| Network Working Group | C. Jennings |
| INTERNET DRAFT | Cisco Systems |
| <draft-jennings-sip-sec-flows-01> | February 2004 |
| Category: Standards Track | |
| Expires: August 2004 |
This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress".
The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
This Internet-Draft will expire in August 2004.
Copyright (C) The Internet Society (2004). All Rights Reserved.
This document shows call flows demonstrating the use of SIPS, TLS, and S/MIME in SIP. This draft provides information that helps implementers build interoperable SIP software. It is purely informational. To help facilitate interoperability testing, it includes certificates used in the example call flows and a CA certificate to create certificates for testing.
Warning - this is a very early draft of this document. The call flows in it have not been verified against multiple versions of the software and have reasonable odds of being wrong. Some known deficiencies with the draft are documented in section 4.
This work is being discussed on the sip@ietf.org mailing list.
1
Conventions
2
Introduction
3
Security Considerations
4
Known Problems
5
CA Certificates
6
Host Certificate
7
Callflow with Message over TLS
8
Callflow with TLS with Mutual Authentication
9
User Certificates
10
Callflow with Signed Message
11
Callflow with Encrypted Message
12
Callflow with Signed and Encrypted Message
13
Callflow with SRTP keying material in the SDP
14
Callflow with Secure REFER
15
Test Notes
16
Making Test Certificates
17
makeCA script
18
makeCert script
19
Certificates for Testing
20
Message Dumps
21
Open Issues
22
Still To Do
23
Acknowledgments
§
Normative References
§
Informative References
§
Author's Address
§
Full Copyright Statement
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 [1].
Several different groups are starting to implement the S/MIME portion of SIP. Over the last several interoperability events, it has become clear that it is difficult to write these systems without any test vectors or examples of "known good" messages to test against. Furthermore, testing at the events is often hampered by trying to get certificates signed by some common test root into the appropriate format for various clients. This document addresses both of these issues by providing detailed messages that give detailed examples that implemetors can use for comparison and that can also be used for testing. In addition, this document provides a common certificate that can be used for a CA to reduce the time it takes to set up a test at an interoperability event. The document also provides some hints and clarifications for implementers.
A simple SIP call flow using SIPS and TLS is shown in section 7. The certificates for the hosts used are shown in section 6 and the CA certificates used to sign these are shown in section 5.
The text from section 10 through section 12 shows some simple SIP call flows using S/MIME to sign and encrypt the body of the message. The user certificates used in these examples are shown in section 9 and are signed with the same CA certs.
A way to make certificates that can be used for interoperability testing is presented in section 16, along with methods for converting these to various formats.
In section 15, a partial list of things implementers should check that they do in order to implement a secure system is presented.
Binary copies of various messages in this draft that can be used for testing appear in section 20.
Implementers must never use any of the certificates provided in this document in anything but a test environment. Installing the CA root certificates used in this document as a trusted root in operational software would completely destroy the security of the system while giving the user the impression that the system was operating securely.
This document recommends some things that implementers might test or verify to improve the security of their implementations. It is impossible to make a comprehensive list of these, and this document only suggests some of the most common mistakes that have been seen at the SIPit interoperability events. Just because an implementation does everything this document recommends does not make it secure.
The S/MIME examples use 3DES, but AES is preferred.
This section lists known problems, deficencies, and mistakes in examples in this draft.
The certificate used by the CA to sign the other certificates is shown below. This is a X509v3 certificate. Note that the basic constraints allow it to be used as a CA.
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=sipit,
OU=Sipit Test Certificate Authority
Validity
Not Before: Jul 18 12:21:52 2003 GMT
Not After : Jul 15 12:21:52 2013 GMT
Subject: C=US, ST=California, L=San Jose, O=sipit,
OU=Sipit Test Certificate Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c3:22:1e:83:91:c5:03:2c:3c:8a:f4:11:14:c6:
4b:9d:fa:72:78:c6:b0:95:18:a7:e0:8c:79:ba:5d:
a4:ae:1e:21:2d:9d:f1:0b:1c:cf:bd:5b:29:b3:90:
13:73:66:92:6e:df:4c:b3:b3:1c:1f:2a:82:0a:ba:
07:4d:52:b0:f8:37:7b:e2:0a:27:30:70:dd:f9:2e:
03:ff:2a:76:cd:df:87:1a:bd:71:eb:e1:99:6a:c4:
7f:8e:74:a0:77:85:04:e9:41:ad:fc:03:b6:17:75:
aa:33:ea:0a:16:d9:fb:79:32:2e:f8:cf:4d:c6:34:
a3:ff:1b:d0:68:28:e1:9d:e5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
6B:46:17:14:EA:94:76:25:80:54:6E:13:54:DA:A1:E3:54:14:A1:B6
X509v3 Authority Key Identifier:
6B:46:17:14:EA:94:76:25:80:54:6E:13:54:DA:A1:E3:54:14:A1:B6
DirName:/C=US/ST=California/L=San Jose/O=sipit/
OU=Sipit Test Certificate Authority
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
96:6d:1b:ef:d5:91:93:45:7c:5b:1f:cf:c4:aa:47:52:0b:34:
a8:50:fa:ec:fa:b4:2a:47:4c:5d:41:a7:3d:c0:d6:3f:9e:56:
5b:91:1d:ce:a8:07:b3:1b:a4:9f:9a:49:6f:7f:e0:ce:83:94:
71:42:af:fe:63:a2:34:dc:b4:5e:a5:ce:ca:79:50:e9:6a:99:
4c:14:69:e9:7c:ab:22:6c:44:cc:8a:9c:33:6b:23:50:42:05:
1f:e1:c2:81:88:5f:ba:e5:47:bb:85:9b:83:25:ad:84:32:ff:
2a:5b:8b:70:12:11:83:61:c9:69:15:4f:58:a3:3c:92:d4:e8:
6f:52
The ASN.1 parse of the CA certificate is shown below.
0:l= 804 cons: SEQUENCE
4:l= 653 cons: SEQUENCE
8:l= 3 cons: cont [ 0 ]
10:l= 1 prim: INTEGER :02
13:l= 1 prim: INTEGER :00
16:l= 13 cons: SEQUENCE
18:l= 9 prim: OBJECT :sha1WithRSAEncryption
29:l= 0 prim: NULL
31:l= 112 cons: SEQUENCE
33:l= 11 cons: SET
35:l= 9 cons: SEQUENCE
37:l= 3 prim: OBJECT :countryName
42:l= 2 prim: PRINTABLESTRING :US
46:l= 19 cons: SET
48:l= 17 cons: SEQUENCE
50:l= 3 prim: OBJECT :stateOrProvinceName
55:l= 10 prim: PRINTABLESTRING :California
67:l= 17 cons: SET
69:l= 15 cons: SEQUENCE
71:l= 3 prim: OBJECT :localityName
76:l= 8 prim: PRINTABLESTRING :San Jose
86:l= 14 cons: SET
88:l= 12 cons: SEQUENCE
90:l= 3 prim: OBJECT :organizationName
95:l= 5 prim: PRINTABLESTRING :sipit
102:l= 41 cons: SET
104:l= 39 cons: SEQUENCE
106:l= 3 prim: OBJECT :organizationalUnitName
111:l= 32 prim: PRINTABLESTRING :
Sipit Test Certificate Authority
145:l= 30 cons: SEQUENCE
147:l= 13 prim: UTCTIME :030718122152Z
162:l= 13 prim: UTCTIME :130715122152Z
177:l= 112 cons: SEQUENCE
179:l= 11 cons: SET
181:l= 9 cons: SEQUENCE
183:l= 3 prim: OBJECT :countryName
188:l= 2 prim: PRINTABLESTRING :US
192:l= 19 cons: SET
194:l= 17 cons: SEQUENCE
196:l= 3 prim: OBJECT :stateOrProvinceName
201:l= 10 prim: PRINTABLESTRING :California
213:l= 17 cons: SET
215:l= 15 cons: SEQUENCE
217:l= 3 prim: OBJECT :localityName
222:l= 8 prim: PRINTABLESTRING :San Jose
232:l= 14 cons: SET
234:l= 12 cons: SEQUENCE
236:l= 3 prim: OBJECT :organizationName
241:l= 5 prim: PRINTABLESTRING :sipit
248:l= 41 cons: SET
250:l= 39 cons: SEQUENCE
252:l= 3 prim: OBJECT :organizationalUnitName
257:l= 32 prim: PRINTABLESTRING :
Sipit Test Certificate Authority
291:l= 159 cons: SEQUENCE
294:l= 13 cons: SEQUENCE
296:l= 9 prim: OBJECT :rsaEncryption
307:l= 0 prim: NULL
309:l= 141 prim: BIT STRING
00 30 81 89 02 81 81 00-c3 22 1e 83 91 c5 03 2c .0.......".....,
3c 8a f4 11 14 c6 4b 9d-fa 72 78 c6 b0 95 18 a7 <.....K..rx.....
e0 8c 79 ba 5d a4 ae 1e-21 2d 9d f1 0b 1c cf bd ..y.]...!-......
