diff options
Diffstat (limited to 'src/test/ssl/conf')
21 files changed, 393 insertions, 0 deletions
diff --git a/src/test/ssl/conf/cas.config b/src/test/ssl/conf/cas.config new file mode 100644 index 0000000..2c48510 --- /dev/null +++ b/src/test/ssl/conf/cas.config @@ -0,0 +1,60 @@ +# This file contains the configuration for all the CAs. + +# Root CA, used to sign the certificates of the intermediary server and +# client CAs. +[ root_ca ] +dir = ./ssl/ +database = ./ssl/root_ca-certindex +serial = ./ssl/root_ca.srl +default_md = sha256 +default_days= 10000 +default_crl_days= 10000 +certificate = ./ssl/root_ca.crt +private_key = ./ssl/root_ca.key +new_certs_dir = ./ssl/new_certs_dir +policy = policy_match +email_in_dn = no +copy_extensions = copy + +# CA used to sign all the server certificates. +[ server_ca ] +dir = ./ssl/ +database = ./ssl/server_ca-certindex +default_md = sha256 +default_days= 10000 +default_crl_days= 10000 +certificate = ./ssl/server_ca.crt +private_key = ./ssl/server_ca.key +new_certs_dir = ./ssl/new_certs_dir +serial = ./ssl/server_ca.srl +policy = policy_match +email_in_dn = no +copy_extensions = copy +unique_subject = no +crl = ./ssl/server.crl + +# CA used to sign all the client certificates. +[ client_ca ] +dir = ./ssl/ +database = ./ssl/client_ca-certindex +default_md = sha256 +default_days= 10000 +default_crl_days= 10000 +certificate = ./ssl/client_ca.crt +private_key = ./ssl/client_ca.key +new_certs_dir = ./ssl/new_certs_dir +serial = ./ssl/client_ca.srl +policy = policy_match +email_in_dn = no +copy_extensions = copy +unique_subject = no +crl = ./ssl/client.crl + +# This is common for all CAs. +[ policy_match ] +countryName = optional +stateOrProvinceName = optional +organizationName = optional +organizationalUnitName = optional +commonName = optional +emailAddress = optional diff --git a/src/test/ssl/conf/client-dn.config b/src/test/ssl/conf/client-dn.config new file mode 100644 index 0000000..0c71d83 --- /dev/null +++ b/src/test/ssl/conf/client-dn.config @@ -0,0 +1,15 @@ +# An OpenSSL format CSR config file for creating a client certificate. +# +# The certificate is for user "ssltestuser-dn" with a multi-part DN + +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +O = PGDG +0.OU = Engineering +1.OU = Testing +CN = ssltestuser-dn + +# no extensions in client certs diff --git a/src/test/ssl/conf/client-revoked.config b/src/test/ssl/conf/client-revoked.config new file mode 100644 index 0000000..3b82b57 --- /dev/null +++ b/src/test/ssl/conf/client-revoked.config @@ -0,0 +1,13 @@ +# An OpenSSL format CSR config file for creating a client certificate. +# +# This is identical to the client.config certificate, but this one is revoked +# later. + +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +CN = ssltestuser + +# no extensions in client certs diff --git a/src/test/ssl/conf/client.config b/src/test/ssl/conf/client.config new file mode 100644 index 0000000..26fc257 --- /dev/null +++ b/src/test/ssl/conf/client.config @@ -0,0 +1,12 @@ +# An OpenSSL format CSR config file for creating a client certificate. +# +# The certificate is for user "ssltestuser". + +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +CN = ssltestuser + +# no extensions in client certs diff --git a/src/test/ssl/conf/client_ca.config b/src/test/ssl/conf/client_ca.config new file mode 100644 index 0000000..5990f06 --- /dev/null +++ b/src/test/ssl/conf/client_ca.config @@ -0,0 +1,16 @@ +# An OpenSSL format CSR config file for creating the client root certificate. +# This configuration file is also used