diff --git a/.gitignore b/.gitignore
index aaea36f68..fddfcd1f9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,4 +9,7 @@ target
 *.iml
 **/log4j2-debug.xml
 **/.checkstyle
-*.bak
\ No newline at end of file
+*.bak
+/test-CA/newcerts/
+/test-CA/serial.txt*
+/test-CA/index.txt*
diff --git a/httpclient5-testing/src/test/resources/docker/BUILDING.txt b/httpclient5-testing/src/test/resources/docker/BUILDING.txt
index fdc7d9056..1d4af7edc 100644
--- a/httpclient5-testing/src/test/resources/docker/BUILDING.txt
+++ b/httpclient5-testing/src/test/resources/docker/BUILDING.txt
@@ -1,16 +1,27 @@ -= SSL key / cert material (optional) += SSL key / cert material + +Execute in the project root # Issue a certificate request --- -openssl req -config openssl.cnf -new -nodes -sha256 -days 36500 \ - -subj '/O=Apache Software Foundation/OU=HttpComponents Project/CN=test-httpd/emailAddress=dev@hc.apache.org/' \ - -keyout server-key.pem -out server-certreq.pem +openssl req -config test-CA/openssl.cnf -new -nodes -sha256 -days 36500 \ + -subj '/O=Apache Software Foundation/OU=HttpComponents Project/CN=localhost/emailAddress=dev@hc.apache.org/' \ + -addext 'subjectAltName = DNS:localhost,DNS:test-httpd' \ + -keyout httpclient5-testing/src/test/resources/docker/server-key.pem \ + -out httpclient5-testing/src/test/resources/docker/server-certreq.pem --- # Verify the request --- -openssl req -in server-certreq.pem -text -noout +openssl req -in httpclient5-testing/src/test/resources/docker/server-certreq.pem -text -noout --- # Sign new certificate with the test CA key --- -openssl ca -config openssl.cnf -days 36500 -out server-cert.pem -in server-certreq.pem && rm server-certreq.pem +openssl ca -config test-CA/openssl.cnf -days 36500 \ + -out httpclient5-testing/src/test/resources/docker/server-cert.pem \ + -in httpclient5-testing/src/test/resources/docker/server-certreq.pem \ + && rm httpclient5-testing/src/test/resources/docker/server-certreq.pem --- + +# Create JKS store with the Test CA cert +keytool -import -trustcacerts -alias test-ca -file test-CA/ca-cert.pem -keystore httpcore5-testing/src/test/resources/test-ca.jks -storepass nopassword + diff --git a/httpclient5-testing/src/test/resources/docker/index.txt b/httpclient5-testing/src/test/resources/docker/index.txt deleted file mode 100644 index 4e09f4614..000000000 --- a/httpclient5-testing/src/test/resources/docker/index.txt +++ /dev/null @@ -1 +0,0 @@ -V 21161223094143Z 01 unknown /O=Apache Software Foundation/OU=HttpComponents Project/CN=test-httpd/emailAddress=dev@hc.apache.org 
diff --git a/httpclient5-testing/src/test/resources/docker/openssl.cnf b/httpclient5-testing/src/test/resources/docker/openssl.cnf
deleted file mode 100644
index 3377e85a3..000000000
--- a/httpclient5-testing/src/test/resources/docker/openssl.cnf
+++ /dev/null
@@ -1,355 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -# This definition stops the following lines choking if HOME isn't -# defined. -HOME = . -RANDFILE = $ENV::HOME/.rnd - -# Extra OBJECT IDENTIFIER info: -#oid_file = $ENV::HOME/.oid -oid_section = new_oids - -# To use this configuration file with the "-extfile" option of the -# "openssl x509" utility, name here the section containing the -# X.509v3 extensions to use: -# extensions = -# (Alternatively, use a configuration file that has only -# X.509v3 extensions in its main [= default] section.) - -[ new_oids ] - -# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. -# Add a simple OID like this: -# testoid1=1.2.3.4 -# Or use config file substitution like this: -# testoid2=${testoid1}.5.6 - -# Policies used by the TSA examples. -tsa_policy1 = 1.2.3.4.1 -tsa_policy2 = 1.2.3.4.5.6 -tsa_policy3 = 1.2.3.4.5.7 - -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section - -#################################################################### -[ CA_default ] - -dir = . 
# Where everything is kept -certs = $dir/certs # Where the issued certs are kept -crl_dir = $dir/crl # Where the issued crl are kept -database = $dir/index.txt # database index file. -#unique_subject = no # Set to 'no' to allow creation of - # several ctificates with same subject. -new_certs_dir = $dir # default place for new certs. - -certificate = ../../../test-CA/ca-cert.pem # The CA certificate -serial = $dir/serial # The current serial number -crlnumber = $dir/crlnumber # the current crl number - # must be commented out to leave a V1 CRL -crl = $dir/crl.pem # The current CRL -private_key = ../../../test-CA/ca-key.pem # The private key -RANDFILE = ../../../test-CA/.rand # private random number file - -x509_extensions = usr_cert # The extentions to add to the cert - -# Comment out the following two lines for the "traditional" -# (and highly broken) format. -name_opt = ca_default # Subject Name options -cert_opt = ca_default # Certificate field options - -# Extension copying option: use with caution. -copy_extensions = copy - -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crlnumber must also be commented out to leave a V1 CRL. -# crl_extensions = crl_ext - -default_days = 365 # how long to certify for -default_crl_days= 30 # how long before next CRL -default_md = default # use public key default MD -preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_match - -# For the CA policy -[ policy_match ] -organizationName = match -organizationalUnitName = match -commonName = supplied -emailAddress = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. 
-[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -#################################################################### -[ req ] -default_bits = 2048 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -# input_password = secret -# output_password = secret - -# This sets a mask for permitted string types. There are several options. -# default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString (PKIX recommendation before 2004) -# utf8only: only UTF8Strings (PKIX recommendation after 2004). -# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). -# MASK:XXXX a literal mask value. -# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. -string_mask = utf8only - -req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = Apache Software Foundation - -organizationalUnitName = Organizational Unit Name (eg, section) -organizationalUnitName_default = HttpComponents Project - -commonName = Common Name (e.g. server FQDN or YOUR name) -commonName_max = 64 -commonName_default = test-httpd - -emailAddress = Email Address -emailAddress_max = 64 -emailAddress_default = dev@hc.apache.org - -# SET-ex3 = SET extension number 3 - -[ req_attributes ] -challengePassword = A challenge password -challengePassword_min = 4 -challengePassword_max = 20 - -unstructuredName = An optional company name - -[ usr_cert ] - -# These extensions are added when 'ca' signs a request. 
- -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -# This is required for TSA certificates. -# extendedKeyUsage = critical,timeStamping - -[ v3_req ] - -# Extensions to add to a certificate request - -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment -subjectAltName = @alt_names - -[ alt_names ] -DNS.1 = test-httpd -DNS.2 = localhost - -[ v3_ca ] - - -# Extensions for a typical CA - - -# PKIX recommendation. - -subjectKeyIdentifier=hash - -authorityKeyIdentifier=keyid:always,issuer - -# This is what PKIX recommends but some broken software chokes on critical -# extensions. 
-#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true - -# Key usage: this is typical for a CA certificate. However since it will -# prevent it being used as an test self-signed certificate it is best -# left out by default. -# keyUsage = cRLSign, keyCertSign - -# Some might want this also -# nsCertType = sslCA, emailCA - -# Include email address in subject alt name: another PKIX recommendation -# subjectAltName=email:copy -# Copy issuer details -# issuerAltName=issuer:copy - -# DER hex encoding of an extension: beware experts only! -# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF - -[ crl_ext ] - -# CRL extensions. -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always - -[ proxy_cert_ext ] -# These extensions should be added when creating a proxy certificate - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. 
-subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -# This really needs to be in place for it to be a proxy certificate. -proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo - -#################################################################### -[ tsa ] - -default_tsa = tsa_config1 # the default TSA section - -[ tsa_config1 ] - -# These are used by the TSA reply generation only. -dir = ./demoCA # TSA root directory -serial = $dir/tsaserial # The current serial number (mandatory) -crypto_device = builtin # OpenSSL engine to use for signing -signer_cert = $dir/tsacert.pem # The TSA signing certificate - # (optional) -certs = $dir/cacert.pem # Certificate chain to include in reply - # (optional) -signer_key = $dir/private/tsakey.pem # The TSA private key (optional) - -default_policy = tsa_policy1 # Policy if request did not specify it - # (optional) -other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) -digests = md5, sha1 # Acceptable message digests (mandatory) -accuracy = secs:1, millisecs:500, microsecs:100 # (optional) -clock_precision_digits = 0 # number of digits after dot. (optional) -ordering = yes # Is ordering defined for timestamps? - # (optional, default: no) -tsa_name = yes # Must the TSA name be included in the reply? - # (optional, default: no) -ess_cert_id_chain = no # Must the ESS cert id chain be included? - # (optional, default: no) 
diff --git a/httpclient5-testing/src/test/resources/docker/serial b/httpclient5-testing/src/test/resources/docker/serial
deleted file mode 100644
index 9e22bcb8e..000000000
--- a/httpclient5-testing/src/test/resources/docker/serial
+++ /dev/null
@@ -1 +0,0 @@
-02
diff --git a/httpclient5-testing/src/test/resources/docker/server-cert.pem b/httpclient5-testing/src/test/resources/docker/server-cert.pem
index ea08c8a3c..3b8282c2c 100644
--- a/httpclient5-testing/src/test/resources/docker/server-cert.pem
+++ b/httpclient5-testing/src/test/resources/docker/server-cert.pem
@@ -1,35 +1,35 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 1 (0x1) - Signature Algorithm: sha256WithRSAEncryption + Serial Number: 0 (0x0) + Signature Algorithm: sha256WithRSAEncryption Issuer: O=Apache Software Foundation, OU=HttpComponents Project, CN=Test CA/emailAddress=dev@hc.apache.org Validity - Not Before: Jan 16 09:41:43 2017 GMT - Not After : Dec 23 09:41:43 2116 GMT - Subject: O=Apache Software Foundation, OU=HttpComponents Project, CN=test-httpd/emailAddress=dev@hc.apache.org + Not Before: Oct 20 19:14:02 2024 GMT + Not After : Sep 26 19:14:02 2124 GMT + Subject: O=Apache Software Foundation, OU=HttpComponents Project, CN=localhost/emailAddress=dev@hc.apache.org Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: - 00:da:55:cb:73:c3:42:cf:c1:4e:6e:d9:74:b8:f8: - 1c:3f:1a:de:8d:72:3a:c4:62:f7:eb:e4:72:5b:9b: - 9e:65:09:0e:f4:9b:f0:bd:29:d5:af:a9:d1:5f:82: - 99:53:49:1f:7a:5c:6f:6c:0f:a2:48:68:c7:53:3e: - 9b:9f:b2:c2:eb:8f:6b:38:c4:6a:75:52:55:60:9d: - 60:40:9b:a4:79:c6:c7:ae:1c:6c:d9:c8:b6:5b:cb: - d4:af:78:45:0e:57:62:04:48:1d:d2:f3:c1:98:ac: - 64:1f:ae:8d:30:78:ec:52:b3:03:6c:4b:1c:b1:87: - 56:5e:a4:c3:3c:54:6b:05:22:95:30:c8:0c:d4:d4: - 43:f0:eb:5b:58:29:5c:ce:98:97:cc:86:7a:8a:fd: - 70:0e:c0:55:57:21:2e:4a:f5:5d:be:ba:6e:76:99: - 6a:c7:9d:9f:5f:31:63:9c:ae:b5:03:75:6c:ec:d7: - e8:75:6b:e4:5d:23:30:e7:c8:b9:86:ec:9d:73:e8: - 06:43:6a:66:51:57:84:bd:75:1b:c8:4d:6b:9c:11: - 79:36:bf:dd:d4:a8:0d:ce:6b:c3:d7:7e:0e:f5:b0: - 78:c1:80:96:d5:45:73:ca:86:8e:7e:0f:85:43:6e: - 26:0d:20:3a:72:12:80:73:60:a2:90:a1:13:30:27: - d5:35 + 00:9d:12:0f:d0:8a:7e:0a:e4:76:b8:08:af:3f:5f: + 0f:b4:4c:70:24:22:4e:8f:8f:55:ec:ae:31:6c:e2: + 05:68:df:c5:c0:4d:e9:a5:ed:d9:4e:71:ed:e7:3c: + 51:ac:0a:fe:21:96:7c:0c:7b:2f:fa:6f:4f:73:69: + 38:a0:25:a7:4c:d0:69:fc:a2:8d:94:cb:4f:9e:c7: + 1f:a3:b2:5b:94:5f:20:3c:61:4d:73:a6:9c:a4:7c: + 72:25:26:ee:a6:d0:d8:f0:49:e7:b3:e0:f5:4d:de: + 6e:54:80:b9:54:8c:37:9d:d2:c0:ac:8b:43:03:8d: + 
9c:c9:ac:91:f9:31:4f:6d:e9:2d:d5:de:b9:c4:34: + de:67:3d:1a:4e:25:43:5e:ee:8e:01:67:d6:b2:4a: + 49:53:f9:d3:0c:93:5d:a9:1f:52:f7:23:93:1d:73: + 3a:d4:e1:dd:2b:a2:d1:65:b1:ef:69:12:1a:fc:6b: + 24:7c:96:6b:d2:27:21:4e:38:04:af:e4:d1:f6:4e: + b2:8a:a4:59:b6:c8:c5:21:d5:c0:d6:d8:7e:58:b2: + 4e:3a:9e:6f:81:8a:1a:0e:0e:61:69:15:cb:7a:19: + 1a:37:62:3b:96:b3:3b:20:11:b7:1e:a6:63:39:2b: + 0c:c2:2b:77:7b:0d:21:ef:42:26:71:ce:76:49:cb: + 68:33 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
@@ -37,52 +37,49 @@ Certificate: Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: - 01:1E:40:80:D8:79:41:3D:8D:69:D6:E5:6C:DF:34:5D:8E:D7:07:D1 + 38:19:4F:BF:C1:71:41:FE:78:91:B0:09:39:8B:AD:D7:05:B9:D9:82 X509v3 Authority Key Identifier: - keyid:03:E4:E7:DA:0F:64:DB:13:1E:BD:85:AB:76:BC:29:CA:2F:A7:C7:4B - - X509v3 Key Usage: - Digital Signature, Non Repudiation, Key Encipherment + 03:E4:E7:DA:0F:64:DB:13:1E:BD:85:AB:76:BC:29:CA:2F:A7:C7:4B X509v3 Subject Alternative Name: - DNS:test-httpd, DNS:localhost + DNS:localhost, DNS:test-httpd Signature Algorithm: sha256WithRSAEncryption - 88:be:99:32:13:9b:3f:89:59:65:19:2a:0e:1e:7d:9f:29:c5: - d6:7e:82:db:18:2c:cb:b9:71:ef:ac:8b:31:0e:7c:b1:f9:7a: - b5:60:2f:08:63:e1:1e:f5:d0:fe:e4:b7:4e:98:de:1b:01:22: - 35:35:1c:ab:39:aa:25:d5:77:42:4c:eb:f6:d7:88:ba:14:27: - 05:ae:08:b8:80:69:3c:e1:c6:d3:d1:26:1e:76:c7:a9:b2:2b: - c3:2e:f6:27:db:3d:6c:2e:5c:ac:b1:2b:06:b0:8c:0b:74:3a: - 72:dc:15:48:20:df:23:b1:2f:60:ba:e3:80:da:36:dc:aa:f6: - 87:4a:c9:82:74:40:4a:f9:cc:95:d9:2b:2b:20:c8:fd:b5:87: - 14:f6:13:1b:38:e6:7e:13:84:0b:c1:24:fe:dd:18:0c:ca:df: - fb:71:5d:ea:aa:fb:ca:20:54:0b:7b:40:93:20:c5:4b:af:a6: - 89:86:2f:49:d7:83:0e:4e:47:be:5f:f9:34:f9:38:7f:25:18: - 05:0c:26:5e:aa:4c:c6:70:d2:27:5d:20:ef:8a:51:b6:86:8c: - 66:26:3d:36:8b:b0:b9:e0:cb:17:22:a5:b6:30:a0:c4:ae:9f: - 80:fb:7b:f1:55:f8:2f:61:b8:1e:f8:eb:2c:86:a3:53:6c:bd: - c5:af:a2:1f + Signature Value: + 07:59:06:b5:60:2d:55:ce:09:bd:f1:46:19:ef:e5:90:fa:b8: + bf:da:08:ac:cd:96:9e:06:e4:b2:dc:1c:92:bf:b4:c0:ee:84: + d5:39:92:43:84:bc:c7:c9:ea:6d:c0:90:f5:0c:d3:df:09:c2: + c3:44:6b:5e:4d:fe:7f:6b:04:f9:58:9f:b3:e8:2f:ad:9a:09: + 91:b7:3c:dc:2b:ff:6c:db:9f:c8:63:aa:33:0e:3a:93:8e:2a: + 99:c4:c0:c0:5a:a1:d1:a2:79:ac:07:cf:f6:aa:f7:f3:7a:42: + 9a:99:47:7c:9e:a3:7a:0c:bd:59:d1:07:18:de:f5:64:71:53: + 83:99:38:bf:12:30:8d:89:49:8d:4b:c9:58:03:5e:6d:86:58: + f3:32:a9:e0:24:18:0f:60:79:5a:54:8b:9e:be:9d:68:41:24: + 
4b:2b:f8:d0:21:74:9e:bc:ea:f9:0c:c0:f9:56:e2:2c:ff:69: + 71:03:5c:76:d2:ea:f6:9c:05:4f:d2:28:7c:99:a1:5d:aa:ab: + 9b:31:82:ce:11:69:08:1c:5a:2c:86:92:4c:82:86:9a:ed:9f: + f4:fe:c6:0b:df:1b:15:38:13:9c:3b:46:75:d8:ce:b0:ae:6e: + 64:3f:1b:b4:0b:1a:fb:bc:67:f4:aa:8e:e3:42:e1:3e:6e:e7: + 5f:98:64:2e -----BEGIN CERTIFICATE----- -MIIEIDCCAwigAwIBAgIBATANBgkqhkiG9w0BAQsFADB6MSMwIQYDVQQKDBpBcGFj +MIIEEjCCAvqgAwIBAgIBADANBgkqhkiG9w0BAQsFADB6MSMwIQYDVQQKDBpBcGFj aGUgU29mdHdhcmUgRm91bmRhdGlvbjEfMB0GA1UECwwWSHR0cENvbXBvbmVudHMg UHJvamVjdDEQMA4GA1UEAwwHVGVzdCBDQTEgMB4GCSqGSIb3DQEJARYRZGV2QGhj -LmFwYWNoZS5vcmcwIBcNMTcwMTE2MDk0MTQzWhgPMjExNjEyMjMwOTQxNDNaMH0x +LmFwYWNoZS5vcmcwIBcNMjQxMDIwMTkxNDAyWhgPMjEyNDA5MjYxOTE0MDJaMHwx IzAhBgNVBAoMGkFwYWNoZSBTb2Z0d2FyZSBGb3VuZGF0aW9uMR8wHQYDVQQLDBZI -dHRwQ29tcG9uZW50cyBQcm9qZWN0MRMwEQYDVQQDDAp0ZXN0LWh0dHBkMSAwHgYJ -KoZIhvcNAQkBFhFkZXZAaGMuYXBhY2hlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQAD -ggEPADCCAQoCggEBANpVy3PDQs/BTm7ZdLj4HD8a3o1yOsRi9+vkclubnmUJDvSb -8L0p1a+p0V+CmVNJH3pcb2wPokhox1M+m5+ywuuPazjEanVSVWCdYECbpHnGx64c -bNnItlvL1K94RQ5XYgRIHdLzwZisZB+ujTB47FKzA2xLHLGHVl6kwzxUawUilTDI -DNTUQ/DrW1gpXM6Yl8yGeor9cA7AVVchLkr1Xb66bnaZasedn18xY5yutQN1bOzX -6HVr5F0jMOfIuYbsnXPoBkNqZlFXhL11G8hNa5wReTa/3dSoDc5rw9d+DvWweMGA -ltVFc8qGjn4PhUNuJg0gOnISgHNgopChEzAn1TUCAwEAAaOBqzCBqDAJBgNVHRME -AjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0 -ZTAdBgNVHQ4EFgQUAR5AgNh5QT2NadblbN80XY7XB9EwHwYDVR0jBBgwFoAUA+Tn -2g9k2xMevYWrdrwpyi+nx0swCwYDVR0PBAQDAgXgMCAGA1UdEQQZMBeCCnRlc3Qt -aHR0cGSCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAiL6ZMhObP4lZZRkq -Dh59nynF1n6C2xgsy7lx76yLMQ58sfl6tWAvCGPhHvXQ/uS3TpjeGwEiNTUcqzmq -JdV3Qkzr9teIuhQnBa4IuIBpPOHG09EmHnbHqbIrwy72J9s9bC5crLErBrCMC3Q6 -ctwVSCDfI7EvYLrjgNo23Kr2h0rJgnRASvnMldkrKyDI/bWHFPYTGzjmfhOEC8Ek -/t0YDMrf+3Fd6qr7yiBUC3tAkyDFS6+miYYvSdeDDk5Hvl/5NPk4fyUYBQwmXqpM -xnDSJ10g74pRtoaMZiY9NouwueDLFyKltjCgxK6fgPt78VX4L2G4HvjrLIajU2y9 -xa+iHw== +dHRwQ29tcG9uZW50cyBQcm9qZWN0MRIwEAYDVQQDDAlsb2NhbGhvc3QxIDAeBgkq 
+hkiG9w0BCQEWEWRldkBoYy5hcGFjaGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAnRIP0Ip+CuR2uAivP18PtExwJCJOj49V7K4xbOIFaN/FwE3p +pe3ZTnHt5zxRrAr+IZZ8DHsv+m9Pc2k4oCWnTNBp/KKNlMtPnscfo7JblF8gPGFN +c6acpHxyJSbuptDY8Enns+D1Td5uVIC5VIw3ndLArItDA42cyayR+TFPbekt1d65 +xDTeZz0aTiVDXu6OAWfWskpJU/nTDJNdqR9S9yOTHXM61OHdK6LRZbHvaRIa/Gsk +fJZr0ichTjgEr+TR9k6yiqRZtsjFIdXA1th+WLJOOp5vgYoaDg5haRXLehkaN2I7 +lrM7IBG3HqZjOSsMwit3ew0h70Imcc52SctoMwIDAQABo4GeMIGbMAkGA1UdEwQC +MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl +MB0GA1UdDgQWBBQ4GU+/wXFB/niRsAk5i63XBbnZgjAfBgNVHSMEGDAWgBQD5Ofa +D2TbEx69hat2vCnKL6fHSzAgBgNVHREEGTAXgglsb2NhbGhvc3SCCnRlc3QtaHR0 +cGQwDQYJKoZIhvcNAQELBQADggEBAAdZBrVgLVXOCb3xRhnv5ZD6uL/aCKzNlp4G +5LLcHJK/tMDuhNU5kkOEvMfJ6m3AkPUM098JwsNEa15N/n9rBPlYn7PoL62aCZG3 +PNwr/2zbn8hjqjMOOpOOKpnEwMBaodGieawHz/aq9/N6QpqZR3yeo3oMvVnRBxje +9WRxU4OZOL8SMI2JSY1LyVgDXm2GWPMyqeAkGA9geVpUi56+nWhBJEsr+NAhdJ68 +6vkMwPlW4iz/aXEDXHbS6vacBU/SKHyZoV2qq5sxgs4RaQgcWiyGkkyChprtn/T+ +xgvfGxU4E5w7RnXYzrCubmQ/G7QLGvu8Z/SqjuNC4T5u51+YZC4= -----END CERTIFICATE----- diff --git a/httpclient5-testing/src/test/resources/docker/server-key.pem b/httpclient5-testing/src/test/resources/docker/server-key.pem index 4a86bacef..5a11a6c04 100644 --- a/httpclient5-testing/src/test/resources/docker/server-key.pem +++ b/httpclient5-testing/src/test/resources/docker/server-key.pem 
@@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDaVctzw0LPwU5u -2XS4+Bw/Gt6NcjrEYvfr5HJbm55lCQ70m/C9KdWvqdFfgplTSR96XG9sD6JIaMdT -PpufssLrj2s4xGp1UlVgnWBAm6R5xseuHGzZyLZby9SveEUOV2IESB3S88GYrGQf -ro0weOxSswNsSxyxh1ZepMM8VGsFIpUwyAzU1EPw61tYKVzOmJfMhnqK/XAOwFVX -IS5K9V2+um52mWrHnZ9fMWOcrrUDdWzs1+h1a+RdIzDnyLmG7J1z6AZDamZRV4S9 -dRvITWucEXk2v93UqA3Oa8PXfg71sHjBgJbVRXPKho5+D4VDbiYNIDpyEoBzYKKQ -oRMwJ9U1AgMBAAECggEBAIEr4wthCUUKs5GHW7QXLfbzuZlrbHNFrjHEXRfvkJ1r -54o2PA5eEsszp+hexsFscJAe4djHwxYdz1djogSwaPueRSw3oFg61sIrOYffzUYy -oW5T6N5MDf9vLyyE9i4O6rFnzSVCC1Z9H1tTFLsJv58Jw8utAJPTYvjpd4xY0Vwe -SqT/ZdIB9Cb+3R46+yJdcUWFUqpzKXOWZ1JH1b3nOpaLeyXJX0Xau7oyTxh/8hjg -+2DV9VI9LEKqzIV96iSsMzk28y9Iio7OW4x/vEDdpf9izmCSU8o2zLNHGBSvnUxM -wHH3pO96fmOBwq/vQkwZ7I2Y+LiL0nrukUiGpaxBz0ECgYEA95LdkhdS+Ou8hEJt -o9cILbTP+vK4NzhKhA1tRsWylNjuv8Bp/MwM1OvRInEwl05VenG3Fbm2AsDerQEQ -b+aFPK+l78ZMlRZ945my9Q+jk3qYxmhl0j7mz+GdYt0MoKRyDe30wkk/cCPpwdhe -GF8Tvk7EjfGoDFiuf8wCyMEF9+UCgYEA4cQrtQLztRBZBeO+r0Wx1r6AjEKNBMPl -FYHh9qfAsRqF452xa331ftNjyPV2vmGdjVTU0FQgbf6ZSK5kCqyVTk9QHZdt65ds -vqdpOS9FocWZOV6qTaIVoSJY804ZZJKVB+97HrFOHxPnOn0uJvtk/3x0awOoSu0I -TCU/MXNk8xECgYEAn48aGlPJ+AAGqb8eZp/p93s3J+dS7tPqwpzctuYnqGL/zLm4 -FWN1Sa0KRoZo6Ltlv9qWQvxD4BZp7VpoO5Z4fJo/+f710IiEbjHa8rI3nI9A827J -YO2FWKlyBAuvXcFeeLfKLYWDy0R6HaLTUiXE1bxyVYFP61Ukcd0MVlKBBDkCgYAM -KC0WVS9cW6H/kDDvbThTUPTJGLhRPl8ylkjdqFDW+I+nHxGzsResGaPw6U7Yl5cN -SjkfcrhAVApbAJEAhiSQD/NHdKUFn6TKa2deHe6I9IP4s+FFxumVQK07hMQXR1Fh -GQMvNur2/3JfEuiOTtE0dLYsIQlJ55Ofzg2mEwmnkQKBgQCjtelLDrPJn8x/7NzW -L4/5xv3zHsjKxpvyn6jmP0s9wz2Dxeh4VzMudflw3y0l02bMLyPacQcaU9l5DKgP -WRGD7a9Yig0dx/gHCjX+QMdKvgNR6Pi7iJiD15THsZB3L1ZpzjNGr/ENxn/Xx6VC -bCjMxWkkzDr0xYCRr3FzQ1iEkg== +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCdEg/Qin4K5Ha4 +CK8/Xw+0THAkIk6Pj1XsrjFs4gVo38XATeml7dlOce3nPFGsCv4hlnwMey/6b09z +aTigJadM0Gn8oo2Uy0+exx+jsluUXyA8YU1zppykfHIlJu6m0NjwSeez4PVN3m5U +gLlUjDed0sCsi0MDjZzJrJH5MU9t6S3V3rnENN5nPRpOJUNe7o4BZ9aySklT+dMM 
+k12pH1L3I5MdczrU4d0rotFlse9pEhr8ayR8lmvSJyFOOASv5NH2TrKKpFm2yMUh +1cDW2H5Ysk46nm+BihoODmFpFct6GRo3YjuWszsgEbcepmM5KwzCK3d7DSHvQiZx +znZJy2gzAgMBAAECggEAB11ucmfcCyS1UGHP3dfWQ60F4RvetSqSa9urI6Dhgg5k +FmVQ3F/vvZboAdy5M6j8S5Tj0i4AjOylPBMl/ZRmaNqo7ZitrNlvrVFG8YUOeEGR +oGMrn42jcK8JJybRL+9BDNtaSvv0ZKdWYw36IrXEcdkNAcox5TvBq081NQsT32Jp +2/dZB6yDlxTD8NVf1mzaeO0v+VxbRvPQ7HY9o0F1FVxBot/NjidU/fQwSSg2lFNq +K+u9q5W2e0Ca2KYEV7tHpOJMmMKH6kOYjM+UiQpPWXiuClcf+LbCsj4v3a5MrlsM +fdDFMnddn6cvM3RP/lpELCqSgkzTM3srAFydY6wMEQKBgQDPUOQaxo/xPYVAGW/Q +THbQjfA7fZweWNT2EmB3PsDA/79TtkKgFF/kuSoq5AOYcQOP3Q0qZF9DjeIhL0tK +WZxV9Y24q/EfnLpZOjui+SHu+RA6paFYveKcy7Mj3E5A/D3qKwDIPYX/K195LaEd +Pll5hiWcwWIqj1bEerqPSIvSqQKBgQDB9JeR/kPvnNFXnXtUQ/o0w42GKr1Gx5HW +iiNllS5OwOGKXif8+T+liJ2eUFJ5lFb6eZhTSdWEUqygDDE00XDwnjUQm4tvBK/3 +vfAkpT6RDtLZ7rIWXHXN+45MTl6LhSBYNphZK6UFY4JvtJSweRbXl8OnK1peENTE +OOvvpRNJewKBgBwc1QHIgUZuWD5r9Jyjcc0wIi5/Bweadi50KX6iFNNXGuPIKFq6 +yJIkhdJRHyex05DTofBosf5gJBTp6+TGKAwEA1bSgh0OTLrCycl8zRwxzACX6zw0 +a6FlggJP4pCvY9n4QN/mb+A9SnINPPbROKLhDQKnup8Y1uRH3DqH1OYZAoGBAKO6 +MPT5+ilcbM+UThbNJ3rBFUgL7inAsFi11bmb3DJ42iuu3fzL/zFiiQOqdGTTlzTr +zm2Ip2iDTdvxTtxybO+B7fOuCl9WSqFMwlp877sOE2oK+GSt+ng+gVni0ibe43Xz +6Fll4XESFnrrqpTqMyEdqPkGPMupU6KtFmX/KK/fAoGAdYADpMf467obKaUPOvR+ +wPUjCQlopCK6wCFE2kuEv3e64NOpN7VJ1GHzro4DsaxndBHhG3+Pml3fnoclZgYP +9LVY/rduV+2xwP6GVd5iLSFKtaXPGVxkGPKEgX6842Z6i7BLUQZQyWHr19UEkgFj +RB0YbKKxrC01hpdKKHWMlHU= -----END PRIVATE KEY----- diff --git a/test-CA/openssl.cnf b/test-CA/openssl.cnf index af03c6db0..b1c8257fe 100644 --- a/test-CA/openssl.cnf +++ b/test-CA/openssl.cnf @@ -52,7 +52,7 @@ default_ca = CA_default # The default ca section #################################################################### [ CA_default ] -dir = ./demoCA # Where everything is kept +dir = ./test-CA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. 
@@ -60,13 +60,13 @@ database = $dir/index.txt # database index file. # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. -certificate = $dir/cacert.pem # The CA certificate -serial = $dir/serial # The current serial number +certificate = $dir/ca-cert.pem # The CA certificate +serial = $dir/serial.txt # The current serial number crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL -private_key = $dir/private/cakey.pem# The private key -RANDFILE = $dir/private/.rand # private random number file +private_key = $dir/ca-key.pem# The private key +RANDFILE = $dir/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert @@ -76,7 +76,7 @@ name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options # Extension copying option: use with caution. -# copy_extensions = copy +copy_extensions = copy # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. @@ -95,8 +95,8 @@ policy = policy_match # For the CA policy [ policy_match ] -countryName = match -stateOrProvinceName = match +countryName = optional +stateOrProvinceName = optional organizationName = match organizationalUnitName = optional commonName = supplied
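Review bot: The counter behind `serial = $dir/serial.txt` appears to have been seeded with 00, because the server-cert.pem regenerated in this same commit shows `Serial Number: 0 (0x0)`. RFC 5280 requires certificate serial numbers to be positive, and a stricter TLS stack or certificate linter may reject a zero serial, which would show up as a confusing handshake failure in tests rather than as a configuration error. Seeding the file with `01` and re-issuing the server certificate avoids that. Since the commit also adds `/test-CA/serial.txt*` and `/test-CA/index.txt*` to .gitignore, the seed value and an empty index.txt presumably have to be created by hand on a fresh checkout; a comment beside these two settings stating the expected initial contents would help.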
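Review bot: Uncommenting `copy_extensions = copy` in the -76,7 hunk makes the CA copy every extension in a request that the `usr_cert` section does not already set, not only the `subjectAltName` supplied through `-addext`; key usage, extended key usage or additional names in a CSR would be signed as submitted. That is acceptable for a test CA whose key is kept in the repository, but the surviving comment "use with caution" no longer explains why the option is on. I would add a comment above it such as `# Enabled so the subjectAltName from 'openssl req -addext' reaches the issued cert; inspect each request with 'openssl req -text -noout' before signing.` If this configuration is ever reused outside the test suite, the option should go back to `none`.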