5b 29 b3 90 13 73 66 92-6e df 4c b3 b3 1c 1f 2a [)...sf.n.L....*
82 0a ba 07 4d 52 b0 f8-37 7b e2 0a 27 30 70 dd ....MR..7{..'0p.
f9 2e 03 ff 2a 76 cd df-87 1a bd 71 eb e1 99 6a ....*v.....q...j
c4 7f 8e 74 a0 77 85 04-e9 41 ad fc 03 b6 17 75 ...t.w...A.....u
aa 33 ea 0a 16 d9 fb 79-32 2e f8 cf 4d c6 34 a3 .3.....y2...M.4.
ff 1b d0 68 28 e1 9d e5-02 03 01 00 01 ...h(........
453:l= 205 cons: cont [ 3 ]
456:l= 202 cons: SEQUENCE
459:l= 29 cons: SEQUENCE
461:l= 3 prim: OBJECT :X509v3 Subject Key Identifier
466:l= 22 prim: OCTET STRING
04 14 6b 46 17 14 ea 94-76 25 80 54 6e 13 54 da ..kF....v%.Tn.T.
a1 e3 54 14 a1 b6 ..T...
490:l= 154 cons: SEQUENCE
493:l= 3 prim: OBJECT :X509v3 Authority Key Identifier
498:l= 146 prim: OCTET STRING
30 81 8f 80 14 6b 46 17-14 ea 94 76 25 80 54 6e 0....kF....v%.Tn
13 54 da a1 e3 54 14 a1-b6 a1 74 a4 72 30 70 31 .T...T....t.r0p1
0b 30 09 06 03 55 04 06-13 02 55 53 31 13 30 11 .0...U....US1.0.
06 03 55 04 08 13 0a 43-61 6c 69 66 6f 72 6e 69 ..U....Californi
61 31 11 30 0f 06 03 55-04 07 13 08 53 61 6e 20 a1.0...U....San
4a 6f 73 65 31 0e 30 0c-06 03 55 04 0a 13 05 73 Jose1.0...U....s
69 70 69 74 31 29 30 27-06 03 55 04 0b 13 20 53 ipit1)0'..U... S
69 70 69 74 20 54 65 73-74 20 43 65 72 74 69 66 ipit Test Certif
69 63 61 74 65 20 41 75-74 68 6f 72 69 74 79 82 icate Authority.
01 .
0092 - <SPACES/NULS>
647:l= 12 cons: SEQUENCE
649:l= 3 prim: OBJECT :X509v3 Basic Constraints
654:l= 5 prim: OCTET STRING
30 03 01 01 ff 0....
661:l= 13 cons: SEQUENCE
663:l= 9 prim: OBJECT :sha1WithRSAEncryption
674:l= 0 prim: NULL
676:l= 129 prim: BIT STRING
00 96 6d 1b ef d5 91 93-45 7c 5b 1f cf c4 aa 47 ..m.....E|[....G
52 0b 34 a8 50 fa ec fa-b4 2a 47 4c 5d 41 a7 3d R.4.P....*GL]A.=
c0 d6 3f 9e 56 5b 91 1d-ce a8 07 b3 1b a4 9f 9a ..?.V[..........
49 6f 7f e0 ce 83 94 71-42 af fe 63 a2 34 dc b4 Io.....qB..c.4..
5e a5 ce ca 79 50 e9 6a-99 4c 14 69 e9 7c ab 22 ^...yP.j.L.i.|."
6c 44 cc 8a 9c 33 6b 23-50 42 05 1f e1 c2 81 88 lD...3k#PB......
5f ba e5 47 bb 85 9b 83-25 ad 84 32 ff 2a 5b 8b _..G....%..2.*[.
70 12 11 83 61 c9 69 15-4f 58 a3 3c 92 d4 e8 6f p...a.i.OX.<...o
52 R
The certificate for the host b.example.com is shown below. Note that the Subject Alternative Name is set to b.example.com and is a DNS type.
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=sipit,
OU=Sipit Test Certificate Authority
Validity
Not Before: Jul 20 20:46:16 2003 GMT
Not After : Jul 19 20:46:16 2004 GMT
Subject: C=US, ST=California, L=San Jose, O=sipit,
CN=b.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:e2:85:18:89:7b:67:2a:b8:67:ac:a5:f9:4e:42:
58:04:d8:3a:ae:bb:f6:87:c4:57:2e:5d:79:5f:15:
fb:32:7b:00:b1:10:64:19:2a:ed:3e:d9:19:7f:bd:
f4:aa:bd:94:b5:d3:19:9e:f2:b8:8c:56:28:dc:3d:
08:6e:29:2d:17:e5:b0:bb:da:2a:af:f8:e2:95:ce:
87:2f:da:9e:bc:bf:00:90:53:1f:47:c6:52:7f:f6:
0e:dc:af:cb:57:2a:7b:17:46:69:db:b1:62:e9:b3:
e3:aa:74:6b:bc:d5:65:bc:db:ea:1d:15:2b:1b:22:
bc:7b:23:6e:74:9f:01:62:b9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:b.example.com
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
62:8E:28:DB:A2:BF:79:75:17:E1:48
FA:FE:10:61:A2:56:EF:63:74
X509v3 Authority Key Identifier:
keyid:6B:46:17:14:EA:94:76:25:80:54:6E
13:54:DA:A1:E3:54:14:A1:B6
DirName:/C=US/ST=California/L=San Jose/O=sipit/
OU=Sipit Test Certificate Authority
serial:00
Signature Algorithm: sha1WithRSAEncryption
57:e2:12:67:d1:ca:d9:1c:8e:38:8f:83:f4:62:c2:9c:54:b1:
69:7e:32:29:d6:14:67:81:69:c4:11:95:07:af:2c:b0:61:67:
6a:17:6d:47:ea:ed:cd:43:ab:fb:a5:b8:25:84:44:9b:59:5a:
b8:9f:12:bb:7a:df:7b:84:ef:f7:3d:1c:3f:35:4b:41:0a:91:
62:49:1a:e4:92:0f:d5:79:00:01:33:7d:dd:1c:f0:1c:dc:95:
96:e8:d4:e5:59:d8:64:39:80:ca:08:1d:a4:c4:bd:52:fe:83:
24:ee:82:b2:3c:53:4d:58:b5:bf:2e:7d:59:a3:df:78:38:0b:
75:c4
The flow below shows the edited SSLDump output of the host a.example.com forming a TLS connection to b.example.com. In this example mutual authentication is not used. Note that the client proposed three protocol suites including the required TLS_RSA_WITH_AES_128_CBC_SHA. The certificate returned by the server contains a Subject Alternative Name that is set to b.example.com. A detailed discussion of TLS can be found in [9].
New TCP connection #1: a.example.com(5071) <-> b.example.com(5081)
1 1 0.0015 (0.0015) C>SV3.1(49) Handshake
ClientHello
Version 3.1
random[32]=
3f 1d 41 76 31 6f af f1 42 fa 7b 57 c7 79 49 2b
d4 21 9c be e9 8b 85 83 56 4b 36 cb f2 99 ef b2
cipher suites
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
compression methods
NULL
1 2 0.4307 (0.4292) S>CV3.1(74) Handshake
ServerHello
Version 3.1
random[32]=
3f 1d 41 77 92 f5 55 a3 97 69 cf b5 7a 0a 3c 00
bc 0c 59 91 1c 6b 2b 4a 0e 98 40 21 a9 b5 4b 6f
session_id[32]=
10 3c 8c aa 75 d8 62 0b c3 5b ad 24 c1 7f 4f 80
25 b7 1c 40 a3 3c e1 85 0d b5 29 d3 15 40 51 d3
cipherSuite TLS_RSA_WITH_AES_256_CBC_SHA
compressionMethod NULL
1 3 0.4307 (0.0000) S>CV3.1(822) Handshake
Certificate
Subject
C=US
ST=California
L=San Jose
O=sipit
CN=b.example.com
Issuer
C=US
ST=California
L=San Jose
O=sipit
OU=Sipit Test Certificate Authority
Serial 01
Extensions
Extension: X509v3 Subject Alternative Name
Extension: X509v3 Basic Constraints
Extension: X509v3 Subject Key Identifier
Extension: X509v3 Authority Key Identifier
1 4 0.4307 (0.0000) S>CV3.1(4) Handshake
ServerHelloDone
1 5 0.4594 (0.0286) C>SV3.1(134) Handshake
ClientKeyExchange
1 6 0.5498 (0.0903) C>SV3.1(1) ChangeCipherSpec
1 7 0.5498 (0.0000) C>SV3.1(48) Handshake
1 8 0.5505 (0.0007) S>CV3.1(1) ChangeCipherSpec
1 9 0.5505 (0.0000) S>CV3.1(48) Handshake
Once the TLS session is set up, the following MESSAGE message is sent from a.example.com to b.example.com. Note that the URI has a SIPS URL and that the VIA indicates that TLS was used.