when operating the CA. +# +# This certificate is used to sign client certificates. It is self-signed. + +[ req ] +distinguished_name = req_distinguished_name +prompt = no +req_extensions = v3_ca + +[ req_distinguished_name ] +CN = Test CA for PostgreSQL SSL regression test client certs + +# Extensions for CA certs +[ v3_ca ] +basicConstraints = CA:true diff --git a/src/test/ssl/conf/client_ext.config b/src/test/ssl/conf/client_ext.config new file mode 100644 index 0000000..c2dbfef --- /dev/null +++ b/src/test/ssl/conf/client_ext.config @@ -0,0 +1,16 @@ +# An OpenSSL format CSR config file for creating a client certificate. +# +# The certificate is for user "ssltestuser" and intends to test client +# certificate with extensions. + +[ req ] +distinguished_name = req_distinguished_name +req_extensions = client_ext +prompt = no + +[ req_distinguished_name ] +CN = ssltestuser + +[ client_ext ] +basicConstraints = critical,CA:false +extendedKeyUsage = clientAuth diff --git a/src/test/ssl/conf/root_ca.config b/src/test/ssl/conf/root_ca.config new file mode 100644 index 0000000..e193186 --- /dev/null +++ b/src/test/ssl/conf/root_ca.config @@ -0,0 +1,14 @@ +# A root certificate authority. The server and client CA's certificates +# are signed by this root CA. + +[ req ] +distinguished_name = req_distinguished_name +prompt = no +x509_extensions = v3_ca + +[ req_distinguished_name ] +CN = Test root CA for PostgreSQL SSL regression test suite + +# Extensions for CA certs +[ v3_ca ] +basicConstraints = CA:true diff --git a/src/test/ssl/conf/server-cn-and-alt-names.config b/src/test/ssl/conf/server-cn-and-alt-names.config new file mode 100644 index 0000000..6734251 --- /dev/null +++ b/src/test/ssl/conf/server-cn-and-alt-names.config @@ -0,0 +1,25 @@ +# An OpenSSL format CSR config file for creating a server certificate. +# +# This certificate contains both a CN, and SANs. + + +[ req ] +distinguished_name = req_distinguished_name +req_extensions = v3_req +prompt = no + +[ req_distinguished_name ] +# Note: According to RFC 2818 and 6125, the CN is ignored, when SANs are +# present. In practice, the hostname that's put in the CN field is always +# also listed as a SAN, but we intentionally don't do that here so that we +# can test adherence to those RFCs. +CN = common-name.pg-ssltest.test +OU = PostgreSQL test suite + +# For Subject Alternative Names +[ v3_req ] +subjectAltName = @alt_names + +[ alt_names ] +DNS.1 = dns1.alt-name.pg-ssltest.test +DNS.2 = dns2.alt-name.pg-ssltest.test diff --git a/src/test/ssl/conf/server-cn-and-ip-alt-names.config b/src/test/ssl/conf/server-cn-and-ip-alt-names.config new file mode 100644 index 0000000..a6fa09b --- /dev/null +++ b/src/test/ssl/conf/server-cn-and-ip-alt-names.config @@ -0,0 +1,24 @@ +# An OpenSSL format CSR config file for creating a server certificate. +# +# This certificate contains a CN and SANs for both IPv4 and IPv6. + + +[ req ] +distinguished_name = req_distinguished_name +req_extensions = v3_req +prompt = no + +[ req_distinguished_name ] +# Note: According to RFC 2818 and 6125, the CN is ignored, when DNS names are +# present in the SANs. But they are silent on whether the CN is checked when IP +# addresses are present. +CN = common-name.pg-ssltest.test +OU = PostgreSQL test suite + +# For Subject Alternative Names +[ v3_req ] +subjectAltName = @alt_names + +[ alt_names ] +IP.1 = 192.0.2.1 +IP.2 = 2001:DB8::1 diff --git a/src/test/ssl/conf/server-cn-only.config b/src/test/ssl/conf/server-cn-only.config new file mode 100644 index 0000000..9edb7b7 --- /dev/null +++ b/src/test/ssl/conf/server-cn-only.config @@ -0,0 +1,12 @@ +# An OpenSSL format CSR config file for creating a server certificate. +# + +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +CN = common-name.pg-ssltest.test +OU = PostgreSQL test suite + +# No Subject Alternative Names diff --git a/src/test/ssl/conf/server-ip-alt-names.config b/src/test/ssl/conf/server-ip-alt-names.config new file mode 100644 index 0000000..c22f229 --- /dev/null +++ b/src/test/ssl/conf/server-ip-alt-names.config @@ -0,0 +1,19 @@ +# An OpenSSL format CSR config file for creating a server certificate. +# +# This certificate has a two IP-address SANs, and no CN. + +[ req ] +distinguished_name = req_distinguished_name +req_extensions = v3_req +prompt = no + +[ req_distinguished_name ] +OU = PostgreSQL test suite + +# For Subject Alternative Names +[ v3_req ] +subjectAltName = @alt_names + +[ alt_names ] +IP.1 = 192.0.2.1 +IP.2 = 2001:DB8::1 diff --git a/src/test/ssl/conf/server-ip-cn-and-alt-names.config b/src/test/ssl/conf/server-ip-cn-and-alt-names.config new file mode 100644 index 0000000..a4087f0 --- /dev/null +++ b/src/test/ssl/conf/server-ip-cn-and-alt-names.config @@ -0,0 +1,21 @@ +# An OpenSSL format CSR config file for creating a server certificate. +# +# This certificate contains both a CN and SANs in IP address format. + + +[ req ] +distinguished_name = req_distinguished_name +req_extensions = v3_req +prompt = no + +[ req_distinguished_name ] +CN = 192.0.2.1 +OU = PostgreSQL test suite + +# For Subject Alternative Names +[ v3_req ] +subjectAltName = @alt_names + +[ alt_names ] +IP.1 = 192.0.2.2 +IP.2 = 2001:DB8::1 diff --git a/src/test/ssl/conf/server-ip-cn-and-dns-alt-names.config b/src/test/ssl/conf/server-ip-cn-and-dns-alt-names.config new file mode 100644 index 0000000..7121803 --- /dev/null +++ b/src/test/ssl/conf/server-ip-cn-and-dns-alt-names.config @@ -0,0 +1,21 @@ +# An OpenSSL format CSR config file for creating a server certificate. +# +# This certificate contains both a CN and SANs in IP address format. + + +[ req ] +distinguished_name = req_distinguished_name +req_extensions = v3_req +prompt = no + +[ req_distinguished_name ] +CN = 192.0.2.1 +OU = PostgreSQL test suite + +# For Subject Alternative Names +[ v3_req ] +subjectAltName = @alt_names + +[ alt_names ] +DNS.1 = dns1.alt-name.pg-ssltest.test +DNS.2 = dns2.alt-name.pg-ssltest.test diff --git a/src/test/ssl/conf/server-ip-cn-only.config b/src/test/ssl/conf/server-ip-cn-only.config new file mode 100644 index 0000000..585d8bd --- /dev/null +++ b/src/test/ssl/conf/server-ip-cn-only.config @@ -0,0 +1,12 @@ +# An OpenSSL format CSR config file for creating a server certificate. +# + +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +CN = 192.0.2.1 +OU = PostgreSQL test suite + +# No Subject Alternative Names diff --git a/src/test/ssl/conf/server-ip-in-dnsname.config b/src/test/ssl/conf/server-ip-in-dnsname.config new file mode 100644 index 0000000..b15649a --- /dev/null +++ b/src/test/ssl/conf/server-ip-in-dnsname.config @@ -0,0 +1,18 @@ +# An OpenSSL format CSR config file for creating a server certificate. +# + +[ req ] +distinguished_name = req_distinguished_name +req_extensions = v3_req +prompt = no + +[ req_distinguished_name ] +OU = PostgreSQL test suite + +# For Subject Alternative Names +[ v3_req ] +subjectAltName = @alt_names + +# Normally IP addresses should not go into a dNSName. +[ alt_names ] +DNS.1 = 192.0.2.1 diff --git a/src/test/ssl/conf/server-multiple-alt-names.config b/src/test/ssl/conf/server-multiple-alt-names.config new file mode 