From 3e65c99840f85a1a81f583fe9e85afbd859bed4d Mon Sep 17 00:00:00 2001
From: Vesa Jääskeläinen
Date: Sun, 27 Sep 2020 12:16:11 +0300
Subject: [PATCH] leshan-integration-tests: credentials: Update with intermediate and add manufacturer CA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Split own key stores for different CAs.
Add intermediate CA for making chain validation tests.
Add manufacturer CA for making client certificates with that.

Signed-off-by: Vesa Jääskeläinen
Also-by: Simon Bernard
---
 .../credentials/clientKeyStore.jks | Bin 3548 -> 4844 bytes
 .../credentials/generate_credentials.sh | 140 ++++++++++++++++--
 .../credentials/manufacturerCaKeyStore.jks | Bin 0 -> 1676 bytes
 .../credentials/serverKeyStore.jks | Bin 3352 -> 3805 bytes
 .../credentials/trustedCaKeyStore.jks | Bin 0 -> 1531 bytes
 .../credentials/unknownCaKeyStore.jks | Bin 0 -> 595 bytes
 6 files changed, 128 insertions(+), 12 deletions(-)
 create mode 100644 leshan-integration-tests/credentials/manufacturerCaKeyStore.jks
 create mode 100644 leshan-integration-tests/credentials/trustedCaKeyStore.jks
 create mode 100644 leshan-integration-tests/credentials/unknownCaKeyStore.jks
diff --git a/leshan-integration-tests/credentials/clientKeyStore.jks b/leshan-integration-tests/credentials/clientKeyStore.jks index d885ed157f33dbd45f9f8195b4df25f6b28f7f63..46430a78c009ede25157ace0f2613fad90dd75a6 100644 GIT binary patch
diff --git a/leshan-integration-tests/credentials/generate_credentials.sh b/leshan-integration-tests/credentials/generate_credentials.sh index caf1212d3f..5fec982aa8 100755 --- a/leshan-integration-tests/credentials/generate_credentials.sh +++ b/leshan-integration-tests/credentials/generate_credentials.sh @@ -1,12 +1,20 @@ #!/bin/bash # Keystore parameters + CLIENT_STORE=clientKeyStore.jks CLIENT_STORE_PWD=client SERVER_STORE=serverKeyStore.jks SERVER_STORE_PWD=server +TRUSTED_CA_STORE=trustedCaKeyStore.jks +TRUSTED_CA_STORE_PWD=trusted +MANUFACTURER_CA_STORE=manufacturerCaKeyStore.jks +MANUFACTURER_CA_STORE_PWD=manufacturer +UNKNOWN_CA_STORE=unknownCaKeyStore.jks +UNKNOWN_CA_STORE_PWD=unknown VALIDITY=36500 #days +DEFAULT_STORE_TYPE=JKS #PKCS12 is not supported by Java7 # Color output stuff red=`tput setaf 1` 
@@ -17,26 +25,83 @@ H1=${green}${bold} H2=${blue} RESET=`tput sgr0` -# Generation of the keystore needed for Leshan integration tests. -echo "${H1}Server Keystore : ${RESET}" -echo "${H1}==================${RESET}" +# Generation of the Trusted CA keystore needed for Leshan integration tests. +echo "${H1}Trusted CA Keystore : ${RESET}" +echo "${H1}======================${RESET}" echo "${H2}Creating the trusted root CA key and certificate...${RESET}" keytool -genkeypair -alias rootCA -keyalg EC -dname 'CN=Leshan root CA' \ -validity $VALIDITY \ + -storetype $DEFAULT_STORE_TYPE \ -ext BasicConstraints:critical=ca:true \ -ext KeyUsage:critical=keyCertSign,cRLSign \ - -keypass $SERVER_STORE_PWD -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD + -keypass $TRUSTED_CA_STORE_PWD -keystore $TRUSTED_CA_STORE -storepass $TRUSTED_CA_STORE_PWD +keytool -exportcert -alias rootCA -keystore $TRUSTED_CA_STORE -storepass $TRUSTED_CA_STORE_PWD -file rootCA.der +echo +echo "${H2}Creating the intermediate CA key and certificate...${RESET}" +keytool -genkeypair -alias intermediateCA -keyalg EC -dname 'CN=Leshan intermediate CA' \ + -validity $VALIDITY \ + -storetype $DEFAULT_STORE_TYPE \ + -ext BasicConstraints:critical=ca:true,pathlen:0 \ + -ext KeyUsage:critical=keyCertSign,cRLSign \ + -keypass $TRUSTED_CA_STORE_PWD -keystore $TRUSTED_CA_STORE -storepass $TRUSTED_CA_STORE_PWD +echo +keytool -certreq -alias intermediateCA -dname 'CN=Leshan intermediate CA' -keystore $TRUSTED_CA_STORE -storepass $TRUSTED_CA_STORE_PWD | \ + keytool -gencert -alias rootCA -keystore $TRUSTED_CA_STORE -storepass $TRUSTED_CA_STORE_PWD \ + -validity $VALIDITY \ + -ext BasicConstraints:critical=ca:true,pathlen:0 \ + -ext KeyUsage:critical=keyCertSign,cRLSign | \ + keytool -importcert -alias intermediateCA -keystore $TRUSTED_CA_STORE -storepass $TRUSTED_CA_STORE_PWD +keytool -exportcert -alias intermediateCA -keystore $TRUSTED_CA_STORE -storepass $TRUSTED_CA_STORE_PWD -file intermediateCA.der +echo + +# 
Generation of the Manufacturer CA keystore needed for Leshan integration tests. +echo "${H1}Manufacturer CA Keystore : ${RESET}" +echo "${H1}======================${RESET}" +echo "${H2}Creating the trusted root CA key and certificate...${RESET}" +keytool -genkeypair -alias mfgProductsRootCA -keyalg EC -dname 'CN=Products Root CA,O=Manufacturer' \ + -validity $VALIDITY \ + -storetype $DEFAULT_STORE_TYPE \ + -ext BasicConstraints:critical=ca:true \ + -ext KeyUsage:critical=keyCertSign,cRLSign \ + -keypass $MANUFACTURER_CA_STORE_PWD -keystore $MANUFACTURER_CA_STORE -storepass $MANUFACTURER_CA_STORE_PWD +keytool -exportcert -alias mfgProductsRootCA -keystore $MANUFACTURER_CA_STORE -storepass $MANUFACTURER_CA_STORE_PWD -file mfgProductsRootCA.der echo +echo "${H2}Creating the Devices CA key and certificate...${RESET}" +keytool -genkeypair -alias mfgDevicesCA -keyalg EC -dname 'CN=Devices CA,O=Manufacturer' \ + -validity $VALIDITY \ + -storetype $DEFAULT_STORE_TYPE \ + -ext BasicConstraints:critical=ca:true,pathlen:0 \ + -ext KeyUsage:critical=keyCertSign,cRLSign \ + -keypass $MANUFACTURER_CA_STORE_PWD -keystore $MANUFACTURER_CA_STORE -storepass $MANUFACTURER_CA_STORE_PWD +echo +keytool -certreq -alias mfgDevicesCA -dname 'CN=Devices CA,O=Manufacturer' -keystore $MANUFACTURER_CA_STORE -storepass $MANUFACTURER_CA_STORE_PWD | \ + keytool -gencert -alias mfgProductsRootCA -keystore $MANUFACTURER_CA_STORE -storepass $MANUFACTURER_CA_STORE_PWD \ + -validity $VALIDITY \ + -ext BasicConstraints:critical=ca:true,pathlen:0 \ + -ext KeyUsage:critical=keyCertSign,cRLSign | \ + keytool -importcert -alias mfgDevicesCA -keystore $MANUFACTURER_CA_STORE -storepass $MANUFACTURER_CA_STORE_PWD +keytool -exportcert -alias mfgDevicesCA -keystore $MANUFACTURER_CA_STORE -storepass $MANUFACTURER_CA_STORE_PWD -file mfgDevicesCA.der +echo + +# Generation of the Unknown CA keystore needed for Leshan integration tests. 
+echo "${H1}Unknown CA Keystore : ${RESET}" +echo "${H1}======================${RESET}" echo "${H2}Creating an untrusted root CA key and certificate...${RESET}" -keytool -genkeypair -alias untrustedrootCA -keyalg EC -dname 'CN=Leshan untrusted root CA' \ +keytool -genkeypair -alias untrustedRootCA -keyalg EC -dname 'CN=Leshan untrusted root CA' \ -validity $VALIDITY \ + -storetype $DEFAULT_STORE_TYPE \ -ext BasicConstraints:critical=ca:true \ -ext KeyUsage:critical=keyCertSign,cRLSign \ - -keypass $SERVER_STORE_PWD -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD + -keypass $UNKNOWN_CA_STORE_PWD -keystore $UNKNOWN_CA_STORE -storepass $UNKNOWN_CA_STORE_PWD +keytool -exportcert -alias untrustedRootCA -keystore $UNKNOWN_CA_STORE -storepass $UNKNOWN_CA_STORE_PWD -file untrustedRootCA.der echo +# Generation of the keystore needed for Leshan integration tests. +echo "${H1}Server Keystore : ${RESET}" +echo "${H1}==================${RESET}" echo "${H2}Creating server key and self-signed certificate ...${RESET}" keytool -genkeypair -alias server -keyalg EC -dname 'CN=localhost' \ -validity $VALIDITY \ + -storetype $DEFAULT_STORE_TYPE \ -ext BasicConstraints=ca:false \ -ext KeyUsage:critical=digitalSignature,keyAgreement \ -ext ExtendedkeyUsage=serverAuth \ 
@@ -44,15 +109,42 @@ keytool -genkeypair -alias server -keyalg EC -dname 'CN=localhost' \ keytool -exportcert -alias server -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD | \ keytool -importcert -alias server_self_signed -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD -noprompt +echo +echo "${H2}Creating second server key and self-signed certificate ...${RESET}" +keytool -genkeypair -alias serverInt -keyalg EC -dname 'CN=Server signed with Intermediate CA' -ext san=dns:localhost \ + -validity $VALIDITY \ + -storetype $DEFAULT_STORE_TYPE \ + -ext BasicConstraints=ca:false \ + -ext KeyUsage:critical=digitalSignature,keyAgreement \ + -ext ExtendedkeyUsage=serverAuth \ + -keypass $SERVER_STORE_PWD -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD +keytool -exportcert -alias serverInt -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD | \ + keytool -importcert -alias serverInt_self_signed -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD -noprompt +echo +echo "${H2}Importing Root CA certificate ...${RESET}" +keytool -importcert -alias rootCA -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD -noprompt -file rootCA.der +echo +echo "${H2}Importing Intermediate CA certificate ...${RESET}" +keytool -importcert -alias intermediateCA -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD -noprompt -file intermediateCA.der echo echo "${H2}Creating server certificate signed by root CA...${RESET}" keytool -certreq -alias server -dname 'CN=localhost' -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD | \ - keytool -gencert -alias rootCA -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD \ + keytool -gencert -alias rootCA -keystore $TRUSTED_CA_STORE -storepass $TRUSTED_CA_STORE_PWD \ -validity $VALIDITY \ -ext BasicConstraints=ca:false \ -ext KeyUsage:critical=digitalSignature,keyAgreement \ -ext ExtendedkeyUsage=serverAuth | \ keytool -importcert -alias server -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD +echo +echo "${H2}Creating server certificate 
signed by intermediate CA...${RESET}" +keytool -certreq -alias serverInt -dname 'CN=Server signed with Intermediate CA' -ext san=dns:localhost -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD | \ + keytool -gencert -alias intermediateCA -keystore $TRUSTED_CA_STORE -storepass $TRUSTED_CA_STORE_PWD \ + -validity $VALIDITY \ + -ext BasicConstraints=ca:false \ + -ext KeyUsage:critical=digitalSignature,keyAgreement \ + -ext ExtendedkeyUsage=serverAuth \ + -ext san=dns:localhost | \ + keytool -importcert -alias serverInt -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD echo echo "${H1}Client Keystore : ${RESET}" @@ -60,6 +152,7 @@ echo "${H1}==================${RESET}" echo "${H2}Creating client key and self-signed certificate with expected CN...${RESET}" keytool -genkeypair -alias client -keyalg EC -dname 'CN=leshan_integration_test' \ -validity $VALIDITY \ + -storetype $DEFAULT_STORE_TYPE \ -ext BasicConstraints=ca:false \ -ext KeyUsage:critical=digitalSignature,keyAgreement \ -ext ExtendedkeyUsage=clientAuth \ 
@@ -68,12 +161,11 @@ keytool -exportcert -alias client -keystore $CLIENT_STORE -storepass $CLIENT_STO keytool -importcert -alias client_self_signed -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD -noprompt echo echo "${H2}Import root certificate just to be able to sign certificate ...${RESET}" -keytool -exportcert -alias rootCA -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD | \ - keytool -importcert -alias rootCA -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD -noprompt +keytool -importcert -alias rootCA -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD -noprompt -file rootCA.der echo echo "${H2}Creating client certificate signed by root CA with expected CN...${RESET}" keytool -certreq -alias client -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD | \ - keytool -gencert -alias rootCA -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD \ + keytool -gencert -alias rootCA -keystore $TRUSTED_CA_STORE -storepass $TRUSTED_CA_STORE_PWD \ -validity $VALIDITY \ -ext BasicConstraints=ca:false \ -ext KeyUsage:critical=digitalSignature,keyAgreement \ @@ -82,7 +174,7 @@ keytool -certreq -alias client -keystore $CLIENT_STORE -storepass $CLIENT_STORE_ echo echo "${H2}Creating client certificate signed by root CA with bad/unexpected CN...${RESET}" keytool -certreq -alias client -dname 'CN=leshan_client_with_bad_cn' -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD | \ - keytool -gencert -alias rootCA -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD \ + keytool -gencert -alias rootCA -keystore $TRUSTED_CA_STORE -storepass $TRUSTED_CA_STORE_PWD \ -validity $VALIDITY \ -ext BasicConstraints=ca:false \ -ext KeyUsage:critical=digitalSignature,keyAgreement \ 
@@ -91,9 +183,33 @@ keytool -certreq -alias client -dname 'CN=leshan_client_with_bad_cn' -keystore $ echo echo "${H2}Creating client certificate signed by untrusted root CA with expected CN...${RESET}" keytool -certreq -alias client -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD | \ - keytool -gencert -alias untrustedrootCA -keystore $SERVER_STORE -storepass $SERVER_STORE_PWD \ + keytool -gencert -alias untrustedRootCA -keystore $UNKNOWN_CA_STORE -storepass $UNKNOWN_CA_STORE_PWD \ -validity $VALIDITY \ -ext BasicConstraints=ca:false \ -ext KeyUsage:critical=digitalSignature,keyAgreement \ -ext ExtendedkeyUsage=clientAuth | \ keytool -importcert -alias client_not_trusted -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD -noprompt +echo +echo "${H2}Creating mfg client key and self-signed certificate with expected CN...${RESET}" +keytool -genkeypair -alias mfgClient -keyalg EC -dname 'CN=urn:dev:ops:32473-IoT_Device-K1234567,O=Manufacturer' \ + -validity $VALIDITY \ + -storetype $DEFAULT_STORE_TYPE \ + -ext BasicConstraints=ca:false \ + -ext KeyUsage:critical=digitalSignature,keyAgreement \ + -ext ExtendedkeyUsage=clientAuth \ + -keypass $CLIENT_STORE_PWD -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD +echo +echo "${H2}Import mfg products root CA certificate just to be able to sign certificate ...${RESET}" +keytool -importcert -alias mfgProductsRootCA -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD -noprompt -file mfgProductsRootCA.der +echo +echo "${H2}Import mfg devices CA certificate just to be able to sign certificate ...${RESET}" +keytool -importcert -alias mfgDevicesCA -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD -noprompt -file mfgDevicesCA.der +echo +echo "${H2}Creating mfg client certificate signed by root CA with expected CN...${RESET}" +keytool -certreq -alias mfgClient -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD | \ + keytool -gencert -alias mfgDevicesCA -keystore $MANUFACTURER_CA_STORE -storepass 
$MANUFACTURER_CA_STORE_PWD \ + -validity $VALIDITY \ + -ext BasicConstraints=ca:false \ + -ext KeyUsage:critical=digitalSignature,keyAgreement \ + -ext ExtendedkeyUsage=clientAuth | \ + keytool -importcert -alias mfgClient -keystore $CLIENT_STORE -storepass $CLIENT_STORE_PWD -noprompt diff --git a/leshan-integration-tests/credentials/manufacturerCaKeyStore.jks b/leshan-integration-tests/credentials/manufacturerCaKeyStore.jks new file mode 100644 index 0000000000000000000000000000000000000000..007b04e4cb7d42034a73dbe65fee8b7c176aa4b4 GIT binary patch
diff --git a/leshan-integration-tests/credentials/serverKeyStore.jks b/leshan-integration-tests/credentials/serverKeyStore.jks index cab5387fff5946c00b09011c638a32c1defc235c..c9095c43b842f9492f0fdd366fca560d1d172673 100644 GIT binary patch
diff --git a/leshan-integration-tests/credentials/unknownCaKeyStore.jks b/leshan-integration-tests/credentials/unknownCaKeyStore.jks new file mode 100644 index 0000000000000000000000000000000000000000..8c5295e4842db6193db60f424a394773ffe5085a GIT binary patch
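
Review bot: In the `@@ -1,12 +1,20 @@` hunk of generate_credentials.sh the script still goes from `#!/bin/bash` straight to the keystore parameters with no `set -e` or `set -o pipefail`, while this patch makes the later sections depend on output of earlier ones (`rootCA.der`, `$TRUSTED_CA_STORE`, `$MANUFACTURER_CA_STORE`). If one `keytool` step fails, the run carries on and leaves partly populated stores that look valid until a test fails on them. Unless error handling is set further down in the file, suggest adding `set -e` and `set -o pipefail` directly under the shebang so that a failed `-certreq` or `-gencert` inside one of the new pipes stops the run.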
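
Review bot: The five `-exportcert ... -file *.der` calls added in the `@@ -17,26 +25,83 @@` hunk write `rootCA.der`, `intermediateCA.der`, `mfgProductsRootCA.der`, `mfgDevicesCA.der` and `untrustedRootCA.der` into the current directory, and nothing visible in the patch removes them; the diffstat does not list them either, so each run leaves untracked files next to the committed keystores. Suggest exporting into a `mktemp -d` directory that is removed at the end of the script, or adding an `rm -f` for the five files after the last import. `untrustedRootCA.der` is exported but no visible line reads it, so that export can probably go. In the same hunk the Manufacturer section prints "Creating the trusted root CA key and certificate..." before generating `mfgProductsRootCA`; the message looks copied from the Trusted CA section and should name the manufacturer products root CA.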
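
Review bot: Missing documentation in the `@@ -44,15 +109,42 @@` hunk: the new `serverInt` entry gets `-ext san=dns:localhost` on `-genkeypair`, `-certreq` and `-gencert`, while the root-signed `server` certificate in the same hunk is still issued with only `CN=localhost` and no SAN. The two server certificates will therefore behave differently under hostname checks that look only at subjectAltName. If that difference is intentional for the tests, a one-line comment above each block saying which identity form it exercises would help; otherwise add the same SAN extension to the `server` request and `-gencert` call.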
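
Review bot: In the `@@ -91,9 +183,33 @@` hunk the last echo says "Creating mfg client certificate signed by root CA with expected CN..." but the command that follows signs with `-gencert -alias mfgDevicesCA`, which the earlier hunk creates as a `pathlen:0` CA under `mfgProductsRootCA`, not as the root. Since this entry exists to test a chain through the manufacturer's Devices CA, the message should say "signed by mfg devices CA" so that the script output matches the chain that ends up in `$CLIENT_STORE`. The two "Import mfg ... CA certificate just to be able to sign certificate" messages could also state that these imports are what let `-importcert -alias mfgClient` build the chain.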