MESSAGE sips:bob@b.example.com:5081 SIP/2.0
To: <sips:bob@b.example.com:5081>
From: <sip:alice@example.com>;tag=2639484b
Via: SIP/2.0/TLS b.example.com:5071;
branch=z9hG4bK-c87542-240491824-1-c87542-
Call-ID: 7ba3572175b0f542
CSeq: 1 MESSAGE
Contact: <sips:alice@a.example.com:5071>
Max-Forwards: 70
Content-Type: text/plain
User-Agent: SIPimp.org/0.2.1 (curses)
Content-Length: 2
Hi
The response is sent from b.example.com to a.example.com over the same TLS connections. It is shown below.
SIP/2.0 200 OK
To: <sips:bob@b.example.com:5081>;tag=514db9e7
From: <sip:alice@example.com>;tag=2639484b
Via: SIP/2.0/UDP b.example.com;
branch=z9hG4bK-c87542-240491824-1-c87542-;received=127.0.0.1
Call-ID: 7ba3572175b0f542
CSeq: 1 MESSAGE
Contact: <sips:bob@b.example.com:5081>
Content-Length: 0
Alice's certificate is shown below. Note that it has a Subject Alternative Name of type email and is set to alice@a.example.com. In this example a.example.com is the domain for Alice, the message could be coming from a host called host1.a.example.com, and the AOR in the user certificate would still be the same.
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=sipit,
OU=Sipit Test Certificate Authority
Validity
Not Before: Jul 20 14:29:54 2003 GMT
Not After : Jul 19 14:29:54 2004 GMT
Subject: C=US, ST=California, L=San Jose, O=sipit,
CN=alice@a.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:f0:9f:91:9a:6d:6f:81:b9:9d:67:db:5f:be:95:
3a:29:8a:cc:73:dd:b9:7a:33:c8:f9:52:dd:99:13:
04:2b:f1:9b:c2:f5:93:72:7a:9b:e1:97:fc:c2:d2:
96:d0:76:db:b5:0e:47:b1:59:74:59:5b:b0:73:ad:
c8:64:bd:59:1c:67:1a:82:2f:c2:cf:53:87:d3:2b:
5a:dc:e6:3c:8c:27:a0:ab:6e:7f:4d:86:dd:2b:9b:
e3:69:3b:f0:aa:1b:ad:f2:ab:1e:44:46:b2:8a:ab:
85:2c:81:13:03:98:06:65:57:0c:ff:c3:4f:02:cb:
ed:79:e5:81:19:c7:02:e2:1b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
email:alice@a.example.com
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
DE:0C:46:FC:B7:4C:CE:6B:73:99:22:C2:3D:A9:DE:53:EC:BF:69:66
X509v3 Authority Key Identifier:
keyid:6B:46:17:14:EA:94:76:25:80:54:6E:13:54:DA:A1:E3:54:14:A1:B6
DirName:/C=US/ST=California/L=San Jose/O=sipit/
OU=Sipit Test Certificate Authority
serial:00
Signature Algorithm: sha1WithRSAEncryption
95:2c:fb:26:83:35:4a:3c:da:20:be:74:1a:1f:80:7f:27:61:
dc:27:f1:a9:7b:2e:a7:24:31:1f:f7:c9:77:cd:0f:bf:02:9b:
8d:d5:35:42:6d:90:60:30:4c:6b:f4:7f:11:4d:a0:3f:1e:9c:
d2:2b:e0:4b:4f:fc:fa:37:43:68:e2:d8:32:29:bd:6e:22:e6:
ef:0e:97:b0:d9:92:49:ae:46:95:38:ab:a5:11:de:fa:dc:1b:
ae:30:6b:48:2c:a3:c5:26:71:a6:23:58:a2:d2:57:4a:b1:ae:
d8:45:c6:9a:71:8b:01:e9:ac:95:5e:9a:2c:67:ae:c3:5d:2b:
7c:9d
Alice's private key is shown below.
0: 604 cons: SEQUENCE
4: 1 prim: INTEGER :00
7: 129 prim: INTEGER :
F09F919A6D6F81B99D67DB5FBE953A298ACC73DDB97A33C8F952DD9913042BF19B
C2F593727A9BE197FCC2D296D076DBB50E47B15974595BB073ADC864BD591C671A
822FC2CF5387D32B5ADCE63C8C27A0AB6E7F4D86DD2B9BE3693BF0AA1BADF2AB1E
4446B28AAB852C811303980665570CFFC34F02CBED79E58119C702E21B
139: 3 prim: INTEGER :010001
144: 128 prim: INTEGER :
4764C0F9D5E090D7F6E91AC0E4B638249D471E55BA3394EBDB7607C3E44D87904F
4BE03B586B229723D65E23C795A0BE7D90F81A99D518B248BF79DF8C6C55E4B135
6249D82F9B18C37525FA05D3562399E4912BC902FA92CF12D7AE653C3C0D851A4B
B3DF35E8722006460FC076E02D012D3CF233D1934100FEC7EAC72DE989
275: 65 prim: INTEGER :
FA5A76D62011E3A219B4D89CF2A392FF57A55BC4E1092EC67030E31ABEDC591485
C284250BC0195C33A92920B340B2636EBB880C3DC6E2748A6045A07FCC2E97
342: 65 prim: INTEGER :
F60CEC61DB985C1AE0F927E831AADA2E1DF889D135E91A49B662B8094CF140075A
9C782DF6A28F538D2C51CC4910CB02B159894FB597D17A3FB69DDD37099D1D
409: 64 prim: INTEGER :
53E735A495A2E9334E823986801B2A0CC186FDB681E4DDF44B6D56EF83BFBD6B0F
591D887CE3A89C2A042B707622DCA64E5A33424701FCAB2A2511B0B4A3ED89
475: 65 prim: INTEGER :
CBD8F91E39E888A65C2D103AF6AB2E07771D2A5101F115AE6C446D64873278719F
4872E8E1A4DC49C4742B70AC3815792DA598754965764F69E9C9F03460EAA1
542: 64 prim: INTEGER :
021CFC8DEC23F4B82BE937CD45B819AE8C5777BFF14C74F719FFBBF3EB567A563A
9B2256EC3563E764B269DC34BFEC772BE443484D974B8FF07C52D9BF95DC24
Bob's certificate is shown below. Bob is in the domain b.example.com.
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=sipit,
OU=Sipit Test Certificate Authority
Validity
Not Before: Jul 20 14:30:06 2003 GMT
Not After : Jul 19 14:30:06 2004 GMT
Subject: C=US, ST=California, L=San Jose, O=sipit,
CN=bob@b.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b0:ef:02:43:fd:59:28:0b:d3:59:ff:e6:66:3a:
a7:30:b0:e5:11:54:c0:d7:e9:8a:51:a7:2b:30:94:
98:ef:bb:f9:8a:95:a6:ca:5e:e3:7a:af:a2:2a:f9:
b4:5e:b0:8a:e1:ab:0d:c4:67:9b:2f:10:b1:c8:71:
28:0b:0d:36:75:46:30:f9:17:39:d0:c8:e2:14:ac:
ec:bb:ba:3d:d1:a7:50:13:83:3e:d3:75:67:87:ef:
36:a5:5d:b3:23:71:29:15:94:e8:50:3c:f8:7b:a7:
0c:ce:f0:be:92:6b:d8:03:c3:e6:fb:25:78:ea:5c:
18:76:36:06:ba:2e:78:cf:3d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
email:bob@b.example.com
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
B5:B2:6C:07:9B:79:19:9B:64:FB:9F:37:F7:7A:60:BC:1D:40:25:DA
X509v3 Authority Key Identifier:
keyid:6B:46:17:14:EA:94:76:25:80:54:6E:13:54:DA:A1:E3:54:14:A1:B6
DirName:/C=US/ST=California/L=San Jose/O=sipit/
OU=Sipit Test Certificate Authority
serial:00
Signature Algorithm: sha1WithRSAEncryption
9c:99:39:e7:19:59:96:06:46:74:b5:b7:98:1a:cc:f5:a3:e6:
55:6c:3c:e9:b0:7a:a3:0a:1a:ea:32:c9:51:e5:da:7e:ac:24:
1b:cb:b4:7d:ae:b5:70:ba:26:0f:34:81:d6:7d:e5:c6:76:11:
44:7f:26:90:ff:0a:9f:6a:8e:d2:f8:34:7b:7d:21:66:53:9d:
1b:1c:74:d5:72:95:8d:76:fe:68:88:f2:c4:79:d2:df:d0:7a:
4e:6c:e7:2d:f0:1f:7e:03:7a:14:21:56:6c:f0:cb:04:c8:c2:
63:0d:24:52:1f:e4:b8:aa:21:65:0f:75:e3:76:9b:35:48:0f:
b4:ab
Bob's private key is shown below.
