Problems of the previous version are solved; TLS Pool rocks again :)

* The Remote I/O problem can occur with access privileges when using SoftHSMv2
* The Certificate Templates did not create the right key usage flags

diff --git a/testdata/tlspool-test-ca-cert.template b/testdata/tlspool-test-ca-cert.template
index 489851e..bfbb743 100644 (file)
--- a/testdata/tlspool-test-ca-cert.template
+++ b/testdata/tlspool-test-ca-cert.template
@@ -96,6 +96,18 @@ ca
 # for microsoft smart card logon
 # key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
 
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites). This is the digitalSignature flag
+# in RFC5280 terminology.
+signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is preferred to use different
+# keys for encryption and signing. This is the keyEncipherment flag
+# in RFC5280 terminology.
+encryption_key
+
+
 ### Other predefined key purpose OIDs
 
 # Whether this certificate will be used for a TLS client

diff --git a/testdata/tlspool-test-client-cert.template b/testdata/tlspool-test-client-cert.template
index 8c8964b..d531474 100644 (file)
--- a/testdata/tlspool-test-client-cert.template
+++ b/testdata/tlspool-test-client-cert.template
@@ -91,7 +91,18 @@ email = "testcli@tlspool.arpa2.lab"
 #crl_dist_points = "http://www.getcrl.crl/getcrl/"
 
 # Whether this is a CA certificate or not
-ca
+# ca
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites). This is the digitalSignature flag
+# in RFC5280 terminology.
+signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is preferred to use different
+# keys for encryption and signing. This is the keyEncipherment flag
+# in RFC5280 terminology.
+encryption_key
 
 # for microsoft smart card logon
 # key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
@@ -114,7 +125,7 @@ signing_key
 encryption_key
 
 # Whether this key will be used to sign other certificates.
-cert_signing_key
+# cert_signing_key
 
 # Whether this key will be used to sign CRLs.
 crl_signing_key

diff --git a/testdata/tlspool-test-server-cert.template b/testdata/tlspool-test-server-cert.template
index 67f7df7..7425487 100644 (file)
--- a/testdata/tlspool-test-server-cert.template
+++ b/testdata/tlspool-test-server-cert.template
@@ -91,7 +91,18 @@ email = "testsrv@tlspool.arpa2.lab"
 #crl_dist_points = "http://www.getcrl.crl/getcrl/"
 
 # Whether this is a CA certificate or not
-ca
+# ca
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites). This is the digitalSignature flag
+# in RFC5280 terminology.
+signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is preferred to use different
+# keys for encryption and signing. This is the keyEncipherment flag
+# in RFC5280 terminology.
+encryption_key
 
 # for microsoft smart card logon
 # key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
@@ -114,7 +125,7 @@ signing_key
 encryption_key
 
 # Whether this key will be used to sign other certificates.
-cert_signing_key
+# cert_signing_key
 
 # Whether this key will be used to sign CRLs.
 crl_signing_key

diff --git a/testdata/tlspool-test-webhost-cert.template b/testdata/tlspool-test-webhost-cert.template
index e3de2c1..2ce2b46 100644 (file)
--- a/testdata/tlspool-test-webhost-cert.template
+++ b/testdata/tlspool-test-webhost-cert.template
@@ -93,7 +93,19 @@ dns_name = "localhost"
 #crl_dist_points = "http://www.getcrl.crl/getcrl/"
 
 # Whether this is a CA certificate or not
-ca
+# ca
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites). This is the digitalSignature flag
+# in RFC5280 terminology.
+signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is preferred to use different
+# keys for encryption and signing. This is the keyEncipherment flag
+# in RFC5280 terminology.
+encryption_key
+
 
 # for microsoft smart card logon
 # key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
@@ -116,7 +128,7 @@ signing_key
 encryption_key
 
 # Whether this key will be used to sign other certificates.
-cert_signing_key
+# cert_signing_key
 
 # Whether this key will be used to sign CRLs.
 crl_signing_key