100644 index 0000000..fe230df --- /dev/null +++ b/src/test/ssl/conf/server-multiple-alt-names.config @@ -0,0 +1,20 @@ +# An OpenSSL format CSR config file for creating a server certificate. +# +# This certificate contains multiple SANs, and no CN. + +[ req ] +distinguished_name = req_distinguished_name +req_extensions = v3_req +prompt = no + +[ req_distinguished_name ] +OU = PostgreSQL test suite + +# For Subject Alternative Names +[ v3_req ] +subjectAltName = @alt_names + +[ alt_names ] +DNS.1 = dns1.alt-name.pg-ssltest.test +DNS.2 = dns2.alt-name.pg-ssltest.test +DNS.3 = *.wildcard.pg-ssltest.test diff --git a/src/test/ssl/conf/server-no-names.config b/src/test/ssl/conf/server-no-names.config new file mode 100644 index 0000000..89075de --- /dev/null +++ b/src/test/ssl/conf/server-no-names.config @@ -0,0 +1,13 @@ +# An OpenSSL format CSR config file for creating a server certificate. +# +# This certificate contains no CN, nor SANs. Not very useful, but make +# sure the client can handle it gracefully. + +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +OU = PostgreSQL test suite + +# No Subject Alternative Names diff --git a/src/test/ssl/conf/server-revoked.config b/src/test/ssl/conf/server-revoked.config new file mode 100644 index 0000000..c9e1f5d --- /dev/null +++ b/src/test/ssl/conf/server-revoked.config @@ -0,0 +1,14 @@ +# An OpenSSL format CSR config file for creating a server certificate. +# +# This is identical to server-cn-only certificate, but this one is revoked +# later. + +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +CN = common-name.pg-ssltest.test +OU = PostgreSQL test suite + +# No Subject Alternative Names diff --git a/src/test/ssl/conf/server-rsapss.config b/src/test/ssl/conf/server-rsapss.config new file mode 100644 index 0000000..391f9b8 --- /dev/null +++ b/src/test/ssl/conf/server-rsapss.config @@ -0,0 +1,14 @@ +# An OpenSSL format CSR config file for creating a server certificate. +# +# This is identical to server-cn-only certificate, but we specify +# RSA-PSS as the algorithm on the command line. + +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +CN = common-name.pg-ssltest.test +OU = PostgreSQL test suite + +# No Subject Alternative Names
\ No newline at end of file diff --git a/src/test/ssl/conf/server-single-alt-name.config b/src/test/ssl/conf/server-single-alt-name.config new file mode 100644 index 0000000..2b3ddf4 --- /dev/null +++ b/src/test/ssl/conf/server-single-alt-name.config @@ -0,0 +1,18 @@ +# An OpenSSL format CSR config file for creating a server certificate. +# +# This certificate has a single SAN, and no CN. + +[ req ] +distinguished_name = req_distinguished_name +req_extensions = v3_req +prompt = no + +[ req_distinguished_name ] +OU = PostgreSQL test suite + +# For Subject Alternative Names +[ v3_req ] +subjectAltName = @alt_names + +[ alt_names ] +DNS.1 = single.alt-name.pg-ssltest.test diff --git a/src/test/ssl/conf/server_ca.config b/src/test/ssl/conf/server_ca.config new file mode 100644 index 0000000..496aaba --- /dev/null +++ b/src/test/ssl/conf/server_ca.config @@ -0,0 +1,16 @@ +# An OpenSSL format CSR config file for creating the server root certificate. +# This configuration file is also used when operating the CA. +# +# This certificate is used to sign server certificates. It is self-signed. + +[ req ] +distinguished_name = req_distinguished_name +prompt = no +req_extensions = v3_ca + +[ req_distinguished_name ] +CN = Test CA for PostgreSQL SSL regression test server certs + +# Extensions for CA certs +[ v3_ca ] +basicConstraints = CA:true |