0: 605 cons: SEQUENCE
4: 1 prim: INTEGER :00
7: 129 prim: INTEGER :
B0EF0243FD59280BD359FFE6663AA730B0E51154C0D7E98A51A72B309498EFBBF9
8A95A6CA5EE37AAFA22AF9B45EB08AE1AB0DC4679B2F10B1C871280B0D36754630
F91739D0C8E214ACECBBBA3DD1A75013833ED3756787EF36A55DB32371291594E8
503CF87BA70CCEF0BE926BD803C3E6FB2578EA5C18763606BA2E78CF3D
139: 3 prim: INTEGER :010001
144: 128 prim: INTEGER :
06B0A2D74B4709BA98BD386DCFC3BBFA9D55ABF8166A938C05565ACDB570AAEFE2
9998DAFB9FE6DE06B20D09F005FC8AE3C981F5C12D1EF474A46D92E40815DCFD36
860631EF92CB2F30AB746A0CF80428CC544C51A04F08AF1773E53F88FC4031DF32
68B82476A1875DBB9212AAA6373AF6600F37053B3417E957D7D9633D49
275: 65 prim: INTEGER :
DB1765DB11C76D7CC0A50E60CFA66025EC971C0F6D797D2166B7578F8DC1401E87
B3D448135B2FB74ABD3EEDB41B0EE538D587A88D08D018C2971C298F88971F
342: 65 prim: INTEGER :
CEBD8090AAD98D86986FBB1E38C1CB0FAA1951D625A9333BF4F52E53AE2405878B
AB54179A1964F02BEF17B2E25F922BDA097E7B282ADF8AD8DEC962012D1A23
409: 64 prim: INTEGER :
3EF3CF298E473E577D4730057344FC158990B5D85CFD6E8DFD64AAFD2D9F1C9C69
23ABD875EF5A9B91172590C99288CA26757C805ADDF0655CEC6C8428A0F7C3
475: 65 prim: INTEGER :
9D23529623162AC9341230C29ED745D5C92F6791829CA1B19FD5BFF9A0B20675E9
46372B9D5851ED6F2752F707B326B2280EF15100CDDD8D769B97ABE342F9CB
542: 65 prim: INTEGER :
84D65C4EBCC1B95AA42AA2AD2ECDDC58809316CC4793A889C24828E04F386B1277
8DA68B57E7891E6780D5FD1A028B207D7C7D9AE40CDD9F9059BDEB2EF098BF
Example Signed Message. The value on the Content-Type line has been broken across lines to fit on the page but it should not be.
MESSAGE sip:bob@b.example.com SIP/2.0
To: <sip:bob@b.example.com>
From: <sip:alice@a.example.com>;tag=1b2f5769
Via: SIP/2.0/UDP
127.0.0.1:5070;branch=z9hG4bK-c87542-730075406-1--c87542-;rport
Call-ID: 22b4f26d6be23a0e
CSeq: 1 MESSAGE
Contact: <sip:alice@a.example.com:5070>
Max-Forwards: 70
Content-Type: multipart/signed;boundary=65b6563f5e8ef632;\
micalg=sha1;protocol=application/pkcs7-signature
User-Agent: SIPimp.org/0.2.2 (curses)
Content-Length: 1653
--65b6563f5e8ef632
Content-Type: text/plain
Content-Transfer-Encoding: binary
Hi
--65b6563f5e8ef632
Content-Type: application/pkcs7-signature;name=smime.p7s
Content-Disposition: attachment;handling=required;filename=smime.p7s
Content-Transfer-Encoding: binary
*******************
* BINARY BLOB 1 *
*******************
--65b6563f5e8ef632--
It is important to note that the data the signature is computed across includes the header and is:
Content-Type: text/plain Content-Transfer-Encoding: binary Hi
The response follows. The Via line has been split across lines for formatting but it should not be.
SIP/2.0 200 OK
To: <sip:bob@b.example.com>;tag=6b167ed8
From: <sip:alice@a.example.com>;tag=1b2f5769
Via: SIP/2.0/UDP
127.0.0.1:5070;branch=z9hG4bK-c87542-730075406-1--c87542-;\
rport=5070;received=127.0.0.1
Call-ID: 22b4f26d6be23a0e
CSeq: 1 MESSAGE
Contact: <sip:bob@b.example.com:5060>
Content-Length: 0
ASN.1 parse of binary blob 1. Note that at address 30, the hash for the signature is specified as sha1.
0: SEQUENCE
4: OBJECT :pkcs7-signedData
15: cont [ 0 ]
19: SEQUENCE
23: INTEGER :01
26: SET
28: SEQUENCE
30: OBJECT :sha1
37: NULL
39: SEQUENCE
41: OBJECT :pkcs7-data
52: cont [ 0 ]
56: SEQUENCE
60: SEQUENCE
64: cont [ 0 ]
66: INTEGER :02
69: INTEGER :55018102490073
78: SEQUENCE
80: OBJECT :sha1WithRSAEncryption
91: NULL
93: SEQUENCE
95: SET
97: SEQUENCE
99: OBJECT :countryName
104: PRINTABLESTRING :US
108: SET
110: SEQUENCE
112: OBJECT :stateOrProvinceName
117: PRINTABLESTRING :California
129: SET
131: SEQUENCE
133: OBJECT :localityName
138: PRINTABLESTRING :San Jose
148: SET
150: SEQUENCE
152: OBJECT :organizationName
157: PRINTABLESTRING :sipit
164: SET
166: SEQUENCE
168: OBJECT :organizationalUnitName
173: PRINTABLESTRING :Sipit Test Certificate Authority
207: SEQUENCE
209: UTCTIME :031014202459Z
224: UTCTIME :061013202459Z
239: SEQUENCE
241: SET
243: SEQUENCE
245: OBJECT :countryName
250: PRINTABLESTRING :US
254: SET
256: SEQUENCE
258: OBJECT :stateOrProvinceName
263: PRINTABLESTRING :California
275: SET
277: SEQUENCE
279: OBJECT :localityName
284: PRINTABLESTRING :San Jose
294: SET
296: SEQUENCE
298: OBJECT :organizationName
303: PRINTABLESTRING :sipit
310: SET
312: SEQUENCE
314: OBJECT :commonName
319: T61STRING :alice@a.example.com
340: SEQUENCE
343: SEQUENCE
345: OBJECT :rsaEncryption
356: NULL
358: BIT STRING
502: cont [ 3 ]
505: SEQUENCE
508: SEQUENCE
510: OBJECT :X509v3 Subject Alternative Name
515: OCTET STRING
540: SEQUENCE
542: OBJECT :X509v3 Basic Constraints
547: OCTET STRING
551: SEQUENCE
553: OBJECT :X509v3 Subject Key Identifier
558: OCTET STRING
582: SEQUENCE
585: OBJECT :X509v3 Authority Key Identifier
590: OCTET STRING
739: SEQUENCE
741: OBJECT :sha1WithRSAEncryption
752: NULL
754: BIT STRING
886: SET
890: SEQUENCE
894: INTEGER :01
897: SEQUENCE
899: SEQUENCE
901: SET
903: SEQUENCE
905: OBJECT :countryName
910: PRINTABLESTRING :US
914: SET
916: SEQUENCE
918: OBJECT :stateOrProvinceName
923: PRINTABLESTRING :California
935: SET
937: SEQUENCE
939: OBJECT :localityName
944: PRINTABLESTRING :San Jose
954: SET
956: SEQUENCE
958: OBJECT :organizationName
963: PRINTABLESTRING :sipit
970: SET
972: SEQUENCE
974: OBJECT :organizationalUnitName
979: PRINTABLESTRING :Sipit Test Certificate Authority
1013: INTEGER :55018102490073
1022: SEQUENCE
1024: OBJECT :sha1
1031: NULL
1033: cont [ 0 ]
1036: SEQUENCE
1038: OBJECT :contentType
1049: SET
1051: OBJECT :pkcs7-data
1062: SEQUENCE
1064: OBJECT :signingTime
1075: SET
1077: UTCTIME :031015000907Z
1092: SEQUENCE
1094: OBJECT :messageDigest
1105: SET
1107: OCTET STRING
1129: SEQUENCE
1131: OBJECT :S/MIME Capabilities
1142: SET
1144: SEQUENCE
1146: SEQUENCE
1148: OBJECT :des-ede3-cbc
1158: SEQUENCE
1160: OBJECT :rc2-cbc
1170: INTEGER :80
1174: SEQUENCE
1176: OBJECT :rc2-cbc
1186: INTEGER :40
1189: SEQUENCE
1191: OBJECT :des-cbc
1198: SEQUENCE
1200: OBJECT :rc2-cbc
1210: INTEGER :28
1213: SEQUENCE
1215: OBJECT :rsaEncryption
1226: NULL
1228: OCTET STRING
MESSAGE sip:bob@b.example.com SIP/2.0
To: <sip:bob@b.example.com>
From: <sip:alice@a.example.com>;tag=4bba1f0d
Via: SIP/2.0/UDP
127.0.0.1:5070;branch=z9hG4bK-c87542-558422834-1--c87542-;rport
Call-ID: 132bb895019d4536
CSeq: 1 MESSAGE
Contact: <sip:alice@a.example.com:5070>
Max-Forwards: 70
Content-Disposition: attachment;handling=required;filename=smime.p7
Content-Type:
application/pkcs7-mime;smime-type=enveloped-data;name=smime.p7m
User-Agent: SIPimp.org/0.2.2 (curses)
Content-Length: 385
*****************
* BINARY BLOB 2 *
*****************
The Response. The Via is split across lines for formatting but is not split in the real message.
