Generate new Ed488 certificates
authorKurt Roeckx <kurt@roeckx.be>
Thu, 2 Jan 2020 22:16:30 +0000 (23:16 +0100)
committerKurt Roeckx <kurt@roeckx.be>
Tue, 11 Feb 2020 22:23:42 +0000 (23:23 +0100)
Create a whole chain of Ed488 certificates so that we can use it at security
level 4 (192 bit). We had an 2048 bit RSA (112 bit, level 2) root sign the
Ed488 certificate using SHA256 (128 bit, level 3).

Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #10785

test/certs/root-ed448-cert.pem [new file with mode: 0644]
test/certs/root-ed448-key.pem [new file with mode: 0644]
test/certs/server-ed448-cert.pem
test/certs/setup.sh
test/ssl-tests/20-cert-select.conf
test/ssl-tests/20-cert-select.conf.in
test/ssl-tests/28-seclevel.conf
test/ssl-tests/28-seclevel.conf.in

diff --git a/test/certs/root-ed448-cert.pem b/test/certs/root-ed448-cert.pem
new file mode 100644 (file)
index 0000000..48e293d
--- /dev/null
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBeDCB+aADAgECAgEBMAUGAytlcTAVMRMwEQYDVQQDDApSb290IEVkNDQ4MCAX
+DTIwMDIwOTEzMjY1NVoYDzIxMjAwMjEwMTMyNjU1WjAVMRMwEQYDVQQDDApSb290
+IEVkNDQ4MEMwBQYDK2VxAzoAbbhuwNA/rdlgdLSyTJ6WaCVNO1gzccKiKW6pCADM
+McMBCNiQqWSt4EIbHpqDc+eWoiKbG6t7tjUAo1MwUTAdBgNVHQ4EFgQUVg2aQ+yh
+VRhOuW1l19jtgxfTgj8wHwYDVR0jBBgwFoAUVg2aQ+yhVRhOuW1l19jtgxfTgj8w
+DwYDVR0TAQH/BAUwAwEB/zAFBgMrZXEDcwCiXlZXyMubWFqLYiLXfKYrurajBMON
+lclLrYr57Syd+nAIlgXiF0rGK2PawoMPXVB3VWWSigEb54AImb6tsW42gC+zC6oq
+nkPC2FTLXPvqqgGXUpK/OfhPUP9bWw6mcJaIozlyzJD4AyebN9LDrBqCMwA=
+-----END CERTIFICATE-----
diff --git a/test/certs/root-ed448-key.pem b/test/certs/root-ed448-key.pem
new file mode 100644 (file)
index 0000000..e0c36ff
--- /dev/null
@@ -0,0 +1,4 @@
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOQeryQn6L8gItRarrM0pRHxjNdtaIz3BrWU2mwhLZQaq
+8Cm6w5gP6aitAIde7Td3nQ55bIGC5roxFQ==
+-----END PRIVATE KEY-----
index 740f275549773824ca91d97dc6298e775b5d0506..ba050077c3e0c472130f001118fcf634033fd672 100644 (file)
@@ -1,14 +1,11 @@
 -----BEGIN CERTIFICATE-----
-MIICHTCCAQWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
-IENBMCAXDTE4MDIyNzE1MDcxM1oYDzIxMTgwMjI4MTUwNzEzWjAQMQ4wDAYDVQQD
-DAVFZDQ0ODBDMAUGAytlcQM6ABBicYlhG1s3AoG5BFmY3r50lJzjQoER4zwuieEe
-QTvKxLEV06vGh79UWO6yQ5FxqmxvM1F/Xw7RAKNfMF0wHQYDVR0OBBYEFAwa1L4m
-3pwA8+IEJ7K/4izrjJIHMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJ
-MAkGA1UdEwQCMAAwEAYDVR0RBAkwB4IFRWQ0NDgwDQYJKoZIhvcNAQELBQADggEB
-AAugH2aE6VvArnOVjKBtalqtHlx+NCC3+S65sdWc9A9sNgI1ZiN7dn76TKn5d0T7
-NqV8nY1rwQg6WPGrCD6Eh63qhotytqYIxltppb4MOUJcz/Zf0ZwhB5bUfwNB//Ih
-5aZT86FpXVuyMnwUTWPcISJqpZiBv95yzZFMpniHFvecvV445ly4TFW5y6VURh40
-Tg4tMgjPTE7ADw+dX4FvnTWY3blxT1GzGxGvqWW4HgP8dOETnjmAwCzN0nUVmH9s
-7ybHORcSljcpe0XH6L/K7mbI+r8mVLsAoIzUeDwUdKKJZ2uGEtdhQDmJBp4EjOXE
-3qIn3wEQQ6ax4NIwkZihdLI=
+MIIBlTCCARWgAwIBAgIBAjAFBgMrZXEwFTETMBEGA1UEAwwKUm9vdCBFZDQ0ODAg
+Fw0yMDAyMDkxMzMwMjJaGA8yMTIwMDIxMDEzMzAyMlowEDEOMAwGA1UEAwwFZWQ0
+NDgwQzAFBgMrZXEDOgAQYnGJYRtbNwKBuQRZmN6+dJSc40KBEeM8LonhHkE7ysSx
+FdOrxoe/VFjuskORcapsbzNRf18O0QCjdDByMB0GA1UdDgQWBBQMGtS+Jt6cAPPi
+BCeyv+Is64ySBzAfBgNVHSMEGDAWgBRWDZpD7KFVGE65bWXX2O2DF9OCPzAJBgNV
+HRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBAGA1UdEQQJMAeCBWVkNDQ4MAUG
+AytlcQNzABLGZiaU6JPKa9eQ/VsE4HN9XjSogZBKIEHEWwyxrtGvjWiZ5MOnNJmQ
+7mX+Y2eJzfZ6MGHc63IlgPdIPFPzInnnAugw297kUNoLTg9SsGYeVGLbI3PNjwFL
+mQ3508f1Jobb8qZnf8YFUZrd85aurgoKAA==
 -----END CERTIFICATE-----
index bd0b66394486457694e8b7df7be87ddedfdf72a2..d58d0d789b4e6cc483487fa9351b1cc4564d18e3 100755 (executable)
@@ -378,3 +378,8 @@ openssl req -new -nodes -subj "/CN=localhost" \
 
