## Test KeyStore data

This directory contains the same certificate and private key stored in multiple
PKCS#12 KeyStore files, each using a different PKCS#7 encryption scheme for the
private key, for use in `KeyStorePkcs7FormatTest`.

To generate the certificate and private key (1024-bit RSA is used only to keep
the fixtures small; it is not an acceptable key size for anything but test data):

```
openssl req -x509 -nodes -days 36500 -subj "/CN=Test" -newkey rsa:1024 \
    -out certificate.pem -keyout privkey.pem
```

### Tested formats

All KeyStores have the password "password".

#### Openssl version notes

In the following commands `openssl1` refers to version 1.x of the
`openssl` binary and `openssl3` refers to version 3.x.

On many Linux installations the system `openssl` is still 1.x, so you may need
to build openssl3 from source (or install it alongside the system binary).

#### RC2 and 3DES

Very old format, but still the default generated by openssl 1.x.

* PKCS12 MAC: SHA-1
* PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
* Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

(The "Encrypted data" scheme is the PKCS#7 EncryptedData wrapper around the
certificate bag(s), i.e. the outer layer of the KeyStore, and the "Shrouded
Keybag" scheme is the PBE used to encrypt the private key itself; `openssl
pkcs12 -certpbe` and `-keypbe` select them respectively. Note that 40-bit RC2
is export-grade and gives the certificate no real confidentiality; only the
key bag is under 3DES.)

```
openssl1 pkcs12 -export -out pbe-rc2.p12 -in certificate.pem -inkey privkey.pem \
    -passout pass:password
```

Can also be generated using:

```
openssl3 pkcs12 -legacy -export -out pbe-rc2.p12 -in certificate.pem -inkey privkey.pem \
    -passout pass:password
```

which generates identical ASN.1 data. (`-legacy` needs the OpenSSL 3 legacy
provider, which carries RC2 and the other retired algorithms, to be installed
and loadable; without it the command fails.)

#### 3DES

* PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
* Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

Essentially the same as above, but with 3DES for both the certificate and the
private key. All the pbe-3des-* files use this encryption, with variations on
the MAC algorithm, and are generated by the `mkstores.sh` script.

#### PBES2

All the pbes2-* files are generated with the `mkstores.sh` script, which uses
openssl3 to generate all supported variations of private key and certificate
encryption (from the AES family) and overall MAC algorithm (from the SHA-1 and
SHA-2 families).

#### SHA-3

A file using SHA3-256 as its MAC algorithm. It is used to exercise the error
path in the test: loading it is expected to throw rather than be silently
accepted. Created with:

```
openssl3 pkcs12 -export -out sha3.p12 -in certificate.pem -inkey privkey.pem \
    -passout pass:password -macalg SHA3-256
```