diff options
Diffstat (limited to 'libs/openssl-3.6.0-beta1/ssl')
| -rw-r--r-- | libs/openssl-3.6.0-beta1/ssl/ct_log_list.cnf | 9 | ||||
| -rw-r--r-- | libs/openssl-3.6.0-beta1/ssl/ct_log_list.cnf.dist | 9 | ||||
| -rw-r--r-- | libs/openssl-3.6.0-beta1/ssl/misc/CA.pl | 383 | ||||
| -rw-r--r-- | libs/openssl-3.6.0-beta1/ssl/misc/tsget.pl | 200 | ||||
| -rw-r--r-- | libs/openssl-3.6.0-beta1/ssl/openssl.cnf | 390 | ||||
| -rw-r--r-- | libs/openssl-3.6.0-beta1/ssl/openssl.cnf.dist | 390 |
6 files changed, 0 insertions, 1381 deletions
diff --git a/libs/openssl-3.6.0-beta1/ssl/ct_log_list.cnf b/libs/openssl-3.6.0-beta1/ssl/ct_log_list.cnf deleted file mode 100644 index e643cfd..0000000 --- a/libs/openssl-3.6.0-beta1/ssl/ct_log_list.cnf +++ /dev/null @@ -1,9 +0,0 @@ -# This file specifies the Certificate Transparency logs -# that are to be trusted. - -# Google's list of logs can be found here: -# www.certificate-transparency.org/known-logs -# A Python program to convert the log list to OpenSSL's format can be -# found here: -# https://github.com/google/certificate-transparency/blob/master/python/utilities/log_list/print_log_list.py -# Use the "--openssl_output" flag. diff --git a/libs/openssl-3.6.0-beta1/ssl/ct_log_list.cnf.dist b/libs/openssl-3.6.0-beta1/ssl/ct_log_list.cnf.dist deleted file mode 100644 index e643cfd..0000000 --- a/libs/openssl-3.6.0-beta1/ssl/ct_log_list.cnf.dist +++ /dev/null @@ -1,9 +0,0 @@ -# This file specifies the Certificate Transparency logs -# that are to be trusted. - -# Google's list of logs can be found here: -# www.certificate-transparency.org/known-logs -# A Python program to convert the log list to OpenSSL's format can be -# found here: -# https://github.com/google/certificate-transparency/blob/master/python/utilities/log_list/print_log_list.py -# Use the "--openssl_output" flag. diff --git a/libs/openssl-3.6.0-beta1/ssl/misc/CA.pl b/libs/openssl-3.6.0-beta1/ssl/misc/CA.pl deleted file mode 100644 index 941ac02..0000000 --- a/libs/openssl-3.6.0-beta1/ssl/misc/CA.pl +++ /dev/null @@ -1,383 +0,0 @@ -#!/usr/bin/env perl -# Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved. -# -# Licensed under the Apache License 2.0 (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - -# -# Wrapper around the ca to make it easier to use -# -# WARNING: do not edit! -# Generated by makefile from ..\apps\CA.pl.in - -use strict; -use warnings; - -my $verbose = 1; -my @OPENSSL_CMDS = ("req", "ca", "pkcs12", "x509", "verify"); - -my $openssl = $ENV{'OPENSSL'} // "openssl"; -$ENV{'OPENSSL'} = $openssl; -my @openssl = split_val($openssl); - -my $OPENSSL_CONFIG = $ENV{"OPENSSL_CONFIG"} // ""; -my @OPENSSL_CONFIG = split_val($OPENSSL_CONFIG); - -# Command invocations. -my @REQ = (@openssl, "req", @OPENSSL_CONFIG); -my @CA = (@openssl, "ca", @OPENSSL_CONFIG); -my @VERIFY = (@openssl, "verify"); -my @X509 = (@openssl, "x509"); -my @PKCS12 = (@openssl, "pkcs12"); - -# Default values for various configuration settings. -my $CATOP = "./demoCA"; -my $CAKEY = "cakey.pem"; -my $CAREQ = "careq.pem"; -my $CACERT = "cacert.pem"; -my $CACRL = "crl.pem"; -my @DAYS = qw(-days 365); -my @CADAYS = qw(-days 1095); # 3 years -my @EXTENSIONS = qw(-extensions v3_ca); -my @POLICY = qw(-policy policy_anything); -my $NEWKEY = "newkey.pem"; -my $NEWREQ = "newreq.pem"; -my $NEWCERT = "newcert.pem"; -my $NEWP12 = "newcert.p12"; - -# Commandline parsing -my %EXTRA; -my $WHAT = shift @ARGV // ""; -@ARGV = parse_extra(@ARGV); -my $RET = 0; - -sub split_val { - return split_val_win32(@_) if ($^O eq 'MSWin32'); - my ($val) = @_; - my (@ret, @frag); - - # Skip leading whitespace - $val =~ m{\A[ \t]*}ogc; - - # Unix shell-compatible split - # - # Handles backslash escapes outside quotes and - # in double-quoted strings. Parameter and - # command-substitution is silently ignored. - # Bare newlines outside quotes and (trailing) backslashes are disallowed. - - while (1) { - last if (pos($val) == length($val)); - - # The first char is never a SPACE or TAB. Possible matches are: - # 1. Ordinary string fragment - # 2. Single-quoted string - # 3. Double-quoted string - # 4. Backslash escape - # 5. Bare backlash or newline (rejected) - # - if ($val =~ m{\G([^'" \t\n\\]+)}ogc) { - # Ordinary string - push @frag, $1; - } elsif ($val =~ m{\G'([^']*)'}ogc) { - # Single-quoted string - push @frag, $1; - } elsif ($val =~ m{\G"}ogc) { - # Double-quoted string - push @frag, ""; - while (1) { - last if ($val =~ m{\G"}ogc); - if ($val =~ m{\G([^"\\]+)}ogcs) { - # literals - push @frag, $1; - } elsif ($val =~ m{\G.(["\`\$\\])}ogc) { - # backslash-escaped special - push @frag, $1; - } elsif ($val =~ m{\G.(.)}ogcs) { - # backslashed non-special - push @frag, "\\$1" unless $1 eq "\n"; - } else { - die sprintf("Malformed quoted string: %s\n", $val); - } - } - } elsif ($val =~ m{\G\\(.)