SIP/2.0 200 OK
To: <sip:bob@b.example.com>;tag=330805f5
From: <sip:alice@a.example.com>;tag=4bba1f0d
Via: SIP/2.0/UDP
127.0.0.1:5070;branch=z9hG4bK-c87542-558422834-1--c87542-;\
rport=5070;received=127.0.0.1
Call-ID: 132bb895019d4536
CSeq: 1 MESSAGE
Contact: <sip:bob@b.example.com:5060>
Content-Length: 0
ASN.1 parse of Binary Blob 2. Note that at address 323, the encryption is set to des-ebe3-cbc.
0: SEQUENCE
4: OBJECT :pkcs7-envelopedData
15: cont [ 0 ]
19: SEQUENCE
23: INTEGER :00
26: SET
30: SEQUENCE
34: INTEGER :00
37: SEQUENCE
39: SEQUENCE
41: SET
43: SEQUENCE
45: OBJECT :countryName
50: PRINTABLESTRING :US
54: SET
56: SEQUENCE
58: OBJECT :stateOrProvinceName
63: PRINTABLESTRING :California
75: SET
77: SEQUENCE
79: OBJECT :localityName
84: PRINTABLESTRING :San Jose
94: SET
96: SEQUENCE
98: OBJECT :organizationName
103: PRINTABLESTRING :sipit
110: SET
112: SEQUENCE
114: OBJECT :organizationalUnitName
119: PRINTABLESTRING :Sipit Test Certificate Authority
153: INTEGER :55018102490072
162: SEQUENCE
164: OBJECT :rsaEncryption
175: NULL
177: OCTET STRING
308: SEQUENCE
310: OBJECT :pkcs7-data
321: SEQUENCE
323: OBJECT :des-ede3-cbc
333: OCTET STRING
343: cont [ 0 ]
Example Signed and Encrypted Message
In the example below, one of the headers is contained in a box and is split across two lines. This was only done to make it fit in the RFC format. This header should not have the box around it and should be on one line with no whitespace between the "mime;" and the "smime-type". Note that Content-Type is split across lines for formatting but is not split in the real message.
MESSAGE sip:bob@b.example.com SIP/2.0
To: <sip:bob@b.example.com>
From: <sip:alice@a.example.com>;tag=1d8673a3
Via: SIP/2.0/UDP
127.0.0.1:5070;branch=z9hG4bK-c87542-488884104-1--c87542-;rport
Call-ID: 450c8b112715a732
CSeq: 1 MESSAGE
Contact: <sip:alice@a.example.com:5070>
Max-Forwards: 70
Content-Type: multipart/signed;boundary=75b3d73b4e24d3f6;\
micalg=sha1;protocol=application/pkcs7-signature
User-Agent: SIPimp.org/0.2.2 (curses)
Content-Length: 2158
--75b3d73b4e24d3f6
|---See note about stuff in this box---------------------|
|Content-Type: application/pkcs7-mime; |
| smime-type=enveloped-data;name=smime.p7m |
|--------------------------------------------------------|
Content-Disposition: attachment;handling=required;filename=smime.p7
Content-Transfer-Encoding: binary
*****************
* BINARY BLOB 3 *
*****************
--75b3d73b4e24d3f6
Content-Type: application/pkcs7-signature;name=smime.p7s
Content-Disposition: attachment;handling=required;filename=smime.p7s
Content-Transfer-Encoding: binary
*****************
* BINARY BLOB 4 *
*****************
--75b3d73b4e24d3f6--
Response back. Note that the Via is split across lines for formatting.
SIP/2.0 200 OK
To: <sip:bob@b.example.com>;tag=40d7131b
From: <sip:alice@a.example.com>;tag=1d8673a3
Via: SIP/2.0/UDP
127.0.0.1:5070;branch=z9hG4bK-c87542-488884104-1--c87542-;\
rport=5070;received=127.0.0.1
Call-ID: 450c8b112715a732
CSeq: 1 MESSAGE
Contact: <sip:bob@b.example.com:5060>
Content-Length: 0
0: SEQUENCE
4: OBJECT :pkcs7-envelopedData
15: cont [ 0 ]
19: SEQUENCE
23: INTEGER :00
26: SET
30: SEQUENCE
34: INTEGER :00
37: SEQUENCE
39: SEQUENCE
41: SET
43: SEQUENCE
45: OBJECT :countryName
50: PRINTABLESTRING :US
54: SET
56: SEQUENCE
58: OBJECT :stateOrProvinceName
63: PRINTABLESTRING :California
75: SET
77: SEQUENCE
79: OBJECT :localityName
84: PRINTABLESTRING :San Jose
94: SET
96: SEQUENCE
98: OBJECT :organizationName
103: PRINTABLESTRING :sipit
110: SET
112: SEQUENCE
114: OBJECT :organizationalUnitName
119: PRINTABLESTRING :Sipit Test Certificate Authority
153: INTEGER :55018102490072
162: SEQUENCE
164: OBJECT :rsaEncryption
175: NULL
177: OCTET STRING
308: SEQUENCE
310: OBJECT :pkcs7-data
321: SEQUENCE
323: OBJECT :des-ede3-cbc
333: OCTET STRING
343: cont [ 0 ]
0: SEQUENCE
4: OBJECT :pkcs7-signedData
15: cont [ 0 ]
19: SEQUENCE
23: INTEGER :01
26: SET
28: SEQUENCE
30: OBJECT :sha1
37: NULL
39: SEQUENCE
41: OBJECT :pkcs7-data
52: cont [ 0 ]
56: SEQUENCE
60: SEQUENCE
64: cont [ 0 ]
66: INTEGER :02
69: INTEGER :55018102490073
78: SEQUENCE
80: OBJECT :sha1WithRSAEncryption
91: NULL
93: SEQUENCE
95: SET
97: SEQUENCE
99: OBJECT :countryName
104: PRINTABLESTRING :US
108: SET
110: SEQUENCE
112: OBJECT :stateOrProvinceName
117: PRINTABLESTRING :California
129: SET
131: SEQUENCE
133: OBJECT :localityName
138: PRINTABLESTRING :San Jose
148: SET
150: SEQUENCE
152: OBJECT :organizationName
157: PRINTABLESTRING :sipit
164: SET
166: SEQUENCE
168: OBJECT :organizationalUnitName
173: PRINTABLESTRING :Sipit Test Certificate Authority
207: SEQUENCE
209: UTCTIME :031014202459Z
224: UTCTIME :061013202459Z
239: SEQUENCE
241: SET
243: SEQUENCE
245: OBJECT :countryName
250: PRINTABLESTRING :US
254: SET
256: SEQUENCE
258: OBJECT :stateOrProvinceName
263: PRINTABLESTRING :California
275: SET
277: SEQUENCE
279: OBJECT :localityName
284: PRINTABLESTRING :San Jose
294: SET
296: SEQUENCE
298: OBJECT :organizationName
303: PRINTABLESTRING :sipit
310: SET
312: SEQUENCE
314: OBJECT :commonName
319: T61STRING :alice@a.example.com
340: SEQUENCE
343: SEQUENCE
345: OBJECT :rsaEncryption
356: NULL
358: BIT STRING
502: cont [ 3 ]
505: SEQUENCE
508: SEQUENCE
510: OBJECT :X509v3 Subject Alternative Name
515: OCTET STRING
540: SEQUENCE
542: OBJECT :X509v3 Basic Constraints
547: OCTET STRING
551: SEQUENCE
553: OBJECT :X509v3 Subject Key Identifier
558: OCTET STRING
582: SEQUENCE
585: OBJECT :X509v3 Authority Key Identifier
590: OCTET STRING
739: SEQUENCE
741: OBJECT :sha1WithRSAEncryption
752: NULL
754: BIT STRING
886: SET
890: SEQUENCE
894: INTEGER :01
897: SEQUENCE
899: SEQUENCE
901: SET
903: SEQUENCE
905: OBJECT :countryName
910: PRINTABLESTRING :US
914: SET
916: SEQUENCE
918: OBJECT :stateOrProvinceName
923: PRINTABLESTRING :California
935: SET
937: SEQUENCE
939: OBJECT :localityName
944: PRINTABLESTRING :San Jose
954: SET
956: SEQUENCE
958: OBJECT :organizationName
963: PRINTABLESTRING :sipit
970: SET
972: SEQUENCE
974: OBJECT :organizationalUnitName
979: PRINTABLESTRING :Sipit Test Certificate Authority
1013: INTEGER :55018102490073
1022: SEQUENCE
1024: OBJECT :sha1
1031: NULL
1033: cont [ 0 ]
1036: SEQUENCE
1038: OBJECT :contentType
1049: SET
1051: OBJECT :pkcs7-data
1062: SEQUENCE
1064: OBJECT :signingTime
1075: SET
1077: UTCTIME :031015000922Z
1092: SEQUENCE
1094: OBJECT :messageDigest
1105: SET
1107: OCTET STRING
1129: SEQUENCE
1131: OBJECT :S/MIME Capabilities
1142: SET
1144: SEQUENCE
1146: SEQUENCE
1148: OBJECT :des-ede3-cbc
1158: SEQUENCE
1160: OBJECT :rc2-cbc
1170: INTEGER :80
1174: SEQUENCE
1176: OBJECT :rc2-cbc
1186: INTEGER :40
1189: SEQUENCE
1191: OBJECT :des-cbc
1198: SEQUENCE
1200: OBJECT :rc2-cbc
1210: INTEGER :28
1213: SEQUENCE
1215: OBJECT :rsaEncryption
1226: NULL
1228: OCTET STRING
This section describes some common interoperability problems. Implementers should verify their clients do the correct things and perhaps make their clients forgiving in what they receive, or at least produce reasonable error messages with other software that does have these problems.
