[ssh_x509] Test certificates from 'make check'

ssh_x509 at roumenpetrov.info
Wed Sep 11 12:56:50 EEST 2019


Hi Everyone,

I'm testing pkix-ssh. After 'make check' I looked at a certificate
produced by the patched OpenSSH. A certificate is shown below. I have
two questions.

First, why was Netscape Cert Type used, and why was SSL Client selected?

Second, why were Key Usage and Extended Key Usage omitted
(https://tools.ietf.org/html/rfc6187#page-7)?

Thanks in advance,

Jeffrey Walton

==========

Find a test certificate:

pkixssh-12.1$ find . -name '*.pem'
./tests/CA/ca-test/newcerts/20040216090600001B.pem
./tests/CA/ca-test/newcerts/200402160906000021.pem
./tests/CA/ca-test/newcerts/200402160906000014.pem
...

And then:

pkixssh-12.1$ cat tests/CA/ca-test/newcerts/20040216090600001B.pem |
openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            20:04:02:16:09:06:00:00:1b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = XX, ST = World, L = Somewhere
cyrillic-\D0\90\D0\91\D0\92-\D0\AF\D0\B0\D0\B1\D0\B2-\D1\8F
greek-\CE\91\CE\92\CE\93-\CE\A9\CE\B1\CE\B2\CE\B3-\CF\89, O = SSH Test
Team cyrillic-\D0\90\D0\91\D0\92-\D0\AF\D0\B0\D0\B1\D0\B2-\D1\8F
greek-\CE\91\CE\92\CE\93-\CE\A9\CE\B1\CE\B2\CE\B3-\CF\89, OU = SSH
Testers cyrillic-\D0\90\D0\91\D0\92-\D0\AF\D0\B0\D0\B1\D0\B2-\D1\8F
greek-\CE\91\CE\92\CE\93-\CE\A9\CE\B1\CE\B2\CE\B3-\CF\89, OU = SSH
Testers cyrillic-\D0\90\D0\91\D0\92-\D0\AF\D0\B0\D0\B1\D0\B2-\D1\8F
greek-\CE\91\CE\92\CE\93-\CE\A9\CE\B1\CE\B2\CE\B3-\CF\89 rsa_sha1
keys, CN = SSH TestCA rsa_sha1 key
        Validity
            Not Before: Sep 10 09:40:36 2019 GMT
            Not After : Nov  9 09:40:36 2019 GMT
        Subject: C = XX, ST = World, O = SSH Test Team
cyrillic-\D0\90\D0\91\D0\92-\D0\AF\D0\B0\D0\B1\D0\B2-\D1\8F
greek-\CE\91\CE\92\CE\93-\CE\A9\CE\B1\CE\B2\CE\B3-\CF\89, OU = SSH
Testers cyrillic-\D0\90\D0\91\D0\92-\D0\AF\D0\B0\D0\B1\D0\B2-\D1\8F
greek-\CE\91\CE\92\CE\93-\CE\A9\CE\B1\CE\B2\CE\B3-\CF\89-2, OU = SSH
Testers cyrillic-\D0\90\D0\91\D0\92-\D0\AF\D0\B0\D0\B1\D0\B2-\D1\8F
greek-\CE\91\CE\92\CE\93-\CE\A9\CE\B1\CE\B2\CE\B3-\CF\89-1, OU = SSH
Testers cyrillic-\D0\90\D0\91\D0\92-\D0\AF\D0\B0\D0\B1\D0\B2-\D1\8F
greek-\CE\91\CE\92\CE\93-\CE\A9\CE\B1\CE\B2\CE\B3-\CF\89-3, CN = SSH
ECDSA(nistp384) test certificate(rsa_sha1-revoked), emailAddress =
email at not.set
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:a1:c2:5d:e1:47:2a:06:15:2e:1b:42:b8:21:fd:
                    6f:d0:8d:4e:c3:bc:f6:20:6e:30:77:a4:c3:8d:11:
                    bf:c5:a8:60:f0:b1:8b:72:5e:a3:28:b4:a6:b7:31:
                    ba:04:f8:42:a6:60:89:6f:01:9c:0f:8e:34:27:dc:
                    a8:65:93:47:d8:ea:2f:cf:fc:b4:b5:9f:45:15:43:
                    39:70:7e:3d:40:f0:74:a4:2f:be:22:88:c3:6c:81:
                    ff:5d:6c:ca:e3:a6:a0
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME
            Netscape Comment:
                OpenSSL Generated Test Client Certificate
            X509v3 Subject Key Identifier:
                F9:2D:FA:4E:44:43:10:77:64:BD:FD:9A:E9:76:6B:7E:58:79:AA:BC
            X509v3 Authority Key Identifier:
                keyid:1C:C6:91:94:25:C2:F1:8C:A9:4B:97:58:F0:89:7E:09:DB:E6:78:DE
                DirName:/C=XX/ST=World
                serial:20:04:02:16:09:06:00:00:01

            Authority Information Access:
                OCSP - URI:http://127.0.0.1:20080
                OCSP - URI:http://127.0.0.1:20081

    Signature Algorithm: sha1WithRSAEncryption
         a0:02:44:5d:f9:a4:92:62:a7:2f:14:be:40:b5:18:99:2a:4e:
         a4:39:d2:44:52:fa:03:3f:c4:46:cd:0f:c1:41:fb:25:07:02:
         01:0e:0d:15:a6:7b:33:ce:00:8e:38:28:15:f0:ac:7b:81:1c:
         04:16:b8:c9:bd:96:2f:b7:8a:b9:77:f5:bf:70:96:27:1e:ce:
         82:80:eb:1f:64:6d:2f:4b:9c:97:eb:e1:0a:f3:f7:de:00:f1:
         a7:cf:0f:12:13:d1:d8:2a:da:fa:52:46:f0:82:94:07:b6:36:
         27:b8:3e:af:2a:32:76:81:d8:e3:53:f0:96:90:4d:50:c5:9e:
         1d:dc
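
An added example, not part of the original post or of pkix-ssh: one way to repeat the check made by eye above across every test certificate, by parsing unwrapped `openssl x509 -text -noout` output and reporting whether Key Usage and Extended Key Usage are present and which Netscape Cert Type values are set. The names `parse_extensions` and `audit` are hypothetical, and `SAMPLE` is constructed from the extension section of the dump above with the key identifiers shortened.

```python
# Constructed sample: extension section of the dump above, key ids shortened.
SAMPLE = """\
    Data:
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME
            X509v3 Subject Key Identifier:
                F9:2D:FA:4E
            X509v3 Authority Key Identifier:
                keyid:1C:C6:91:94

            Authority Information Access:
                OCSP - URI:http://127.0.0.1:20080
    Signature Algorithm: sha1WithRSAEncryption
"""

def parse_extensions(text):
    """Map extension name -> {'critical': bool, 'values': [lines]}."""
    exts, current, base, head = {}, None, None, None
    for line in text.splitlines():
        body = line.strip()
        indent = len(line) - len(line.lstrip())
        if base is None:  # still looking for the block header
            if body == "X509v3 extensions:":
                base = indent
            continue
        if not body:
            continue  # openssl leaves blank lines after some extensions
        if indent <= base:
            break  # dedent: the extensions block is over
        head = indent if head is None else head
        if indent == head:  # extension name, optionally followed by "critical"
            name, _, flag = body.partition(":")
            current = exts.setdefault(
                name, {"critical": flag.strip() == "critical", "values": []})
        else:  # deeper indent: a value line of the current extension
            current["values"].append(body)
    return exts

def audit(text):
    """Report the extensions the post asks about (hypothetical helper)."""
    exts = parse_extensions(text)
    nct = exts.get("Netscape Cert Type", {"values": []})["values"]
    return {"key_usage": "X509v3 Key Usage" in exts,
            "extended_key_usage": "X509v3 Extended Key Usage" in exts,
            "netscape_cert_type": [t.strip() for v in nct for t in v.split(",")]}
```

The parser relies on the indentation openssl prints, so feed it the command output directly rather than text that a mail client has re-wrapped.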