}ogc) { - # Backslash is unconditional escape outside quoted strings - push @frag, $1 unless $1 eq "\n"; - } else { - die sprintf("Bare backslash or newline in: '%s'\n", $val); - } - # Done if at SPACE, TAB or end, otherwise continue current fragment - # - next unless ($val =~ m{\G(?:[ \t]+|\z)}ogcs); - push @ret, join("", splice(@frag)) if (@frag > 0); - } - # Handle final fragment - push @ret, join("", splice(@frag)) if (@frag > 0); - return @ret; -} - -sub split_val_win32 { - my ($val) = @_; - my (@ret, @frag); - - # Skip leading whitespace - $val =~ m{\A[ \t]*}ogc; - - # Windows-compatible split - # See: "Parsing C++ command-line arguments" in: - # https://learn.microsoft.com/en-us/cpp/cpp/main-function-command-line-args?view=msvc-170 - # - # Backslashes are special only when followed by a double-quote - # Pairs of double-quotes make a single double-quote. - # Closing double-quotes may be omitted. - - while (1) { - last if (pos($val) == length($val)); - - # The first char is never a SPACE or TAB. - # 1. Ordinary string fragment - # 2. Double-quoted string - # 3. Backslashes preceding a double-quote - # 4. Literal backslashes - # 5. Bare newline (rejected) - # - if ($val =~ m{\G([^" \t\n\\]+)}ogc) { - # Ordinary string - push @frag, $1; - } elsif ($val =~ m{\G"}ogc) { - # Double-quoted string - push @frag, ""; - while (1) { - if ($val =~ m{\G("+)}ogc) { - # Two double-quotes make one literal double-quote - my $l = length($1); - push @frag, q{"} x int($l/2) if ($l > 1); - next if ($l % 2 == 0); - last; - } - if ($val =~ m{\G([^"\\]+)}ogc) { - push @frag, $1; - } elsif ($val =~ m{\G((?>[\\]+))(?=")}ogc) { - # Backslashes before a double-quote are escapes - my $l = length($1); - push @frag, q{\\} x int($l / 2); - if ($l % 2 == 1) { - ++pos($val); - push @frag, q{"}; - } - } elsif ($val =~ m{\G((?:(?>[\\]+)[^"\\]+)+)}ogc) { - # Backslashes not before a double-quote are not special - push @frag, $1; - } else { - # Tolerate missing closing double-quote - last; - } - } - } elsif ($val =~ m{\G((?>[\\]+))(?=")}ogc) { - my $l = length($1); - push @frag, q{\\} x int($l / 2); - if ($l % 2 == 1) { - ++pos($val); - push @frag, q{"}; - } - } elsif ($val =~ m{\G([\\]+)}ogc) { - # Backslashes not before a double-quote are not special - push @frag, $1; - } else { - die sprintf("Bare newline in: '%s'\n", $val); - } - # Done if at SPACE, TAB or end, otherwise continue current fragment - # - next unless ($val =~ m{\G(?:[ \t]+|\z)}ogcs); - push @ret, join("", splice(@frag)) if (@frag > 0); - } - # Handle final fragment - push @ret, join("", splice(@frag)) if (@frag); - return @ret; -} - -# Split out "-extra-CMD value", and return new |@ARGV|. Fill in -# |EXTRA{CMD}| with list of values. -sub parse_extra -{ - my @args; - foreach ( @OPENSSL_CMDS ) { - $EXTRA{$_} = []; - } - while (@_) { - my $arg = shift(@_); - if ( $arg !~ m{^-extra-(\w+)$} ) { - push @args, split_val($arg); - next; - } - $arg = $1; - die "Unknown \"-extra-${arg}\" option, exiting\n" - unless grep { $arg eq $_ } @OPENSSL_CMDS; - die "Missing \"-extra-${arg}\" option value, exiting\n" - unless (@_ > 0); - push @{$EXTRA{$arg}}, split_val(shift(@_)); - } - return @args; -} - - -# See if reason for a CRL entry is valid; exit if not. -sub crl_reason_ok -{ - my $r = shift; - - if ($r eq 'unspecified' || $r eq 'keyCompromise' - || $r eq 'CACompromise' || $r eq 'affiliationChanged' - || $r eq 'superseded' || $r eq 'cessationOfOperation' - || $r eq 'certificateHold' || $r eq 'removeFromCRL') { - return 1; - } - print STDERR "Invalid CRL reason; must be one of:\n"; - print STDERR " unspecified, keyCompromise, CACompromise,\n"; - print STDERR " affiliationChanged, superseded, cessationOfOperation\n"; - print STDERR " certificateHold, removeFromCRL"; - exit 1; -} - -# Copy a PEM-format file; return like exit status (zero means ok) -sub copy_pemfile -{ - my ($infile, $outfile, $bound) = @_; - my $found = 0; - - open IN, $infile || die "Cannot open $infile, $!"; - open OUT, ">$outfile" || die "Cannot write to $outfile, $!"; - while (<IN>) { - $found = 1 if /^-----BEGIN.*$bound/; - print OUT $_ if $found; - $found = 2, last if /^-----END.*$bound/; - } - close IN; - close OUT; - return $found == 2 ? 0 : 1; -} - -# Wrapper around system; useful for debugging. Returns just the exit status -sub run -{ - my ($cmd, @args) = @_; - print "====\n$cmd @args\n" if $verbose; - my $status = system {$cmd} $cmd, @args; - print "==> $status\n====\n" if $verbose; - return $status >> 8; -} - - -if ( $WHAT =~ /^(-\?|-h|-help)$/ ) { - print STDERR <<EOF; -Usage: - CA.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd parameter] - CA.pl -pkcs12 [certname] - CA.pl -verify certfile ... - CA.pl -revoke certfile [reason] -EOF - exit 0; -} - -if ($WHAT eq '-newcert' ) { - # create a certificate - $RET = run(@REQ, qw(-new -x509 -keyout), $NEWKEY, "-out", $NEWCERT, @DAYS, @{$EXTRA{req}}); - print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0; -} elsif ($WHAT eq '-precert' ) { - # create a pre-certificate - $RET = run(@REQ, qw(-x509 -precert -keyout), $NEWKEY, "-out", $NEWCERT, @DAYS, @{$EXTRA{req}}); - print "Pre-cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0; -} elsif ($WHAT =~ /^\-newreq(\-nodes)?