A common problem in interoperability is that some SIP clients do not support TLS and only do SSLv3. Check that the client does use TLS.
Many SIP clients were found to accept expired certificates with no warning or error.
TLS and S/MIME can provide the identity of the peer that a client is communicating with in the Subject Alternative Name in the certificate. The software must check that this name corresponds to the identity the server is trying to contact. If a client is trying to set up a TLS connection to good.example.com and it gets a TLS connection set up with a server that presents a valid certificate but with the name evil.example.com, it must generate an error or warning of some type. Similarly with S/MIME, if a user is trying to communicate with bob@b.example.com, the Subject Alternate Name field in the certificate must match the AOR for bob.
Some implementations used binary MIME encodings while others used base64. There is no reason not to use binary - check that your implementation sends binary and preferably receives both.
These scripts allow you to make certificates for test purposes. The certificates will all share a common CA root so that everyone running these scripts can have interoperable certificates. WARNING - these certificates are totally insecure and are for test purposes only. All the CA created by this script share the same private key to facilitate interoperability testing, but this totally breaks the security since the private key of the CA is well known.
The instructions assume a Unix-like environment with openssl installed, but openssl does work in Windows too. Make sure you have openssl installed by trying to run "openssl". Run the makeCA script found in section 17; this creates a subdirectory called demoCA. If the makeCA script cannot find where your openssl is installed you will have to set an environment variable called OPENSSLDIR to whatever directory contains the file openssl.cnf. You can find this with a "locate openssl.cnf". You are not ready to make certificates.
To create certs for use with TLS, run the makeCert script found in section 18 with the fully qualified domain name of the proxy you are making the certificate for. For example, "makeCert host.example.net". This will generate a private key and a certificate. The private key will be left in a file named host.example.net_key.pem in pem format. The certificate will be in host.example.net_cert.pem. Some programs expect both the certificate and private key combined together in a PKCS12 format file. This is created by the script and left in a file named host.example.net.p12. Some programs expect this file to have a .pfx extension instead of .p12 - just rename the file if needed.
A second argument indicating the number of days for which the certificate should be valid can be passed to the makeCert script. It is possible to make an expired certificate using the command "makeCert host.example.net 0".
Anywhere that a password is used to protect a certificate, the password is set to the string "password".
The root certificate for the CA is in the file demoCA/cacert.pem and a PKCS#7 version of it is in demoCA/cacert.p7c.
For things that need DER format certificates, a certificate can be converted from PEM to DER with "openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER".
Some programs expect certificates in PKCS#7 format (with a file extension of .p7c). You can convert these from PEM format with to PKCS#7 with "openssl crl2pkcs7 -nocrl -certfile cert.pem -certfile demoCA/cacert.pem -outform DER -out cert.p7c"
IE, Outlook, and Netscape can import and export .p12 files and .p7c files. You can convert a pkcs7 certificate to PEM format with "openssl pkcs7 -in cert.p7c -inform DER -outform PEM -out cert.pem".
The private key can be converted to pkcs8 format with "openssl pkcs8 -in a_key.pem -topk8 -outform DER -out a_key.p8c"
In general, a TLS client will just need the root certificate of the CA. A TLS server will need its private key and its certificate. These could be in two PEM files or one .p12 file. An S/MIME program will need its private key and certificate, the root certificate of the CA, and the certificate for every other user it communicates with.
When validating a chain of certificates, make sure that the basic constraints on any non leaf node allow the certificate to be used for a CA. For example, if the domain example.com issues a certificate for alice@example.com, Alice should not be able to use this to sign a certificate for bob@example.com.
#!/bin/sh
#set -x
rm -rf demoCA
mkdir demoCA
mkdir demoCA/certs
mkdir demoCA/crl
mkdir demoCA/newcerts
mkdir demoCA/private
#echo "01" > demoCA/serial
hexdump -n 4 -e '4/1 "%04d"' /dev/random > demoCA/serial
touch demoCA/index.txt
# You may need to modify this for where your default file is
# you can find where yours in by typing "openssl ca"
CONF=${OPENSSLDIR:=/usr/local/ssl}/openssl.cnf
if [ ! -f $CONF ]; then
echo "Can not find file $CONF - set your OPENSSLDIR variable"
fi
cp $CONF openssl.cnf
cat >> openssl.cnf <<EOF
[ cj_cert ]
subjectAltName=\${ENV::ALTNAME}
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
EOF
cat > demoCA/private/cakey.pem <<EOF
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,4B47A0A73ADE342E
aHmlPa+ZrOV6v+Jk0SClxzpxoG3j0ZuyoVkF9rzq2bZkzVBKLU6xhWwjMDqwA8dH
3fCRLhMGIUVnmymXYhTW9svI1gpFxMBQHJcKpV/SmgFn/fbYk98Smo2izHOniIiu
NOu2zr+bMiaBphOAZ/OCtVUxUOoBDKN9lR39UCDOgkEQzp9Vbw7l736yu5H9GMHP
JtGLJyx3RhS3TvLfLAJZhjm/wZ/9QM8GjyJEiDhMQRJVeIZGvv4Yr1u6yYHiHfjX
tX2eds8Luc83HbSvjAyjnkLtJsAZ/8cFzrd7pjFzbogLdWuil+kpkkf5h1uzh7oa
um0M1EXBE4tcDHsfg1iqEsDMIei/U+/rWfk1PrzYlklwZp8S03vulkDm1fT76W7d
mRBg4+CrHA6qYn6EPWB37OBtfEqAfINnIcI1dWzso9A0bTPD4EJO0JA0PcZ/2JgT
PaKySgooHQ8AHNQebelch6M5LFExpaOADJKrqauKcc2HeUxXaYIpac5/7drIl3io
UloqUnMlGa3eLP7BZIMsZKCfHZ8oqwU4g6mmmJath2gODRDx3mfhH6yaimDL7v4i
SAIIkrEHXfSyovrTJymfSfQtYxUraVZDqax6oj/eGllRxliGfMLYG9ceU+yU/8FN
LE7P+Cs19H5tHHzx1LlieaK43u/XvbXHlB5mqL/fZdkUIBJsjbBVx0HR8eQl2CH9
YJDMOPLADecwHoyKA0AY59oN9d41oF7yZtN9KwNdslROYH7mNJlqMMenhXCLN+Nz
vVU5/7/ugZFhZqfS46c1WdmSvuqpDp7TBtMeaH/PXjysBr0iZffOxQ==
-----END RSA PRIVATE KEY-----
EOF
cat > demoCA/cacert.pem <<EOF
-----BEGIN CERTIFICATE-----
MIIDJDCCAo2gAwIBAgIBADANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJVUzET
MBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNVBAoT
BXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0
eTAeFw0wMzA3MTgxMjIxNTJaFw0xMzA3MTUxMjIxNTJaMHAxCzAJBgNVBAYTAlVT
MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE
ChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9y
aXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDIh6DkcUDLDyK9BEUxkud
+nJ4xrCVGKfgjHm6XaSuHiEtnfELHM+9WymzkBNzZpJu30yzsxwfKoIKugdNUrD4
