authorJannis Voelker <jannis.voelker@basyskom.com>2023-07-27 11:08:55 +0200
committerJannis Völker <jannis.voelker@basyskom.com>2023-07-28 08:49:56 +0000
commit68587faea26a9cd3d1f7f7b0d23813015bd81c8f (patch)
tree36c700eae515848fc0ad2a7e7df136a9079fbe0d /examples
parent8523c81fbd818ad99e64b975e288ccfe28d0656f (diff)
Fix and improve X.509 key usage and extended key usage
- Fix extended key usage with OpenSSL 3.0 - Client certificates need extended key usage clientAuth - Add new certificate to the OPC UA viewer example Change-Id: Ib0664bc4fc1edb4e5d3b6f78e1cdfc9e9655ac7c Pick-to: 6.5 Pick-to: 6.6 Reviewed-by: Frank Meerkoetter <frank.meerkoetter@basyskom.com>
Diffstat (limited to 'examples')
-rw-r--r--examples/opcua/opcuaviewer/pki/own/certs/opcuaviewer.derbin1148 -> 1172 bytes
-rw-r--r--examples/opcua/opcuaviewer/pki/own/private/opcuaviewer.pem52
-rw-r--r--examples/opcua/x509/main.cpp10
3 files changed, 35 insertions, 27 deletions
diff --git a/examples/opcua/opcuaviewer/pki/own/certs/opcuaviewer.der b/examples/opcua/opcuaviewer/pki/own/certs/opcuaviewer.der
index 38d41ba..6bd1572 100644
--- a/examples/opcua/opcuaviewer/pki/own/certs/opcuaviewer.der
+++ b/examples/opcua/opcuaviewer/pki/own/certs/opcuaviewer.der
Binary files differ
diff --git a/examples/opcua/opcuaviewer/pki/own/private/opcuaviewer.pem b/examples/opcua/opcuaviewer/pki/own/private/opcuaviewer.pem
index 398bdf6..084de11 100644
--- a/examples/opcua/opcuaviewer/pki/own/private/opcuaviewer.pem
+++ b/examples/opcua/opcuaviewer/pki/own/private/opcuaviewer.pem
@@ -1,28 +1,28 @@
-----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDfGOEbSa0a+vhg
-Adwwk6gtxpluNTbb8qq/DOpiOARtEgJLgnJtxioRph4V+vPbFNaVOFojOh/yk3L6
-LI3MG6vrky0PAYl0lptOYofFWQnQz7zqtM1ZzYYf28GD5C+4gUNj8QVVYIJii3RJ
-ol2rOivwcaj0jjpVQPaRI5dYGaVkHrTFFW5f5s5LM3dKD3uEOEFUcofU9KChPBpp
-nr1zZRn07XGUPBPl+OZGsdylrN+tRKbVjq0uKRlw9cqBQtgREHRgZOHdSEZge2Zr
-6YCkWJddVgEqpHqZiq5orp3+XciiSJfIUQqTVSk0gzeqHxKLAJIMzySFkCexKnc7
-cvDO8yf9AgMBAAECggEBAIs/8jGgGQZAJAt43cEMSOrZjSb23BkJLH43R4yqvkh9
-9yS+dUIDcHq3nwvFKbRTG2TkWY6nVw2H7zor2Q3PL83IfVVidjNpVeLlKS2K18+X
-+qjc1Vf6Kn90ISN7qDWXqUKWS+fwZzGvLZRQXfrkQkzABN8wb0SLWdtZxbtdtpf4
-T4n+y3pyiK0ppfQZd42Fq9fBGGNfnl8A3sWbreVDcNOyZzitlus+aJ6KXeof3N8w
-JQ297lNPMKctzIkptm79/b7YzTT0I1Hk9EwAupVh5ndKsKdHnQPfrlXAwxeRxini
-yVgWs4ltVHGPLG4PeNuz5U4EzSe3nWdTkCrmJ8J+AlkCgYEA/2s9uyt1Evv4uwYu
-wkkS974VNuWC3WnwqcDWErUmH1+m13lzTPvfyLHW3tvzKx+BQB7sbK7b6ewS1yOc
-nE6ecs9gyWohdXpWUXllQsMfm/NG3BCwLEQhPTlMGEdBVlJpJC1nwaudl+8b2PtN
-jAxV+QJDfaYIN/53655rIHf4TM8CgYEA35rQSyW8v6EsRZkH/XCVXTq2e5nk4OBP
-S+uegIGuzPp2yOWli6srWlsMTbPpGVrnAlgj/Cyod/zBFTEgaNbupAzp1eau2yzC
-4EwEAamFaKaeiMhx+EX8uPVQXjx03WFaOxM7a6AHlhWbDPFBtHxO/undQIj2SYxQ
-2D/BaroMqXMCgYAxNyTJ7/G7Grour15LKXFyMzo7PbYdm9A3pWSabjVOTkwDsO86
-oj3YmgvhHViZspRhGpRLzNWrGUX4FnCS3cNCNBteNAkGbfA7+rw8RQTOM+4vcTfB
-D8+n0GaNNw2r6G1B/03Cz6KqJ/ShtqqWlbnrJTiD+X4T7ACHchsKQpOhmQKBgF6C
-XM+mX6TPRpsUF2BzmW4SRtbvMOIrbNi1+gRuy6cvpc0740CpVGWYXhbpl/hzh3hi
-MLOBXKN6XVHLtdsaHTuRibQzEGzq+mM7PeZF9HFLG27M6f759dtnNFTgULTRVQXr
-Fw5iUVKKR0KtJgxXDjyINE/2k8J6YCFGsUWe5YMpAoGBAJ+igv0nkfPYr6khJuDa
-sKs+VNYodRQSrHywtn16GSTLKOimDDfzoUmnsU1RzlVawfDmWurjrxMsq/xLcu2K
-YdhcRPeDn2YugzIQd6SA75RuLwO6duJthw9ppLXzsEiRzVlvtQ2TCwWcnuSZPtV7
-xOLrnCjh6l8tY52zeNMvUXvO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-----END PRIVATE KEY-----
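Review bot: The viewer's private key is committed in clear text next to its certificate, so anyone with the repository can present this application instance identity, and nothing visible in this commit marks the pair as demo-only. A short notice in the example's documentation or the pki directory would keep it from being reused, for instance `Example key pair only: generate your own before connecting to a real server, and never add opcuaviewer.der to a production trust list`. The replacement key lines are not visible in this view of the hunk, so this rests on the file path and the removed lines alone.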
diff --git a/examples/opcua/x509/main.cpp b/examples/opcua/x509/main.cpp
index eb421f4..ff13120 100644
--- a/examples/opcua/x509/main.cpp
+++ b/examples/opcua/x509/main.cpp
@@ -7,6 +7,7 @@
#include <QOpcUaX509ExtensionSubjectAlternativeName>
#include <QOpcUaX509ExtensionBasicConstraints>
#include <QOpcUaX509ExtensionKeyUsage>
+#include <QOpcUaX509ExtensionExtendedKeyUsage>
#include <QFile>
int main(int argc, char **argv)
@@ -55,6 +56,8 @@ int main(int argc, char **argv)
bc->setCritical(true);
csr.addExtension(bc);
+ // The required values for key usage and extended key usage are defined in OPC UA Part 6, 6.2.2, Table 43
+
// Set the key usage constraints
QOpcUaX509ExtensionKeyUsage *ku = new QOpcUaX509ExtensionKeyUsage;
ku->setCritical(true);
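Review bot: The added comment cites "Part 6, 6.2.2, Table 43" without naming the specification release, and table numbers can shift between releases, so the reference may stop resolving. I would write `// Key usage and extended key usage values follow OPC UA Part 6 (release <spec version>), 6.2.2, Table 43`. The comment also sits only above the key usage block, separated by a blank line, so its link to the extended key usage block added further down is easy to miss; repeating the reference there would help. main() starts and ends outside this hunk.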
@@ -62,9 +65,14 @@ int main(int argc, char **argv)
ku->setKeyUsage(QOpcUaX509ExtensionKeyUsage::KeyUsage::NonRepudiation);
ku->setKeyUsage(QOpcUaX509ExtensionKeyUsage::KeyUsage::KeyEncipherment);
ku->setKeyUsage(QOpcUaX509ExtensionKeyUsage::KeyUsage::DataEncipherment);
- ku->setKeyUsage(QOpcUaX509ExtensionKeyUsage::KeyUsage::CertificateSigning);
csr.addExtension(ku);
+ // Set the extended key usage constraints
+ QOpcUaX509ExtensionExtendedKeyUsage *eku = new QOpcUaX509ExtensionExtendedKeyUsage;
+ eku->setCritical(true);
+ eku->setKeyUsage(QOpcUaX509ExtensionExtendedKeyUsage::KeyUsage::TlsWebClientAuthentication);
+ csr.addExtension(eku);
+
// Now there are two options:
// 1. When you need to get your certificate signing request signed by a certificate authority
// you have to use the request data.
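Review bot: The new extended key usage block hard-codes `TlsWebClientAuthentication` without saying that this value is right only for a client application, so a reader who copies the example for a server gets a certificate that peers enforcing extended key usage will likely reject. I would extend the comment to `// Set the extended key usage constraints. clientAuth is for OPC UA clients; a server certificate needs TlsWebServerAuthentication instead.` The same hunk drops `CertificateSigning` while the text below still offers a second option. If that option is self-signing, whether strict validators accept such a certificate without keyCertSign is not visible here and deserves a comment or a test. main() continues outside the hunk.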