$/ ) { - # create a certificate request - $RET = run(@REQ, "-new", (defined $1 ? ($1,) : ()), "-keyout", $NEWKEY, "-out", $NEWREQ, @{$EXTRA{req}}); - print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0; -} elsif ($WHAT eq '-newca' ) { - # create the directory hierarchy - my @dirs = ( "${CATOP}", "${CATOP}/certs", "${CATOP}/crl", - "${CATOP}/newcerts", "${CATOP}/private" ); - die "${CATOP}/index.txt exists.\nRemove old sub-tree to proceed," - if -f "${CATOP}/index.txt"; - die "${CATOP}/serial exists.\nRemove old sub-tree to proceed," - if -f "${CATOP}/serial"; - foreach my $d ( @dirs ) { - if ( -d $d ) { - warn "Directory $d exists" if -d $d; - } else { - mkdir $d or die "Can't mkdir $d, $!"; - } - } - - open OUT, ">${CATOP}/index.txt"; - close OUT; - open OUT, ">${CATOP}/crlnumber"; - print OUT "01\n"; - close OUT; - # ask user for existing CA certificate - print "CA certificate filename (or enter to create)\n"; - my $FILE; - $FILE = "" unless defined($FILE = <STDIN>); - $FILE =~ s{\R$}{}; - if ($FILE ne "") { - copy_pemfile($FILE,"${CATOP}/private/$CAKEY", "PRIVATE"); - copy_pemfile($FILE,"${CATOP}/$CACERT", "CERTIFICATE"); - } else { - print "Making CA certificate ...\n"; - $RET = run(@REQ, qw(-new -keyout), "${CATOP}/private/$CAKEY", - "-out", "${CATOP}/$CAREQ", @{$EXTRA{req}}); - $RET = run(@CA, qw(-create_serial -out), "${CATOP}/$CACERT", @CADAYS, - qw(-batch -keyfile), "${CATOP}/private/$CAKEY", "-selfsign", - @EXTENSIONS, "-infiles", "${CATOP}/$CAREQ", @{$EXTRA{ca}}) - if $RET == 0; - print "CA certificate is in ${CATOP}/$CACERT\n" if $RET == 0; - } -} elsif ($WHAT eq '-pkcs12' ) { - my $cname = $ARGV[0]; - $cname = "My Certificate" unless defined $cname; - $RET = run(@PKCS12, "-in", $NEWCERT, "-inkey", $NEWKEY, - "-certfile", "${CATOP}/$CACERT", "-out", $NEWP12, - qw(-export -name), $cname, @{$EXTRA{pkcs12}}); - print "PKCS#12 file is in $NEWP12\n" if $RET == 0; -} elsif ($WHAT eq '-xsign' ) { - $RET = run(@CA, @POLICY, "-infiles", $NEWREQ, @{$EXTRA{ca}}); -} elsif ($WHAT eq '-sign' ) { - $RET = run(@CA, @POLICY, "-out", $NEWCERT, - "-infiles", $NEWREQ, @{$EXTRA{ca}}); - print "Signed certificate is in $NEWCERT\n" if $RET == 0; -} elsif ($WHAT eq '-signCA' ) { - $RET = run(@CA, @POLICY, "-out", $NEWCERT, @EXTENSIONS, - "-infiles", $NEWREQ, @{$EXTRA{ca}}); - print "Signed CA certificate is in $NEWCERT\n" if $RET == 0; -} elsif ($WHAT eq '-signcert' ) { - $RET = run(@X509, qw(-x509toreq -in), $NEWREQ, "-signkey", $NEWREQ, - qw(-out tmp.pem), @{$EXTRA{x509}}); - $RET = run(@CA, @POLICY, "-out", $NEWCERT, - qw(-infiles tmp.pem), @{$EXTRA{ca}}) if $RET == 0; - print "Signed certificate is in $NEWCERT\n" if $RET == 0; -} elsif ($WHAT eq '-verify' ) { - my @files = @ARGV ? @ARGV : ( $NEWCERT ); - foreach my $file (@files) { - my $status = run(@VERIFY, "-CAfile", "${CATOP}/$CACERT", $file, @{$EXTRA{verify}}); - $RET = $status if $status != 0; - } -} elsif ($WHAT eq '-crl' ) { - $RET = run(@CA, qw(-gencrl -out), "${CATOP}/crl/$CACRL", @{$EXTRA{ca}}); - print "Generated CRL is in ${CATOP}/crl/$CACRL\n" if $RET == 0; -} elsif ($WHAT eq '-revoke' ) { - my $cname = $ARGV[0]; - if (!defined $cname) { - print "Certificate filename is required; reason optional.\n"; - exit 1; - } - my @reason; - @reason = ("-crl_reason", $ARGV[1]) - if defined $ARGV[1] && crl_reason_ok($ARGV[1]); - $RET = run(@CA, "-revoke", $cname, @reason, @{$EXTRA{ca}}); -} else { - print STDERR "Unknown arg \"$WHAT\"\n"; - print STDERR "Use -help for help.\n"; - exit 1; -} - -exit $RET; diff --git a/libs/openssl-3.6.0-beta1/ssl/misc/tsget.pl b/libs/openssl-3.6.0-beta1/ssl/misc/tsget.pl deleted file mode 100644 index c55b18e..0000000 --- a/libs/openssl-3.6.0-beta1/ssl/misc/tsget.pl +++ /dev/null @@ -1,200 +0,0 @@ -#!/usr/bin/env perl -# Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. -# Copyright (c) 2002 The OpenTSA Project. All rights reserved. -# -# Licensed under the Apache License 2.0 (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - -use strict; -use IO::Handle; -use Getopt::Std; -use File::Basename; -use WWW::Curl::Easy; - -use vars qw(%options); - -# Callback for reading the body. -sub read_body { - my ($maxlength, $state) = @_; - my $return_data = ""; - my $data_len = length ${$state->{data}}; - if ($state->{bytes} < $data_len) { - $data_len = $data_len - $state->{bytes}; - $data_len = $maxlength if $data_len > $maxlength; - $return_data = substr ${$state->{data}}, $state->{bytes}, $data_len; - $state->{bytes} += $data_len; - } - return $return_data; -} - -# Callback for writing the body into a variable. -sub write_body { - my ($data, $pointer) = @_; - ${$pointer} .