N3viCicwcN35LgP/KnbN34cavXHr4ZlqxH+OdKB3hQTpQa38A7YXdaoz6goW2ft5
Mi74z03GNKP/G9BoKOGd5QIDAQABo4HNMIHKMB0GA1UdDgQWBBRrRhcU6pR2JYBU
bhNU2qHjVBShtjCBmgYDVR0jBIGSMIGPgBRrRhcU6pR2JYBUbhNU2qHjVBShtqF0
pHIwcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcT
CFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBD
ZXJ0aWZpY2F0ZSBBdXRob3JpdHmCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
AQUFAAOBgQCWbRvv1ZGTRXxbH8/EqkdSCzSoUPrs+rQqR0xdQac9wNY/nlZbkR3O
qAezG6Sfmklvf+DOg5RxQq/+Y6I03LRepc7KeVDpaplMFGnpfKsibETMipwzayNQ
QgUf4cKBiF+65Ue7hZuDJa2EMv8qW4twEhGDYclpFU9YozyS1OhvUg==
-----END CERTIFICATE-----
EOF
# uncomment the following lines to generate your own key pair
#openssl req -newkey rsa:1024 -passin pass:password \
# -passout pass:password \
# -sha1 -x509 -keyout demoCA/private/cakey.pem \
# -out demoCA/cacert.pem -days 3650 <<EOF
#US
#California
#San Jose
#sipit
#Sipit Test Certificate Authority
#
#
#EOF
openssl crl2pkcs7 -nocrl -certfile demoCA/cacert.pem \
-outform DER -out demoCA/cacert.p7c
#!/bin/sh
#set -x
if [ $# == 1 ]; then
DAYS=1095
elif [ $# == 2 ]; then
DAYS=$2
else
echo "Usage: makeCert test.example.org [days]"
echo " makeCert alice@example.org [days]"
echo "days is how long the certifiace is valid"
echo "days set to 0 generates an invalid certificate"
exit 0
fi
ADDR=$1
echo "making cert for ${ADDR}"
rm -f ${ADDR}_*.pem
rm -f ${ADDR}.p12
case ${ADDR} in
*:*) TYPE="URI" ;;
*@*) TYPE="email" ;;
*) TYPE="DNS" ;;
esac
rm -f demoCA/index.txt
touch demoCA/index.txt
rm -f demoCA/newcerts/*
#setenv ALTNAME "URI:${ADDR}"
#setenv ALTNAME "email:${ADDR}"
#setenv ALTNAME "DNS:${ADDR}"
ALTNAME="$TYPE:${ADDR}"
export ALTNAME
openssl genrsa -out ${ADDR}_key.pem 1024
openssl req -new -sha1 -key ${ADDR}_key.pem \
-out ${ADDR}_req.pem -days ${DAYS} <<EOF
US
California
San Jose
sipit
${ADDR}
EOF
if [ $DAYS == 0 ]; then
openssl ca -extensions cj_cert -config openssl.cnf \
-passin pass:password -policy policy_anything \
-md sha1 -batch -notext -out ${ADDR}_cert.pem \
-startdate 990101000000Z \
-enddate 000101000000Z \
-infiles ${ADDR}_req.pem
else
openssl ca -extensions cj_cert -config openssl.cnf \
-passin pass:password -policy policy_anything \
-md sha1 -days ${DAYS} -batch -notext \
-out ${ADDR}_cert.pem \
-infiles ${ADDR}_req.pem
fi
openssl pkcs12 -passin pass:password \
-passout pass:password -export \
-out ${ADDR}.p12 -in ${ADDR}_cert.pem \
-inkey ${ADDR}_key.pem -name TheName \
-certfile demoCA/cacert.pem
openssl x509 -in ${ADDR}_cert.pem -noout -text
This section contains various certificates used for testing in PEM format.
-----BEGIN CERTIFICATE----- MIIDNDCCAp2gAwIBAgIBATANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJVUzET MBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNVBAoT BXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0 eTAeFw0wMzA3MjAxNDI5NTRaFw0wNDA3MTkxNDI5NTRaMGMxCzAJBgNVBAYTAlVT MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE ChMFc2lwaXQxHDAaBgNVBAMUE2FsaWNlQGEuZXhhbXBsZS5jb20wgZ8wDQYJKoZI hvcNAQEBBQADgY0AMIGJAoGBAPCfkZptb4G5nWfbX76VOimKzHPduXozyPlS3ZkT BCvxm8L1k3J6m+GX/MLSltB227UOR7FZdFlbsHOtyGS9WRxnGoIvws9Th9MrWtzm PIwnoKtuf02G3Sub42k78KobrfKrHkRGsoqrhSyBEwOYBmVXDP/DTwLL7XnlgRnH AuIbAgMBAAGjgeowgecwHgYDVR0RBBcwFYETYWxpY2VAYS5leGFtcGxlLmNvbTAJ BgNVHRMEAjAAMB0GA1UdDgQWBBTeDEb8t0zOa3OZIsI9qd5T7L9pZjCBmgYDVR0j BIGSMIGPgBRrRhcU6pR2JYBUbhNU2qHjVBShtqF0pHIwcDELMAkGA1UEBhMCVVMx EzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQK EwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3Jp dHmCAQAwDQYJKoZIhvcNAQEFBQADgYEAlSz7JoM1SjzaIL50Gh+Afydh3CfxqXsu pyQxH/fJd80PvwKbjdU1Qm2QYDBMa/R/EU2gPx6c0ivgS0/8+jdDaOLYMim9biLm 7w6XsNmSSa5GlTirpRHe+twbrjBrSCyjxSZxpiNYotJXSrGu2EXGmnGLAemslV6a LGeuw10rfJ0= -----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQDwn5GabW+BuZ1n21++lTopisxz3bl6M8j5Ut2ZEwQr8ZvC9ZNy epvhl/zC0pbQdtu1DkexWXRZW7BzrchkvVkcZxqCL8LPU4fTK1rc5jyMJ6Crbn9N ht0rm+NpO/CqG63yqx5ERrKKq4UsgRMDmAZlVwz/w08Cy+155YEZxwLiGwIDAQAB AoGAR2TA+dXgkNf26RrA5LY4JJ1HHlW6M5Tr23YHw+RNh5BPS+A7WGsilyPWXiPH laC+fZD4GpnVGLJIv3nfjGxV5LE1YknYL5sYw3Ul+gXTViOZ5JEryQL6ks8S165l PDwNhRpLs9816HIgBkYPwHbgLQEtPPIz0ZNBAP7H6sct6YkCQQD6WnbWIBHjohm0 2Jzyo5L/V6VbxOEJLsZwMOMavtxZFIXChCULwBlcM6kpILNAsmNuu4gMPcbidIpg RaB/zC6XAkEA9gzsYduYXBrg+SfoMaraLh34idE16RpJtmK4CUzxQAdanHgt9qKP U40sUcxJEMsCsVmJT7WX0Xo/tp3dNwmdHQJAU+c1pJWi6TNOgjmGgBsqDMGG/baB 5N30S21W74O/vWsPWR2IfOOonCoEK3B2ItymTlozQkcB/KsqJRGwtKPtiQJBAMvY +R456IimXC0QOvarLgd3HSpRAfEVrmxEbWSHMnhxn0hy6OGk3EnEdCtwrDgVeS2l mHVJZXZPaenJ8DRg6qECQAIc/I3sI/S4K+k3zUW4Ga6MV3e/8Ux09xn/u/PrVnpW OpsiVuw1Y+dksmncNL/sdyvkQ0hNl0uP8HxS2b+V3CQ= -----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE----- MIIDMDCCApmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJVUzET MBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNVBAoT BXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0 eTAeFw0wMzA3MjAxNDMwMDZaFw0wNDA3MTkxNDMwMDZaMGExCzAJBgNVBAYTAlVT MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE ChMFc2lwaXQxGjAYBgNVBAMUEWJvYkBiLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3 DQEBAQUAA4GNADCBiQKBgQCw7wJD/VkoC9NZ/+ZmOqcwsOURVMDX6YpRpyswlJjv u/mKlabKXuN6r6Iq+bResIrhqw3EZ5svELHIcSgLDTZ1RjD5FznQyOIUrOy7uj3R p1ATgz7TdWeH7zalXbMjcSkVlOhQPPh7pwzO8L6Sa9gDw+b7JXjqXBh2Nga6LnjP PQIDAQABo4HoMIHlMBwGA1UdEQQVMBOBEWJvYkBiLmV4YW1wbGUuY29tMAkGA1Ud EwQCMAAwHQYDVR0OBBYEFLWybAebeRmbZPufN/d6YLwdQCXaMIGaBgNVHSMEgZIw gY+AFGtGFxTqlHYlgFRuE1TaoeNUFKG2oXSkcjBwMQswCQYDVQQGEwJVUzETMBEG A1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNVBAoTBXNp cGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0eYIB ADANBgkqhkiG9w0BAQUFAAOBgQCcmTnnGVmWBkZ0tbeYGsz1o+ZVbDzpsHqjChrq MslR5dp+rCQby7R9rrVwuiYPNIHWfeXGdhFEfyaQ/wqfao7S+DR7fSFmU50bHHTV cpWNdv5oiPLEedLf0HpObOct8B9+A3oUIVZs8MsEyMJjDSRSH+S4qiFlD3Xjdps1 SA+0qw== -----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQCw7wJD/VkoC9NZ/+ZmOqcwsOURVMDX6YpRpyswlJjvu/mKlabK XuN6r6Iq+bResIrhqw3EZ5svELHIcSgLDTZ1RjD5FznQyOIUrOy7uj3Rp1ATgz7T dWeH7zalXbMjcSkVlOhQPPh7pwzO8L6Sa9gDw+b7JXjqXBh2Nga6LnjPPQIDAQAB AoGABrCi10tHCbqYvThtz8O7+p1Vq/gWapOMBVZazbVwqu/imZja+5/m3gayDQnw BfyK48mB9cEtHvR0pG2S5AgV3P02hgYx75LLLzCrdGoM+AQozFRMUaBPCK8Xc+U/ iPxAMd8yaLgkdqGHXbuSEqqmNzr2YA83BTs0F+lX19ljPUkCQQDbF2XbEcdtfMCl DmDPpmAl7JccD215fSFmt1ePjcFAHoez1EgTWy+3Sr0+7bQbDuU41YeojQjQGMKX HCmPiJcfAkEAzr2AkKrZjYaYb7seOMHLD6oZUdYlqTM79PUuU64kBYeLq1QXmhlk 8CvvF7LiX5Ir2gl+eygq34rY3sliAS0aIwJAPvPPKY5HPld9RzAFc0T8FYmQtdhc /W6N/WSq/S2fHJxpI6vYde9am5EXJZDJkojKJnV8gFrd8GVc7GyEKKD3wwJBAJ0j UpYjFirJNBIwwp7XRdXJL2eRgpyhsZ/Vv/mgsgZ16UY3K51YUe1vJ1L3B7MmsigO 8VEAzd2NdpuXq+NC+csCQQCE1lxOvMG5WqQqoq0uzdxYgJMWzEeTqInCSCjgTzhr EneNpotX54keZ4DV/RoCiyB9fH2a5Azdn5BZvesu8Ji/ -----END RSA PRIVATE KEY-----
Certificate for a.example.com.