 # CT entry
 ./mkcert.sh genct server.example embeddedSCTs1-key embeddedSCTs1 embeddedSCTs1_issuer-key embeddedSCTs1_issuer ct-server-key
+
+OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genroot "Root Ed448" \
+    root-ed448-key root-ed448-cert
+OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \
+    server-ed448-key server-ed448-cert root-ed448-key root-ed448-cert
index 93f3a1ff689a130adce3549da368c454e789f5bc..757b973e577b80b173d15f53e8d6d407f8446b58 100644 (file)
@@ -216,9 +216,9 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 [4-Ed448 CipherString and Signature Algorithm Selection-client]
 CipherString = aECDSA
 MaxProtocol = TLSv1.2
-RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
 SignatureAlgorithms = ed448:ECDSA+SHA256
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
 VerifyMode = Peer
 
 [test-4]
@@ -421,7 +421,7 @@ CipherString = aECDSA
 Curves = X448
 MaxProtocol = TLSv1.2
 SignatureAlgorithms = ECDSA+SHA256:ed448
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
 VerifyMode = Peer
 
 [test-10]
@@ -1454,7 +1454,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 [44-TLS 1.3 Ed448 Signature Algorithm Selection-client]
 CipherString = DEFAULT
 SignatureAlgorithms = ed448
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
 VerifyMode = Peer
 
 [test-44]
index 5e9bfede5dba991d2028408d9af6e0d974df6dc2..24093548cd682791974f7d1dac68af2074c6ad08 100644 (file)
@@ -134,7 +134,8 @@ our @tests = (
             "CipherString" => "aECDSA",
             "MaxProtocol" => "TLSv1.2",
             "SignatureAlgorithms" => "ed448:ECDSA+SHA256",
-            "RequestCAFile" => test_pem("root-cert.pem"),
+            "RequestCAFile" => test_pem("root-ed448-cert.pem"),
+            "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
         },
         test   => {
             "ExpectedServerCertType" =>, "Ed448",
@@ -231,6 +232,7 @@ our @tests = (
             "CipherString" => "aECDSA",
             "MaxProtocol" => "TLSv1.2",
             "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
+            "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
             # Excluding P-256 from the supported curves list means server
             # certificate should be Ed25519 and not P-256
             "Curves" => "X448"
@@ -727,6 +729,7 @@ my @tests_tls_1_3 = (
         server => $server_tls_1_3,
         client => {
             "SignatureAlgorithms" => "ed448",
+            "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
         },
         test   => {
             "ExpectedServerCertType" => "Ed448",
index f863f68b080115a10ae2df6b3ad6e36372f264ec..04a0c4fbd5469fa916ff4e6466615bb506f7c8b2 100644 (file)
@@ -45,7 +45,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 
 [1-SECLEVEL 3 with ED448 key-client]
 CipherString = DEFAULT
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
 VerifyMode = Peer
 
 [test-1]
@@ -93,7 +93,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 
 [3-SECLEVEL 3 with ED448 key, TLSv1.2-client]
 CipherString = DEFAULT
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
 VerifyMode = Peer
 
 [test-3]
index 9d400a45edbf7ed776ffceb3e79f579d4643e85d..f2cdc477ba92e92c73ae162024f44ae56848644e 100644 (file)
@@ -27,7 +27,7 @@ our @tests_ec = (
         server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
                     "Certificate" => test_pem("server-ed448-cert.pem"),
                     "PrivateKey" => test_pem("server-ed448-key.pem") },
-        client => { },
+        client => { "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
         test   => { "ExpectedResult" => "Success" },
     },
     {
@@ -49,7 +49,7 @@ our @tests_tls1_2 = (
                     "Certificate" => test_pem("server-ed448-cert.pem"),
                     "PrivateKey" => test_pem("server-ed448-key.pem"),
                     "MaxProtocol" => "TLSv1.2" },
-        client => { },
+        client => { "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
         test   => { "ExpectedResult" => "Success" },
     },
 );