= $data; - return length($data); -} - -# Initialise a new Curl object. -sub create_curl { - my $url = shift; - - # Create Curl object. - my $curl = WWW::Curl::Easy::new(); - - # Error-handling related options. - $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d}; - $curl->setopt(CURLOPT_FAILONERROR, 1); - $curl->setopt(CURLOPT_USERAGENT, - "OpenTSA tsget.pl/openssl-3.6.0-beta1"); - - # Options for POST method. - $curl->setopt(CURLOPT_UPLOAD, 1); - $curl->setopt(CURLOPT_CUSTOMREQUEST, "POST"); - $curl->setopt(CURLOPT_HTTPHEADER, - ["Content-Type: application/timestamp-query", - "Accept: application/timestamp-reply,application/timestamp-response"]); - $curl->setopt(CURLOPT_READFUNCTION, \&read_body); - $curl->setopt(CURLOPT_HEADERFUNCTION, sub { return length($_[0]); }); - - # Options for getting the result. - $curl->setopt(CURLOPT_WRITEFUNCTION, \&write_body); - - # SSL related options. - $curl->setopt(CURLOPT_SSLKEYTYPE, "PEM"); - $curl->setopt(CURLOPT_SSL_VERIFYPEER, 1); # Verify server's certificate. - $curl->setopt(CURLOPT_SSL_VERIFYHOST, 2); # Check server's CN. - $curl->setopt(CURLOPT_SSLKEY, $options{k}) if defined($options{k}); - $curl->setopt(CURLOPT_SSLKEYPASSWD, $options{p}) if defined($options{p}); - $curl->setopt(CURLOPT_SSLCERT, $options{c}) if defined($options{c}); - $curl->setopt(CURLOPT_CAINFO, $options{C}) if defined($options{C}); - $curl->setopt(CURLOPT_CAPATH, $options{P}) if defined($options{P}); - $curl->setopt(CURLOPT_RANDOM_FILE, $options{r}) if defined($options{r}); - $curl->setopt(CURLOPT_EGDSOCKET, $options{g}) if defined($options{g}); - - # Setting destination. - $curl->setopt(CURLOPT_URL, $url); - - return $curl; -} - -# Send a request and returns the body back. -sub get_timestamp { - my $curl = shift; - my $body = shift; - my $ts_body; - local $::error_buf; - - # Error-handling related options. - $curl->setopt(CURLOPT_ERRORBUFFER, "::error_buf"); - - # Options for POST method. - $curl->setopt(CURLOPT_INFILE, {data => $body, bytes => 0}); - $curl->setopt(CURLOPT_INFILESIZE, length(${$body})); - - # Options for getting the result. - $curl->setopt(CURLOPT_FILE, \$ts_body); - - # Send the request... - my $error_code = $curl->perform(); - my $error_string; - if ($error_code != 0) { - my $http_code = $curl->getinfo(CURLINFO_HTTP_CODE); - $error_string = "could not get timestamp"; - $error_string .= ", http code: $http_code" unless $http_code == 0; - $error_string .= ", curl code: $error_code"; - $error_string .= " ($::error_buf)" if defined($::error_buf); - } else { - my $ct = $curl->getinfo(CURLINFO_CONTENT_TYPE); - if (lc($ct) ne "application/timestamp-reply" - && lc($ct) ne "application/timestamp-response") { - $error_string = "unexpected content type returned: $ct"; - } - } - return ($ts_body, $error_string); - -} - -# Print usage information and exists. -sub usage { - - print STDERR "usage: $0 -h <server_url> [-e <extension>] [-o <output>] "; - print STDERR "[-v] [-d] [-k <private_key.pem>] [-p <key_password>] "; - print STDERR "[-c <client_cert.pem>] [-C <CA_certs.pem>] [-P <CA_path>] "; - print STDERR "[-r <file:file...>] [-g <EGD_socket>] [<request>]...\n"; - exit 1; -} - -# ---------------------------------------------------------------------- -# Main program -# ---------------------------------------------------------------------- - -# Getting command-line options (default comes from TSGET environment variable). -my $getopt_arg = "h:e:o:vdk:p:c:C:P:r:g:"; -if (exists $ENV{TSGET}) { - my @old_argv = @ARGV; - @ARGV = split /\s+/, $ENV{TSGET}; - getopts($getopt_arg, \%options) or usage; - @ARGV = @old_argv; -} -getopts($getopt_arg, \%options) or usage; - -# Checking argument consistency. -if (!exists($options{h}) || (@ARGV == 0 && !exists($options{o})) - || (@ARGV > 1 && exists($options{o}))) { - print STDERR "Inconsistent command line options.\n"; - usage; -} -# Setting defaults. -@ARGV = ("-") unless @ARGV != 0; -$options{e} = ".tsr" unless defined($options{e}); - -# Processing requests. -my $curl = create_curl $options{h}; -undef $/; # For reading whole files. -REQUEST: foreach (@ARGV) { - my $input = $_; - my ($base, $path) = fileparse($input, '\.[^.]*'); - my $output_base = $base . $options{e}; - my $output = defined($options{o}) ? $options{o} : $path . $output_base; - - STDERR->printflush("$input: ") if $options{v}; - # Read request. - my $body; - if ($input eq "-") { - # Read the request from STDIN; - $body = <STDIN>; - } else { - # Read the request from file. - open INPUT, "<" . $input - or warn("$input: could not open input file: $!\n"), next REQUEST; - $body = <INPUT>; - close INPUT - or warn("$input: could not close input file: $!\n"), next REQUEST; - } - - # Send request. - STDERR->printflush("sending request") if $options{v}; - - my ($ts_body, $error) = get_timestamp $curl, \$body; - if (defined($error)) { - die "$input: fatal error: $error\n"; - } - STDERR->printflush(", reply received") if $options{v}; - - # Write response. - if ($output eq "-") { - # Write to STDOUT. - print $ts_body; - } else { - # Write to file. - open OUTPUT, ">", $output - or warn("$output: could not open output file: $!\n"), next REQUEST; - print OUTPUT $ts_body; - close OUTPUT - or warn("$output: could not close output file: $!\n"), next REQUEST; - } - STDERR->printflush(", $output written.