Add build instructions for CRTs and keys using P-256
diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index 4449691..2732c30 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -15,6 +15,7 @@
FAKETIME ?= faketime
MBEDTLS_CERT_WRITE ?= $(PWD)/../../programs/x509/cert_write
MBEDTLS_CERT_REQ ?= $(PWD)/../../programs/x509/cert_req
+MBEDTLS_GEN_KEY ?= $(PWD)/../../programs/pkey/gen_key
## Build the generated test data. Note that since the final outputs
## are committed to the repository, this target should do nothing on a
@@ -146,6 +147,42 @@
$(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER
all_final += cli-rsa.key.der
+test-ca3.key.pem:
+ $(MBEDTLS_GEN_KEY) type=ec ec_curve=secp256r1 format=pem filename=$@
+test-ca3.key.der: test-ca3.key.pem
+ $(OPENSSL) ec -inform PEM -outform DER -in $< -out $@
+test-ca3.csr: test-ca3.key.der
+ $(MBEDTLS_CERT_REQ) filename=$< output_file=$@ subject_name="CN=Test CA Secp256r1, O=MbedTLS, C=UK" md=SHA256
+test-ca3.crt.pem: test-ca3.csr test-ca3.key.der
+ $(MBEDTLS_CERT_WRITE) request_file=test-ca3.csr selfsign=1 issuer_name="CN=Test CA Secp256r1, O=MbedTLS, C=UK" is_ca=1 md=SHA256 issuer_key=test-ca3.key.der output_file=$@
+test-ca3.crt.der: test-ca3.crt.pem
+ $(OPENSSL) x509 -inform PEM -outform DER -in $< -out $@
+all_final += test-ca3.key.pem test-ca3.key.der test-ca3.csr test-ca3.crt.pem test-ca3.crt.der
+
+cli3.key.pem:
+ $(MBEDTLS_GEN_KEY) type=ec ec_curve=secp256r1 format=pem filename=$@
+cli3.key.der: cli3.key.pem
+ $(OPENSSL) ec -inform PEM -outform DER -in $< -out $@
+cli3.csr: cli3.key.der
+ $(MBEDTLS_CERT_REQ) filename=$< output_file=$@ subject_name="CN=Test CRT2 Secp256r1, O=MbedTLS, C=UK" md=SHA256
+cli3.crt.pem: cli3.csr test-ca3.key.der
+ $(MBEDTLS_CERT_WRITE) request_file=cli3.csr issuer_name="CN=Test CA Secp256r1, O=MbedTLS, C=UK" md=SHA256 issuer_key=test-ca3.key.der output_file=$@
+cli3.crt.der: cli3.crt.pem
+ $(OPENSSL) x509 -inform PEM -outform DER -in $< -out $@
+all_final += cli3.key.pem cli3.key.der cli3.csr cli3.crt.pem cli3.crt.der
+
+server11.key.pem:
+ $(MBEDTLS_GEN_KEY) type=ec ec_curve=secp256r1 format=pem filename=$@
+server11.key.der: server11.key.pem
+ $(OPENSSL) ec -inform PEM -outform DER -in $< -out $@
+server11.csr: server11.key.der
+ $(MBEDTLS_CERT_REQ) filename=$< output_file=$@ subject_name="CN=localhost, O=MbedTLS, C=UK" md=SHA256
+server11.crt.pem: server11.csr test-ca3.key.der
+ $(MBEDTLS_CERT_WRITE) request_file=server11.csr issuer_name="CN=Test CA Secp256r1, O=MbedTLS, C=UK" md=SHA256 issuer_key=test-ca3.key.der output_file=$@
+server11.crt.der: server11.crt.pem
+ $(OPENSSL) x509 -inform PEM -outform DER -in $< -out $@
+all_final += server11.key.pem server11.key.der server11.csr server11.crt.pem server11.crt.der
+
test_ca_int_rsa1 = test-int-ca.crt
server7.csr: server7.key
diff --git a/tests/data_files/Readme-x509.txt b/tests/data_files/Readme-x509.txt
index 6f54ed0..388865b 100644
--- a/tests/data_files/Readme-x509.txt
+++ b/tests/data_files/Readme-x509.txt
@@ -11,6 +11,8 @@
- test-ca2*.crt aka "C=NL, O=PolarSSL, CN=Polarssl Test EC CA"
uses an EC key with NIST P-384 (aka secp384r1)
variants used to test the keyUsage extension
+- test-ca3.crt aka "CN=TestCASecp256r1, O=MbedTLS, C=UK"
+ uses an EC key with NIST P-256 (aka secp256r1)
The files test-ca_cat12 and test-ca_cat21 contain them concatenated both ways.
Two intermediate CAs are signed by them:
@@ -40,6 +42,7 @@
- name or pattern
- issuing CA: 1 -> test-ca.crt
2 -> test-ca2.crt
+ 3 -> test-ca3.crt
I1 -> test-int-ca.crt
I2 -> test-int-ca2.crt
I3 -> test-int-ca3.crt
@@ -57,6 +60,7 @@
- cert_md*.crt, cert_sha*.crt: 1 R: signature hash
- cert_v1_with_ext.crt: 1 R: v1 with extensions (illegal)
- cli2.crt: 2 E: basic
+- cli3.crt: 3 E, secp256r1 curve
- cli-rsa.key, cli-rsa-*.crt: RSA key used for test clients, signed by
the RSA test CA.
- enco-cert-utf8str.pem: see enco-ca-prstr.pem above
@@ -102,6 +106,7 @@
_int3_int-ca2.crt: S10 + I3 + I2
_int3_int-ca2_ca.crt: S10 + I3 + I2 + 1
_int3_spurious_int-ca2.crt: S10 + I3 + I1(spurious) + I2
+ - server11.crt: 3 E, secp256r1 curve
Certificate revocation lists
----------------------------