author | Jannis Voelker <jannis.voelker@basyskom.com> | 2023-07-27 11:08:55 +0200 |
---|---|---|
committer | Jannis Völker <jannis.voelker@basyskom.com> | 2023-07-28 08:49:56 +0000 |
commit | 68587faea26a9cd3d1f7f7b0d23813015bd81c8f (patch) | |
tree | 36c700eae515848fc0ad2a7e7df136a9079fbe0d /examples | |
parent | 8523c81fbd818ad99e64b975e288ccfe28d0656f (diff) |
Fix and improve X.509 key usage and extended key usage
- Fix extended key usage with OpenSSL 3.0
- Client certificates need extended key usage clientAuth
- Add new certificate to the OPC UA viewer example
Change-Id: Ib0664bc4fc1edb4e5d3b6f78e1cdfc9e9655ac7c
Pick-to: 6.5
Pick-to: 6.6
Reviewed-by: Frank Meerkoetter <frank.meerkoetter@basyskom.com>
Diffstat (limited to 'examples')
-rw-r--r-- | examples/opcua/opcuaviewer/pki/own/certs/opcuaviewer.der | bin | 1148 -> 1172 bytes | |||
-rw-r--r-- | examples/opcua/opcuaviewer/pki/own/private/opcuaviewer.pem | 52 | ||||
-rw-r--r-- | examples/opcua/x509/main.cpp | 10 |
3 files changed, 35 insertions, 27 deletions
diff --git a/examples/opcua/opcuaviewer/pki/own/certs/opcuaviewer.der b/examples/opcua/opcuaviewer/pki/own/certs/opcuaviewer.der
Binary files differ
index 38d41ba..6bd1572 100644
--- a/examples/opcua/opcuaviewer/pki/own/certs/opcuaviewer.der
+++ b/examples/opcua/opcuaviewer/pki/own/certs/opcuaviewer.der
diff --git a/examples/opcua/opcuaviewer/pki/own/private/opcuaviewer.pem b/examples/opcua/opcuaviewer/pki/own/private/opcuaviewer.pem
index 398bdf6..084de11 100644
--- a/examples/opcua/opcuaviewer/pki/own/private/opcuaviewer.pem
+++ b/examples/opcua/opcuaviewer/pki/own/private/opcuaviewer.pem
@@ -1,28 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDfGOEbSa0a+vhg
-Adwwk6gtxpluNTbb8qq/DOpiOARtEgJLgnJtxioRph4V+vPbFNaVOFojOh/yk3L6
-LI3MG6vrky0PAYl0lptOYofFWQnQz7zqtM1ZzYYf28GD5C+4gUNj8QVVYIJii3RJ
-ol2rOivwcaj0jjpVQPaRI5dYGaVkHrTFFW5f5s5LM3dKD3uEOEFUcofU9KChPBpp
-nr1zZRn07XGUPBPl+OZGsdylrN+tRKbVjq0uKRlw9cqBQtgREHRgZOHdSEZge2Zr
-6YCkWJddVgEqpHqZiq5orp3+XciiSJfIUQqTVSk0gzeqHxKLAJIMzySFkCexKnc7
-cvDO8yf9AgMBAAECggEBAIs/8jGgGQZAJAt43cEMSOrZjSb23BkJLH43R4yqvkh9
-9yS+dUIDcHq3nwvFKbRTG2TkWY6nVw2H7zor2Q3PL83IfVVidjNpVeLlKS2K18+X
-+qjc1Vf6Kn90ISN7qDWXqUKWS+fwZzGvLZRQXfrkQkzABN8wb0SLWdtZxbtdtpf4
-T4n+y3pyiK0ppfQZd42Fq9fBGGNfnl8A3sWbreVDcNOyZzitlus+aJ6KXeof3N8w
-JQ297lNPMKctzIkptm79/b7YzTT0I1Hk9EwAupVh5ndKsKdHnQPfrlXAwxeRxini
-yVgWs4ltVHGPLG4PeNuz5U4EzSe3nWdTkCrmJ8J+AlkCgYEA/2s9uyt1Evv4uwYu
-wkkS974VNuWC3WnwqcDWErUmH1+m13lzTPvfyLHW3tvzKx+BQB7sbK7b6ewS1yOc
-nE6ecs9gyWohdXpWUXllQsMfm/NG3BCwLEQhPTlMGEdBVlJpJC1nwaudl+8b2PtN
-jAxV+QJDfaYIN/53655rIHf4TM8CgYEA35rQSyW8v6EsRZkH/XCVXTq2e5nk4OBP
-S+uegIGuzPp2yOWli6srWlsMTbPpGVrnAlgj/Cyod/zBFTEgaNbupAzp1eau2yzC
-4EwEAamFaKaeiMhx+EX8uPVQXjx03WFaOxM7a6AHlhWbDPFBtHxO/undQIj2SYxQ
-2D/BaroMqXMCgYAxNyTJ7/G7Grour15LKXFyMzo7PbYdm9A3pWSabjVOTkwDsO86
-oj3YmgvhHViZspRhGpRLzNWrGUX4FnCS3cNCNBteNAkGbfA7+rw8RQTOM+4vcTfB
-D8+n0GaNNw2r6G1B/03Cz6KqJ/ShtqqWlbnrJTiD+X4T7ACHchsKQpOhmQKBgF6C
-XM+mX6TPRpsUF2BzmW4SRtbvMOIrbNi1+gRuy6cvpc0740CpVGWYXhbpl/hzh3hi
-MLOBXKN6XVHLtdsaHTuRibQzEGzq+mM7PeZF9HFLG27M6f759dtnNFTgULTRVQXr
-Fw5iUVKKR0KtJgxXDjyINE/2k8J6YCFGsUWe5YMpAoGBAJ+igv0nkfPYr6khJuDa
-sKs+VNYodRQSrHywtn16GSTLKOimDDfzoUmnsU1RzlVawfDmWurjrxMsq/xLcu2K
-YdhcRPeDn2YugzIQd6SA75RuLwO6duJthw9ppLXzsEiRzVlvtQ2TCwWcnuSZPtV7
-xOLrnCjh6l8tY52zeNMvUXvO
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCpmis8IxNXR7FM
+OndsBssXpHCCHbFf0ifMZOG/EJ+bUqIwNjqqTEK+hw18TZHpSIbSh8Y1EKLL8AIp
+LYqFZ/pkKe68g5LtL5/cS5YdorXBL5Ly0cNNtjJjzi+YsJx6000mNDLXRXiASX+U
+CvMAeddWkosogxkNVG/QQoY+rEr5L2uD8yj1b+noftw+72qYzliuj6OJttvgh3Av
+t5KCD/XoSFV8V8c1MI9BV3PVBRjzUIPS+4iKKcnjoSXqUVke0vB3LzLDPO6kiqze
+Ki9jbEwXZ3HwmCZaB4a0p8FGZ+cpj/9BBsrn2u/RyGetmqLcroUH0sA01UyEJYL6
+EiXNRBzzAgMBAAECggEAGjgasffMMCSFrL6nIpykPfnuaLcVajZPb8IywfpcakMq
+jqB7jkMu2EyBkbNeOL29FgPmaOKzACsQ8nO3Y+tQorZ20U7X4nIH2SMYSGmUhpKH
+uaEi+7sMbDB+XDEFZ9mNpjfQmkYDnHWAUw8kRPERELGj8LXfpBdnF7+JCFxTVNU2
+bZA2mWY309U78DCZkH6MLpZoWrLtpLNEB7gdHB+xZWko6pTglkpHKveddpaBvIyT
++F2VGDuWFYnsDyWnRUZvfiTFTOzzi7uLpyY324bP29+cytnswQZYjYBGny53LOeI
+7QVTuGG8Oc4Pkx1M+FwOYyVP/MCZM4m9RN/3LHwwAQKBgQC3pGT4Y8uMAxpVEiLP
+Jp1FCyEYOkQq4bX6fIPRk9IPBuvqiUixibw288AkFYUnU1s+ET1fBFWgw8UdOT0i
+KV++ojGylI4x+YeeaiEq98bVwRA49Oo9M/Ca+DPWI7ndHZiEW4B9RHYfbsx4Fqrq
+7vg+VL5YhPks0iNgsq/qa/3QAQKBgQDsbZgqlxrAxHRjqcKE2rV2aBNd9vdGcCit
+mvEGoCtki/ehERuDGZzP8IkWaRKASPdLHXAmKrVwkNgQf2jtRGtHclAnIkhKKaOM
+Hg1p5vLVvlfpy4N4jptijIL5lvWwg4p6t+J8iuKei4gWHlL0kSsVKDQGM9GDNXcX
+KHztE5es8wKBgEoob8HCgvLyWdLatQXUARRdjyq6dMagSR1y5MRgHiaFVAVtFNbk
+2QWT3xZzPkcIKUNiMNdK58044UOQ1rgR3yEbXFhSFy3lJzf4gZZZYoj1IrjtZh36
++IGME1q5KJg7GFjynmt3lv/QfW9NMA4ZHFQHYqpaYEkSPskQv2s52tABAoGBAIiW
+0EBax8PyO2OQoaZrTEa53eZ9VWJGTdnuF61CP495JXjSD1jwJR4k0q41ydB/Vw74
+VOBX8Da2F32AfjgFPQ0rx460SZs+7xN2ET3LhSNjMhsJzkyJ5s9KaiiTxCFT/V7k
+eV6GRmJeLiLJJhfQ/ljcvyGOMk5hRwoEBBhbJ1dtAoGAYdoTCywu9HQbcc3asCaO
+M/mcspyqTV2Aw/prM9oUofQrLyumtsgQvCCJg1WG1GzqDMTmdo5qlVN8ICGdWUZs
+5A2SkgR02w1AaTfyqJ8OfZfOUEwf8VGfQZItcBMUcHh18pHXaez6mjekDIbn2BH7
+YaGbIVtCIcmQFWEPzK2rBCg=
 -----END PRIVATE KEY-----
diff --git a/examples/opcua/x509/main.cpp b/examples/opcua/x509/main.cpp
index eb421f4..ff13120 100644
--- a/examples/opcua/x509/main.cpp
+++ b/examples/opcua/x509/main.cpp
@@ -7,6 +7,7 @@
 #include <QOpcUaX509ExtensionSubjectAlternativeName>
 #include <QOpcUaX509ExtensionBasicConstraints>
 #include <QOpcUaX509ExtensionKeyUsage>
+#include <QOpcUaX509ExtensionExtendedKeyUsage>
 #include <QFile>
 int main(int argc, char **argv)
@@ -55,6 +56,8 @@ int main(int argc, char **argv)
 bc->setCritical(true);
 csr.addExtension(bc);
+ // The required values for key usage and extended key usage are defined in OPC UA Part 6, 6.2.2, Table 43
+
 // Set the key usage constraints
 QOpcUaX509ExtensionKeyUsage *ku = new QOpcUaX509ExtensionKeyUsage;
 ku->setCritical(true);
@@ -62,9 +65,14 @@ int main(int argc, char **argv)
 ku->setKeyUsage(QOpcUaX509ExtensionKeyUsage::KeyUsage::NonRepudiation);
 ku->setKeyUsage(QOpcUaX509ExtensionKeyUsage::KeyUsage::KeyEncipherment);
 ku->setKeyUsage(QOpcUaX509ExtensionKeyUsage::KeyUsage::DataEncipherment);
- ku->setKeyUsage(QOpcUaX509ExtensionKeyUsage::KeyUsage::CertificateSigning);
 csr.addExtension(ku);
+ // Set the extended key usage constraints
+ QOpcUaX509ExtensionExtendedKeyUsage *eku = new QOpcUaX509ExtensionExtendedKeyUsage;
+ eku->setCritical(true);
+ eku->setKeyUsage(QOpcUaX509ExtensionExtendedKeyUsage::KeyUsage::TlsWebClientAuthentication);
+ csr.addExtension(eku);
+
 // Now there are two options:
 // 1. When you need to get your certificate signing request signed by a certificate authority
 // you have to use the request data. |
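Review bot: The comment added ahead of the key usage block cites "OPC UA Part 6, 6.2.2, Table 43" without naming the specification edition, and section and table numbers are not guaranteed to stay the same from one edition to the next. Pinning the edition keeps the reference checkable, for example `// Required key usage and extended key usage values: OPC UA Part 6 <SPEC_EDITION placeholder>, 6.2.2, Table 43`. This is a documentation-only suggestion; main() continues outside the hunk.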
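Review bot: The new extended key usage block sets only `TlsWebClientAuthentication` and marks the extension critical, but the source never says this is a client-only choice; that reasoning lives only in the commit message. Someone reusing the example for an application that also serves connections would get a certificate that peers enforcing extended key usage are likely to refuse for the server role, so I would add `// clientAuth only: this example is an OPC UA client; a server certificate needs TlsWebServerAuthentication as well`. The dropped `CertificateSigning` bit also has no why-comment, and if the second option announced in the trailing context self-signs the request (not visible here), it is worth confirming that the verifiers you target accept a self-signed certificate without it. main() begins and ends outside this hunk.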