\n") if $options{v}; -} -$curl->cleanup(); diff --git a/libs/openssl-3.6.0-beta1/ssl/openssl.cnf b/libs/openssl-3.6.0-beta1/ssl/openssl.cnf deleted file mode 100644 index abace0e..0000000 --- a/libs/openssl-3.6.0-beta1/ssl/openssl.cnf +++ /dev/null @@ -1,390 +0,0 @@ -# -# OpenSSL example configuration file. -# See doc/man5/config.pod for more info. -# -# This is mostly being used for generation of certificate requests, -# but may be used for auto loading of providers - -# Note that you can include other files from the main configuration -# file using the .include directive. -#.include filename - -# This definition stops the following lines choking if HOME isn't -# defined. -HOME = . - -# Use this in order to automatically load providers. -openssl_conf = openssl_init - -# Comment out the next line to ignore configuration errors -config_diagnostics = 1 - -# Extra OBJECT IDENTIFIER info: -# oid_file = $ENV::HOME/.oid -oid_section = new_oids - -# To use this configuration file with the "-extfile" option of the -# "openssl x509" utility, name here the section containing the -# X.509v3 extensions to use: -# extensions = -# (Alternatively, use a configuration file that has only -# X.509v3 extensions in its main [= default] section.) - -[ new_oids ] -# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. -# Add a simple OID like this: -# testoid1=1.2.3.4 -# Or use config file substitution like this: -# testoid2=${testoid1}.5.6 - -# Policies used by the TSA examples. -tsa_policy1 = 1.2.3.4.1 -tsa_policy2 = 1.2.3.4.5.6 -tsa_policy3 = 1.2.3.4.5.7 - -# For FIPS -# Optionally include a file that is generated by the OpenSSL fipsinstall -# application. This file contains configuration data required by the OpenSSL -# fips provider. It contains a named section e.g. [fips_sect] which is -# referenced from the [provider_sect] below. -# Refer to the OpenSSL security policy for more information. -# .include fipsmodule.cnf - -[openssl_init] -providers = provider_sect - -# List of providers to load -[provider_sect] -default = default_sect -# The fips section name should match the section name inside the -# included fipsmodule.cnf. -# fips = fips_sect - -# If no providers are activated explicitly, the default one is activated implicitly. -# See man 7 OSSL_PROVIDER-default for more details. -# -# If you add a section explicitly activating any other provider(s), you most -# probably need to explicitly activate the default provider, otherwise it -# becomes unavailable in openssl. As a consequence applications depending on -# OpenSSL may not work correctly which could lead to significant system -# problems including inability to remotely access the system. -[default_sect] -# activate = 1 - - -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section - -#################################################################### -[ CA_default ] - -dir = ./demoCA # Where everything is kept -certs = $dir/certs # Where the issued certs are kept -crl_dir = $dir/crl # Where the issued crl are kept -database = $dir/index.txt # database index file. -#unique_subject = no # Set to 'no' to allow creation of - # several certs with same subject. -new_certs_dir = $dir/newcerts # default place for new certs. - -certificate = $dir/cacert.pem # The CA certificate -serial = $dir/serial # The current serial number -crlnumber = $dir/crlnumber # the current crl number - # must be commented out to leave a V1 CRL -crl = $dir/crl.pem # The current CRL -private_key = $dir/private/cakey.pem # The private key - -x509_extensions = usr_cert # The extensions to add to the cert - -# Comment out the following two lines for the "traditional" -# (and highly broken) format. -name_opt = ca_default # Subject Name options -cert_opt = ca_default # Certificate field options - -# Extension copying option: use with caution. -# copy_extensions = copy - -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crlnumber must also be commented out to leave a V1 CRL. -# crl_extensions = crl_ext - -default_days = 365 # how long to certify for -default_crl_days= 30 # how long before next CRL -default_md = default # use public key default MD -preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_match - -# For the CA policy -[ policy_match ] -countryName = match -stateOrProvinceName = match -organizationName = match -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. -[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -#################################################################### -[ req ] -default_bits = 2048 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extensions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -# input_password = secret -# output_password = secret - -# This sets a mask for permitted string types. There are several options. -# default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString (PKIX recommendation before 2004) -# utf8only: only UTF8Strings (PKIX recommendation after 2004). -# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). -# MASK:XXXX a literal mask value. -# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. -string_mask = utf8only - -# req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = AU -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = Some-State - -localityName = Locality Name (eg, city) - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = Internet Widgits Pty Ltd - -# we can do this but it is not needed normally :-) -#1.organizationName = Second Organization Name (eg, company) -#1.organizationName_default = World Wide Web Pty Ltd - -organizationalUnitName = Organizational Unit Name (eg, section) -#organizationalUnitName_default = - -commonName = Common Name (e.g. server FQDN or YOUR name) -commonName_max = 64 - -emailAddress = Email Address -emailAddress_max = 64 - -# SET-ex3 = SET extension number 3 - -[ req_attributes ] -challengePassword = A challenge password -challengePassword_min = 4 -challengePassword_max = 20 - -unstructuredName = An optional company name - -[ usr_cert ] - -# These extensions are added when 'ca' signs a request. - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -# This is required for TSA certificates. -# extendedKeyUsage = critical,timeStamping - -[ v3_req ] - -# Extensions to add to a certificate request - -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -[ v3_ca ] - - -# Extensions for a typical CA - - -# PKIX recommendation. - -subjectKeyIdentifier=hash - -authorityKeyIdentifier=keyid:always,issuer - -basicConstraints = critical,CA:true - -# Key usage: this is typical for a CA certificate. However since it will -# prevent it being used as an test self-signed certificate it is best -# left out by default. -# keyUsage = cRLSign, keyCertSign - -# Include email address in subject alt name: another PKIX recommendation -# subjectAltName=email:copy -# Copy issuer details -# issuerAltName=issuer:copy - -# DER hex encoding of an extension: beware experts only! -# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF - -[ crl_ext ] - -# CRL extensions. -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always - -[ proxy_cert_ext ] -# These extensions should be added when creating a proxy certificate - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -# This really needs to be in place for it to be a proxy certificate. -proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo - -#################################################################### -[ tsa ] - -default_tsa = tsa_config1 # the default TSA section - -[ tsa_config1 ] - -# These are used by the TSA reply generation only. -dir = ./demoCA # TSA root directory -serial = $dir/tsaserial # The current serial number (mandatory) -crypto_device = builtin # OpenSSL engine to use for signing -signer_cert = $dir/tsacert.pem # The TSA signing certificate - # (optional) -certs = $dir/cacert.pem # Certificate chain to include in reply - # (optional) -signer_key = $dir/private/tsakey.pem # The TSA private key (optional) -signer_digest = sha256 # Signing digest to use. (Optional) -default_policy = tsa_policy1 # Policy if request did not specify it - # (optional) -other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) -digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) -accuracy = secs:1, millisecs:500, microsecs:100 # (optional) -clock_precision_digits = 0 # number of digits after dot. (optional) -ordering = yes # Is ordering defined for timestamps? - # (optional, default: no) -tsa_name = yes # Must the TSA name be included in the reply? - # (optional, default: no) -ess_cert_id_chain = no # Must the ESS cert id chain be included? - # (optional, default: no) -ess_cert_id_alg = sha256 # algorithm to compute certificate - # identifier (optional, default: sha256) - -[insta] # CMP using Insta Demo CA -# Message transfer -server = pki.certificate.fi:8700 -# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080 -# tls_use = 0 -path = pkix/ - -# Server authentication -recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer -ignore_keyusage = 1 # quirk needed to accept Insta CA cert not including digitalsignature -unprotected_errors = 1 # quirk needed to accept negative responses possibly not protected -extracertsout = insta.extracerts.pem - -# Client authentication -ref = 3078 # user identification -secret = pass:insta # can be used for both client and server side - -# Generic message options -cmd = ir # default operation, can be overridden on cmd line with, e.g., kur - -# Certificate enrollment -subject = "/CN=openssl-cmp-test" -newkey = insta.priv.pem -out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature -certout = insta.cert.pem - -[pbm] # Password-based protection for Insta CA -# Server and client authentication -ref = $insta::ref # 3078 -secret = $insta::secret # pass:insta - -[signature] # Signature-based protection for Insta CA -# Server authentication -trusted = $insta::out_trusted # apps/insta.ca.crt - -# Client authentication -secret = # disable PBM -key = $insta::newkey # insta.priv.pem -cert = $insta::certout # insta.cert.pem - -[ir] -cmd = ir - -[cr] -cmd = cr - -[kur] -# Certificate update -cmd = kur -oldcert = $insta::certout # insta.cert.pem - -[rr] -# Certificate revocation -cmd = rr -oldcert = $insta::certout # insta.cert.pem diff --git a/libs/openssl-3.6.0-beta1/ssl/openssl.cnf.dist b/libs/openssl-3.6.0-beta1/ssl/openssl.cnf.dist