9.3", "Invalid RequireExplicitPolicy Test3", "-policy anyPolicy", "True", "", "", 43},
+ {"4.9.4", "Valid RequireExplicitPolicy Test4", "-policy anyPolicy", "True", "?NIST1", "?NIST1", 0},
+ {"4.9.5", "Invalid RequireExplicitPolicy Test5", "-policy anyPolicy", "True", "", "", 43},
+ {"4.9.6", "Valid Self-Issued requireExplicitPolicy Test6", "-policy anyPolicy", "False", "", "", 0},
+ {"4.9.7", "Invalid Self-Issued requireExplicitPolicy Test7", "-policy anyPolicy", "True", "", "", 43},
+ {"4.9.8", "Invalid Self-Issued requireExplicitPolicy Test8", "-policy anyPolicy", "True", "", "", 43}].
+policy_mappings() ->
+ %%{ "4.10", "Policy Mappings" },
+ [{"4.10.1.1", "Valid Policy Mapping Test1", "-policy ?NIST1", "True", "?NIST1", "?NIST1", 0},
+ {"4.10.1.2", "Valid Policy Mapping Test1", "-policy ?NIST2", "True", "?NIST1", "", 43},
+ {"4.10.1.3", "Valid Policy Mapping Test1", "-policy anyPolicy -inhibit_map", "True", "", "", 43},
+ {"4.10.2.1", "Invalid Policy Mapping Test2", "-policy anyPolicy", "True", "", "", 43},
+ {"4.10.2.2", "Invalid Policy Mapping Test2", "-policy anyPolicy -inhibit_map", "True", "", "", 43},
+ {"4.10.3.1", "Valid Policy Mapping Test3", "-policy ?NIST1", "True", "?NIST2", "", 43},
+ {"4.10.3.2", "Valid Policy Mapping Test3", "-policy ?NIST2", "True", "?NIST2", "?NIST2", 0},
+ {"4.10.4", "Invalid Policy Mapping Test4", "-policy anyPolicy", "True", "", "", 43},
+ {"4.10.5.1", "Valid Policy Mapping Test5", "-policy ?NIST1", "True", "?NIST1", "?NIST1", 0},
+ {"4.10.5.2", "Valid Policy Mapping Test5", "-policy ?NIST6", "True", "?NIST1", "", 43},
+ {"4.10.6.1", "Valid Policy Mapping Test6", "-policy ?NIST1", "True", "?NIST1", "?NIST1", 0},
+ {"4.10.6.2", "Valid Policy Mapping Test6", "-policy ?NIST6", "True", "?NIST1", "", 43},
+ { "4.10.7", "Invalid Mapping From anyPolicy Test7", 42 },
+ { "4.10.8", "Invalid Mapping To anyPolicy Test8", 42 },
+ {"4.10.9", "Valid Policy Mapping Test9", "-policy anyPolicy", "True", "?NIST1", "?NIST1", 0},
+ {"4.10.10", "Invalid Policy Mapping Test10", "-policy anyPolicy", "True", "", "", 43},
+ {"4.10.11", "Valid Policy Mapping Test11", "-policy anyPolicy", "True", "?NIST1", "?NIST1", 0},
+
+ %% TODO: check notice display
+ {"4.10.12.1", "Valid Policy Mapping Test12", "-policy ?NIST1", "True", "?NIST1:?NIST2", "?NIST1", 0},
+
+ %% TODO: check notice display
+ {"4.10.12.2", "Valid Policy Mapping Test12", "-policy ?NIST2", "True", "?NIST1:?NIST2", "?NIST2", 0},
+ {"4.10.13", "Valid Policy Mapping Test13", "-policy anyPolicy", "True", "?NIST1", "?NIST1", 0},
+
+ %% TODO: check notice display
+ {"4.10.14", "Valid Policy Mapping Test14", "-policy anyPolicy", "True", "?NIST1", "?NIST1", 0}].
+
+inhibit_policy_mapping() ->
+ %%{ "4.11", "Inhibit Policy Mapping" },
+ [{"4.11.1", "Invalid inhibitPolicyMapping Test1", "-policy anyPolicy", "True", "", "", 43},
+ {"4.11.2", "Valid inhibitPolicyMapping Test2", "-policy anyPolicy", "True", "?NIST1", "?NIST1", 0},
+ {"4.11.3", "Invalid inhibitPolicyMapping Test3", "-policy anyPolicy", "True", "", "", 43},
+ {"4.11.4", "Valid inhibitPolicyMapping Test4", "-policy anyPolicy", "True", "?NIST2", "?NIST2", 0},
+ {"4.11.5", "Invalid inhibitPolicyMapping Test5", "-policy anyPolicy", "True", "", "", 43},
+ {"4.11.6", "Invalid inhibitPolicyMapping Test6", "-policy anyPolicy", "True", "", "", 43},
+ {"4.11.7", "Valid Self-Issued inhibitPolicyMapping Test7", "-policy anyPolicy", "True", "?NIST1", "?NIST1", 0},
+ {"4.11.8", "Invalid Self-Issued inhibitPolicyMapping Test8", "-policy anyPolicy", "True", "", "", 43},
+ {"4.11.9", "Invalid Self-Issued inhibitPolicyMapping Test9", "-policy anyPolicy", "True", "", "", 43},
+ {"4.11.10", "Invalid Self-Issued inhibitPolicyMapping Test10", "-policy anyPolicy", "True", "", "", 43},
+ {"4.11.11", "Invalid Self-Issued inhibitPolicyMapping Test11", "-policy anyPolicy", "True", "", "", 43}].
+inhibit_any_policy() ->
+ %%{ "4.12", "Inhibit Any Policy" },
+ [{"4.12.1", "Invalid inhibitAnyPolicy Test1", "-policy anyPolicy", "True", "", "", 43},
+ {"4.12.2", "Valid inhibitAnyPolicy Test2", "-policy anyPolicy", "True", "?NIST1", "?NIST1", 0},
+ {"4.12.3.1", "inhibitAnyPolicy Test3", "-policy anyPolicy", "True", "?NIST1", "?NIST1", 0},
+ {"4.12.3.2", "inhibitAnyPolicy Test3", "-policy anyPolicy -inhibit_any", "True", "", "", 43},
+ {"4.12.4", "Invalid inhibitAnyPolicy Test4", "-policy anyPolicy", "True", "", "", 43},
+ {"4.12.5", "Invalid inhibitAnyPolicy Test5", "-policy anyPolicy", "True", "", "", 43},
+ {"4.12.6", "Invalid inhibitAnyPolicy Test6", "-policy anyPolicy", "True", "", "", 43},
+ {"4.12.7", "Valid Self-Issued inhibitAnyPolicy Test7", ok},
+ {"4.12.8", "Invalid Self-Issued inhibitAnyPolicy Test8", 43 },
+ {"4.12.9", "Valid Self-Issued inhibitAnyPolicy Test9", ok},
+ {"4.12.10", "Invalid Self-Issued inhibitAnyPolicy Test10", 43 }].
+
+name_constraints() ->
+ %%{ "4.13", "Name Constraints" },
+ [{ "4.13.1", "Valid DN nameConstraints Test1", ok},
+ { "4.13.2", "Invalid DN nameConstraints Test2", {bad_cert, name_not_permitted}},
+ { "4.13.3", "Invalid DN nameConstraints Test3", {bad_cert, name_not_permitted}},
+ { "4.13.4", "Valid DN nameConstraints Test4", ok},
+ { "4.13.5", "Valid DN nameConstraints Test5", ok},
+ { "4.13.6", "Valid DN nameConstraints Test6", ok},
+ { "4.13.7", "Invalid DN nameConstraints Test7", {bad_cert, name_not_permitted}},
+ { "4.13.8", "Invalid DN nameConstraints Test8", {bad_cert, name_not_permitted}},
+ { "4.13.9", "Invalid DN nameConstraints Test9", {bad_cert, name_not_permitted}},
+ { "4.13.10", "Invalid DN nameConstraints Test10", {bad_cert, name_not_permitted}},
+ { "4.13.11", "Valid DN nameConstraints Test11", ok},
+ { "4.13.12", "Invalid DN nameConstraints Test12", {bad_cert, name_not_permitted}},
+ { "4.13.13", "Invalid DN nameConstraints Test13", {bad_cert, name_not_permitted}},
+ { "4.13.14", "Valid DN nameConstraints Test14", ok},
+ { "4.13.15", "Invalid DN nameConstraints Test15", {bad_cert, name_not_permitted}},
+ { "4.13.16", "Invalid DN nameConstraints Test16", {bad_cert, name_not_permitted}},
+ { "4.13.17", "Invalid DN nameConstraints Test17", {bad_cert, name_not_permitted}},
+ { "4.13.18", "Valid DN nameConstraints Test18", ok},
+ { "4.13.19", "Valid Self-Issued DN nameConstraints Test19", ok},
+ { "4.13.20", "Invalid Self-Issued DN nameConstraints Test20", {bad_cert, name_not_permitted} },
+ { "4.13.21", "Valid RFC822 nameConstraints Test21", ok},
+ { "4.13.22", "Invalid RFC822 nameConstraints Test22", {bad_cert, name_not_permitted} },
+ { "4.13.23", "Valid RFC822 nameConstraints Test23", ok},
+ { "4.13.24", "Invalid RFC822 nameConstraints Test24", {bad_cert, name_not_permitted} },
+ { "4.13.25", "Valid RFC822 nameConstraints Test25", ok},
+ { "4.13.26", "Invalid RFC822 nameConstraints Test26", {bad_cert, name_not_permitted}},
+ { "4.13.27", "Valid DN and RFC822 nameConstraints Test27", ok},
+ { "4.13.28", "Invalid DN and RFC822 nameConstraints Test28", {bad_cert, name_not_permitted} },
+ { "4.13.29", "Invalid DN and RFC822 nameConstraints Test29", {bad_cert, name_not_permitted} },
+ { "4.13.30", "Valid DNS nameConstraints Test30", ok},
+ { "4.13.31", "Invalid DNS nameConstraints Test31", {bad_cert, name_not_permitted} },
+ { "4.13.32", "Valid DNS nameConstraints Test32", ok},
+ { "4.13.33", "Invalid DNS nameConstraints Test33", {bad_cert, name_not_permitted}},
+ { "4.13.34", "Valid URI nameConstraints Test34", ok},
+ { "4.13.35", "Invalid URI nameConstraints Test35", {bad_cert, name_not_permitted} },
+ { "4.13.36", "Valid URI nameConstraints Test36", ok},
+ { "4.13.37", "Invalid URI nameConstraints Test37", {bad_cert, name_not_permitted}},
+ { "4.13.38", "Invalid DNS nameConstraints Test38", {bad_cert, name_not_permitted} }].
+distribution_points() ->
+ %%{ "4.14", "Distribution Points" },
+ [{ "4.14.1", "Valid distributionPoint Test1", ok},
+ { "4.14.2", "Invalid distributionPoint Test2", 23 },
+ { "4.14.3", "Invalid distributionPoint Test3", 44 },
+ { "4.14.4", "Valid distributionPoint Test4", ok},
+ { "4.14.5", "Valid distributionPoint Test5", ok},
+ { "4.14.6", "Invalid distributionPoint Test6", 23 },
+ { "4.14.7", "Valid distributionPoint Test7", ok},
+ { "4.14.8", "Invalid distributionPoint Test8", 44 },
+ { "4.14.9", "Invalid distributionPoint Test9", 44 },
+ { "4.14.10", "Valid No issuingDistributionPoint Test10", ok},
+ { "4.14.11", "Invalid onlyContainsUserCerts CRL Test11", 44 },
+ { "4.14.12", "Invalid onlyContainsCACerts CRL Test12", 44 },
+ { "4.14.13", "Valid onlyContainsCACerts CRL Test13", ok},
+ { "4.14.14", "Invalid onlyContainsAttributeCerts Test14", 44 },
+ { "4.14.15", "Invalid onlySomeReasons Test15", 23 },
+ { "4.14.16", "Invalid onlySomeReasons Test16", 23 },
+ { "4.14.17", "Invalid onlySomeReasons Test17", 3 },
+ { "4.14.18", "Valid onlySomeReasons Test18", ok},
+ { "4.14.19", "Valid onlySomeReasons Test19", ok},
+ { "4.14.20", "Invalid onlySomeReasons Test20", 23 },
+ { "4.14.21", "Invalid onlySomeReasons Test21", 23 },
+ { "4.14.22", "Valid IDP with indirectCRL Test22", ok},
+ { "4.14.23", "Invalid IDP with indirectCRL Test23", 23 },
+ { "4.14.24", "Valid IDP with indirectCRL Test24", ok},
+ { "4.14.25", "Valid IDP with indirectCRL Test25", ok},
+ { "4.14.26", "Invalid IDP with indirectCRL Test26", 44 },
+ { "4.14.27", "Invalid cRLIssuer Test27", 3 },
+ { "4.14.28", "Valid cRLIssuer Test28", ok},
+ { "4.14.29", "Valid cRLIssuer Test29", ok},
+
+ %% Although this test is valid it has a circular dependency. As a result
+ %% an attempt is made to reursively checks a CRL path and rejected due to
+ %% a CRL path validation error. PKITS notes suggest this test does not
+ %% need to be run due to this issue.
+ { "4.14.30", "Valid cRLIssuer Test30", 54 },
+ { "4.14.31", "Invalid cRLIssuer Test31", 23 },
+ { "4.14.32", "Invalid cRLIssuer Test32", 23 },
+ { "4.14.33", "Valid cRLIssuer Test33", ok},
+ { "4.14.34", "Invalid cRLIssuer Test34", 23 },
+ { "4.14.35", "Invalid cRLIssuer Test35", 44 }].
+delta_crls() ->
+ %%{ "4.15", "Delta-CRLs" },
+ [{ "4.15.1", "Invalid deltaCRLIndicator No Base Test1", 3 },
+ { "4.15.2", "Valid delta-CRL Test2", ok},
+ { "4.15.3", "Invalid delta-CRL Test3", 23 },
+ { "4.15.4", "Invalid delta-CRL Test4", 23 },
+ { "4.15.5", "Valid delta-CRL Test5", ok},
+ { "4.15.6", "Invalid delta-CRL Test6", 23 },
+ { "4.15.7", "Valid delta-CRL Test7", ok},
+ { "4.15.8", "Valid delta-CRL Test8", ok},
+ { "4.15.9", "Invalid delta-CRL Test9", 23 },
+ { "4.15.10", "Invalid delta-CRL Test10", 12 }].
+private_certificate_extensions() ->
+ %%{ "4.16", "Private Certificate Extensions" },
+ [{ "4.16.1", "Valid Unknown Not Critical Certificate Extension Test1", ok},
+ { "4.16.2", "Invalid Unknown Critical Certificate Extension Test2",
+ {bad_cert,unknown_critical_extension}}].
+
+
+convert() ->
+ Tests = [signature_verification(),
+ validity_periods(),
+ verifying_name_chaining(),
+ basic_certificate_revocation_tests(),
+ verifying_paths_with_self_issued_certificates(),
+ verifying_basic_constraints(),
+ key_usage(),
+ certificate_policies(),
+ require_explicit_policy(),
+ policy_mappings(),
+ inhibit_policy_mapping(),
+ inhibit_any_policy(),
+ name_constraints(),
+ distribution_points(),
+ delta_crls(),
+ private_certificate_extensions()],
+ [convert(Test) || Test <- lists:flatten(Tests)].
+
+convert({_,Test,_}) ->
+ convert1(Test);
+convert({_,Test,_,_,_,_,_}) ->
+ convert1(Test).
+
+convert1(Test) ->
+ FName = lists:append(string:tokens(Test, " -")),
+ File = filename:join(?MIME, "Signed" ++ FName ++ ".eml"),
+ io:format("Convert ~p~n",[File]),
+ {ok, Mail} = file:read_file(File),
+ Base64 = skip_lines(Mail),
+ %%io:format("~s",[Base64]),
+ Tmp = base64:mime_decode(Base64),
+ file:write_file("pkits/smime-pem/tmp-pkcs7.der", Tmp),
+ Cmd = "openssl pkcs7 -inform der -in pkits/smime-pem/tmp-pkcs7.der"
+ " -print_certs -out pkits/smime-pem/" ++ FName ++ ".pem",
+ case os:cmd(Cmd) of
+ "" -> ok;
+ Err ->
+ io:format("~s",[Err]),
+ erlang:error(bad_cmd)
+ end.
+
+skip_lines(<<"\r\n\r\n", Rest/binary>>) -> Rest;
+skip_lines(<<"\n\n", Rest/binary>>) -> Rest;
+skip_lines(<<_:8, Rest/binary>>) ->
+ skip_lines(Rest).
+
+init_per_testcase(_Func, Config) ->
+ Datadir = proplists:get_value(data_dir, Config),
+ put(datadir, Datadir),
+ Config.
+
+fin_per_testcase(_Func, Config) ->
+ %% Nodes = select_nodes(all, Config, ?FILE, ?LINE),
+ %% rpc:multicall(Nodes, mnesia, lkill, []),
+ Config.
+
+init_per_suite(Config) ->
+ crypto:start(),
+ Config.
+
+end_per_suite(_Config) ->
+ crypto:stop().
+
+error(Format, Args, File0, Line) ->
+ File = filename:basename(File0),
+ Pid = group_leader(),
+ Pid ! {failed, File, Line},
+ io:format(Pid, "~s(~p): ERROR"++Format, [File,Line|Args]).
+
+warning(Format, Args, File0, Line) ->
+ File = filename:basename(File0),
+ io:format("~s(~p): Warning "++Format, [File,Line|Args]).
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/certs/TrustAnchorRootCertificate.crt b/lib/public_key/test/pkits_SUITE_data/pkits/certs/TrustAnchorRootCertificate.crt
new file mode 100644
index 0000000000..21f520ee56
Binary files /dev/null and b/lib/public_key/test/pkits_SUITE_data/pkits/certs/TrustAnchorRootCertificate.crt differ
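Review bot: The `fail` returned by the two `?error(...), fail` clauses of run/2 is discarded by `run([Test|Rest],TA) -> run(Test,TA), run(Rest,TA);`, so a chain that pkix_path_validation accepts although PKITS expects rejection (the `{ok, _} when Result =/= ok` clause, e.g. an invalid signature or a name-constraints violation) still lets the test case return `ok`; unless the `{failed, File, Line}` message that error/4 sends to the group leader is acted on by the harness, which this file does not show, such a regression in path validation would only be visible in the log. A one-line fix is to make the list clause strict, `run([Test|Rest],TA) -> ok = run(Test,TA), run(Rest,TA);` — the lenient `?warning` and "minor" `?error` clauses return the `ok` of io:format, so only the two `fail` clauses would abort the case. Separately, the `{error,Error} when is_integer(Result)` clause accepts any error with a warning for entries whose expected value is an OpenSSL numeric code (4.5.5 and 4.5.7 are in the enabled suites), so those cases only prove that validation fails, not why; a comment such as `%% Integer expectations are unmapped OpenSSL codes: any error passes with a warning` above that clause would make the weaker guarantee explicit.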
diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesAnyPolicyTest11.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesAnyPolicyTest11.pem
new file mode 100644
index 0000000000..8f00499440
--- /dev/null
+++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesAnyPolicyTest11.pem
@@ -0,0 +1,108 @@ +subject=/C=US/O=Test Certificates/CN=anyPolicy CA +issuer=/C=US/O=Test Certificates/CN=Trust Anchor +-----BEGIN CERTIFICATE----- +MIICfDCCAeWgAwIBAgIBJjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv +cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEAxCzAJBgNVBAYTAlVT +MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMYW55UG9saWN5 +IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGOGYJ7e91FozKo0McZ6T1 +zTYa4IXfHqChuqKgri79fgKVZZsKwOyoHWJfsLn6ClknlWE9NJATHZfQp8GfLy9k +MbdXEKgZQoyWOV2Q0s37ez+I4yuR33JZpxtpKqYQW2fKdhhOdR+DcLwgWUJ4s1Gg +KCXhxYnC4nfSho/lgR3h/QIDAQABo4GFMIGCMB8GA1UdIwQYMBaAFPts1C2Bnson +ep4NsDzqmryH/0nqMB0GA1UdDgQWBBQ+s56i5EOF+2dAMYYTm8Zh7YbV4jAOBgNV +HQ8BAf8EBAMCAQYwEQYDVR0gBAowCDAGBgRVHSAAMA8GA1UdEwEB/wQFMAMBAf8w +DAYDVR0kBAUwA4ABADANBgkqhkiG9w0BAQUFAAOBgQA8JxYIM/manOaFxyoO3y+p +th/jCQFiR6fDo5mhYEOjZuHDWdejSZvNtbpPfNnKmM6W/qI57hZBgVDil9P/CMSi +wYPJvKl0ofonnhhPd+uMPhJENho/NhWyc1cgruABceTtBP966dRIhejL3K7SewrT +aV+IWdHVMKREjOXtHakoKQ== +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=All Certificates anyPolicy EE Certificate Test11 +issuer=/C=US/O=Test Certificates/CN=anyPolicy CA +-----BEGIN CERTIFICATE----- +MIICfzCCAeigAwIBAgIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGFueVBvbGljeSBD +QTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGQxCzAJBgNVBAYTAlVT +MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE5MDcGA1UEAxMwQWxsIENlcnRp +ZmljYXRlcyBhbnlQb2xpY3kgRUUgQ2VydGlmaWNhdGUgVGVzdDExMIGfMA0GCSqG +SIb3DQEBAQUAA4GNADCBiQKBgQDXI8MbFkMJTmeIdP1EpYg8qYdNkQRq1yNQYMHH +9TxFgw3L7sCGGxJS6PN4SS67CdnNZKNseFT+qAIDIbBw+p6uuAB4PWZEireOFo+s +PSdbG2Os76qFi12SpIniE64W5aSMzmccMf6RqzuqUROYH8wOzk8w6y+RI2qnkqDx +0HxJrwIDAQABo2UwYzAfBgNVHSMEGDAWgBQ+s56i5EOF+2dAMYYTm8Zh7YbV4jAd +BgNVHQ4EFgQUC8LFyye3gbbbFeNrasBg1Fq10JYwDgYDVR0PAQH/BAQDAgTwMBEG +A1UdIAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQUFAAOBgQAmASNJNMm+5XfUYE/I 
+IhtOmsbGvCrIWyMyhcv7gosAMSsXYU+8CzWpkjP0zS42rEphyqP8zUAWjR/BqUJV +9uwenHlpNeVflKgq0UVqYeoqc+afpvgLe+2o2Fe81Uz2tQ+LjwRQCm0/dhEVeZ4B +JutCF8LtmT3hv2RlWp5v1mmG4w== +-----END CERTIFICATE----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=anyPolicy CA + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:3E:B3:9E:A2:E4:43:85:FB:67:40:31:86:13:9B:C6:61:ED:86:D5:E2 + + X509v3 CRL Number: + 1 +No Revoked Certificates. + Signature Algorithm: sha1WithRSAEncryption + 2a:c3:2d:e7:f3:91:d6:67:7b:66:88:f9:22:e8:64:c9:80:a2: + 88:bb:d7:a0:84:a3:75:ab:d5:af:72:d0:fa:1f:ed:4e:42:29: + 62:23:32:25:59:4d:a3:45:c1:bc:ae:37:c8:b2:d0:79:00:96: + 84:0d:7d:a2:f0:58:d7:c4:99:64:cc:4e:8b:5f:88:f6:6f:cf: + ee:39:54:34:8c:7b:0f:e7:43:0b:26:d8:6e:c4:f8:6a:ed:80: + 9a:47:d3:38:bb:82:9b:fe:bf:6b:01:6e:c9:e7:8f:3e:cc:b1: + 4a:a3:df:86:3a:2d:ca:62:6c:dd:27:a8:51:c2:b4:3f:c5:ba: + 90:6c +-----BEGIN X509 CRL----- +MIIBOTCBowIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGFueVBvbGljeSBDQRcNMDEw +NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAUPrOeouRD +hftnQDGGE5vGYe2G1eIwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAKsMt +5/OR1md7Zoj5IuhkyYCiiLvXoISjdavVr3LQ+h/tTkIpYiMyJVlNo0XBvK43yLLQ +eQCWhA19ovBY18SZZMxOi1+I9m/P7jlUNIx7D+dDCybYbsT4au2AmkfTOLuCm/6/ +awFuyeePPsyxSqPfhjotymJs3SeoUcK0P8W6kGw= +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Trust Anchor + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 68 + Revocation Date: Apr 19 14:57:20 2001 
GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b: + 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31: + 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53: + 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31: + dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7: + bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf: + 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9: + 14:39 +-----BEGIN X509 CRL----- +MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw +NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow +DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/ +SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t +JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4 +cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr +8tP+qCAxwTN2txwZZU25FDk= +-----END X509 CRL----- + diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesNoPoliciesTest2.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesNoPoliciesTest2.pem new file mode 100644 index 0000000000..ea336fce35 --- /dev/null +++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesNoPoliciesTest2.pem 
@@ -0,0 +1,107 @@ +subject=/C=US/O=Test Certificates/CN=No Policies CA +issuer=/C=US/O=Test Certificates/CN=Trust Anchor +-----BEGIN CERTIFICATE----- +MIICWzCCAcSgAwIBAgIBIjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv +cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEIxCzAJBgNVBAYTAlVT +MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEXMBUGA1UEAxMOTm8gUG9saWNp +ZXMgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKWH/haSHmzYQAYFLKMA +cbwROk7OaY3N6TMLQIz4yWrwGzpy+kiIDZ2xVPnyHRHp12VlAI5u78kQKAivhpNw +ovjgrUmE86zb3/OOa341tubElI6Y9G1Y1tnzPCK+hi1vjrHAHr1Glf8VOgZ9ijpU +SjXOsw5pFlz22uc7BRI7S/K1AgMBAAGjYzBhMB8GA1UdIwQYMBaAFPts1C2Bnson +ep4NsDzqmryH/0nqMB0GA1UdDgQWBBRTwRQlfeVbPleR+JYOkJ5dxiWoujAOBgNV +HQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBr +G1ayCZm1VdyAqi1JuxUTt6bQcd8iNR0vvnl49QzjKgCNRqNV69RCH0U4ZST8D57t +TVN8DJITlnH+Kbid6OWcgkb+vi5C0SPLPNym18RVzKNQtR88lJCByvNbx/CprRYl +EfsMrs6FA8loVY0rVrUpEsTjVxyDh+fb8GZ3CAJIng== +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=All Certificates No Policies EE Certificate Test2 +issuer=/C=US/O=Test Certificates/CN=No Policies CA +-----BEGIN CERTIFICATE----- +MIICbzCCAdigAwIBAgIBATANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFzAVBgNVBAMTDk5vIFBvbGljaWVz +IENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowZTELMAkGA1UEBhMC +VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTowOAYDVQQDEzFBbGwgQ2Vy +dGlmaWNhdGVzIE5vIFBvbGljaWVzIEVFIENlcnRpZmljYXRlIFRlc3QyMIGfMA0G +CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbFHIGRAKQBl4eS/EWvFaVcb/7H30je7Yf +LmXoIYQGeWJZQfXWSsJyXyoaMhf4uLonxy8mi1Ap8vy3Fqc9b55Cm48xatNCao6D +W6YbSQu9hiSXCMxjXWnrYfi62KywO6I2y5JbT0CZ2PbQO0lFXYKPaTFDKzgf9l4x +ppvlkUQdsQIDAQABo1IwUDAfBgNVHSMEGDAWgBRTwRQlfeVbPleR+JYOkJ5dxiWo +ujAdBgNVHQ4EFgQUy5AB5Gdr2u2a+KXtJZFHFSHyopEwDgYDVR0PAQH/BAQDAgTw +MA0GCSqGSIb3DQEBBQUAA4GBAGk2l02zPeeK5Xca7UysnHmcjV08jAnZw6WqKJlS +ZK/upXnIu/i4JXjxhC/aBpFDs1foGPEPb7vPwJBq6psJ/qvrL3FxzWnmp08P4iUP 
+c7e9vxXYaMIQC3duKeV6SOn5VrpSPYRfchw/i70FJ+QCw9xAvNZ2X45Pzi9k9xUg +VfLw +-----END CERTIFICATE----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=No Policies CA + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:53:C1:14:25:7D:E5:5B:3E:57:91:F8:96:0E:90:9E:5D:C6:25:A8:BA + + X509v3 CRL Number: + 1 +No Revoked Certificates. + Signature Algorithm: sha1WithRSAEncryption + 32:a4:9a:ca:5f:51:9e:91:db:fb:8a:0a:85:9b:64:c7:08:ef: + d5:17:43:34:7b:ad:53:90:4d:d1:43:10:f9:47:88:de:f3:78: + 67:2a:3a:4b:0e:5c:1a:a5:ee:19:b9:ef:f9:eb:3f:f1:39:2c: + 31:ab:e5:14:a7:90:8a:87:71:c6:78:a1:75:df:84:aa:3a:68: + 37:8a:ba:65:79:1f:31:93:8c:4e:6a:f1:1c:3b:fb:68:79:34: + 55:5b:42:55:8d:f3:2d:9f:f6:47:8d:64:6a:02:84:0b:97:aa: + 2c:c6:96:18:ed:b3:b1:a1:62:b4:73:40:83:00:1f:1e:96:ec: + d2:ff +-----BEGIN X509 CRL----- +MIIBOzCBpQIBATANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFzAVBgNVBAMTDk5vIFBvbGljaWVzIENBFw0w +MTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAWgBRTwRQl +feVbPleR+JYOkJ5dxiWoujAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUFAAOBgQAy +pJrKX1Gekdv7igqFm2THCO/VF0M0e61TkE3RQxD5R4je83hnKjpLDlwape4Zue/5 +6z/xOSwxq+UUp5CKh3HGeKF134SqOmg3irpleR8xk4xOavEcO/toeTRVW0JVjfMt +n/ZHjWRqAoQLl6osxpYY7bOxoWK0c0CDAB8eluzS/w== +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Trust Anchor + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 68 + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature 
Algorithm: sha1WithRSAEncryption + 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b: + 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31: + 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53: + 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31: + dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7: + bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf: + 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9: + 14:39 +-----BEGIN X509 CRL----- +MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw +NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow +DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/ +SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t +JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4 +cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr +8tP+qCAxwTN2txwZZU25FDk= +-----END X509 CRL----- + diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePoliciesTest10.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePoliciesTest10.pem new file mode 100644 index 0000000000..62412e9602 --- /dev/null +++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePoliciesTest10.pem 
@@ -0,0 +1,108 @@ +subject=/C=US/O=Test Certificates/CN=Policies P12 CA +issuer=/C=US/O=Test Certificates/CN=Trust Anchor +-----BEGIN CERTIFICATE----- +MIICkzCCAfygAwIBAgIBJTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv +cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT +MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPUG9saWNpZXMg +UDEyIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5unCMuN8PuVFWbqxO +/wnIQsciPiEo1GoKWjM6+kb9l3h6wWyWYwmst2c158qcJLY9PxaUMhqQd/SY0Tt9 +WlHXVcE8rMoWSGmFxfK33UpeCtqwz9ugPSWwZkqx2lI/0ozQXgjYb0J9/EoKw1O0 +CxxrdQdPQkyLD4Uxe87/MlpzsQIDAQABo4GZMIGWMB8GA1UdIwQYMBaAFPts1C2B +nsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBQA42XpgdSGuccd5/MzOQZeTBGl+TAO +BgNVHQ8BAf8EBAMCAQYwJQYDVR0gBB4wHDAMBgpghkgBZQMCATABMAwGCmCGSAFl +AwIBMAIwDwYDVR0TAQH/BAUwAwEB/zAMBgNVHSQEBTADgAEAMA0GCSqGSIb3DQEB +BQUAA4GBABX9GMyAC90FH8BvpnNh6SDn2MIT7iINc4/9u64d1dxEhqogqcR58khK +btHyx8YrgbCcqUNS4Xs7ckW5k2VNAd9dG0Chc0uk6rwkv+sD1/zJi8LIGd/3cFjk +biIVYqPxb7WpKqo97V+43tMFsTqJNBSh+6W14vlP55+Ep5IlxcOm +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=All Certificates Same Policies EE Certificate Test10 +issuer=/C=US/O=Test Certificates/CN=Policies P12 CA +-----BEGIN CERTIFICATE----- +MIICmjCCAgOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD1BvbGljaWVzIFAx +MiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMGgxCzAJBgNVBAYT +AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczE9MDsGA1UEAxM0QWxsIENl +cnRpZmljYXRlcyBTYW1lIFBvbGljaWVzIEVFIENlcnRpZmljYXRlIFRlc3QxMDCB +nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmrdM0DTddXChaxuvVK1/9AmbK3pj +B7nrBT7FrZ4f+6sp0e/vN7kCNEiAaRq1BDUFjyiesHIoL7gVKw96xoYTQ1qdCGZO +04GFQtVjtBx8SZCDsvjWgaXxs2BPj3ooNV199aMCiKTeNPm1TwL2zpmGRBaV5As8 +X8eCNYjiya9c6jMCAwEAAaN5MHcwHwYDVR0jBBgwFoAUAONl6YHUhrnHHefzMzkG +XkwRpfkwHQYDVR0OBBYEFMb2N25TEoHRRp8AmP8/XLXv9HDaMA4GA1UdDwEB/wQE +AwIE8DAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjANBgkq 
+hkiG9w0BAQUFAAOBgQBM+wZzcjByDVKWb9MADcwg0VTmgmhOhSmt3fqhHagC9q3G +ZY6+OWkM6gCdmw1JBr9JRTHPl1uo/W5dI4OVIupjsct4ObPWx1yn29VM30lyaYDR +iBhgjOp5tonCixdFbt7pMnviPwsIDKdQLQz0k8m7d/au9BVHVSlyDoqm0I0uSg== +-----END CERTIFICATE----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Policies P12 CA + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:00:E3:65:E9:81:D4:86:B9:C7:1D:E7:F3:33:39:06:5E:4C:11:A5:F9 + + X509v3 CRL Number: + 1 +No Revoked Certificates. + Signature Algorithm: sha1WithRSAEncryption + a2:21:e6:6b:0b:99:66:79:2d:86:a7:9b:cd:37:9b:4d:73:1f: + df:91:63:c4:de:55:15:53:b0:32:ac:c8:3c:bd:96:aa:ae:c9: + 4f:b2:7c:9d:40:d7:f4:5d:99:8e:fa:2b:44:2d:75:ef:01:38: + 86:c8:59:ae:e4:62:e4:83:b4:73:03:34:d1:7f:52:bc:3d:bb: + 77:7e:7c:c9:41:09:4c:08:4f:a9:7f:d9:d9:0f:bc:46:9d:05: + 70:2f:66:0b:d4:0d:80:ec:11:83:4e:1b:90:95:ad:86:02:77: + e8:19:aa:a6:48:29:a3:9f:36:c3:ec:9a:f5:a4:9a:0b:f5:11: + 1d:72 +-----BEGIN X509 CRL----- +MIIBPDCBpgIBATANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD1BvbGljaWVzIFAxMiBDQRcN +MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAUAONl +6YHUhrnHHefzMzkGXkwRpfkwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEA +oiHmawuZZnkthqebzTebTXMf35FjxN5VFVOwMqzIPL2Wqq7JT7J8nUDX9F2Zjvor +RC117wE4hshZruRi5IO0cwM00X9SvD27d358yUEJTAhPqX/Z2Q+8Rp0FcC9mC9QN +gOwRg04bkJWthgJ36Bmqpkgpo582w+ya9aSaC/URHXI= +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Trust Anchor + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 
68 + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b: + 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31: + 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53: + 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31: + dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7: + bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf: + 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9: + 14:39 +-----BEGIN X509 CRL----- +MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw +NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow +DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/ +SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t +JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4 +cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr +8tP+qCAxwTN2txwZZU25FDk= +-----END X509 CRL----- + diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePoliciesTest13.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePoliciesTest13.pem new file mode 100644 index 0000000000..888f8c117a --- /dev/null +++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePoliciesTest13.pem 
@@ -0,0 +1,110 @@ +subject=/C=US/O=Test Certificates/CN=Policies P123 CA +issuer=/C=US/O=Test Certificates/CN=Trust Anchor +-----BEGIN CERTIFICATE----- +MIICojCCAgugAwIBAgIBJDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv +cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEQxCzAJBgNVBAYTAlVT +MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEZMBcGA1UEAxMQUG9saWNpZXMg +UDEyMyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuGtVArq1otVEuN/s +xR5XSOEfVzIms1FiprO4UReYXUDbKzmCYC6YypbEnOP2JpLQOPwAfVqLL8FV7xiS +o+HmK25R0aK9nQGFUPX0U9o4b5NRcWFAoYBAF2GOFBNqGF6d9wBFPlijGMT8nWr5 +ahnujYSC1Emy88N4hkp1fj4o7yMCAwEAAaOBpzCBpDAfBgNVHSMEGDAWgBT7bNQt +gZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQU0L/Nm9/xkf2Ch1oQz5Cvi7zyxcww +DgYDVR0PAQH/BAQDAgEGMDMGA1UdIAQsMCowDAYKYIZIAWUDAgEwATAMBgpghkgB +ZQMCATACMAwGCmCGSAFlAwIBMAMwDwYDVR0TAQH/BAUwAwEB/zAMBgNVHSQEBTAD +gAEAMA0GCSqGSIb3DQEBBQUAA4GBAHcVVBwhebD5vRKleXMh71kleQIL8QOQFpHM +jVYS/KJiBsVUTebOeONSU0cuPmzomEkpLyYPz8cDroidExtxGEpkKgYBGi1c5ext +cDUGFsTWENTFFWjZ7xA56XUtGd8alXJfY0v6QSHqoYFosJvoqU2bjX6jqQVK5HbY +kko1SxlW +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=All Certificates Same Policies EE Certificate Test13 +issuer=/C=US/O=Test Certificates/CN=Policies P123 CA +-----BEGIN CERTIFICATE----- +MIICqzCCAhSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBEMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGTAXBgNVBAMTEFBvbGljaWVzIFAx +MjMgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBoMQswCQYDVQQG +EwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxPTA7BgNVBAMTNEFsbCBD +ZXJ0aWZpY2F0ZXMgU2FtZSBQb2xpY2llcyBFRSBDZXJ0aWZpY2F0ZSBUZXN0MTMw +gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ6RCve4HAIbl7RQiw7tPY3IJ0oT +KvS2jsUu4eNuzThRoKW0cWW3N+Jk1rkqgaaebVodXrb9cuDFONWRL0X2DZazb5h/ +4FX3obShqywkydsz7vBoixmRXa/oKtIa78h5zQTSDPR0sJeWIikOUJZMIJv4CNw1 +Pwvu3Y3i9CwT6m2fAgMBAAGjgYgwgYUwHwYDVR0jBBgwFoAU0L/Nm9/xkf2Ch1oQ +z5Cvi7zyxcwwHQYDVR0OBBYEFGqUba1DKQxc60sgeqLAqyOR/22bMA4GA1UdDwEB 
+/wQEAwIE8DAzBgNVHSAELDAqMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjAM +BgpghkgBZQMCATADMA0GCSqGSIb3DQEBBQUAA4GBAAd1diIEB4YaH7gH6DO1vptE +G2YpbuvISfPDhWjrLI/sLSJTH3l+kC/GE4FDEHJ0Rc76la5gyUbRwX1zTZKHGyxx +NhuE3i0XkrAlR6xRUJRcb1SgD7JqMzup7ZuFP9h3+txi71G33fMStCxKGa6ijUKd +LTzImFXGxbWm6SZujuyJ +-----END CERTIFICATE----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Policies P123 CA + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:D0:BF:CD:9B:DF:F1:91:FD:82:87:5A:10:CF:90:AF:8B:BC:F2:C5:CC + + X509v3 CRL Number: + 1 +No Revoked Certificates. + Signature Algorithm: sha1WithRSAEncryption + 81:c2:63:b3:65:bd:c4:2d:98:7c:e0:85:dd:5f:07:d7:b4:1b: + 7a:64:a7:7f:60:3d:62:3a:70:af:d5:97:23:23:9a:48:e3:b7: + 8b:c0:3d:43:c1:66:e8:24:db:ed:a9:ab:0a:70:51:d8:7d:65: + 92:ea:e9:6f:cb:96:8e:3b:cf:94:e9:9c:d2:27:54:29:8c:81: + 84:1d:a6:22:65:85:46:70:07:da:1d:e9:79:9f:e7:3c:4e:96: + 1b:11:d9:08:ec:f7:95:15:c9:db:8d:a7:17:16:3e:76:bb:41: + 98:15:94:b3:1a:19:6f:1e:dc:10:24:c8:ae:bc:38:93:c5:04: + ef:9d +-----BEGIN X509 CRL----- +MIIBPTCBpwIBATANBgkqhkiG9w0BAQUFADBEMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGTAXBgNVBAMTEFBvbGljaWVzIFAxMjMgQ0EX +DTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaAFNC/ +zZvf8ZH9godaEM+Qr4u88sXMMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GB +AIHCY7NlvcQtmHzghd1fB9e0G3pkp39gPWI6cK/VlyMjmkjjt4vAPUPBZugk2+2p +qwpwUdh9ZZLq6W/Llo47z5TpnNInVCmMgYQdpiJlhUZwB9od6Xmf5zxOlhsR2Qjs +95UVyduNpxcWPna7QZgVlLMaGW8e3BAkyK68OJPFBO+d +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Trust Anchor + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + 
keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 68 + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b: + 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31: + 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53: + 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31: + dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7: + bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf: + 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9: + 14:39 +-----BEGIN X509 CRL----- +MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw +NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow +DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/ +SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t +JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4 +cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr +8tP+qCAxwTN2txwZZU25FDk= +-----END X509 CRL----- + diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePolicyTest1.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePolicyTest1.pem new file mode 100644 index 0000000000..de409f5895 --- /dev/null +++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AllCertificatesSamePolicyTest1.pem 
@@ -0,0 +1,118 @@ +subject=/C=US/O=Test Certificates/CN=Valid EE Certificate Test1 +issuer=/C=US/O=Test Certificates/CN=Good CA +-----BEGIN CERTIFICATE----- +MIICajCCAdOgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN +MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBOMQswCQYDVQQGEwJVUzEaMBgG +A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIzAhBgNVBAMTGlZhbGlkIEVFIENlcnRp +ZmljYXRlIFRlc3QxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtpKu/a6Co +7KcKOymboEA+MmgoryXHT1dxExmQ1lO7yah2L8j8RG6ox5Tr37TV8Y21ti3MopcF +H+iXDSX31fixsYCZkcpjMI4kbjXmjGOeFKu1vnbBmcb5JBISiUeg22tIRFoJ4zTh +i3GLVecGijyOVReA5LiPymEKG7fAB3241wIDAQABo2swaTAfBgNVHSMEGDAWgBS3 +LqaCy8LIvKh7J0TXNTPfmhWUxzAdBgNVHQ4EFgQUOsyUZQyFqTzB4K9RMyoUSI+e +kVswDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkq +hkiG9w0BAQUFAAOBgQCkaGfCqYi0681n9Dit36lg3U/9gTZoNqPMaAaLUQV3Crzx +x2MGInhTyKchYydbV8HD89N2jzzYq7J2KM/ZEAfjskCdsj1SiMNkbYZe3rZZOldr +PCGFgzUGTNakQxkpxU5j7plivQic/OZ7+mMTi0fnjGRi9M+aa744VmH6FgCt1w== +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Good CA +issuer=/C=US/O=Test Certificates/CN=Trust Anchor +-----BEGIN CERTIFICATE----- +MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv +cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT +MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB +nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0 +p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2 +IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp +Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa +vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE +AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN +BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya +cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg 
+3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq +rA== +-----END CERTIFICATE----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Trust Anchor + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 68 + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b: + 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31: + 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53: + 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31: + dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7: + bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf: + 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9: + 14:39 +-----BEGIN X509 CRL----- +MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw +NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow +DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/ +SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t +JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4 +cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr +8tP+qCAxwTN2txwZZU25FDk= +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Good CA + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7 + + X509v3 CRL Number: + 1 
+Revoked Certificates: + Serial Number: 0E + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Serial Number: 0F + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90: + 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f: + 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65: + 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1: + 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e: + b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb: + 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85: + 92:cd +-----BEGIN X509 CRL----- +MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0 +NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD +VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf +BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq +hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE +MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1 +KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ== +-----END X509 CRL----- + diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AnyPolicyTest14.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AnyPolicyTest14.pem new file mode 100644 index 0000000000..82576fb4a3 --- /dev/null +++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/AnyPolicyTest14.pem 
@@ -0,0 +1,108 @@ +subject=/C=US/O=Test Certificates/CN=anyPolicy EE Certificate Test14 +issuer=/C=US/O=Test Certificates/CN=anyPolicy CA +-----BEGIN CERTIFICATE----- +MIICdDCCAd2gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGFueVBvbGljeSBD +QTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFMxCzAJBgNVBAYTAlVT +MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEoMCYGA1UEAxMfYW55UG9saWN5 +IEVFIENlcnRpZmljYXRlIFRlc3QxNDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC +gYEAosJmcfDGby4vpcrZs7/LeCfqnvDfXgZakoRonLHgudPwLK839x7AtBqsAAsx +wYNmtj+gGNu9x2hjBOrEFHjxVhCZbr+V2b3NuZ0C2p+OcSZ6nKYxxmgtP9NrTYZs +MVo8uJ/d9zDXB7/Hflbl2iOtwHe4CpWlWkAcb55leIZdFx0CAwEAAaNrMGkwHwYD +VR0jBBgwFoAUPrOeouRDhftnQDGGE5vGYe2G1eIwHQYDVR0OBBYEFEAG933vDjVc +5TJ4xVFIKNj24AmHMA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFl +AwIBMAEwDQYJKoZIhvcNAQEFBQADgYEAHS2x3KJlEZ/YeT5mje964ccV/zmiYkiy +SP02lLjIQuB7b4R8xS4TYb6lXC18dc0776mMu6BQVqECrBq71A77N5cd5Xuc/+5U +5ZMyLiowPxjhgjqMOZV6Vno6zYQh+4bdFIqNZ4Wv1l0KyhvD5KU5gBQ6uK/Gbmgx +gC2356iQiJE= +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=anyPolicy CA +issuer=/C=US/O=Test Certificates/CN=Trust Anchor +-----BEGIN CERTIFICATE----- +MIICfDCCAeWgAwIBAgIBJjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv +cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEAxCzAJBgNVBAYTAlVT +MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEVMBMGA1UEAxMMYW55UG9saWN5 +IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGOGYJ7e91FozKo0McZ6T1 +zTYa4IXfHqChuqKgri79fgKVZZsKwOyoHWJfsLn6ClknlWE9NJATHZfQp8GfLy9k +MbdXEKgZQoyWOV2Q0s37ez+I4yuR33JZpxtpKqYQW2fKdhhOdR+DcLwgWUJ4s1Gg +KCXhxYnC4nfSho/lgR3h/QIDAQABo4GFMIGCMB8GA1UdIwQYMBaAFPts1C2Bnson +ep4NsDzqmryH/0nqMB0GA1UdDgQWBBQ+s56i5EOF+2dAMYYTm8Zh7YbV4jAOBgNV +HQ8BAf8EBAMCAQYwEQYDVR0gBAowCDAGBgRVHSAAMA8GA1UdEwEB/wQFMAMBAf8w +DAYDVR0kBAUwA4ABADANBgkqhkiG9w0BAQUFAAOBgQA8JxYIM/manOaFxyoO3y+p +th/jCQFiR6fDo5mhYEOjZuHDWdejSZvNtbpPfNnKmM6W/qI57hZBgVDil9P/CMSi 
+wYPJvKl0ofonnhhPd+uMPhJENho/NhWyc1cgruABceTtBP966dRIhejL3K7SewrT +aV+IWdHVMKREjOXtHakoKQ== +-----END CERTIFICATE----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=anyPolicy CA + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:3E:B3:9E:A2:E4:43:85:FB:67:40:31:86:13:9B:C6:61:ED:86:D5:E2 + + X509v3 CRL Number: + 1 +No Revoked Certificates. + Signature Algorithm: sha1WithRSAEncryption + 2a:c3:2d:e7:f3:91:d6:67:7b:66:88:f9:22:e8:64:c9:80:a2: + 88:bb:d7:a0:84:a3:75:ab:d5:af:72:d0:fa:1f:ed:4e:42:29: + 62:23:32:25:59:4d:a3:45:c1:bc:ae:37:c8:b2:d0:79:00:96: + 84:0d:7d:a2:f0:58:d7:c4:99:64:cc:4e:8b:5f:88:f6:6f:cf: + ee:39:54:34:8c:7b:0f:e7:43:0b:26:d8:6e:c4:f8:6a:ed:80: + 9a:47:d3:38:bb:82:9b:fe:bf:6b:01:6e:c9:e7:8f:3e:cc:b1: + 4a:a3:df:86:3a:2d:ca:62:6c:dd:27:a8:51:c2:b4:3f:c5:ba: + 90:6c +-----BEGIN X509 CRL----- +MIIBOTCBowIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDGFueVBvbGljeSBDQRcNMDEw +NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAUPrOeouRD +hftnQDGGE5vGYe2G1eIwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAKsMt +5/OR1md7Zoj5IuhkyYCiiLvXoISjdavVr3LQ+h/tTkIpYiMyJVlNo0XBvK43yLLQ +eQCWhA19ovBY18SZZMxOi1+I9m/P7jlUNIx7D+dDCybYbsT4au2AmkfTOLuCm/6/ +awFuyeePPsyxSqPfhjotymJs3SeoUcK0P8W6kGw= +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Trust Anchor + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 68 + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key 
Compromise + Signature Algorithm: sha1WithRSAEncryption + 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b: + 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31: + 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53: + 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31: + dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7: + bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf: + 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9: + 14:39 +-----BEGIN X509 CRL----- +MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw +NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow +DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/ +SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t +JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4 +cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr +8tP+qCAxwTN2txwZZU25FDk= +-----END X509 CRL----- + diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/CPSPointerQualifierTest20.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/CPSPointerQualifierTest20.pem new file mode 100644 index 0000000000..bd06526d83 --- /dev/null +++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/CPSPointerQualifierTest20.pem 
@@ -0,0 +1,120 @@ +subject=/C=US/O=Test Certificates/CN=Good CA +issuer=/C=US/O=Test Certificates/CN=Trust Anchor +-----BEGIN CERTIFICATE----- +MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv +cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT +MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB +nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0 +p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2 +IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp +Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa +vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE +AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN +BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya +cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg +3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq +rA== +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=CPS Pointer Qualifier EE Certificate Test20 +issuer=/C=US/O=Test Certificates/CN=Good CA +-----BEGIN CERTIFICATE----- +MIICuTCCAiKgAwIBAgIBFTANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN +MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBfMQswCQYDVQQGEwJVUzEaMBgG +A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxNDAyBgNVBAMTK0NQUyBQb2ludGVyIFF1 +YWxpZmllciBFRSBDZXJ0aWZpY2F0ZSBUZXN0MjAwgZ8wDQYJKoZIhvcNAQEBBQAD +gY0AMIGJAoGBAMoJaBG/FNuQhA4cgeiGiLpg79tevgtM1J+7DRztxWNGR1ETJ2fT +76YKUm8p81GifGLyp0GPixlRYrORVU04fWNYnx8Zf7rkoCPeVEDinuLDtIrrENam +41t/iHh8pI2pzuA+AUUT9MOXDyVHFx+hGhjOseGtcUIJB0h641auD/XtAgMBAAGj +gagwgaUwHwYDVR0jBBgwFoAUty6mgsvCyLyoeydE1zUz35oVlMcwHQYDVR0OBBYE +FMLcmlwicNMKSIWer8jYAJSooOpzMA4GA1UdDwEB/wQEAwIE8DBTBgNVHSAETDBK +MEgGCmCGSAFlAwIBMAEwOjA4BggrBgEFBQcCARYsaHR0cDovL2NzcmMubmlzdC5n +b3YvY3Nvci9wa2lyZWcuaHRtI3BraXRlc3QwDQYJKoZIhvcNAQEFBQADgYEAfDo9 
+XQCL4ynO7TfTvX9MENaHI304AZw1YU+SP2zkPuDd4HxsI1FK04q1NbIaJ+TOVfk3 +Fke0kNKWelXWa4JcqZ8eg1RxzRsqB47a0IdMOcVwwjKNI5U9KkHRvHjCBMip0wjU +j6Qw2ktcJRAOZf2zsNks/lq7d2+7udwTCiASQ84= +-----END CERTIFICATE----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Trust Anchor + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 68 + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b: + 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31: + 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53: + 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31: + dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7: + bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf: + 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9: + 14:39 +-----BEGIN X509 CRL----- +MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw +NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow +DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/ +SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t +JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4 +cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr +8tP+qCAxwTN2txwZZU25FDk= +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Good CA + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key 
Identifier: + keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7 + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 0E + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Serial Number: 0F + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90: + 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f: + 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65: + 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1: + 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e: + b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb: + 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85: + 92:cd +-----BEGIN X509 CRL----- +MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0 +NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD +VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf +BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq +hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE +MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1 +KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ== +-----END X509 CRL----- + diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest12.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest12.pem new file mode 100644 index 0000000000..4084a4851c --- /dev/null +++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest12.pem 
@@ -0,0 +1,108 @@ +subject=/C=US/O=Test Certificates/CN=Different Policies EE Certificate Test12 +issuer=/C=US/O=Test Certificates/CN=Policies P3 CA +-----BEGIN CERTIFICATE----- +MIICfzCCAeigAwIBAgIBATANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFzAVBgNVBAMTDlBvbGljaWVzIFAz +IENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowXDELMAkGA1UEBhMC +VVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTEwLwYDVQQDEyhEaWZmZXJl +bnQgUG9saWNpZXMgRUUgQ2VydGlmaWNhdGUgVGVzdDEyMIGfMA0GCSqGSIb3DQEB +AQUAA4GNADCBiQKBgQCyCzdT70A8+vsLoViq8TWIYg7Eta6CLxVYgGuIT/jHnsK+ ++FbOsG9GIxdLYhdZrrlKG4cAlkpS/6K9L23KfQGiNNjQ4LaWC/geLyNeOOOrnXBk +nMhffhtlQ4PzTnEtjtr0fUr5iNZtCZpTUSQKxvZfEL8s8HUbsiPagLV9TwXO3QID +AQABo2swaTAfBgNVHSMEGDAWgBSOvWaPjlVlz1HkWabJKh5iv/elvDAdBgNVHQ4E +FgQUgYdlKg2WZsyn5n9xnCVxsVRQwz4wDgYDVR0PAQH/BAQDAgTwMBcGA1UdIAQQ +MA4wDAYKYIZIAWUDAgEwBDANBgkqhkiG9w0BAQUFAAOBgQA+sKsTmg7nH6jqpWTD +0+ku3zH37P/CeNynrYlFtFA/3QZZNSeBUtmPEgSANp/iYSgpIOeqcUR+vJZhsIXT ++0wX4SS7+hy3sHAuDmSZ7d4XXowNWmfn2MElY7INaPvTzjRY3+XIeTfMK43LglF5 +sftSt0FIy+7QSZiQwKIX35Hdig== +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Policies P3 CA +issuer=/C=US/O=Test Certificates/CN=Trust Anchor +-----BEGIN CERTIFICATE----- +MIIChDCCAe2gAwIBAgIBJzANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv +cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEIxCzAJBgNVBAYTAlVT +MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEXMBUGA1UEAxMOUG9saWNpZXMg +UDMgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKzB4tlymiLVW8a6Ps0y +porV4ZwLRY6O21qBHaMeOvMroSc49aMMmsNM5Hq1c37ETR2NROBT065S3xFyQT58 +Q+6gu30masLdypu0ewe1f4waXVKzrOrXleRrha2wyu33duzC9XoU5rLxLJUrPXjd +F7bYw/NIHmdKb2gKdGDD5ZhlAgMBAAGjgYswgYgwHwYDVR0jBBgwFoAU+2zULYGe +yid6ng2wPOqavIf/SeowHQYDVR0OBBYEFI69Zo+OVWXPUeRZpskqHmK/96W8MA4G +A1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAMwDwYDVR0TAQH/ +BAUwAwEB/zAMBgNVHSQEBTADgAEAMA0GCSqGSIb3DQEBBQUAA4GBAGIeHrFlfEpz 
+33KeWUQrArkcbXi4ONGl0zsMAelL8FjVyZJqVjBi4/z+31K608b9FleH0H4QlO1V +pADcQhn+/9ChWXCvHtSUuBsIPFO3WWIdgYTtmSAqxsEq3uwQIR3ku8NoMpgiak6B +EdVSLx709Z1oHVmuqVn1fYV/0968h9fo +-----END CERTIFICATE----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Policies P3 CA + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:8E:BD:66:8F:8E:55:65:CF:51:E4:59:A6:C9:2A:1E:62:BF:F7:A5:BC + + X509v3 CRL Number: + 1 +No Revoked Certificates. + Signature Algorithm: sha1WithRSAEncryption + 70:a1:09:11:c0:05:80:09:b9:cb:96:bd:30:59:49:1e:07:57: + d3:9b:e2:f1:41:3f:f5:f1:d7:90:67:ab:db:81:2f:1f:b6:6d: + b4:e5:45:ba:94:55:25:9c:e1:11:06:71:a3:dc:ed:1f:6d:eb: + 91:33:7f:7d:1f:40:2e:1c:84:1a:c2:45:8a:26:ed:0c:a5:6f: + 1c:00:50:99:fd:7b:d1:3a:cf:a0:1a:da:0c:f0:7a:9a:4e:b5: + f1:fb:90:9b:ab:54:57:1d:55:ab:b7:c3:a6:c4:27:e9:c8:6b: + 83:28:68:cc:9e:0b:f0:99:7e:0a:f5:f2:ca:35:28:7b:78:59: + 7c:88 +-----BEGIN X509 CRL----- +MIIBOzCBpQIBATANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFzAVBgNVBAMTDlBvbGljaWVzIFAzIENBFw0w +MTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAWgBSOvWaP +jlVlz1HkWabJKh5iv/elvDAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUFAAOBgQBw +oQkRwAWACbnLlr0wWUkeB1fTm+LxQT/18deQZ6vbgS8ftm205UW6lFUlnOERBnGj +3O0fbeuRM399H0AuHIQawkWKJu0MpW8cAFCZ/XvROs+gGtoM8HqaTrXx+5Cbq1RX +HVWrt8OmxCfpyGuDKGjMngvwmX4K9fLKNSh7eFl8iA== +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Trust Anchor + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 68 + Revocation Date: Apr 19 
14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b: + 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31: + 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53: + 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31: + dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7: + bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf: + 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9: + 14:39 +-----BEGIN X509 CRL----- +MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw +NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow +DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/ +SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t +JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4 +cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr +8tP+qCAxwTN2txwZZU25FDk= +-----END X509 CRL----- + diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest3.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest3.pem new file mode 100644 index 0000000000..81624cdd69 --- /dev/null +++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest3.pem 
@@ -0,0 +1,170 @@ +subject=/C=US/O=Test Certificates/CN=Good CA +issuer=/C=US/O=Test Certificates/CN=Trust Anchor +-----BEGIN CERTIFICATE----- +MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv +cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT +MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB +nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0 +p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2 +IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp +Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa +vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE +AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN +BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya +cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg +3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq +rA== +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Policies P2 subCA +issuer=/C=US/O=Test Certificates/CN=Good CA +-----BEGIN CERTIFICATE----- +MIICcjCCAdugAwIBAgIBEDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN +MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBFMQswCQYDVQQGEwJVUzEaMBgG +A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAMTEVBvbGljaWVzIFAyIHN1 +YkNBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFuj/BeKqm7wDc+UMIp7Qh +eY7RqfB/VGqZuKUb5UNpLiXT37UrhteMqYSqBkd76l1qvhhBwRPJt9Nq2tf5slrS +NJOAnUfF0McB9RUJMGhkITa9As3KZy0u31hre09MUaacltcuJx4irpHKUEjn+qY1 +ZdZ7NNEzH9VXWN+6lARLIQIDAQABo3wwejAfBgNVHSMEGDAWgBS3LqaCy8LIvKh7 +J0TXNTPfmhWUxzAdBgNVHQ4EFgQU5FhKqtjykfUZF2iehQcjbgo0680wDgYDVR0P +AQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwAjAPBgNVHRMBAf8EBTAD +AQH/MA0GCSqGSIb3DQEBBQUAA4GBAGilgDaBiDA1cbd6xUxAl/K5DVQ8ack+2fk1 +P8G5fTuQoQtDbWX6eA7Q/nXFXBCj2i1tmJF/q8Pzh1GU6MKQ5f7J5ibEstM1+lgb 
+hidM5kd85uVTxTBL7GSS94BSfXFnNOOSWbRTyhSIZRxScCjERfnSfF8yBDRIbFGO +ma6qPeAC +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Different Policies EE Certificate Test3 +issuer=/C=US/O=Test Certificates/CN=Policies P2 subCA +-----BEGIN CERTIFICATE----- +MIICgTCCAeqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAMTEVBvbGljaWVzIFAy +IHN1YkNBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowWzELMAkGA1UE +BhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTAwLgYDVQQDEydEaWZm +ZXJlbnQgUG9saWNpZXMgRUUgQ2VydGlmaWNhdGUgVGVzdDMwgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBANc03XT9xYcVcwSWI/zfZ5VWnTC4uy5WFMe8/BNL8QuP +5xFw/xGTjgkS/ABNJJJ+a/RWsi0Q92MSeMbVNkgD0/i94SgjALWOdsg9k4LI3iH1 +ziOZ1OWKjKsJIxgCbTls+JRu7bRi4dnVYHB96WnGFVsVp9xyoS3hUYYwpCFXYLWz +AgMBAAGjazBpMB8GA1UdIwQYMBaAFORYSqrY8pH1GRdonoUHI24KNOvNMB0GA1Ud +DgQWBBRyOnvPdzFG1aaQtBqWQiKlfmoaPjAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0g +BBAwDjAMBgpghkgBZQMCATACMA0GCSqGSIb3DQEBBQUAA4GBACWQn4A03gqLgppl +ROwBGIIxHZD+wVr9BgoDJj2xwX6NaofqHfhAyVq9hDqEwylmfr0rH6m8PBAgnST0 +CnoWgQEQQ2sESHf6f/7/CTcVLlx8UQDXaTlA22nhmoJG9Y4iOdjdzhgvn/9yYySs +aTByh3KCB3TV4q9GJw6nUNAmnoOo +-----END CERTIFICATE----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Policies P2 subCA + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:E4:58:4A:AA:D8:F2:91:F5:19:17:68:9E:85:07:23:6E:0A:34:EB:CD + + X509v3 CRL Number: + 1 +No Revoked Certificates. 
+ Signature Algorithm: sha1WithRSAEncryption + c3:6b:fd:b1:c9:49:fe:a7:76:33:87:24:1f:f7:df:41:31:b8: + 37:15:f2:3c:ae:8e:c7:17:a1:30:ea:a6:53:99:4a:8b:a1:7c: + ae:c1:4e:58:81:4f:65:e2:0d:eb:a0:cc:2d:f5:a2:ba:03:ee: + 1e:81:1c:64:3a:b1:9f:2b:d2:40:27:69:6f:32:95:fa:85:f7: + c8:76:8b:4b:7a:11:12:8d:7c:fa:1f:54:84:d7:ff:72:23:63: + 46:55:0a:e4:d2:38:1d:83:2c:57:bb:60:21:dc:44:0d:6a:95: + 11:ad:f0:b5:57:82:68:f4:20:37:f4:d7:46:93:cd:c4:c6:90: + fd:c1 +-----BEGIN X509 CRL----- +MIIBPjCBqAIBATANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGjAYBgNVBAMTEVBvbGljaWVzIFAyIHN1YkNB +Fw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAWgBTk +WEqq2PKR9RkXaJ6FByNuCjTrzTAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUFAAOB +gQDDa/2xyUn+p3YzhyQf999BMbg3FfI8ro7HF6Ew6qZTmUqLoXyuwU5YgU9l4g3r +oMwt9aK6A+4egRxkOrGfK9JAJ2lvMpX6hffIdotLehESjXz6H1SE1/9yI2NGVQrk +0jgdgyxXu2Ah3EQNapURrfC1V4Jo9CA39NdGk83ExpD9wQ== +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Trust Anchor + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 68 + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b: + 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31: + 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53: + 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31: + dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7: + bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf: + 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9: + 14:39 +-----BEGIN X509 CRL----- 
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw +NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow +DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/ +SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t +JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4 +cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr +8tP+qCAxwTN2txwZZU25FDk= +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Good CA + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7 + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 0E + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Serial Number: 0F + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90: + 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f: + 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65: + 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1: + 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e: + b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb: + 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85: + 92:cd +-----BEGIN X509 CRL----- +MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0 +NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD +VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf +BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq 
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE +MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1 +KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ== +-----END X509 CRL----- + diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest4.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest4.pem new file mode 100644 index 0000000000..42c902dac2 --- /dev/null +++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest4.pem 
@@ -0,0 +1,170 @@ +subject=/C=US/O=Test Certificates/CN=Good CA +issuer=/C=US/O=Test Certificates/CN=Trust Anchor +-----BEGIN CERTIFICATE----- +MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv +cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT +MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB +nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0 +p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2 +IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp +Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa +vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE +AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN +BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya +cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg +3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq +rA== +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Different Policies EE Certificate Test4 +issuer=/C=US/O=Test Certificates/CN=Good subCA +-----BEGIN CERTIFICATE----- +MIICejCCAeOgAwIBAgIBATANBgkqhkiG9w0BAQUFADA+MQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEzARBgNVBAMTCkdvb2Qgc3ViQ0Ew +HhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBbMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxMDAuBgNVBAMTJ0RpZmZlcmVudCBQ +b2xpY2llcyBFRSBDZXJ0aWZpY2F0ZSBUZXN0NDCBnzANBgkqhkiG9w0BAQEFAAOB +jQAwgYkCgYEAo97r9TnN6B3H+x4fSXruIfEelkjmA4Ti1Q93FP3Op0Pfk8ybf7W8 +/meQsMFMMXAVrZ+pwfLj3YvzTspivZUbJGWA4o7r2DwkVkuXr6Rv2n3OhPlCwljb +TAFxb5S3wOOJ53FHJw33R19R8d3B0CpxKxLK1oXQVOOu0t3UKizFJakCAwEAAaNr +MGkwHwYDVR0jBBgwFoAUfFxpfJ3IVbEiBSlD+8R7j+rquH0wHQYDVR0OBBYEFOIy +WsL+F3ByhN7vnBDlbJNEkZS3MA4GA1UdDwEB/wQEAwIE8DAXBgNVHSAEEDAOMAwG +CmCGSAFlAwIBMAIwDQYJKoZIhvcNAQEFBQADgYEAVoBWMI/tY2C3bNKXPdDQHwOq ++JplKCmu37pLQlMNSVP8yssW5khRqkKYi48Jz7b21NKFN3w3/0MuV2AxjEA6ROZX 
+MBwaIKyeHMRCRDJndHYU3CkOvex/eDDnLXvNxTXuda755S3qZUbhNKRZnLv1iDzH +KN6TmIq39yQReXlNoNo= +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Good subCA +issuer=/C=US/O=Test Certificates/CN=Good CA +-----BEGIN CERTIFICATE----- +MIICezCCAeSgAwIBAgIBETANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN +MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjA+MQswCQYDVQQGEwJVUzEaMBgG +A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEzARBgNVBAMTCkdvb2Qgc3ViQ0EwgZ8w +DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPPDgvwjnBtonTcZM5RPe+FqtX3glBmw +zdb+WOm6gKoAp5euYnW2UZOOjSztJyTUKsmnK3qhKgntDjO8z/ito6Pz0Uo7zoby +wftFeKr76K0iBIp0t2DJQ4khnA8KjIB7LJp5CKIT1rhPdrLhPbc/r+LcUTZrAfRt +ZcQkxbznhxZxAgMBAAGjgYswgYgwHwYDVR0jBBgwFoAUty6mgsvCyLyoeydE1zUz +35oVlMcwHQYDVR0OBBYEFHxcaXydyFWxIgUpQ/vEe4/q6rh9MA4GA1UdDwEB/wQE +AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAM +BgNVHSQEBTADgAEAMA0GCSqGSIb3DQEBBQUAA4GBAI8yIYi19lr+NUCxlq3CXkpZ +TAgRtU0pqH1VbEootkv0o7apbF2cC8SHB0UDiih/yqZjqw3kHtpbBaf75KHxqoQ4 +PKqoZXt3K4rjiQooU+2cyC+mxI3uegcFjQ444R10jXwv5EqNQ4joXhz5hocJA/PF +JGFA0gkGm2pMEBR567ka +-----END CERTIFICATE----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Good subCA + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:7C:5C:69:7C:9D:C8:55:B1:22:05:29:43:FB:C4:7B:8F:EA:EA:B8:7D + + X509v3 CRL Number: + 1 +No Revoked Certificates. 
+ Signature Algorithm: sha1WithRSAEncryption + a1:14:35:58:41:58:4a:93:ea:8a:e7:cc:c1:be:02:22:8c:9a: + 21:32:d6:a9:bf:1d:df:7d:60:8c:ba:f2:8c:01:a9:38:a4:94: + 8a:6d:69:46:e5:ac:63:48:17:e5:c9:c0:de:df:13:73:c6:ec: + 3f:b7:ed:61:a2:6c:42:d8:cf:7a:ff:3b:35:41:8a:04:c8:fe: + 85:37:b8:7d:dc:a0:05:35:ba:e0:bb:39:c8:be:2a:79:57:82: + db:f1:da:21:e0:c6:54:2b:37:2a:e1:0d:82:aa:2f:47:ab:15: + fc:30:11:dd:52:ba:93:cf:bc:46:39:a7:94:29:7d:e0:2a:5c: + d4:ce +-----BEGIN X509 CRL----- +MIIBNzCBoQIBATANBgkqhkiG9w0BAQUFADA+MQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEzARBgNVBAMTCkdvb2Qgc3ViQ0EXDTAxMDQx +OTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaAFHxcaXydyFWx +IgUpQ/vEe4/q6rh9MAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GBAKEUNVhB +WEqT6ornzMG+AiKMmiEy1qm/Hd99YIy68owBqTiklIptaUblrGNIF+XJwN7fE3PG +7D+37WGibELYz3r/OzVBigTI/oU3uH3coAU1uuC7Oci+KnlXgtvx2iHgxlQrNyrh +DYKqL0erFfwwEd1SupPPvEY5p5QpfeAqXNTO +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Trust Anchor + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 68 + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b: + 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31: + 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53: + 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31: + dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7: + bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf: + 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9: + 14:39 +-----BEGIN X509 CRL----- 
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw +NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow +DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/ +SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t +JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4 +cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr +8tP+qCAxwTN2txwZZU25FDk= +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Good CA + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7 + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 0E + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Serial Number: 0F + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90: + 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f: + 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65: + 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1: + 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e: + b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb: + 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85: + 92:cd +-----BEGIN X509 CRL----- +MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0 +NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD +VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf +BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq 
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE +MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1 +KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ== +-----END X509 CRL----- + diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest5.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest5.pem new file mode 100644 index 0000000000..bb476975c0 --- /dev/null +++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest5.pem 
@@ -0,0 +1,170 @@ +subject=/C=US/O=Test Certificates/CN=Good CA +issuer=/C=US/O=Test Certificates/CN=Trust Anchor +-----BEGIN CERTIFICATE----- +MIICbTCCAdagAwIBAgIBAjANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv +cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMDsxCzAJBgNVBAYTAlVT +MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEQMA4GA1UEAxMHR29vZCBDQTCB +nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsI1lQuXKwOxSkOVRaPwlhMQtgp0 +p7HT4rKLGqojfY0twvMDc4rC9uj97wlh98kkraMx3r0wlllYSQ+Cp9mCCNu/C/Y2 +IbZCyG+io4A3Um3q/QGvbHlclmrJb0j0MQi3o88GhE8Q6Vy6SGwFXGpKDJMpLSFp +Pxz8lh7M6J56Ex8CAwEAAaN8MHowHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqa +vIf/SeowHQYDVR0OBBYEFLcupoLLwsi8qHsnRNc1M9+aFZTHMA4GA1UdDwEB/wQE +AwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zAN +BgkqhkiG9w0BAQUFAAOBgQCOls9+0kEUS71w+KoQhfkVLdAKANXUmGCVZHL1zsya +cPP/Q8IsCNvwjefZpgc0cuhtnHt2uDd0/zYLRmgcvJwfx5vwOfmDN13mMB8Za+cg +3sZ/NI8MqQseKvS3fWqXaK6FJoKLzxId0iUGntbF4c5+rPFArzqM6IE7f9cMD5Fq +rA== +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Different Policies EE Certificate Test5 +issuer=/C=US/O=Test Certificates/CN=Policies P2 subCA2 +-----BEGIN CERTIFICATE----- +MIICgjCCAeugAwIBAgIBATANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGzAZBgNVBAMTElBvbGljaWVzIFAy +IHN1YkNBMjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFsxCzAJBgNV +BAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEwMC4GA1UEAxMnRGlm +ZmVyZW50IFBvbGljaWVzIEVFIENlcnRpZmljYXRlIFRlc3Q1MIGfMA0GCSqGSIb3 +DQEBAQUAA4GNADCBiQKBgQCwZH5VW/9MO5bUFBrHnWcQmxnLKiqHAu593o6kFZKt +zkkYkVCA/vu0Wqgk09UeJz2jQPFuJEFYl/VdkkyS3U5TMdJBBcIHMYpmVTeTJSzP +G+II79/nOVLpVRfuMtKclAU+oCCJb29oiXRaOFzZjzbXuU/NvSXZu24sVctBtFQA +DQIDAQABo2swaTAfBgNVHSMEGDAWgBRx6y8V7VGl/4VJjHwa9kumm6SUBjAdBgNV +HQ4EFgQU0BTRTBvIbX1D6I9/J/Wkp7/iGNwwDgYDVR0PAQH/BAQDAgTwMBcGA1Ud +IAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQAVgTBnKECQtHJE +rSdkBjW41mPMbdbsbYgsl00518Qv4kS2bIsmMOB4V6kl48oIlmIql2dgUqb0QgvA 
+JFFmwyLWdyUy1Ngv1H4tT2i9htTQAG7Yhx619BHqWCfqCiue49ySUsKOefY3ZYuy +Ew2nYu2yBbFQuBajQDA+6rT6RjvF+Q== +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Policies P2 subCA2 +issuer=/C=US/O=Test Certificates/CN=Good CA +-----BEGIN CERTIFICATE----- +MIICgzCCAeygAwIBAgIBEjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EwHhcN +MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBGMQswCQYDVQQGEwJVUzEaMBgG +A1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGzAZBgNVBAMTElBvbGljaWVzIFAyIHN1 +YkNBMjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtLTO6yKdiF3dWPmvdMIU +ljhMl5k5/mSISipm74fsNPvCJOAfdPJa7ZsmCH2mXZeXa5xOUPG9YzcqgSoj8YEa +L6h9u4t40L+OyapOZKiYykXi9hoZEzCuilIIu3km9rU0jF/hTntZ5QSdE65fM5qn +iMQnAPkod5ehi3XASsHZu9cCAwEAAaOBizCBiDAfBgNVHSMEGDAWgBS3LqaCy8LI +vKh7J0TXNTPfmhWUxzAdBgNVHQ4EFgQUcesvFe1Rpf+FSYx8GvZLppuklAYwDgYD +VR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwAjAPBgNVHRMBAf8E +BTADAQH/MAwGA1UdJAQFMAOAAQAwDQYJKoZIhvcNAQEFBQADgYEApvxtR+QrmkV9 +u+IYUO9+MXgIGn7U3aab9pnQfxH2Dqkx2uPGGYsw3+Md7m0+Y29god0WgGwgrmlS +9VnFhuDw0Sks4ofgjOWCrO0gK10fO2AHzYMwxcbsaqrIPS0dIkUflnnB6vUPoz1t +0/y853VkBY8fwZC5lSrXe1j/wkrITt4= +-----END CERTIFICATE----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Policies P2 subCA2 + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:71:EB:2F:15:ED:51:A5:FF:85:49:8C:7C:1A:F6:4B:A6:9B:A4:94:06 + + X509v3 CRL Number: + 1 +No Revoked Certificates. 
+ Signature Algorithm: sha1WithRSAEncryption + 0f:c9:61:2b:d8:db:62:52:36:67:85:d2:bf:79:00:4e:44:4c: + 3b:2e:a1:0f:58:1d:06:1d:47:bb:2d:b2:3f:62:d5:9c:7d:da: + bd:34:86:5d:44:f2:ec:42:d8:cb:37:16:8d:87:d7:73:3b:d1: + 82:e3:e9:2c:d6:db:6f:f5:f3:db:d4:11:bf:bf:aa:15:10:7a: + 51:76:d6:56:e5:f6:27:00:54:54:87:14:e8:0f:5a:e1:5b:64: + 16:53:de:31:1a:69:c2:6b:a5:fe:77:8c:bc:f2:42:d6:ad:84: + 6a:f5:bb:94:16:c0:12:64:af:4a:2e:68:64:2f:f5:14:5c:b1: + c5:cf +-----BEGIN X509 CRL----- +MIIBPzCBqQIBATANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGzAZBgNVBAMTElBvbGljaWVzIFAyIHN1YkNB +MhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAU +cesvFe1Rpf+FSYx8GvZLppuklAYwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQAD +gYEAD8lhK9jbYlI2Z4XSv3kATkRMOy6hD1gdBh1Huy2yP2LVnH3avTSGXUTy7ELY +yzcWjYfXczvRguPpLNbbb/Xz29QRv7+qFRB6UXbWVuX2JwBUVIcU6A9a4VtkFlPe +MRppwmul/neMvPJC1q2EavW7lBbAEmSvSi5oZC/1FFyxxc8= +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Trust Anchor + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 68 + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b: + 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31: + 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53: + 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31: + dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7: + bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf: + 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9: + 14:39 +-----BEGIN X509 CRL----- 
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw +NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow +DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/ +SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t +JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4 +cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr +8tP+qCAxwTN2txwZZU25FDk= +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Good CA + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7 + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 0E + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Serial Number: 0F + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 93:c2:ec:0b:71:07:2d:9d:d7:a2:b3:f0:ed:08:4d:6e:06:90: + 66:72:06:a9:c2:30:73:f1:18:72:bf:a7:51:13:95:c4:31:3f: + 1d:79:41:ed:ed:ab:d0:96:11:1e:32:47:4c:c4:f7:e2:08:65: + 6f:73:55:c1:59:09:56:f2:60:79:27:18:2e:94:40:dd:7e:b1: + 92:bf:b8:57:e5:4c:c5:38:97:75:2a:a1:17:a2:25:0d:ec:0e: + b7:95:40:8d:2c:df:b9:fa:10:ff:be:9e:4a:f2:37:4f:25:cb: + 1b:c8:6d:ef:e4:09:b9:03:36:1b:c1:d9:f9:4f:00:5e:80:85: + 92:cd +-----BEGIN X509 CRL----- +MIIBejCB5AIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxEDAOBgNVBAMTB0dvb2QgQ0EXDTAxMDQxOTE0 +NTcyMFoXDTExMDQxOTE0NTcyMFowRDAgAgEOFw0wMTA0MTkxNDU3MjBaMAwwCgYD +VR0VBAMKAQEwIAIBDxcNMDEwNDE5MTQ1NzIwWjAMMAoGA1UdFQQDCgEBoC8wLTAf +BgNVHSMEGDAWgBS3LqaCy8LIvKh7J0TXNTPfmhWUxzAKBgNVHRQEAwIBATANBgkq 
+hkiG9w0BAQUFAAOBgQCTwuwLcQctndeis/DtCE1uBpBmcgapwjBz8Rhyv6dRE5XE +MT8deUHt7avQlhEeMkdMxPfiCGVvc1XBWQlW8mB5JxgulEDdfrGSv7hX5UzFOJd1 +KqEXoiUN7A63lUCNLN+5+hD/vp5K8jdPJcsbyG3v5Am5AzYbwdn5TwBegIWSzQ== +-----END X509 CRL----- + diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest7.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest7.pem new file mode 100644 index 0000000000..64913817fc --- /dev/null +++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest7.pem 
@@ -0,0 +1,211 @@ +subject=/C=US/O=Test Certificates/CN=Policies P123 subsubCAP12P1 +issuer=/C=US/O=Test Certificates/CN=Policies P123 subCAP12 +-----BEGIN CERTIFICATE----- +MIICizCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFlBvbGljaWVzIFAx +MjMgc3ViQ0FQMTIwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBPMQsw +CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMT +G1BvbGljaWVzIFAxMjMgc3Vic3ViQ0FQMTJQMTCBnzANBgkqhkiG9w0BAQEFAAOB +jQAwgYkCgYEA3JEcFcmqBaOdX0aQIeLKgr184G8kZkUDCWXFVa8Rl8JEbH8nKumt +oT+D502p0fAxQ/lu67/+Wz9X+0bAwkuPsCzJ1QCXR2UIRpVr1NxN7Rpz/7c6kzfL +/DJwrly/lSBnj0R0YirNdtTRRbIo0/YEP7P2B0gorC16aSbZViLod4ECAwEAAaN8 +MHowHwYDVR0jBBgwFoAUWocIIfvckxBtmgt8x2qxaEvfVdcwHQYDVR0OBBYEFCOJ +nPgjYULoGZabFjVqvDC9XoqCMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwG +CmCGSAFlAwIBMAEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBE +8ZcL9nvf0LT9xC+cY0M+u5LPMYNxkecfdmiF5H1xmtqQ+pyLB7lUIyeSE0FWSbFS +HxkKQAkO31yPfR0lvAkmJS8uVhZf7kiMfNhK/iHQA2LE4ubMmgyfbnAidPaVhPJ/ +waAqgUmU3waTfWo4RyKCWsWN6L95KJNO3HkS5l83zg== +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Policies P123 subCAP12 +issuer=/C=US/O=Test Certificates/CN=Policies P123 CA +-----BEGIN CERTIFICATE----- +MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBEMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGTAXBgNVBAMTEFBvbGljaWVzIFAx +MjMgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBKMQswCQYDVQQG +EwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFlBvbGlj +aWVzIFAxMjMgc3ViQ0FQMTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOll +J21WulD37Mn1rV21nTiHp+5zJm7d2iKVBk051MbS63EnC5jnUm0D6a5QJiQR8Ai2 +tuB17ppJED42WQtI7o8exytiya4Y4BvDOeGlVbVZSGgbk2vjlTzg+caDcAkVSzWD +YMs02A14NrbFODXEyAyJ7rsOTycvQorNHm6zUBvRAgMBAAGjgYswgYgwHwYDVR0j +BBgwFoAU0L/Nm9/xkf2Ch1oQz5Cvi7zyxcwwHQYDVR0OBBYEFFqHCCH73JMQbZoL +fMdqsWhL31XXMA4GA1UdDwEB/wQEAwIBBjAlBgNVHSAEHjAcMAwGCmCGSAFlAwIB +MAEwDAYKYIZIAWUDAgEwAjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUA 
+A4GBAD9AiTI21pU5RaP49a5YdThygUEjL+Hvvoq4cbbg7dN3qbjYJBXUruTWyY+c +pSqrS3q3rUlt99O+9JFqZSX8LCVRMg0yWSlwymdeY8a5EBS099ZFB+r9v4tIndk0 +r1uaX/PyEiMNd+eT8GdxBwl+Jo+AHTvuHx0G9iRwLbS5Es0u +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Different Policies EE Certificate Test7 +issuer=/C=US/O=Test Certificates/CN=Policies P123 subsubCAP12P1 +-----BEGIN CERTIFICATE----- +MIICnDCCAgWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG1BvbGljaWVzIFAx +MjMgc3Vic3ViQ0FQMTJQMTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa +MFsxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEwMC4G +A1UEAxMnRGlmZmVyZW50IFBvbGljaWVzIEVFIENlcnRpZmljYXRlIFRlc3Q3MIGf +MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCq7BLYQUkQ5JoVVov7G3lnh8JAEwYq +LMbqpRCqw7cUk5pzpmQsxkZs6/Ucuz/aR9dCCaRZJ+YQ8GZSQ+igOWzOfGwugT2P +1F9uHaqW5hLEm4nKD0sCR7e+SSsZcVLDu43aKeP9M9W+eIiVgBDqqO/sIiP+H9lA +XGxBY7aZKR9PbQIDAQABo3wwejAfBgNVHSMEGDAWgBQjiZz4I2FC6BmWmxY1arww +vV6KgjAdBgNVHQ4EFgQU8kOeHdO942r3cR78izbu/QscRBMwDgYDVR0PAQH/BAQD +AgH2MBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwAjAPBgNVHRMBAf8EBTADAQH/MA0G +CSqGSIb3DQEBBQUAA4GBAB7JKK79k5557tO3m4Z6Ggwb+wna9YjHdiEEmFrP0CbG +ydKsCOn176W5roPXJfVz4LNWRaQ1VD9hJBRNk7l7hCgrbazLj9TtrU9RrklDu54/ +tyZH3BQrH0znl+dxlEgYdfzhd0XQhMP4AGAlIzZUANHCnmjRKkqikPNXO5bMpnza +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Policies P123 CA +issuer=/C=US/O=Test Certificates/CN=Trust Anchor +-----BEGIN CERTIFICATE----- +MIICojCCAgugAwIBAgIBJDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv +cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEQxCzAJBgNVBAYTAlVT +MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEZMBcGA1UEAxMQUG9saWNpZXMg +UDEyMyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuGtVArq1otVEuN/s +xR5XSOEfVzIms1FiprO4UReYXUDbKzmCYC6YypbEnOP2JpLQOPwAfVqLL8FV7xiS +o+HmK25R0aK9nQGFUPX0U9o4b5NRcWFAoYBAF2GOFBNqGF6d9wBFPlijGMT8nWr5 +ahnujYSC1Emy88N4hkp1fj4o7yMCAwEAAaOBpzCBpDAfBgNVHSMEGDAWgBT7bNQt 
+gZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQU0L/Nm9/xkf2Ch1oQz5Cvi7zyxcww +DgYDVR0PAQH/BAQDAgEGMDMGA1UdIAQsMCowDAYKYIZIAWUDAgEwATAMBgpghkgB +ZQMCATACMAwGCmCGSAFlAwIBMAMwDwYDVR0TAQH/BAUwAwEB/zAMBgNVHSQEBTAD +gAEAMA0GCSqGSIb3DQEBBQUAA4GBAHcVVBwhebD5vRKleXMh71kleQIL8QOQFpHM +jVYS/KJiBsVUTebOeONSU0cuPmzomEkpLyYPz8cDroidExtxGEpkKgYBGi1c5ext +cDUGFsTWENTFFWjZ7xA56XUtGd8alXJfY0v6QSHqoYFosJvoqU2bjX6jqQVK5HbY +kko1SxlW +-----END CERTIFICATE----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Policies P123 CA + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:D0:BF:CD:9B:DF:F1:91:FD:82:87:5A:10:CF:90:AF:8B:BC:F2:C5:CC + + X509v3 CRL Number: + 1 +No Revoked Certificates. + Signature Algorithm: sha1WithRSAEncryption + 81:c2:63:b3:65:bd:c4:2d:98:7c:e0:85:dd:5f:07:d7:b4:1b: + 7a:64:a7:7f:60:3d:62:3a:70:af:d5:97:23:23:9a:48:e3:b7: + 8b:c0:3d:43:c1:66:e8:24:db:ed:a9:ab:0a:70:51:d8:7d:65: + 92:ea:e9:6f:cb:96:8e:3b:cf:94:e9:9c:d2:27:54:29:8c:81: + 84:1d:a6:22:65:85:46:70:07:da:1d:e9:79:9f:e7:3c:4e:96: + 1b:11:d9:08:ec:f7:95:15:c9:db:8d:a7:17:16:3e:76:bb:41: + 98:15:94:b3:1a:19:6f:1e:dc:10:24:c8:ae:bc:38:93:c5:04: + ef:9d +-----BEGIN X509 CRL----- +MIIBPTCBpwIBATANBgkqhkiG9w0BAQUFADBEMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGTAXBgNVBAMTEFBvbGljaWVzIFAxMjMgQ0EX +DTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaAFNC/ +zZvf8ZH9godaEM+Qr4u88sXMMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GB +AIHCY7NlvcQtmHzghd1fB9e0G3pkp39gPWI6cK/VlyMjmkjjt4vAPUPBZugk2+2p +qwpwUdh9ZZLq6W/Llo47z5TpnNInVCmMgYQdpiJlhUZwB9od6Xmf5zxOlhsR2Qjs +95UVyduNpxcWPna7QZgVlLMaGW8e3BAkyK68OJPFBO+d +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Policies P123 subCAP12 + Last Update: Apr 19 14:57:20 2001 GMT + Next 
Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:5A:87:08:21:FB:DC:93:10:6D:9A:0B:7C:C7:6A:B1:68:4B:DF:55:D7 + + X509v3 CRL Number: + 1 +No Revoked Certificates. + Signature Algorithm: sha1WithRSAEncryption + 67:b8:b5:f3:01:89:95:0b:52:9b:23:ed:15:82:33:84:16:99: + d5:19:f9:2a:ba:7a:1a:fd:61:2e:32:9b:bf:50:d0:02:cc:b8: + 5e:0c:f9:8f:7d:6b:d7:ce:29:7d:cd:9a:0d:01:4a:c9:ef:38: + 13:2e:a6:46:a5:13:4a:ba:01:58:71:13:21:6a:52:1a:e5:2f: + c8:58:ba:dd:bb:b5:18:3e:a0:5b:94:3a:96:d0:47:05:fa:a4: + 84:37:c0:e4:5a:42:31:19:c3:86:cc:42:90:32:85:aa:e4:70: + 23:e2:cf:eb:fe:f3:fe:e0:83:17:bc:c4:15:07:0f:b8:c0:d9: + 57:d2 +-----BEGIN X509 CRL----- +MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFlBvbGljaWVzIFAxMjMgc3Vi +Q0FQMTIXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY +MBaAFFqHCCH73JMQbZoLfMdqsWhL31XXMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB +BQUAA4GBAGe4tfMBiZULUpsj7RWCM4QWmdUZ+Sq6ehr9YS4ym79Q0ALMuF4M+Y99 +a9fOKX3Nmg0BSsnvOBMupkalE0q6AVhxEyFqUhrlL8hYut27tRg+oFuUOpbQRwX6 +pIQ3wORaQjEZw4bMQpAyharkcCPiz+v+8/7ggxe8xBUHD7jA2VfS +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Policies P123 subsubCAP12P1 + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:23:89:9C:F8:23:61:42:E8:19:96:9B:16:35:6A:BC:30:BD:5E:8A:82 + + X509v3 CRL Number: + 1 +No Revoked Certificates. 
+ Signature Algorithm: sha1WithRSAEncryption + 38:53:72:c0:cb:e3:f9:84:7d:49:58:c4:73:96:61:3f:7d:1a: + 78:47:82:fa:be:2b:9a:55:99:d4:73:ad:49:14:9d:a3:3c:5e: + 99:66:20:f4:df:d9:c3:d3:03:61:75:0d:18:f6:c4:b8:29:0f: + e7:e3:e9:37:f3:0d:e0:74:a0:ef:8e:9f:fa:12:18:20:a2:8a: + 3a:bb:72:e6:20:4f:2a:2b:7f:22:5d:56:01:e8:fb:76:fd:62: + 44:16:83:a8:7e:53:4d:6a:4a:0c:94:10:64:85:02:07:1d:d3: + 28:57:9f:e7:57:65:99:37:99:f4:52:ae:de:5e:4f:5c:e9:08: + f2:cc +-----BEGIN X509 CRL----- +MIIBSDCBsgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG1BvbGljaWVzIFAxMjMgc3Vi +c3ViQ0FQMTJQMRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYD +VR0jBBgwFoAUI4mc+CNhQugZlpsWNWq8ML1eioIwCgYDVR0UBAMCAQEwDQYJKoZI +hvcNAQEFBQADgYEAOFNywMvj+YR9SVjEc5ZhP30aeEeC+r4rmlWZ1HOtSRSdozxe +mWYg9N/Zw9MDYXUNGPbEuCkP5+PpN/MN4HSg746f+hIYIKKKOrty5iBPKit/Il1W +Aej7dv1iRBaDqH5TTWpKDJQQZIUCBx3TKFef51dlmTeZ9FKu3l5PXOkI8sw= +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Trust Anchor + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 68 + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b: + 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31: + 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53: + 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31: + dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7: + bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf: + 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9: + 14:39 +-----BEGIN X509 CRL----- 
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw +NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow +DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/ +SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t +JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4 +cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr +8tP+qCAxwTN2txwZZU25FDk= +-----END X509 CRL----- + diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest8.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest8.pem new file mode 100644 index 0000000000..0468f302f0 --- /dev/null +++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest8.pem 
@@ -0,0 +1,210 @@ +subject=/C=US/O=Test Certificates/CN=Policies P12 subCAP1 +issuer=/C=US/O=Test Certificates/CN=Policies P12 CA +-----BEGIN CERTIFICATE----- +MIICfTCCAeagAwIBAgIBATANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD1BvbGljaWVzIFAx +MiBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEgxCzAJBgNVBAYT +AlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEdMBsGA1UEAxMUUG9saWNp +ZXMgUDEyIHN1YkNBUDEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKniBOhW +3+GUH9cLSjfU8TnmUuKC8zu+bx+7Vd8N20wFU83y33ReAvzS9j5mBAT6qqLMg52i +t5h4ni8MAttxqQivCwZR6U+Mg2KMdHEAbvTp8ya69ZdGzc8StBaJ1OIIRHtRicl2 +Ek85wzHazjfWPtmnO0EaIzJImL3U24pAKDq3AgMBAAGjfDB6MB8GA1UdIwQYMBaA +FADjZemB1Ia5xx3n8zM5Bl5MEaX5MB0GA1UdDgQWBBRCiBzBeLdD2gCvvd66Q6fl +tWH/8jAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8G +A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAYKVZU12G6lcEkxyRYlMJ +umN4xtytcDe50I4AFgMJlgCcLvupgFN+5QWwSGtdBpSrN3lDBFTUQ/ZrAL3O4nzA +HaKM6LaBCQS1//FE6qbi2UvRHfp8RoYUH4hM1nzTb7/Za0wsWTwegcz1uOZ4aLQ5 +M7QKfWfzax6EarTJ4jorUQA= +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Policies P12 subsubCAP1P2 +issuer=/C=US/O=Test Certificates/CN=Policies P12 subCAP1 +-----BEGIN CERTIFICATE----- +MIIChzCCAfCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFFBvbGljaWVzIFAx +MiBzdWJDQVAxMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowTTELMAkG +A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMSIwIAYDVQQDExlQ +b2xpY2llcyBQMTIgc3Vic3ViQ0FQMVAyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB +iQKBgQCgzy2UzpvEK8JSY1wMRMaoYi/MuP+Hkmtwerm88lsIWe07HlT55nuxjp5/ +vSPZEgCYm+wk0AU87yD2n6OkCJn+oUVbeucGoJSwuTEs7HK0YZq+RyYdzcoZ7Z4Z +EzNUC2I+vPj01u9NL0XBZLJ7g5h6Au8d3zGEkn6bEPk565LiewIDAQABo3wwejAf +BgNVHSMEGDAWgBRCiBzBeLdD2gCvvd66Q6fltWH/8jAdBgNVHQ4EFgQUZ+UNjYxs +KrtVbS3oIqoES3MriCowDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYKYIZI +AWUDAgEwAjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAESq+2Cg 
+vywkdxLqsugNl7K/+BK8s0yadUr/Q/DZKPALlPRaVW7GzKJ7aCGw1xRiMmkV5Z1Z +UjSdHXTJetXdNpCfjpVnnrAB9DjkA7RrKI1KTPxhnywtwQNTpD4gceRP6icRwaN6 +7Y/GlL6Fi1LbuHlGF94I9XchvB1mTQ0PF52O +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Policies P12 CA +issuer=/C=US/O=Test Certificates/CN=Trust Anchor +-----BEGIN CERTIFICATE----- +MIICkzCCAfygAwIBAgIBJTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv +cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEMxCzAJBgNVBAYTAlVT +MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEYMBYGA1UEAxMPUG9saWNpZXMg +UDEyIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5unCMuN8PuVFWbqxO +/wnIQsciPiEo1GoKWjM6+kb9l3h6wWyWYwmst2c158qcJLY9PxaUMhqQd/SY0Tt9 +WlHXVcE8rMoWSGmFxfK33UpeCtqwz9ugPSWwZkqx2lI/0ozQXgjYb0J9/EoKw1O0 +CxxrdQdPQkyLD4Uxe87/MlpzsQIDAQABo4GZMIGWMB8GA1UdIwQYMBaAFPts1C2B +nsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBQA42XpgdSGuccd5/MzOQZeTBGl+TAO +BgNVHQ8BAf8EBAMCAQYwJQYDVR0gBB4wHDAMBgpghkgBZQMCATABMAwGCmCGSAFl +AwIBMAIwDwYDVR0TAQH/BAUwAwEB/zAMBgNVHSQEBTADgAEAMA0GCSqGSIb3DQEB +BQUAA4GBABX9GMyAC90FH8BvpnNh6SDn2MIT7iINc4/9u64d1dxEhqogqcR58khK +btHyx8YrgbCcqUNS4Xs7ckW5k2VNAd9dG0Chc0uk6rwkv+sD1/zJi8LIGd/3cFjk +biIVYqPxb7WpKqo97V+43tMFsTqJNBSh+6W14vlP55+Ep5IlxcOm +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Different Policies EE Certificate Test8 +issuer=/C=US/O=Test Certificates/CN=Policies P12 subsubCAP1P2 +-----BEGIN CERTIFICATE----- +MIICmjCCAgOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGVBvbGljaWVzIFAx +MiBzdWJzdWJDQVAxUDIwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBb +MQswCQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxMDAuBgNV +BAMTJ0RpZmZlcmVudCBQb2xpY2llcyBFRSBDZXJ0aWZpY2F0ZSBUZXN0ODCBnzAN +BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxJrMY6Ju+VhfX1vaWidfiPUdCuUMy5lF +7s2Vle2r9FOQQ8se76y2jPKssqb3XIIG+VLRlS5GMp8T4t6VgLtE+gqb4mcBuIdV +KMwJtDrYnfNFML4yyCKSvh51ionton2akkJGnJ2POvQ4z7sLXrKKCKcGTWvbVqej 
+BwfkNvwk9KcCAwEAAaN8MHowHwYDVR0jBBgwFoAUZ+UNjYxsKrtVbS3oIqoES3Mr +iCowHQYDVR0OBBYEFOEf7/tJiP53/PPTMiuw+1ENh3KRMA4GA1UdDwEB/wQEAwIB +9jAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAIwDwYDVR0TAQH/BAUwAwEB/zANBgkq +hkiG9w0BAQUFAAOBgQAkAFezJ/Jf3nv9Kuw+VwXEuX91e8e8wClFff+eY0Af+kXl +fvUJnXN2TOh1iBU8C21WkavgIS9o8grJb3hbDpS03Yodnt/0151BiCMdLQI02sFK +mHABJwiZZlLj7peF4avVV4Piw4arjXD7Z1bKYlHOZeTHF1hgS/XINAc8IUsfDQ== +-----END CERTIFICATE----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Policies P12 CA + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:00:E3:65:E9:81:D4:86:B9:C7:1D:E7:F3:33:39:06:5E:4C:11:A5:F9 + + X509v3 CRL Number: + 1 +No Revoked Certificates. + Signature Algorithm: sha1WithRSAEncryption + a2:21:e6:6b:0b:99:66:79:2d:86:a7:9b:cd:37:9b:4d:73:1f: + df:91:63:c4:de:55:15:53:b0:32:ac:c8:3c:bd:96:aa:ae:c9: + 4f:b2:7c:9d:40:d7:f4:5d:99:8e:fa:2b:44:2d:75:ef:01:38: + 86:c8:59:ae:e4:62:e4:83:b4:73:03:34:d1:7f:52:bc:3d:bb: + 77:7e:7c:c9:41:09:4c:08:4f:a9:7f:d9:d9:0f:bc:46:9d:05: + 70:2f:66:0b:d4:0d:80:ec:11:83:4e:1b:90:95:ad:86:02:77: + e8:19:aa:a6:48:29:a3:9f:36:c3:ec:9a:f5:a4:9a:0b:f5:11: + 1d:72 +-----BEGIN X509 CRL----- +MIIBPDCBpgIBATANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGDAWBgNVBAMTD1BvbGljaWVzIFAxMiBDQRcN +MDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYDVR0jBBgwFoAUAONl +6YHUhrnHHefzMzkGXkwRpfkwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEA +oiHmawuZZnkthqebzTebTXMf35FjxN5VFVOwMqzIPL2Wqq7JT7J8nUDX9F2Zjvor +RC117wE4hshZruRi5IO0cwM00X9SvD27d358yUEJTAhPqX/Z2Q+8Rp0FcC9mC9QN +gOwRg04bkJWthgJ36Bmqpkgpo582w+ya9aSaC/URHXI= +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Policies P12 subCAP1 + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 
14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:42:88:1C:C1:78:B7:43:DA:00:AF:BD:DE:BA:43:A7:E5:B5:61:FF:F2 + + X509v3 CRL Number: + 1 +No Revoked Certificates. + Signature Algorithm: sha1WithRSAEncryption + 38:85:fb:83:ec:f4:d5:e4:42:27:68:d3:d6:5f:c9:d5:60:4a: + fc:33:39:94:ce:d9:28:71:4e:fe:aa:e6:61:05:6b:1c:42:96: + 56:40:e4:48:e6:96:65:21:17:f2:e6:8e:69:50:6f:44:8f:33: + a3:8c:28:e9:f5:85:d6:de:55:bb:03:30:02:eb:bc:49:70:3b: + bb:12:c6:f0:8c:8e:d6:5f:3f:30:aa:58:a9:6a:4e:3e:46:a1: + f6:76:e7:a8:7d:28:e8:d8:44:32:58:76:88:f0:05:5f:37:27: + 03:28:e0:b3:88:c3:75:41:50:81:c2:fe:04:22:be:ea:4a:2b: + fc:a1 +-----BEGIN X509 CRL----- +MIIBQTCBqwIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFFBvbGljaWVzIFAxMiBzdWJD +QVAxFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAW +gBRCiBzBeLdD2gCvvd66Q6fltWH/8jAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUF +AAOBgQA4hfuD7PTV5EInaNPWX8nVYEr8MzmUztkocU7+quZhBWscQpZWQORI5pZl +IRfy5o5pUG9EjzOjjCjp9YXW3lW7AzAC67xJcDu7EsbwjI7WXz8wqlipak4+RqH2 +dueofSjo2EQyWHaI8AVfNycDKOCziMN1QVCBwv4EIr7qSiv8oQ== +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Policies P12 subsubCAP1P2 + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:67:E5:0D:8D:8C:6C:2A:BB:55:6D:2D:E8:22:AA:04:4B:73:2B:88:2A + + X509v3 CRL Number: + 1 +No Revoked Certificates. 
+ Signature Algorithm: sha1WithRSAEncryption + 25:a2:e2:75:db:ff:f0:10:9c:e2:59:90:7c:f9:c6:8e:63:cc: + d4:d1:19:7e:d4:97:09:0e:ea:09:59:88:13:b4:ec:07:f9:58: + 7d:fd:87:4e:85:00:16:e2:e4:54:c3:ec:fe:0e:bf:f3:ab:59: + af:49:e4:97:ba:c2:df:6e:45:e9:4f:e9:0e:4a:07:41:85:8e: + f5:7c:da:c7:21:73:33:37:ff:e1:e0:fc:ae:98:29:f6:04:2d: + d1:4b:54:a4:fb:ee:17:ae:4d:73:b9:ff:ca:6e:6d:56:c3:27: + d8:d2:b4:d5:9c:c6:3d:40:48:f9:37:8d:2f:22:bb:55:4f:84: + 07:65 +-----BEGIN X509 CRL----- +MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGVBvbGljaWVzIFAxMiBzdWJz +dWJDQVAxUDIXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud +IwQYMBaAFGflDY2MbCq7VW0t6CKqBEtzK4gqMAoGA1UdFAQDAgEBMA0GCSqGSIb3 +DQEBBQUAA4GBACWi4nXb//AQnOJZkHz5xo5jzNTRGX7UlwkO6glZiBO07Af5WH39 +h06FABbi5FTD7P4Ov/OrWa9J5Je6wt9uRelP6Q5KB0GFjvV82schczM3/+Hg/K6Y +KfYELdFLVKT77heuTXO5/8pubVbDJ9jStNWcxj1ASPk3jS8iu1VPhAdl +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Trust Anchor + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 68 + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b: + 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31: + 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53: + 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31: + dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7: + bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf: + 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9: + 14:39 +-----BEGIN X509 CRL----- 
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw +NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow +DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/ +SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t +JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4 +cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr +8tP+qCAxwTN2txwZZU25FDk= +-----END X509 CRL----- + diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest9.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest9.pem new file mode 100644 index 0000000000..4b2ed859a9 --- /dev/null +++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/DifferentPoliciesTest9.pem 
@@ -0,0 +1,263 @@ +subject=/C=US/O=Test Certificates/CN=Policies P123 subsubCAP12P2 +issuer=/C=US/O=Test Certificates/CN=Policies P123 subCAP12 +-----BEGIN CERTIFICATE----- +MIICizCCAfSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFlBvbGljaWVzIFAx +MjMgc3ViQ0FQMTIwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBPMQsw +CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMT +G1BvbGljaWVzIFAxMjMgc3Vic3ViQ0FQMTJQMjCBnzANBgkqhkiG9w0BAQEFAAOB +jQAwgYkCgYEA/QzSHTVMWeTWiSZ9qa++M+UWF0AfCPT9oTdaLUwN0Tnb845G4Jh5 +Ov5u75dfUmAmvRM1brlhZoYZZa3cBvQP+1YoAOosVY1qy4xX/6OE2zqM45IRhyLd +VlAJ2WJ96jOpb/HV3vodX2vjDndDMMxKRXd0WIHzbC/aZGzWYXwUvfkCAwEAAaN8 +MHowHwYDVR0jBBgwFoAUWocIIfvckxBtmgt8x2qxaEvfVdcwHQYDVR0OBBYEFIvs +OfOjrm45cGR/aCtNVJAsjgXAMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwG +CmCGSAFlAwIBMAIwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCg +uNxU4/XUIM6O0+DSr6607Epm4PaQEAnvLsgMdHGHCLXL0mwL/9sNnSXGQg08zVpa +k5RjmIGMD+UcMJ28kArNA9u3q4QNB5OXZtrhoPTGhBaBtwR3rL2ZEvQxUw67t2wV +TpBcguqwCt7IIuNbBOoN3Uilox3T4WptJ/A7+zW8oA== +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Policies P123 subCAP12 +issuer=/C=US/O=Test Certificates/CN=Policies P123 CA +-----BEGIN CERTIFICATE----- +MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBEMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGTAXBgNVBAMTEFBvbGljaWVzIFAx +MjMgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBKMQswCQYDVQQG +EwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFlBvbGlj +aWVzIFAxMjMgc3ViQ0FQMTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOll +J21WulD37Mn1rV21nTiHp+5zJm7d2iKVBk051MbS63EnC5jnUm0D6a5QJiQR8Ai2 +tuB17ppJED42WQtI7o8exytiya4Y4BvDOeGlVbVZSGgbk2vjlTzg+caDcAkVSzWD +YMs02A14NrbFODXEyAyJ7rsOTycvQorNHm6zUBvRAgMBAAGjgYswgYgwHwYDVR0j +BBgwFoAU0L/Nm9/xkf2Ch1oQz5Cvi7zyxcwwHQYDVR0OBBYEFFqHCCH73JMQbZoL +fMdqsWhL31XXMA4GA1UdDwEB/wQEAwIBBjAlBgNVHSAEHjAcMAwGCmCGSAFlAwIB +MAEwDAYKYIZIAWUDAgEwAjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUA 
+A4GBAD9AiTI21pU5RaP49a5YdThygUEjL+Hvvoq4cbbg7dN3qbjYJBXUruTWyY+c +pSqrS3q3rUlt99O+9JFqZSX8LCVRMg0yWSlwymdeY8a5EBS099ZFB+r9v4tIndk0 +r1uaX/PyEiMNd+eT8GdxBwl+Jo+AHTvuHx0G9iRwLbS5Es0u +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Different Policies EE Certificate Test9 +issuer=/C=US/O=Test Certificates/CN=Policies P123 subsubsubCAP12P2P1 +-----BEGIN CERTIFICATE----- +MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKTAnBgNVBAMTIFBvbGljaWVzIFAx +MjMgc3Vic3Vic3ViQ0FQMTJQMlAxMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0 +NTcyMFowWzELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVz +MTAwLgYDVQQDEydEaWZmZXJlbnQgUG9saWNpZXMgRUUgQ2VydGlmaWNhdGUgVGVz +dDkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKiBlSODZy8jLC4WxxNVbFCA +SbxY2A4DLV2OXhCjWmUmHQvZhiXk2p/wQCX/9VMcX7XRH9a3JLM9l6ZSEIGVT6lO +R55lGOjNfpF8x+pGe/t0yPB/6ntPn5e9ZSNhDJDoYkJHfdplTFu2AZLbaVPlysXL +AoO69sbnDPVxAjxFX2zLAgMBAAGjazBpMB8GA1UdIwQYMBaAFNMqu/C1V0GVUt3P +qLuSnOARbnO8MB0GA1UdDgQWBBQg7JO9uU0ScBZcuzznmEWH36QRTzAOBgNVHQ8B +Af8EBAMCBPAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA0GCSqGSIb3DQEBBQUA +A4GBAEeaZ7Bsae+J0lNKAzqJhR4MHfT/5SBBazWGVSwIbpWl02esU9RtrStOTA8d +zcMp2eLg3KDI+XRsYkxFb+fmJDckIYhGk2g3B9kW1a24k8DetYIqOXtFvleJ55dG +iROwoCaH8/bW75CMK0alSXqJCAnTq+Pbg5i0nPX0ShJlSjAf +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Policies P123 subsubsubCAP12P2P1 +issuer=/C=US/O=Test Certificates/CN=Policies P123 subsubCAP12P2 +-----BEGIN CERTIFICATE----- +MIIClTCCAf6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG1BvbGljaWVzIFAx +MjMgc3Vic3ViQ0FQMTJQMjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBa +MFQxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEpMCcG +A1UEAxMgUG9saWNpZXMgUDEyMyBzdWJzdWJzdWJDQVAxMlAyUDEwgZ8wDQYJKoZI +hvcNAQEBBQADgY0AMIGJAoGBAMa9AAnNzFuqJqv1OdC4F1PtY4Lqcc+JJQBnnaIi +roTN/plb6fUL5m/SFbfSZnf/qQbYUkosko2p0cdF5VrblaCvx7vB6l12at9Zskn4 
+wKneBrfSJUVDEgSyWm7mY6t1Fla7OSfywUObt1NWEzq3pyWoSKTIQxpMJ3jnYERr +/wJ9AgMBAAGjfDB6MB8GA1UdIwQYMBaAFIvsOfOjrm45cGR/aCtNVJAsjgXAMB0G +A1UdDgQWBBTTKrvwtVdBlVLdz6i7kpzgEW5zvDAOBgNVHQ8BAf8EBAMCAQYwFwYD +VR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcN +AQEFBQADgYEAgk/D/ABBm/yIi8Qk1ISreDz7OgEaqXoqyrQY9uq3nf/Xzlmrktxe +C7bEDiYGugly0cHFHGProTJppes2ECdcVmrpXoIHSlbP3WucAOsWcyIW9tfH+Xsk +HAts3bXwDmfI5WEndwM+p6kMKwRsMT8/q8XJ3ZCNgsu34eoKRWhBzlQ= +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Policies P123 CA +issuer=/C=US/O=Test Certificates/CN=Trust Anchor +-----BEGIN CERTIFICATE----- +MIICojCCAgugAwIBAgIBJDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv +cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEQxCzAJBgNVBAYTAlVT +MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEZMBcGA1UEAxMQUG9saWNpZXMg +UDEyMyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuGtVArq1otVEuN/s +xR5XSOEfVzIms1FiprO4UReYXUDbKzmCYC6YypbEnOP2JpLQOPwAfVqLL8FV7xiS +o+HmK25R0aK9nQGFUPX0U9o4b5NRcWFAoYBAF2GOFBNqGF6d9wBFPlijGMT8nWr5 +ahnujYSC1Emy88N4hkp1fj4o7yMCAwEAAaOBpzCBpDAfBgNVHSMEGDAWgBT7bNQt +gZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQU0L/Nm9/xkf2Ch1oQz5Cvi7zyxcww +DgYDVR0PAQH/BAQDAgEGMDMGA1UdIAQsMCowDAYKYIZIAWUDAgEwATAMBgpghkgB +ZQMCATACMAwGCmCGSAFlAwIBMAMwDwYDVR0TAQH/BAUwAwEB/zAMBgNVHSQEBTAD +gAEAMA0GCSqGSIb3DQEBBQUAA4GBAHcVVBwhebD5vRKleXMh71kleQIL8QOQFpHM +jVYS/KJiBsVUTebOeONSU0cuPmzomEkpLyYPz8cDroidExtxGEpkKgYBGi1c5ext +cDUGFsTWENTFFWjZ7xA56XUtGd8alXJfY0v6QSHqoYFosJvoqU2bjX6jqQVK5HbY +kko1SxlW +-----END CERTIFICATE----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Policies P123 CA + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:D0:BF:CD:9B:DF:F1:91:FD:82:87:5A:10:CF:90:AF:8B:BC:F2:C5:CC + + X509v3 CRL Number: + 1 +No Revoked Certificates. 
+ Signature Algorithm: sha1WithRSAEncryption + 81:c2:63:b3:65:bd:c4:2d:98:7c:e0:85:dd:5f:07:d7:b4:1b: + 7a:64:a7:7f:60:3d:62:3a:70:af:d5:97:23:23:9a:48:e3:b7: + 8b:c0:3d:43:c1:66:e8:24:db:ed:a9:ab:0a:70:51:d8:7d:65: + 92:ea:e9:6f:cb:96:8e:3b:cf:94:e9:9c:d2:27:54:29:8c:81: + 84:1d:a6:22:65:85:46:70:07:da:1d:e9:79:9f:e7:3c:4e:96: + 1b:11:d9:08:ec:f7:95:15:c9:db:8d:a7:17:16:3e:76:bb:41: + 98:15:94:b3:1a:19:6f:1e:dc:10:24:c8:ae:bc:38:93:c5:04: + ef:9d +-----BEGIN X509 CRL----- +MIIBPTCBpwIBATANBgkqhkiG9w0BAQUFADBEMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxGTAXBgNVBAMTEFBvbGljaWVzIFAxMjMgQ0EX +DTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQYMBaAFNC/ +zZvf8ZH9godaEM+Qr4u88sXMMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUAA4GB +AIHCY7NlvcQtmHzghd1fB9e0G3pkp39gPWI6cK/VlyMjmkjjt4vAPUPBZugk2+2p +qwpwUdh9ZZLq6W/Llo47z5TpnNInVCmMgYQdpiJlhUZwB9od6Xmf5zxOlhsR2Qjs +95UVyduNpxcWPna7QZgVlLMaGW8e3BAkyK68OJPFBO+d +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Policies P123 subCAP12 + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:5A:87:08:21:FB:DC:93:10:6D:9A:0B:7C:C7:6A:B1:68:4B:DF:55:D7 + + X509v3 CRL Number: + 1 +No Revoked Certificates. 
+ Signature Algorithm: sha1WithRSAEncryption + 67:b8:b5:f3:01:89:95:0b:52:9b:23:ed:15:82:33:84:16:99: + d5:19:f9:2a:ba:7a:1a:fd:61:2e:32:9b:bf:50:d0:02:cc:b8: + 5e:0c:f9:8f:7d:6b:d7:ce:29:7d:cd:9a:0d:01:4a:c9:ef:38: + 13:2e:a6:46:a5:13:4a:ba:01:58:71:13:21:6a:52:1a:e5:2f: + c8:58:ba:dd:bb:b5:18:3e:a0:5b:94:3a:96:d0:47:05:fa:a4: + 84:37:c0:e4:5a:42:31:19:c3:86:cc:42:90:32:85:aa:e4:70: + 23:e2:cf:eb:fe:f3:fe:e0:83:17:bc:c4:15:07:0f:b8:c0:d9: + 57:d2 +-----BEGIN X509 CRL----- +MIIBQzCBrQIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFlBvbGljaWVzIFAxMjMgc3Vi +Q0FQMTIXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1UdIwQY +MBaAFFqHCCH73JMQbZoLfMdqsWhL31XXMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEB +BQUAA4GBAGe4tfMBiZULUpsj7RWCM4QWmdUZ+Sq6ehr9YS4ym79Q0ALMuF4M+Y99 +a9fOKX3Nmg0BSsnvOBMupkalE0q6AVhxEyFqUhrlL8hYut27tRg+oFuUOpbQRwX6 +pIQ3wORaQjEZw4bMQpAyharkcCPiz+v+8/7ggxe8xBUHD7jA2VfS +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Policies P123 subsubCAP12P2 + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:8B:EC:39:F3:A3:AE:6E:39:70:64:7F:68:2B:4D:54:90:2C:8E:05:C0 + + X509v3 CRL Number: + 1 +No Revoked Certificates. 
+ Signature Algorithm: sha1WithRSAEncryption + 9a:7c:38:8c:95:0d:e2:8e:c6:fb:4c:43:f5:4f:c6:0f:4b:ec: + 2e:bb:a1:8b:67:77:3f:7f:55:8a:02:ed:2a:f0:4e:0a:7c:e8: + d8:c1:26:37:47:28:ba:e5:47:de:79:74:30:b4:a1:66:8f:bd: + 8e:7d:9a:4f:37:52:71:ad:c6:50:b1:fb:ce:eb:0b:f0:58:54: + a8:22:51:9f:d5:d3:92:06:20:35:f6:e2:4b:8e:7f:a8:12:f8: + 38:a3:51:fb:cd:92:4b:2d:40:2f:f9:b9:ff:25:4d:f0:7d:9d: + 20:00:e3:eb:94:24:fe:05:ed:e2:b3:7e:fc:fb:1b:c1:4e:cf: + 9d:30 +-----BEGIN X509 CRL----- +MIIBSDCBsgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxJDAiBgNVBAMTG1BvbGljaWVzIFAxMjMgc3Vi +c3ViQ0FQMTJQMhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWqAvMC0wHwYD +VR0jBBgwFoAUi+w586OubjlwZH9oK01UkCyOBcAwCgYDVR0UBAMCAQEwDQYJKoZI +hvcNAQEFBQADgYEAmnw4jJUN4o7G+0xD9U/GD0vsLruhi2d3P39VigLtKvBOCnzo +2MEmN0couuVH3nl0MLShZo+9jn2aTzdSca3GULH7zusL8FhUqCJRn9XTkgYgNfbi +S45/qBL4OKNR+82SSy1AL/m5/yVN8H2dIADj65Qk/gXt4rN+/PsbwU7PnTA= +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Policies P123 subsubsubCAP12P2P1 + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:D3:2A:BB:F0:B5:57:41:95:52:DD:CF:A8:BB:92:9C:E0:11:6E:73:BC + + X509v3 CRL Number: + 1 +No Revoked Certificates. 
+ Signature Algorithm: sha1WithRSAEncryption + 37:cf:8e:70:a0:12:c6:cf:ee:13:28:cd:1d:e3:f8:8c:6b:09: + fd:d7:31:1a:c3:2c:77:f5:13:3e:ff:6e:b7:23:0d:4d:33:3f: + a1:f4:37:4d:c2:84:0f:6d:2a:25:df:40:f8:25:96:40:7a:fb: + 59:29:4e:99:c8:8d:63:7b:23:b6:c8:eb:72:70:8e:f3:ca:5a: + 2a:36:bb:c6:9a:80:45:63:49:c9:9f:68:32:90:84:e4:a6:ca: + 22:52:d9:99:16:fa:34:93:38:ec:ba:f9:81:0d:26:b9:5b:03: + 3b:0a:ce:85:43:8e:bd:47:ca:de:50:4b:42:e8:97:91:74:12: + ac:5a +-----BEGIN X509 CRL----- +MIIBTTCBtwIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxKTAnBgNVBAMTIFBvbGljaWVzIFAxMjMgc3Vi +c3Vic3ViQ0FQMTJQMlAxFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8w +LTAfBgNVHSMEGDAWgBTTKrvwtVdBlVLdz6i7kpzgEW5zvDAKBgNVHRQEAwIBATAN +BgkqhkiG9w0BAQUFAAOBgQA3z45woBLGz+4TKM0d4/iMawn91zEawyx39RM+/263 +Iw1NMz+h9DdNwoQPbSol30D4JZZAevtZKU6ZyI1jeyO2yOtycI7zyloqNrvGmoBF +Y0nJn2gykITkpsoiUtmZFvo0kzjsuvmBDSa5WwM7Cs6FQ469R8reUEtC6JeRdBKs +Wg== +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Trust Anchor + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 68 + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b: + 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31: + 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53: + 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31: + dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7: + bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf: + 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9: + 14:39 +-----BEGIN X509 CRL----- 
+MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw +NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow +DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/ +SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t +JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4 +cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr +8tP+qCAxwTN2txwZZU25FDk= +-----END X509 CRL----- + diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBadCRLIssuerNameTest5.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBadCRLIssuerNameTest5.pem new file mode 100644 index 0000000000..f8cfbfdebc --- /dev/null +++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBadCRLIssuerNameTest5.pem 
@@ -0,0 +1,108 @@ +subject=/C=US/O=Test Certificates/CN=Bad CRL Issuer Name CA +issuer=/C=US/O=Test Certificates/CN=Trust Anchor +-----BEGIN CERTIFICATE----- +MIICfDCCAeWgAwIBAgIBCTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv +cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEoxCzAJBgNVBAYTAlVT +MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEfMB0GA1UEAxMWQmFkIENSTCBJ +c3N1ZXIgTmFtZSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA8VTZxnGg +pV60/E3F2RBR9N0VgI/w8ZdVENnRoqcpmY276I2t0UaRM95qNori4u/6Rb6RI6Jy +BL5dPaJuS4hoVphnqLjMMF+huDF61ov49vcOtMo9Qw7NJYgeoINC4KcUrxvn5O33 +IjvyvGkMbrzczslZh1IaGrquWlS9DQDv3jECAwEAAaN8MHowHwYDVR0jBBgwFoAU ++2zULYGeyid6ng2wPOqavIf/SeowHQYDVR0OBBYEFMg02+C1YxZR0VCkMtLFWfhD +jOBnMA4GA1UdDwEB/wQEAwIBBjAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDwYD +VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCYg+l+IX369jmWSOMWB2Gw +tuancmzEylYvy1g4di3sVNNOTRaST6hG6M0QkyVJDpr5wYwDCAu1me4CkJlaRHT9 +RZB8rW2LK9ydBJG5peFQa8QPQv9phrb4Hc7/2xjr0Eq6sUAQOBsCL09IY5pi2jxH +o4m0vETRDlhl/Lqsc3dLTQ== +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Invalid Bad CRL Issuer Name EE Certificate Test5 +issuer=/C=US/O=Test Certificates/CN=Bad CRL Issuer Name CA +-----BEGIN CERTIFICATE----- +MIICjzCCAfigAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHzAdBgNVBAMTFkJhZCBDUkwgSXNz +dWVyIE5hbWUgQ0EwHhcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjBkMQsw +CQYDVQQGEwJVUzEaMBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxOTA3BgNVBAMT +MEludmFsaWQgQmFkIENSTCBJc3N1ZXIgTmFtZSBFRSBDZXJ0aWZpY2F0ZSBUZXN0 +NTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmWwjDb3FCLH56CnXApSXwVHB +KUEdYLsDL5afA0uwYq3CutM9nFTfpI4wfWoh8z8rbcyzMhNU/b90XnkcJeUlLe4R +GVC87g/Oh67ONY431E5nS0t2mU3gA5A+QJwCJ5GgkoRJy4aZS7IhIVayya97aITa +eeInMge1hpOIbhG4RWMCAwEAAaNrMGkwHwYDVR0jBBgwFoAUyDTb4LVjFlHRUKQy +0sVZ+EOM4GcwHQYDVR0OBBYEFLIo4xfziwpQ8zkzEpaYHC7RAmffMA4GA1UdDwEB +/wQEAwIE8DAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwDQYJKoZIhvcNAQEFBQAD 
+gYEAYRbr0XdXa3sve8krgu8sJ/Dj90/LJexPg4kRViyO7965tP3sBCNUAIO1Q8QW +n27WeL4IjVXDSrspE/72yM2b8MNWJ4phd+PJMkQb+ioBbC8qPrNvnesSKPbqNcDR +qLz/G2oPMHBWA5zuzG1O2ecxU1MLUV3tY4QxY1oNRuMunPo= +-----END CERTIFICATE----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Incorrect CRL Issuer Name + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:C8:34:DB:E0:B5:63:16:51:D1:50:A4:32:D2:C5:59:F8:43:8C:E0:67 + + X509v3 CRL Number: + 1 +No Revoked Certificates. + Signature Algorithm: sha1WithRSAEncryption + 2a:95:96:bc:9d:a1:bc:e9:8b:10:db:0c:3a:19:c0:f6:b3:bc: + a0:15:ef:97:6c:c5:83:6b:e6:ee:c3:8b:fa:54:c7:86:7b:ba: + e8:73:c0:9d:d6:e5:1a:90:74:4c:8c:71:bf:ce:81:e7:36:df: + 95:4a:d8:6a:71:e6:16:6a:20:ab:9b:7b:de:eb:c6:ec:2e:83: + e9:0d:61:4f:62:df:3b:5f:02:28:98:01:04:5b:d7:19:18:1a: + f9:18:63:83:62:2f:de:0b:9f:a8:5a:d4:8b:91:5b:94:cf:bf: + 44:d8:18:71:89:fd:99:14:c9:92:7a:a0:6b:ed:15:13:5d:37: + 91:fd +-----BEGIN X509 CRL----- +MIIBRjCBsAIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxIjAgBgNVBAMTGUluY29ycmVjdCBDUkwgSXNz +dWVyIE5hbWUXDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFqgLzAtMB8GA1Ud +IwQYMBaAFMg02+C1YxZR0VCkMtLFWfhDjOBnMAoGA1UdFAQDAgEBMA0GCSqGSIb3 +DQEBBQUAA4GBACqVlrydobzpixDbDDoZwPazvKAV75dsxYNr5u7Di/pUx4Z7uuhz +wJ3W5RqQdEyMcb/Ogec235VK2Gpx5hZqIKube97rxuwug+kNYU9i3ztfAiiYAQRb +1xkYGvkYY4NiL94Ln6ha1IuRW5TPv0TYGHGJ/ZkUyZJ6oGvtFRNdN5H9 +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Trust Anchor + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial 
Number: 68 + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b: + 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31: + 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53: + 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31: + dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7: + bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf: + 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9: + 14:39 +-----BEGIN X509 CRL----- +MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw +NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow +DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/ +SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t +JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4 +cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr +8tP+qCAxwTN2txwZZU25FDk= +-----END X509 CRL----- + diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBadCRLSignatureTest4.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBadCRLSignatureTest4.pem new file mode 100644 index 0000000000..6fd7c1dc31 --- /dev/null +++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBadCRLSignatureTest4.pem 
@@ -0,0 +1,108 @@ +subject=/C=US/O=Test Certificates/CN=Bad CRL Signature CA +issuer=/C=US/O=Test Certificates/CN=Trust Anchor +-----BEGIN CERTIFICATE----- +MIICejCCAeOgAwIBAgIBCDANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv +cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMEgxCzAJBgNVBAYTAlVT +MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEdMBsGA1UEAxMUQmFkIENSTCBT +aWduYXR1cmUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJdogWv9CPXo +9rQEcxwXXws6b/WT7R/AspFsq4aVO/l7puHNxGIQybx5jK5W55wqPtHa5PPGSpJA +YkcuKVXL1ZqZh8A+VenvazNg0XoldwJZalTN0AwR3FprLL3cXYIwu8FFFERp8l/S +YgHz8wHRlA37Ph4a7cU78oLWK0wziElzAgMBAAGjfDB6MB8GA1UdIwQYMBaAFPts +1C2Bnsonep4NsDzqmryH/0nqMB0GA1UdDgQWBBT7CxX9unvmOEiZWhVgVVCXqjZs +QzAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMA8GA1Ud +EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAmZ8+7Hn2elBnvNREi2gDIa3P +POFc8RHEq6ajCkhgeJoQRygSFdfenhTKGtfvet/3j6hBZRHEVI2e8x5yiyBN/ZKV +SAdRCjXTg99nJJtkkqDhifkO5uUaxfcgj2LFt9DI7/b/jZzlNSD8BXqcifbjAf1s +IIlWmY0HVZgwucYLmC8= +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Invalid Bad CRL Signature EE Certificate Test4 +issuer=/C=US/O=Test Certificates/CN=Bad CRL Signature CA +-----BEGIN CERTIFICATE----- +MIICizCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFEJhZCBDUkwgU2ln +bmF0dXJlIENBMB4XDTAxMDQxOTE0NTcyMFoXDTExMDQxOTE0NTcyMFowYjELMAkG +A1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNhdGVzMTcwNQYDVQQDEy5J +bnZhbGlkIEJhZCBDUkwgU2lnbmF0dXJlIEVFIENlcnRpZmljYXRlIFRlc3Q0MIGf +MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCQDbS7uYXT/RjXcp9qBIMFgzo5WJJA +3/1rXCiA/BzowTDl87A4iGOmZ+LEkwpLarYI8mFzGmQAVIlJCn3KlTO4AuTWaMth +VZPgVZ5gVxVHQbqdb2VZXHVJGYB/yn+PJrghL5uy+kv9qzocq/jUrEHcnvBTQ+iI +8mutd/z8C/Qy9QIDAQABo2swaTAfBgNVHSMEGDAWgBT7CxX9unvmOEiZWhVgVVCX +qjZsQzAdBgNVHQ4EFgQUK1L621YMk2XrXnaVZG9PC/61mSYwDgYDVR0PAQH/BAQD +AgTwMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATANBgkqhkiG9w0BAQUFAAOBgQA5 
+Kis0tSW5S+c/zwTmKqh6DTRRISk2nn+KeQSUJdi6YXcuX3YIX/P4SxWNQ46dwKDl +lNNDVR3u7fiwwYf9BxICorMqY2FhrdFOoGclO1mCpRuBMhmER7hWivrftdi7ekeE +2aEHKWWnWwzU/qs6Z/6FK9waN4GviF8X+sqt/EHo+A== +-----END CERTIFICATE----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Bad CRL Signature CA + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:FB:0B:15:FD:BA:7B:E6:38:48:99:5A:15:60:55:50:97:AA:36:6C:43 + + X509v3 CRL Number: + 1 +No Revoked Certificates. + Signature Algorithm: sha1WithRSAEncryption + 68:7d:ef:9b:2c:27:82:c2:3c:2f:16:6a:09:27:73:ac:90:da: + 2e:66:07:a0:f4:c2:4e:4c:3a:52:02:f7:23:dc:52:f5:3e:2e: + 94:29:22:b8:f4:f1:c7:44:85:5e:84:8a:6e:37:5c:84:16:5e: + 70:b5:f5:13:81:8e:89:09:b6:48:0e:51:9c:15:94:21:f1:21: + e6:38:14:50:a4:c3:85:4c:84:e9:eb:f6:b7:6a:a4:cc:12:02: + a5:0f:42:af:9a:1c:d9:c0:4c:98:c3:1c:12:2e:f7:84:d8:fa: + 24:4b:68:3c:20:c6:7c:60:78:d6:46:37:68:28:4f:81:c1:b7: + 32:30 +-----BEGIN X509 CRL----- +MIIBQTCBqwIBATANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxHTAbBgNVBAMTFEJhZCBDUkwgU2lnbmF0dXJl +IENBFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaoC8wLTAfBgNVHSMEGDAW +gBT7CxX9unvmOEiZWhVgVVCXqjZsQzAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQUF +AAOBgQBofe+bLCeCwjwvFmoJJ3OskNouZgeg9MJOTDpSAvcj3FL1Pi6UKSK49PHH +RIVehIpuN1yEFl5wtfUTgY6JCbZIDlGcFZQh8SHmOBRQpMOFTITp6/a3aqTMEgKl +D0KvmhzZwEyYwxwSLveE2PokS2g8IMZ8YHjWRjdoKE+BwbcyMA== +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Trust Anchor + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 68 + 
Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b: + 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31: + 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53: + 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31: + dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7: + bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf: + 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9: + 14:39 +-----BEGIN X509 CRL----- +MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw +NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow +DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/ +SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t +JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4 +cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr +8tP+qCAxwTN2txwZZU25FDk= +-----END X509 CRL----- + diff --git a/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedCRLSigningKeyTest7.pem b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedCRLSigningKeyTest7.pem new file mode 100644 index 0000000000..a70e68731c --- /dev/null +++ b/lib/public_key/test/pkits_SUITE_data/pkits/smime-pem/InvalidBasicSelfIssuedCRLSigningKeyTest7.pem 
@@ -0,0 +1,175 @@ +subject=/C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA +issuer=/C=US/O=Test Certificates/CN=Trust Anchor +-----BEGIN CERTIFICATE----- +MIICijCCAfOgAwIBAgIBFTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hv +cjAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0MTkxNDU3MjBaMFgxCzAJBgNVBAYTAlVT +MRowGAYDVQQKExFUZXN0IENlcnRpZmljYXRlczEtMCsGA1UEAxMkQmFzaWMgU2Vs +Zi1Jc3N1ZWQgQ1JMIFNpZ25pbmcgS2V5IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GN +ADCBiQKBgQCfjlwgIWm+Taynv+38GP1Yf2hDPMT5pcsPYlRaeFeg7Tsr/GhTZQKB +qfO7h8J6JjoKD1m1BTcrdiHbRBnn183kxyhljulJLu87gOUt6LlTGTBFeaUhNNxv +wpzF5uQ7xQcChTE7GF4kxt/oyehJFi9TGtnjdjlSi3LXG/xfQn81GwIDAQABo3ww +ejAfBgNVHSMEGDAWgBT7bNQtgZ7KJ3qeDbA86pq8h/9J6jAdBgNVHQ4EFgQUScn8 +twM8Z20KAJOp5NalHpIftREwDgYDVR0PAQH/BAQDAgEGMBcGA1UdIAQQMA4wDAYK +YIZIAWUDAgEwATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABV8 +zJCN9czUhadFLy10H1usL1xGEcB8SRR3Row0a+Zmj8T9Se71hTgW7LfXQj3bCDJV +3AyAd+WA4N0y0+eSRWRGNAcMrOeqNp1/Ki6iGNYceZ41Goudsc34StO7symFfatg +hTr8/7eU6NXu2o9cDREBOJujBK/Uy52E4rx/Faxk +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Invalid Basic Self-Issued CRL Signing Key EE Certificate Test7 +issuer=/C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA +-----BEGIN CERTIFICATE----- +MIICqzCCAhSgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLTArBgNVBAMTJEJhc2ljIFNlbGYt +SXNzdWVkIENSTCBTaWduaW5nIEtleSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0 +MTkxNDU3MjBaMHIxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmlj +YXRlczFHMEUGA1UEAxM+SW52YWxpZCBCYXNpYyBTZWxmLUlzc3VlZCBDUkwgU2ln +bmluZyBLZXkgRUUgQ2VydGlmaWNhdGUgVGVzdDcwgZ8wDQYJKoZIhvcNAQEBBQAD +gY0AMIGJAoGBANehtRiWYBhPipRRR0tIxuV4U49+DofUBRVQP5JDT79DtTbKaVOR +HWgSi30ZrKSm3WkblfZoncF9ZMN/ocoqxeUNXwBqp8/wJYbE6js5YwBGTsfi3UfP +s14vC1mU4ssE+ogwozLkXRcJGuFtJwNTZcEf43OkjdjLWiIH5DVhj9ZXAgMBAAGj +azBpMB8GA1UdIwQYMBaAFEnJ/LcDPGdtCgCTqeTWpR6SH7URMB0GA1UdDgQWBBTa 
+6ZIK1lgoOotgyyB2SLZbDxCDHDAOBgNVHQ8BAf8EBAMCBPAwFwYDVR0gBBAwDjAM +BgpghkgBZQMCATABMA0GCSqGSIb3DQEBBQUAA4GBAA/4ne7fgjMJuty5+P1V3QiH +TxmpO+boz9+NO3Wc2Nj23sToATQqIcc6W1G3yKbN7uQEXtHgtPcIz5diAIJ8JNQl +INBUxGlFASTWHNfnNJDgN7lwn4VjSAE7HzEKIJ3+HVTXI6+mdiCl/IYL9q02KSGi +djAHT73bFgK6ydVH8Cal +-----END CERTIFICATE----- + +subject=/C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA +issuer=/C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA +-----BEGIN CERTIFICATE----- +MIIDGTCCAoKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJVUzEa +MBgGA1UEChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLTArBgNVBAMTJEJhc2ljIFNlbGYt +SXNzdWVkIENSTCBTaWduaW5nIEtleSBDQTAeFw0wMTA0MTkxNDU3MjBaFw0xMTA0 +MTkxNDU3MjBaMFgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFUZXN0IENlcnRpZmlj +YXRlczEtMCsGA1UEAxMkQmFzaWMgU2VsZi1Jc3N1ZWQgQ1JMIFNpZ25pbmcgS2V5 +IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCXGyrLR0BviK/81C9C/igI +9zh+808dGICz2wS1Oh2CWCeYia4J/65Y7XBDRBW1TJbQLdrxt2289Lc/gc9+PW9j +gwVpGRuYkFf+AwbMgLa1Ro5zqoIbD7WjTu7vgGdDvJmrSVLfSXavpeUBzp37Dsw6 +KzSHcBjPwGes7q3pjfhOMwIDAQABo4HyMIHvMB8GA1UdIwQYMBaAFEnJ/LcDPGdt +CgCTqeTWpR6SH7URMB0GA1UdDgQWBBQPcsozQ6nEEVGrY9pEhw9hpPS+RzAOBgNV +HQ8BAf8EBAMCAQIwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMIGDBgNVHR8EfDB6 +MHigdqB0pHIwcDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVRlc3QgQ2VydGlmaWNh +dGVzMUUwQwYDVQQDEzxTZWxmLUlzc3VlZCBDZXJ0IERQIGZvciBCYXNpYyBTZWxm +LUlzc3VlZCBDUkwgU2lnbmluZyBLZXkgQ0EwDQYJKoZIhvcNAQEFBQADgYEAjoyS +h7zhrGkL40stundacKPqIEZ3HyWW0NQhD0wBhWslGAOvlCaf44kuTKggRY6r96sy +4kWEjvfGu/r/dBgrFaCCGNv0ui5FfXu8WeZ4jvHg7wZbx5ATx5Jpumqbm0PcEYCr +YnA6WBCstG0lohNV2ohM/wqRFmBB0WL1K+9IdfQ= +-----END CERTIFICATE----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Trust Anchor + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA + + X509v3 CRL Number: + 1 
+Revoked Certificates: + Serial Number: 68 + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 92:12:c4:34:b4:92:ab:ba:71:6b:74:31:16:ce:ed:25:d6:4b: + 1e:fa:f8:20:1e:9d:d7:7f:30:ed:15:f7:8b:5d:64:9b:dd:31: + 40:e4:55:0f:0c:5f:82:69:63:00:76:a5:cf:9e:c4:5f:f2:53: + 9b:9b:7d:f5:69:1d:74:57:38:70:e5:fb:5b:76:58:c9:ec:31: + dc:94:1b:02:ee:9d:33:9c:38:4b:29:1d:e1:0c:29:8b:6e:c7: + bf:a0:e8:40:34:83:cf:ff:9f:cd:b5:f7:d9:4d:a7:9f:2e:bf: + 44:98:6b:f2:d3:fe:a8:20:31:c1:33:76:b7:1c:19:65:4d:b9: + 14:39 +-----BEGIN X509 CRL----- +MIIBXTCBxwIBATANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNMDEw +NDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIwWjAiMCACAWgXDTAxMDQxOTE0NTcyMFow +DDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0jBBgwFoAU+2zULYGeyid6ng2wPOqavIf/ +SeowCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAkhLENLSSq7pxa3QxFs7t +JdZLHvr4IB6d138w7RX3i11km90xQORVDwxfgmljAHalz57EX/JTm5t99WkddFc4 +cOX7W3ZYyewx3JQbAu6dM5w4Sykd4Qwpi27Hv6DoQDSDz/+fzbX32U2nny6/RJhr +8tP+qCAxwTN2txwZZU25FDk= +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:0F:72:CA:33:43:A9:C4:11:51:AB:63:DA:44:87:0F:61:A4:F4:BE:47 + + X509v3 CRL Number: + 1 +Revoked Certificates: + Serial Number: 03 + Revocation Date: Apr 19 14:57:20 2001 GMT + CRL entry extensions: + X509v3 CRL Reason Code: + Key Compromise + Signature Algorithm: sha1WithRSAEncryption + 5c:cd:8f:a3:3d:9e:64:f7:64:73:9c:2c:39:e2:e7:d7:0e:b8: + 1c:3e:9b:1d:14:dc:98:c2:8e:5a:1f:e5:47:31:fd:7e:a7:d5: + 9f:52:31:c8:10:f7:d0:a2:84:3f:77:c7:f1:ba:7e:24:62:ad: + 05:ae:1c:7b:ff:f0:e2:ce:55:f5:27:d3:cc:24:7f:c8:1d:a6: + 
b8:ce:42:05:e1:06:ec:1f:87:4c:d5:69:8d:78:59:d2:33:94: + 1c:3b:27:68:80:3d:6f:3d:a6:c7:9f:2b:39:9f:d7:c3:83:eb: + 77:bd:cc:7f:96:b3:ad:24:68:99:d1:1a:bf:05:1c:8c:3e:2a: + 02:f8 +-----BEGIN X509 CRL----- +MIIBdTCB3wIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJVUzEaMBgGA1UE +ChMRVGVzdCBDZXJ0aWZpY2F0ZXMxLTArBgNVBAMTJEJhc2ljIFNlbGYtSXNzdWVk +IENSTCBTaWduaW5nIEtleSBDQRcNMDEwNDE5MTQ1NzIwWhcNMTEwNDE5MTQ1NzIw +WjAiMCACAQMXDTAxMDQxOTE0NTcyMFowDDAKBgNVHRUEAwoBAaAvMC0wHwYDVR0j +BBgwFoAUD3LKM0OpxBFRq2PaRIcPYaT0vkcwCgYDVR0UBAMCAQEwDQYJKoZIhvcN +AQEFBQADgYEAXM2Poz2eZPdkc5wsOeLn1w64HD6bHRTcmMKOWh/lRzH9fqfVn1Ix +yBD30KKEP3fH8bp+JGKtBa4ce//w4s5V9SfTzCR/yB2muM5CBeEG7B+HTNVpjXhZ +0jOUHDsnaIA9bz2mx58rOZ/Xw4Prd73Mf5azrSRomdEavwUcjD4qAvg= +-----END X509 CRL----- + +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/O=Test Certificates/CN=Basic Self-Issued CRL Signing Key CA + Last Update: Apr 19 14:57:20 2001 GMT + Next Update: Apr 19 14:57:20 2011 GMT + CRL extensions: + X509v3 Authority Key Identifier: + keyid:49:C9:FC:B7:03:3C:67:6D:0A:00:93:A9:E4:D6:A5:1E:92:1F:B5:11 + + X509v3 CRL Number: + 1 + 2.5.29.28: critical + 0x.v.t.r0p1.0...U....US1.0...U. +..Test Certificates1E0C..U... Config +%% Config - [tuple()] +%% A list of key/value pairs, holding the test case configuration. +%% Description: Initialization before the whole suite +%% +%% Note: This function is free to add any key/value pairs to the Config +%% variable, but should NOT alter/remove any existing entries. +%%-------------------------------------------------------------------- +init_per_suite(Config) -> + crypto:start(), + Config. + +%%-------------------------------------------------------------------- +%% Function: end_per_suite(Config) -> _ +%% Config - [tuple()] +%% A list of key/value pairs, holding the test case configuration. 
+%% Description: Cleanup after the whole suite
+%%--------------------------------------------------------------------
+end_per_suite(_Config) ->
+ crypto:stop().
+
+%%--------------------------------------------------------------------
+%% Function: init_per_testcase(TestCase, Config) -> Config
+%% Case - atom()
+%% Name of the test case that is about to be run.
+%% Config - [tuple()]
+%% A list of key/value pairs, holding the test case configuration.
+%%
+%% Description: Initialization before each test case
+%%
+%% Note: This function is free to add any key/value pairs to the Config
+%% variable, but should NOT alter/remove any existing entries.
+%% Description: Initialization before each test case
+%%--------------------------------------------------------------------
+init_per_testcase(_TestCase, Config0) ->
+ Config = lists:keydelete(watchdog, 1, Config0),
+ Dog = test_server:timetrap(?TIMEOUT),
+ [{watchdog, Dog} | Config].
+
+%%--------------------------------------------------------------------
+%% Function: end_per_testcase(TestCase, Config) -> _
+%% Case - atom()
+%% Name of the test case that is about to be run.
+%% Config - [tuple()]
+%% A list of key/value pairs, holding the test case configuration.
+%% Description: Cleanup after each test case
+%%--------------------------------------------------------------------
+end_per_testcase(_TestCase, Config) ->
+ Dog = ?config(watchdog, Config),
+ case Dog of
+ undefined ->
+ ok;
+ _ ->
+ test_server:timetrap_cancel(Dog)
+ end.
+
+%%--------------------------------------------------------------------
+%% Function: all(Clause) -> TestCases
+%% Clause - atom() - suite | doc
+%% TestCases - [Case]
+%% Case - atom()
+%% Name of a test case.
+%% Description: Returns a list of all test cases in this test suite
+%%--------------------------------------------------------------------
+all(doc) ->
+ ["Test the public_key rsa functionality"];
+
+all(suite) ->
+ [app,
+ pem_to_der,
+ decode_private_key
+%% encrypt_decrypt,
+%% rsa_verify
+%% dsa_verify_sign,
+%% pkix_encode_decode,
+%% pkix_verify_sign,
+%% pkix_path_validation
+ ].
+
+%% Test cases starts here.
+%%--------------------------------------------------------------------
+
+app(doc) ->
+ "Test that the public_key app file is ok";
+app(suite) ->
+ [];
+app(Config) when list(Config) ->
+ ok = test_server:app_test(public_key).
+
+pem_to_der(doc) ->
+ ["Check that supported PEM files are decoded into the expected entry type"];
+pem_to_der(suite) ->
+ [];
+pem_to_der(Config) when is_list(Config) ->
+ Datadir = ?config(data_dir, Config),
+ {ok,[{dsa_private_key, _, not_encrypted}]} =
+ public_key:pem_to_der(filename:join(Datadir, "dsa.pem")),
+ {ok,[{rsa_private_key, _, _}]} =
+ public_key:pem_to_der(filename:join(Datadir, "client_key.pem")),
+ {ok,[{rsa_private_key, _, _}]} =
+ public_key:pem_to_der(filename:join(Datadir, "rsa.pem")),
+ {ok,[{rsa_private_key, _, _}]} =
+ public_key:pem_to_der(filename:join(Datadir, "rsa.pem"), "abcd1234"),
+ {ok, Bin0} = file:read_file(filename:join(Datadir, "rsa.pem")),
+ {ok, [{rsa_private_key, _, _}]} = public_key:pem_to_der(Bin0, "abcd1234"),
+
+ {ok,[{dh_params, _, _}]} =
+ public_key:pem_to_der(filename:join(Datadir, "dh.pem")),
+ {ok,[{cert, _, not_encrypted}]} =
+ public_key:pem_to_der(filename:join(Datadir, "client_cert.pem")),
+ {ok,[{cert_req, _, _}]} =
+ public_key:pem_to_der(filename:join(Datadir, "req.pem")),
+ {ok,[{cert, _, _}, {cert, _, _}]} =
+ public_key:pem_to_der(filename:join(Datadir, "cacerts.pem")),
+
+ {ok, Bin1} = file:read_file(filename:join(Datadir, "cacerts.pem")),
+ {ok, [{cert, _, _}, {cert, _, _}]} = public_key:pem_to_der(Bin1),
+
+ ok.
+%%--------------------------------------------------------------------
+decode_private_key(doc) ->
+ ["Check that private keys are decode to the expected key type."];
+decode_private_key(suite) ->
+ [];
+decode_private_key(Config) when is_list(Config) ->
+ Datadir = ?config(data_dir, Config),
+ {ok,[DsaKey = {dsa_private_key, _DsaKey, _}]} =
+ public_key:pem_to_der(filename:join(Datadir, "dsa.pem")),
+ {ok,[RsaKey = {rsa_private_key, _RsaKey,_}]} =
+ public_key:pem_to_der(filename:join(Datadir, "client_key.pem")),
+ {ok,[ProtectedRsaKey1 = {rsa_private_key, _ProtectedRsaKey1,_}]} =
+ public_key:pem_to_der(filename:join(Datadir, "rsa.pem"), "abcd1234"),
+ {ok,[ProtectedRsaKey2 = {rsa_private_key, _ProtectedRsaKey2,_}]} =
+ public_key:pem_to_der(filename:join(Datadir, "rsa.pem")),
+
+ {ok, #'DSAPrivateKey'{}} = public_key:decode_private_key(DsaKey),
+ {ok, #'RSAPrivateKey'{}} = public_key:decode_private_key(RsaKey),
+ {ok, #'RSAPrivateKey'{}} = public_key:decode_private_key(ProtectedRsaKey1),
+ {ok, #'RSAPrivateKey'{}} = public_key:decode_private_key(ProtectedRsaKey2, "abcd1234"),
+ ok.
+%%--------------------------------------------------------------------
+encrypt_decrypt(doc) ->
+ [""];
+encrypt_decrypt(suite) ->
+ [];
+encrypt_decrypt(Config) when is_list(Config) ->
+ RSAPrivateKey = #'RSAPrivateKey'{publicExponent = 17,
+ modulus = 3233,
+ privateExponent = 2753,
+ prime1 = 61,
+ prime2 = 53,
+ version = 'two-prime'},
+ Msg = <<0,123>>,
+ {ok, Encrypted} = public_key:encrypt(Msg, RSAPrivateKey, [{block_type, 2}]),
+ test_server:format("Expected 855, Encrypted ~p ~n", [Encrypted]),
+ ok.
+
+
+
+
+
+
+
+
+
+%% Datadir = ?config(data_dir, Config),
+%% {ok,[{rsa_private_key, EncKey}]} =
+%% public_key:pem_to_der(filename:join(Datadir, "server_key.pem")),
+%% {ok, Key} = public_key:decode_private_key(EncKey, rsa),
+%% RSAPublicKey = #'RSAPublicKey'{publicExponent =
+%% Key#'RSAPrivateKey'.publicExponent,
+%% modulus = Key#'RSAPrivateKey'.modulus},
+%% {ok, Msg} = file:read_file(filename:join(Datadir, "msg.txt")),
+%% Hash = crypto:sha(Msg),
+%% {ok, Encrypted} = public_key:encrypt(Hash, Key, [{block_type, 2}]),
+%% test_server:format("Encrypted ~p", [Encrypted]),
+%% {ok, Decrypted} = public_key:decrypt(Encrypted,
+%% RSAPublicKey, [{block_type, 1}]),
+%% test_server:format("Encrypted ~p", [Decrypted]),
+%% true = Encrypted == Decrypted.
+
+%%--------------------------------------------------------------------
+rsa_verify(doc) ->
+ ["Cheks that we can verify an rsa signature."];
+rsa_verify(suite) ->
+ [];
+rsa_verify(Config) when is_list(Config) ->
+ Datadir = ?config(data_dir, Config),
+
+ {ok,[{cert, DerCert}]} =
+ public_key:pem_to_der(filename:join(Datadir, "server_cert.pem")),
+
+ {ok, OTPCert} = public_key:pkix_decode_cert(DerCert, otp),
+
+ {0, Signature} = OTPCert#'Certificate'.signature,
+ TBSCert = OTPCert#'Certificate'.tbsCertificate,
+
+ #'TBSCertificate'{subjectPublicKeyInfo = Info} = TBSCert,
+
+ #'SubjectPublicKeyInfo'{subjectPublicKey = RSAPublicKey} = Info,
+
+ EncTBSCert = encoded_tbs_cert(DerCert),
+ Digest = crypto:sha(EncTBSCert),
+
+ public_key:verify_signature(Digest, Signature, RSAPublicKey).
+
+
+%% Signature is generated in the following way (in datadir):
+%% openssl dgst -sha1 -binary -out rsa_signature -sign server_key.pem msg.txt
+%%{ok, Signature} = file:read_file(filename:join(Datadir, "rsa_signature")),
+%%{ok, Signature} = file:read_file(filename:join(Datadir, "rsa_signature")),
+%% {ok, Msg} = file:read_file(filename:join(Datadir, "msg.txt")),
+%% Digest = crypto:sha(Msg),
+%% {ok,[{rsa_private_key, EncKey}]} =
+%% public_key:pem_to_der(filename:join(Datadir, "server_key.pem")),
+%% {ok, Key} = public_key:decode_private_key(EncKey, rsa),
+%% RSAPublicKey = #'RSAPublicKey'{publicExponent =
+%% Key#'RSAPrivateKey'.publicExponent,
+%% modulus = Key#'RSAPrivateKey'.modulus},
+
+encoded_tbs_cert(Cert) ->
+ {ok, PKIXCert} =
+ 'OTP-PUB-KEY':decode_TBSCert_exclusive(Cert),
+ {'Certificate',
+ {'Certificate_tbsCertificate', EncodedTBSCert}, _, _} = PKIXCert,
+ EncodedTBSCert.
+
diff --git a/lib/public_key/test/public_key_SUITE_data/cacerts.pem b/lib/public_key/test/public_key_SUITE_data/cacerts.pem
new file mode 100644
index 0000000000..d56b9a8227
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/cacerts.pem
@@ -0,0 +1,43 @@ +-----BEGIN CERTIFICATE----- +MIIC7jCCAlegAwIBAgIJAOaRYda/AniWMA0GCSqGSIb3DQEBBQUAMIGGMREwDwYD +VQQDEwhlcmxhbmdDQTETMBEGA1UECxMKRXJsYW5nIE9UUDEUMBIGA1UEChMLRXJp +Y3Nzb24gQUIxEjAQBgNVBAcTCVN0b2NraG9sbTELMAkGA1UEBhMCU0UxJTAjBgkq +hkiG9w0BCQEWFnBldGVyQGVyaXguZXJpY3Nzb24uc2UwHhcNMDgwMTA5MDgyOTI5 +WhcNMDgwMjA4MDgyOTI5WjCBhjERMA8GA1UEAxMIZXJsYW5nQ0ExEzARBgNVBAsT +CkVybGFuZyBPVFAxFDASBgNVBAoTC0VyaWNzc29uIEFCMRIwEAYDVQQHEwlTdG9j +a2hvbG0xCzAJBgNVBAYTAlNFMSUwIwYJKoZIhvcNAQkBFhZwZXRlckBlcml4LmVy +aWNzc29uLnNlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDL0btNSeda6nac +HJANkZAzF34pUgKawY21B4WDLGcuwOO6mZbPh1Tw3OVVIaSVHWJRXgxWCeAeaxlp +ti+ShJEGT5wayWTMs0g03lwEoH0S2EGi4bhawCI7PVUt23CBVRJodisfNqJR+VqD +BmU3K9Ftd6erWqQo6lxHhce8+0ViiwIDAQABo2IwYDAPBgNVHRMBAf8EBTADAQH/ +MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUG9lBmAYejoT1qLXpnBMa9UrSrTowIQYD +VR0RBBowGIEWcGV0ZXJAZXJpeC5lcmljc3Nvbi5zZTANBgkqhkiG9w0BAQUFAAOB +gQCjugej2Jg/L5rqi0maYHilAjTEw22nwNzHn4JixQCU7m9HkIMv2RXa2WiCncqm +rySo5Ki9TlyMGqwMa1sA31LZBt7L8giCz9BIc4f1fPlUcqQBIu9nebwJSXufCISK +2X5kM4N0u8rR2TK7fQ1uvaekDtzx1T6zrSYyU7GrgWJfUw== +-----END CERTIFICATE----- + +-----BEGIN CERTIFICATE----- +MIIDyDCCAzGgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBhjERMA8GA1UEAxMIZXJs +YW5nQ0ExEzARBgNVBAsTCkVybGFuZyBPVFAxFDASBgNVBAoTC0VyaWNzc29uIEFC +MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNFMSUwIwYJKoZIhvcNAQkB +FhZwZXRlckBlcml4LmVyaWNzc29uLnNlMB4XDTA4MDEwOTA4MjkyOVoXDTE3MTEx +NzA4MjkyOVowgYMxDjAMBgNVBAMTBW90cENBMRMwEQYDVQQLEwpFcmxhbmcgT1RQ +MRQwEgYDVQQKEwtFcmljc3NvbiBBQjELMAkGA1UEBhMCU0UxEjAQBgNVBAcTCVN0 +b2NraG9sbTElMCMGCSqGSIb3DQEJARYWcGV0ZXJAZXJpeC5lcmljc3Nvbi5zZTCB +nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA19NLtRF22E1WAK/1QGF1zg3e1Z6T +W0W9WAukXc8ATj3Pn4051+9ZHpq9HL++iSGrJHMGrFKbX5DtFpTvecRDPQxBSv4r +pQgFr4t9K8XBiuAeEurghGKeiysoPqosgapc7OBQQf0hIoKY6ozqJUK3brFcPwXZ +Weeji79z8TOq7SsCAwEAAaOCAUUwggFBMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0P +BAQDAgEGMB0GA1UdDgQWBBQGq4A0OqS4drK9nS4o5W2R3n0BmzCBuwYDVR0jBIGz 
+MIGwgBQb2UGYBh6OhPWotemcExr1StKtOqGBjKSBiTCBhjERMA8GA1UEAxMIZXJs +YW5nQ0ExEzARBgNVBAsTCkVybGFuZyBPVFAxFDASBgNVBAoTC0VyaWNzc29uIEFC +MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNFMSUwIwYJKoZIhvcNAQkB +FhZwZXRlckBlcml4LmVyaWNzc29uLnNlggkA5pFh1r8CeJYwIQYDVR0RBBowGIEW +cGV0ZXJAZXJpeC5lcmljc3Nvbi5zZTAhBgNVHRIEGjAYgRZwZXRlckBlcml4LmVy +aWNzc29uLnNlMA0GCSqGSIb3DQEBBQUAA4GBALeYUWp8zsoZJJ1I93STYAauqvv5 +MovrPeDCzQZKTfrdCgmYGx1/wxYMa1vHbV1QRqEK/ri7He8/sF/5ckXHUqXRKD/q +vBjIIv/rGixJSueMG2bYyz3r6BU6hw0blnUwzCbvD76Dr2QIRoQsKoWsXnfN5l/D +zhyxDkq1j6Q3DCIL +-----END CERTIFICATE----- + diff --git a/lib/public_key/test/public_key_SUITE_data/client_cert.pem b/lib/public_key/test/public_key_SUITE_data/client_cert.pem new file mode 100644 index 0000000000..9017e99fce --- /dev/null +++ b/lib/public_key/test/public_key_SUITE_data/client_cert.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuDCCAyGgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBgzEOMAwGA1UEAxMFb3Rw +Q0ExEzARBgNVBAsTCkVybGFuZyBPVFAxFDASBgNVBAoTC0VyaWNzc29uIEFCMQsw +CQYDVQQGEwJTRTESMBAGA1UEBxMJU3RvY2tob2xtMSUwIwYJKoZIhvcNAQkBFhZw +ZXRlckBlcml4LmVyaWNzc29uLnNlMB4XDTA4MDEwOTA4MjkzMFoXDTE3MTExNzA4 +MjkzMFowgYQxDzANBgNVBAMTBmNsaWVudDETMBEGA1UECxMKRXJsYW5nIE9UUDEU +MBIGA1UEChMLRXJpY3Nzb24gQUIxCzAJBgNVBAYTAlNFMRIwEAYDVQQHEwlTdG9j +a2hvbG0xJTAjBgkqhkiG9w0BCQEWFnBldGVyQGVyaXguZXJpY3Nzb24uc2UwgZ8w +DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPU4RP7c78G+P922PENNeaPWiIm3iwim +HmQbLRF+Og+tl9pL4JQOFqQKZLq3aK/FYWC2kpZqgYxkwmpaPoXpmy6bIWXcU8G2 +6PBj/flyCJ+sj02zhOXNHW656eA0GZX5ZFDlx30XapLpnxoNCKHO3SvwlSotwr5V +BuuY3NugIJBDAgMBAAGjggE3MIIBMzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAd +BgNVHQ4EFgQUGjssBUjTntYXIh7xfRt7c12j53gwgbMGA1UdIwSBqzCBqIAUBquA +NDqkuHayvZ0uKOVtkd59AZuhgYykgYkwgYYxETAPBgNVBAMTCGVybGFuZ0NBMRMw +EQYDVQQLEwpFcmxhbmcgT1RQMRQwEgYDVQQKEwtFcmljc3NvbiBBQjESMBAGA1UE +BxMJU3RvY2tob2xtMQswCQYDVQQGEwJTRTElMCMGCSqGSIb3DQEJARYWcGV0ZXJA +ZXJpeC5lcmljc3Nvbi5zZYIBATAhBgNVHREEGjAYgRZwZXRlckBlcml4LmVyaWNz +c29uLnNlMCEGA1UdEgQaMBiBFnBldGVyQGVyaXguZXJpY3Nzb24uc2UwDQYJKoZI +hvcNAQEFBQADgYEAXQtw43kPebP3h27YEcVUEpWmk46+sgDRvgCO6ZBkws3ctknM +bCpfFzA/BHjvKsIZuCN1a2DlEi1Men0oq9KEMpKyoDcRI//Qch4vN7mam6XMtA6P +FOoG6snhSOsFVz3/+hfZAZD2Yt3fZjGosQ1G8Rob/vvZDvQS8sWXMrrWDyo= +-----END CERTIFICATE----- diff --git a/lib/public_key/test/public_key_SUITE_data/client_key.pem b/lib/public_key/test/public_key_SUITE_data/client_key.pem new file mode 100644 index 0000000000..9d7e0dd5fb --- /dev/null +++ b/lib/public_key/test/public_key_SUITE_data/client_key.pem 
@@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQD1OET+3O/Bvj/dtjxDTXmj1oiJt4sIph5kGy0RfjoPrZfaS+CU +DhakCmS6t2ivxWFgtpKWaoGMZMJqWj6F6ZsumyFl3FPBtujwY/35cgifrI9Ns4Tl +zR1uuengNBmV+WRQ5cd9F2qS6Z8aDQihzt0r8JUqLcK+VQbrmNzboCCQQwIDAQAB +AoGAPQEyqPTt8JUT7mRXuaacjFXiweAXhp9NEDpyi9eLOjtFe9lElZCrsUOkq47V +TGUeRKEm9qSodfTbKPoqc8YaBJGJPhUaTAcha+7QcDdfHBvIsgxvU7ePVnlpXRp3 +CCUEMPhlnx6xBoTYP+fRU0e3+xJIPVyVCqX1jAdUMkzfRoECQQD6ux7B1QJAIWyK +SGkbDUbBilNmzCFNgIpOP6PA+bwfi5d16diTpra5AX09keQABAo/KaP1PdV8Vg0p +z4P3A7G3AkEA+l+AKG6m0kQTTBMJDqOdVPYwe+5GxunMaqmhokpEbuGsrZBl5Dvd +WpcBjR7jmenrhKZRIuA+Fz5HPo/UQJPl1QJBAKxstDkeED8j/S2XoFhPKAJ+6t39 +sUVICVTIZQeXdmzHJXCcUSkw8+WEhakqw/3SyW0oaK2FSWQJFWJUZ+8eJj8CQEh3 +xeduB5kKnS9CvzdeghZqX6QvVosSdtlUmfUYW/BgH5PpHKTP8wTaeld3XldZTpMJ +dKiMkUw2+XYROVUrubUCQD+Na1LhULlpn4ISEtIEfqpdlUhxDgO15Wg8USmsng+x +ICliVOSQtwaZjm8kwaFt0W7XnpnDxbRs37vIEbIMWak= +-----END RSA PRIVATE KEY----- diff --git a/lib/public_key/test/public_key_SUITE_data/dh.pem b/lib/public_key/test/public_key_SUITE_data/dh.pem new file mode 100644 index 0000000000..c133540b44 --- /dev/null +++ b/lib/public_key/test/public_key_SUITE_data/dh.pem @@ -0,0 +1,4 @@ +-----BEGIN DH PARAMETERS----- +MEYCQQD+KCcagSasA1QSo8tRXpbaLJJ1Ezt3FJFEZ3RVplp4qZwXQpSZ+Vly3xWx +q3YvALe/enMbIq8F3OUmppq3UHwTAgEC +-----END DH PARAMETERS----- \ No newline at end of file diff --git a/lib/public_key/test/public_key_SUITE_data/dsa.pem b/lib/public_key/test/public_key_SUITE_data/dsa.pem new file mode 100644 index 0000000000..58f0a65cba --- /dev/null +++ b/lib/public_key/test/public_key_SUITE_data/dsa.pem 
@@ -0,0 +1,12 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIIBuwIBAAKBgQC3s+bZJWOQnRXkzKLPPfaQOouLuLgrbM4Ac63QZOnJeRVas3c1
+jBk0Isp506RrKzhEop8z9OiKfqRteVntjjkcILwsQ/1veWgojdP/jHYl6pbJm6AQ
+ETM7GvkpgRDTd4Bf/rbrhABczl1NatnJhMsES8n2zNiiAVRP0woVmMNnkQIVANUe
+uFb3EPdFwPEjilQ5jANHQc7pAoGBAJSzGD9KW4AZYB0FTt/2rwB5VjayKudi8ZO0
+nTyVoDLz40yvWerL/PJMbAnMnbY7zuN/Y9cqnMJOdBkHPvOpLQVls/d/x5CHZxcq
+mn3n+Jplr5tlKugpUCkvgNALH2o/DMrPh1DIiPqrH3Y0W8iKcG+zF9Z7FXbCswC5
+2TTFtuwNAoGAfEIAb3mLjtFfiF/tsZb4/DGHdWSb6Ir0hFkoBUZ9ymBO70wlfZVS
+QGs240kZtOMpAOpJL1Dy8oH6PUQ+JyacwZIo8fdq19/Kwm6CPrpaEhzErmMvwT2C
+ZJYZ+HOk55ljLkVCiyG7MzEj2+odLKym9yoQsbsJolHzIRpkLk45y4cCFFmAnw67
++basD1iibtNHs9Edfdkm
+-----END DSA PRIVATE KEY-----
diff --git a/lib/public_key/test/public_key_SUITE_data/req.pem b/lib/public_key/test/public_key_SUITE_data/req.pem
new file mode 100644
index 0000000000..86d74d05a3
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/req.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBxTCCAS4CAQAwgYQxDzANBgNVBAMTBmNsaWVudDETMBEGA1UECxMKRXJsYW5n
+IE9UUDEUMBIGA1UEChMLRXJpY3Nzb24gQUIxEjAQBgNVBAcTCVN0b2NraG9sbTEL
+MAkGA1UEBhMCU0UxJTAjBgkqhkiG9w0BCQEWFnBldGVyQGVyaXguZXJpY3Nzb24u
+c2UwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPU4RP7c78G+P922PENNeaPW
+iIm3iwimHmQbLRF+Og+tl9pL4JQOFqQKZLq3aK/FYWC2kpZqgYxkwmpaPoXpmy6b
+IWXcU8G26PBj/flyCJ+sj02zhOXNHW656eA0GZX5ZFDlx30XapLpnxoNCKHO3Svw
+lSotwr5VBuuY3NugIJBDAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQATS9GOidrC
+bOJ+PuSUpRnDHfZAZANZAd/9v4hW57bMMIQlCEb8CgfPvGKztNMxTH8Xc7VPDTp8
+FWKQ53R29T0IWEochHA5FjJyCVrkZjgZ0qcQUV8aCe9NTB0LW58OWOOwGYjJb8hp
+dL+3RvUr4OchWxMzzF5YmjyUbt8GSpevrg==
+-----END CERTIFICATE REQUEST-----
diff --git a/lib/public_key/test/public_key_SUITE_data/rsa.pem b/lib/public_key/test/public_key_SUITE_data/rsa.pem
new file mode 100644
index 0000000000..88f7d446f2
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/rsa.pem
@@ -0,0 +1,16 @@
+Bag Attributes
+ friendlyName: host_key
+ localKeyID: 68 6F 73 74
+Key Attributes:
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,6BD965F8BC70B54C
+
+4Gx1y5goD02Aft3DmvlV0Mr7bXd4OR1ZEwk1b2utIXLRMXfDkrK+vHbHhIbGBLOn
+TIhdSxASnNhh7NmaXaTsZ+H/tZSmX+4OkeQOsRfrPj8C81pkXjuxtxhCRuaTWg/R
+VABz7u/4rL2OMIPz9w/dyEWCSZnBoWpbxI20gP/k+/kZgzVbz6mkhMs5Xkf4lFwU
+WnjR498pwlHmMHYwBIEMFBsIvb9JYeEQEZOjxAjUljmhYHB0pMyMBxHjlSSEIN5h
+cSXT0ZxQmT+59FediRRQCDZHuy7Bc/nanUavvs5dk7en+gy2LSVKJ/K16zv6gtoV
+c1MN48wQlCd+tRFVXRsPX3OliTKEwkSNlT7gdyzBaQxt610EAj2YKZVHE7i+d0Sk
+4rQ9iwALjoohWhP8SjcTonZD4kOvhjlRggn1JTGlo6s=
+-----END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/lib/public_key/test/public_key_SUITE_data/server_cert.pem b/lib/public_key/test/public_key_SUITE_data/server_cert.pem
new file mode 100644
index 0000000000..da68c7a8ab
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/server_cert.pem
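Review bot: The encrypted key fixture relies on the legacy OpenSSL PEM encryption headers (`Proc-Type: 4,ENCRYPTED` and `DEK-Info: DES-EDE3-CBC,6BD965F8BC70B54C`), and the passphrase the key was derived from is not recorded anywhere in this data directory; presumably it is hard-coded in the suite that reads the file. Adding a README entry to public_key_SUITE_data that states the passphrase and the openssl command used to produce this file would let the fixture be regenerated, and the same entry should say that the file exists to exercise the decrypt-on-decode path rather than as an example of a recommended key format. The leading `Bag Attributes`/`Key Attributes:` lines are also worth a sentence there, since they are non-PEM text the decoder must skip.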
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAyGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBgzEOMAwGA1UEAxMFb3Rw
+Q0ExEzARBgNVBAsTCkVybGFuZyBPVFAxFDASBgNVBAoTC0VyaWNzc29uIEFCMQsw
+CQYDVQQGEwJTRTESMBAGA1UEBxMJU3RvY2tob2xtMSUwIwYJKoZIhvcNAQkBFhZw
+ZXRlckBlcml4LmVyaWNzc29uLnNlMB4XDTA4MDEwOTA4MjkzMFoXDTE3MTExNzA4
+MjkzMFowgYQxDzANBgNVBAMTBnNlcnZlcjETMBEGA1UECxMKRXJsYW5nIE9UUDEU
+MBIGA1UEChMLRXJpY3Nzb24gQUIxCzAJBgNVBAYTAlNFMRIwEAYDVQQHEwlTdG9j
+a2hvbG0xJTAjBgkqhkiG9w0BCQEWFnBldGVyQGVyaXguZXJpY3Nzb24uc2UwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKR20HPrkDGdiavHUyWwFEQwta2dmtF2
+eQZZi9Xk68UJYbuU7CikHs2srkrwzj0OPIqbp/xOBNzJ7Kch0o4yO6vcEAiSCJ6A
+B4uSM742hrYW4qXgc18K6PqTwSuKr94sn3qQuo4hF/ymCxLrnSicrNpzGOz9A0Lf
+2+Vk6hV0BtdHAgMBAAGjggE3MIIBMzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAd
+BgNVHQ4EFgQUi19l/qhEwHP/CUeaEjWy4GhOBRIwgbMGA1UdIwSBqzCBqIAUBquA
+NDqkuHayvZ0uKOVtkd59AZuhgYykgYkwgYYxETAPBgNVBAMTCGVybGFuZ0NBMRMw
+EQYDVQQLEwpFcmxhbmcgT1RQMRQwEgYDVQQKEwtFcmljc3NvbiBBQjESMBAGA1UE
+BxMJU3RvY2tob2xtMQswCQYDVQQGEwJTRTElMCMGCSqGSIb3DQEJARYWcGV0ZXJA
+ZXJpeC5lcmljc3Nvbi5zZYIBATAhBgNVHREEGjAYgRZwZXRlckBlcml4LmVyaWNz
+c29uLnNlMCEGA1UdEgQaMBiBFnBldGVyQGVyaXguZXJpY3Nzb24uc2UwDQYJKoZI
+hvcNAQEFBQADgYEAzHGutrGMSeC3Di7Z8d65SM7jZLrkkusmL+D2oPVIOGrfZbVu
+yfDKU/nImm99z+lhC/N3JEEpB6PgAYSskfVdBL3LoxbUTaCn/+G3A/G8NfRVIYyA
+NTBeNW6ueNpjnauLzcwpyXpu3vp1VBg8wBePtGTBIbRHRgtwwHRXAddE/Ws=
+-----END CERTIFICATE-----
diff --git a/lib/public_key/test/public_key_SUITE_data/server_key.pem b/lib/public_key/test/public_key_SUITE_data/server_key.pem
new file mode 100644
index 0000000000..d9618da7b7
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/server_key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCkdtBz65AxnYmrx1MlsBREMLWtnZrRdnkGWYvV5OvFCWG7lOwo
+pB7NrK5K8M49DjyKm6f8TgTcyeynIdKOMjur3BAIkgiegAeLkjO+Noa2FuKl4HNf
+Cuj6k8Eriq/eLJ96kLqOIRf8pgsS650onKzacxjs/QNC39vlZOoVdAbXRwIDAQAB
+AoGAUsSQx6XnXXDhFhgsGi1xJZg19nf4sC2lXrK2EyEwHmtISjT6XMGr1upulLx3
+rnZ5tW/8rJc/DzZ36Oy2oGVbbaVeS4UJAgv2yRYb7F+am8BACRyEl4ap6nrz5c7G
+E+aSLwFG3INlHiojlhhwB6wv1I+UDRUT+FXJVHTemscUEPECQQDZ0wpra1E86heR
+jgHIBxHHlv1761gFFoJv6iqASOw9+yIctx0KC3Hrc35tiBaFcu5Nqzc8AEkiui8m
+fEEIDfvbAkEAwUmzIWD/6nv34l5W1U3M7atNwvLEepBoTJYf/VENL8dG5nBnVtah
+vZsKPS1VTmqlMTy+THe3u/hS9AgXOOyEBQJAcPExPONnOvtx/wGvwMSRnniWtHMh
+r3mtZlP3d47YF4cod9UmVHf8uIWo7ygZ7VXbZCA7wnuvcDczjXPt0DxX8wJAA6p9
+LkXjtLPTOMTnSrZmC5/zIp5uIZD5mXJDew99e4mBC7/YBeqeOLVnFU/1zT3ykiN/
+zH18y6DjGePJZPf/bQJBAJfnIL4y1rKGhliqhzokYtKURJ4eCR7qzJRkgyya+4UV
+INi6+MZ+mVYkxjGRH8C6+pIUk9TFpMj+1LfHyzMRIxg=
+-----END RSA PRIVATE KEY-----
diff --git a/lib/public_key/vsn.mk b/lib/public_key/vsn.mk
new file mode 100644
index 0000000000..64f0203915
--- /dev/null
+++ b/lib/public_key/vsn.mk
@@ -0,0 +1,6 @@
+PUBLIC_KEY_VSN = 0.4
+
+TICKETS = OTP-8250
+#TICKETS_0.3 = OTP-8100 OTP-8142
+#TICKETS_0.2 = OTP-7860
+#TICKETS_0.1 = OTP-7637
\ No newline at end of file
-- 
cgit v1.2.3