deleted file mode 100644 index abace0e..0000000 --- a/libs/openssl-3.6.0-beta1/ssl/openssl.cnf.dist +++ /dev/null @@ -1,390 +0,0 @@ -# -# OpenSSL example configuration file. -# See doc/man5/config.pod for more info. -# -# This is mostly being used for generation of certificate requests, -# but may be used for auto loading of providers - -# Note that you can include other files from the main configuration -# file using the .include directive. -#.include filename - -# This definition stops the following lines choking if HOME isn't -# defined. -HOME = . - -# Use this in order to automatically load providers. -openssl_conf = openssl_init - -# Comment out the next line to ignore configuration errors -config_diagnostics = 1 - -# Extra OBJECT IDENTIFIER info: -# oid_file = $ENV::HOME/.oid -oid_section = new_oids - -# To use this configuration file with the "-extfile" option of the -# "openssl x509" utility, name here the section containing the -# X.509v3 extensions to use: -# extensions = -# (Alternatively, use a configuration file that has only -# X.509v3 extensions in its main [= default] section.) - -[ new_oids ] -# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. -# Add a simple OID like this: -# testoid1=1.2.3.4 -# Or use config file substitution like this: -# testoid2=${testoid1}.5.6 - -# Policies used by the TSA examples. -tsa_policy1 = 1.2.3.4.1 -tsa_policy2 = 1.2.3.4.5.6 -tsa_policy3 = 1.2.3.4.5.7 - -# For FIPS -# Optionally include a file that is generated by the OpenSSL fipsinstall -# application. This file contains configuration data required by the OpenSSL -# fips provider. It contains a named section e.g. [fips_sect] which is -# referenced from the [provider_sect] below. -# Refer to the OpenSSL security policy for more information. -# .include fipsmodule.cnf - -[openssl_init] -providers = provider_sect - -# List of providers to load -[provider_sect] -default = default_sect -# The fips section name should match the section name inside the -# included fipsmodule.cnf. -# fips = fips_sect - -# If no providers are activated explicitly, the default one is activated implicitly. -# See man 7 OSSL_PROVIDER-default for more details. -# -# If you add a section explicitly activating any other provider(s), you most -# probably need to explicitly activate the default provider, otherwise it -# becomes unavailable in openssl. As a consequence applications depending on -# OpenSSL may not work correctly which could lead to significant system -# problems including inability to remotely access the system. -[default_sect] -# activate = 1 - - -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section - -#################################################################### -[ CA_default ] - -dir = ./demoCA # Where everything is kept -certs = $dir/certs # Where the issued certs are kept -crl_dir = $dir/crl # Where the issued crl are kept -database = $dir/index.txt # database index file. -#unique_subject = no # Set to 'no' to allow creation of - # several certs with same subject. -new_certs_dir = $dir/newcerts # default place for new certs. - -certificate = $dir/cacert.pem # The CA certificate -serial = $dir/serial # The current serial number -crlnumber = $dir/crlnumber # the current crl number - # must be commented out to leave a V1 CRL -crl = $dir/crl.pem # The current CRL -private_key = $dir/private/cakey.pem # The private key - -x509_extensions = usr_cert # The extensions to add to the cert - -# Comment out the following two lines for the "traditional" -# (and highly broken) format. -name_opt = ca_default # Subject Name options -cert_opt = ca_default # Certificate field options - -# Extension copying option: use with caution. -# copy_extensions = copy - -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crlnumber must also be commented out to leave a V1 CRL. -# crl_extensions = crl_ext - -default_days = 365 # how long to certify for -default_crl_days= 30 # how long before next CRL -default_md = default # use public key default MD -preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_match - -# For the CA policy -[ policy_match ] -countryName = match -stateOrProvinceName = match -organizationName = match -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. -[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -#################################################################### -[ req ] -default_bits = 2048 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extensions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -# input_password = secret -# output_password = secret - -# This sets a mask for permitted string types. There are several options. -# default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString (PKIX recommendation before 2004) -# utf8only: only UTF8Strings (PKIX recommendation after 2004). -# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). -# MASK:XXXX a literal mask value. -# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. -string_mask = utf8only - -# req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = AU -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = Some-State - -localityName = Locality Name (eg, city) - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = Internet Widgits Pty Ltd - -# we can do this but it is not needed normally :-) -#1.organizationName = Second Organization Name (eg, company) -#1.organizationName_default = World Wide Web Pty Ltd - -organizationalUnitName = Organizational Unit Name (eg, section) -#organizationalUnitName_default = - -commonName = Common Name (e.g. server FQDN or YOUR name) -commonName_max = 64 - -emailAddress = Email Address -emailAddress_max = 64 - -# SET-ex3 = SET extension number 3 - -[ req_attributes ] -challengePassword = A challenge password -challengePassword_min = 4 -challengePassword_max = 20 - -unstructuredName = An optional company name - -[ usr_cert ] - -# These extensions are added when 'ca' signs a request. - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -# This is required for TSA certificates. -# extendedKeyUsage = critical,timeStamping - -[ v3_req ] - -# Extensions to add to a certificate request - -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -[ v3_ca ] - - -# Extensions for a typical CA - - -# PKIX recommendation. - -subjectKeyIdentifier=hash - -authorityKeyIdentifier=keyid:always,issuer - -basicConstraints = critical,CA:true - -# Key usage: this is typical for a CA certificate. However since it will -# prevent it being used as an test self-signed certificate it is best -# left out by default. -# keyUsage = cRLSign, keyCertSign - -# Include email address in subject alt name: another PKIX recommendation -# subjectAltName=email:copy -# Copy issuer details -# issuerAltName=issuer:copy - -# DER hex encoding of an extension: beware experts only! -# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF - -[ crl_ext ] - -# CRL extensions. -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always - -[ proxy_cert_ext ] -# These extensions should be added when creating a proxy certificate - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -# This really needs to be in place for it to be a proxy certificate. -proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo - -#################################################################### -[ tsa ] - -default_tsa = tsa_config1 # the default TSA section - -[ tsa_config1 ] - -# These are used by the TSA reply generation only. -dir = ./demoCA # TSA root directory -serial = $dir/tsaserial # The current serial number (mandatory) -crypto_device = builtin # OpenSSL engine to use for signing -signer_cert = $dir/tsacert.pem # The TSA signing certificate - # (optional) -certs = $dir/cacert.pem # Certificate chain to include in reply - # (optional) -signer_key = $dir/private/tsakey.pem # The TSA private key (optional) -signer_digest = sha256 # Signing digest to use. (Optional) -default_policy = tsa_policy1 # Policy if request did not specify it - # (optional) -other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) -digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) -accuracy = secs:1, millisecs:500, microsecs:100 # (optional) -clock_precision_digits = 0 # number of digits after dot. (optional) -ordering = yes # Is ordering defined for timestamps? - # (optional, default: no) -tsa_name = yes # Must the TSA name be included in the reply? - # (optional, default: no) -ess_cert_id_chain = no # Must the ESS cert id chain be included? - # (optional, default: no) -ess_cert_id_alg = sha256 # algorithm to compute certificate - # identifier (optional, default: sha256) - -[insta] # CMP using Insta Demo CA -# Message transfer -server = pki.certificate.fi:8700 -# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080 -# tls_use = 0 -path = pkix/ - -# Server authentication -recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer -ignore_keyusage = 1 # quirk needed to accept Insta CA cert not including digitalsignature -unprotected_errors = 1 # quirk needed to accept negative responses possibly not protected -extracertsout = insta.extracerts.pem - -# Client authentication -ref = 3078 # user identification -secret = pass:insta # can be used for both client and server side - -# Generic message options -cmd = ir # default operation, can be overridden on cmd line with, e.g., kur - -# Certificate enrollment -subject = "/CN=openssl-cmp-test" -newkey = insta.priv.pem -out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature -certout = insta.cert.pem - -[pbm] # Password-based protection for Insta CA -# Server and client authentication -ref = $insta::ref # 3078 -secret = $insta::secret # pass:insta - -[signature] # Signature-based protection for Insta CA -# Server authentication -trusted = $insta::out_trusted # apps/insta.ca.crt - -# Client authentication -secret = # disable PBM -key = $insta::newkey # insta.priv.pem -cert = $insta::certout # insta.cert.pem - -[ir] -cmd = ir - -[cr] -cmd = cr - -[kur] -# Certificate update -cmd = kur -oldcert = $insta::certout # insta.cert.pem - -[rr] -# Certificate revocation -cmd = rr -oldcert = $insta::certout # insta.cert.pem |