-----BEGIN CERTIFICATE----- MIIDKDCCApGgAwIBAgIBATANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJVUzET MBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNVBAoT BXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0 eTAeFw0wMzA3MjAyMDQ4MzRaFw0wNDA3MTkyMDQ4MzRaMF0xCzAJBgNVBAYTAlVT MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE ChMFc2lwaXQxFjAUBgNVBAMTDWEuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEB BQADgY0AMIGJAoGBANBefMrebLeKyXpAVfyUhfB1MRZXMZdICIfCG0Wmxr5tmTct B/rI9i3QROQOkF0rPJL4bHEpz7ufQCdlvcPCkOuq5Wr5ojwz9IM0XKByFBfBqo0E yzmDsHV0Y/W0gLr/YLoYQwi4Q2Ht7Geqw9H1Oo2v3h6HkrWMBYrRDbE0/RtTAgMB AAGjgeQwgeEwGAYDVR0RBBEwD4INYS5leGFtcGxlLmNvbTAJBgNVHRMEAjAAMB0G A1UdDgQWBBTRQ//VNy9mLk1uNNNd83dCdgT/tzCBmgYDVR0jBIGSMIGPgBRrRhcU 6pR2JYBUbhNU2qHjVBShtqF0pHIwcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh bGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcG A1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCAQAwDQYJKoZI hvcNAQEFBQADgYEAIVMSP3A3c21zqlGAqpbgQrkU7sNzn8eCmpW85T6kqWPPDj4r gi7Fvy20vp3PoWQ2pUTtk+yES06TLk4i08UZP5HIQllcljJQEciMazQrd5aHkGvL HRt0DfivNEzwSkuEEDHA87rDN+RDwj2x+q/OZ3OzyCa9VsqSvbQIoQ0QXDg= -----END CERTIFICATE-----
Private key for a.example.com.
-----BEGIN RSA PRIVATE KEY----- MIICWwIBAAKBgQDQXnzK3my3isl6QFX8lIXwdTEWVzGXSAiHwhtFpsa+bZk3LQf6 yPYt0ETkDpBdKzyS+GxxKc+7n0AnZb3DwpDrquVq+aI8M/SDNFygchQXwaqNBMs5 g7B1dGP1tIC6/2C6GEMIuENh7exnqsPR9TqNr94eh5K1jAWK0Q2xNP0bUwIDAQAB AoGALtyBLlLVmnWxGDht3i887DY/Auo7Me22VWnXHlQCsIMPiTQsbj9R9j23sJ6B 4yI9LkSGhvDDUkvfbrzX77XLR3zbrdtHuMZpQYB7eR0mLi1QPKf7zX4FFPdPfJek ufgq7IJPEh1tZYhKSGYJPAzZRQSAX/NOSKMhQLYiwaJ5bRECQQD6zRL/vPAhAJc7 O0DyFsTBdvFGzT2GlQdhhAw9fpMICsR7Ury7VRR5z57zUZVgJU2AkEqYTmZyxsBg NE0EcYurAkEA1LA9UMyvOw6aFVrwx6YBUt7L794aqky5HiyHHreC6VabkZYycnUN EpJtzWO2+rzPiL84snRM2dDmjeYyO5LG+QJAbb01xvjhCU+83In8zPDxfsWQpS5A 8ZZb+GtS/8VWiHpNprh5JG8B2priLg1QkxU/aDW6rhH/+dDFdFLuMDeOqQJAH1mK 8Cn7ej0AwT0SWJtDfq+QZ97ZF1kPwD7X+9MY3MQDUkZNUUmnj6E9xhR4mCTUgleN R+CUo1aDZU8VAGr2IQJAZcnfTUjSZ13K9ifREeaLRbvQbKnaRtDV5JH6oi9Aqixb 3l5MEAXHFjdxuS9fWjVrtAhj3R5imeFbFYl32enb3w== -----END RSA PRIVATE KEY-----
Certificate for b.example.com.
-----BEGIN CERTIFICATE----- MIIDKDCCApGgAwIBAgIBATANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJVUzET MBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNVBAoT BXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0 eTAeFw0wMzA3MjAyMDQ2MTZaFw0wNDA3MTkyMDQ2MTZaMF0xCzAJBgNVBAYTAlVT MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE ChMFc2lwaXQxFjAUBgNVBAMTDWIuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEB BQADgY0AMIGJAoGBAOKFGIl7Zyq4Z6yl+U5CWATYOq679ofEVy5deV8V+zJ7ALEQ ZBkq7T7ZGX+99Kq9lLXTGZ7yuIxWKNw9CG4pLRflsLvaKq/44pXOhy/anry/AJBT H0fGUn/2Dtyvy1cqexdGaduxYumz46p0a7zVZbzb6h0VKxsivHsjbnSfAWK5AgMB AAGjgeQwgeEwGAYDVR0RBBEwD4INYi5leGFtcGxlLmNvbTAJBgNVHRMEAjAAMB0G A1UdDgQWBBRijijbor95dRfhSPr+EGGiVu9jdDCBmgYDVR0jBIGSMIGPgBRrRhcU 6pR2JYBUbhNU2qHjVBShtqF0pHIwcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh bGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcG A1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCAQAwDQYJKoZI hvcNAQEFBQADgYEAV+ISZ9HK2RyOOI+D9GLCnFSxaX4yKdYUZ4FpxBGVB68ssGFn ahdtR+rtzUOr+6W4JYREm1lauJ8Su3rfe4Tv9z0cPzVLQQqRYkka5JIP1XkAATN9 3RzwHNyVlujU5VnYZDmAyggdpMS9Uv6DJO6CsjxTTVi1vy59WaPfeDgLdcQ= -----END CERTIFICATE-----
Private key for b.example.com.
-----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQDihRiJe2cquGespflOQlgE2Dquu/aHxFcuXXlfFfsyewCxEGQZ Ku0+2Rl/vfSqvZS10xme8riMVijcPQhuKS0X5bC72iqv+OKVzocv2p68vwCQUx9H xlJ/9g7cr8tXKnsXRmnbsWLps+OqdGu81WW82+odFSsbIrx7I250nwFiuQIDAQAB AoGAYkyP0VmT854Cn5GHFscDm1aaYKmA2noBu0UlHnZThByMuEn8pk9SlStxPVYZ jt6mYiExxSBfpcbeBHUX63ZC8oLD4/EaM8Yr5kCIG0yE/Up6KBstgj2oxRktBCtd /CZh4MV5eOedAk8+WKIeecFiRTWXLB/ebdvNipLwXQvVuuECQQD5AOU7Oq6xw+MW 5Bw2B/MwABEw+uG28CObpUiN1T6tAMk9mElHCNlankSVdmAdVoEdLcBWiyWcsebm KRFbepa3AkEA6OJ5UkMiU95snEmascO0wIz3odbwE7/zV998JkM5XCd/3z95xx7/ UNcBe6m3KpfZ9H0e97TvT3+KObdPR2PiDwJBAK4MWy6gYRWud6A7iCCYQ/sMQPf8 lSMbDbiwulsxcCLbRs8AEFBPtiXqNMRIPvyix5MOtL+JeZvimiPNFu3bbVcCQAKO EYSsheDjrM9eI1tV6VK/eSwGXqXo0jOhmQwWarevG0EIwj5EAcsSQMrphr/p4JNF GCThkEqP/KU7dJw05VMCQQDeny9hAo5oNGkGQx9oWn7RJWXt3+NfmjXJbYPdWqr9 M5rJ2zH5J2L5yk/hjbUwbpMMfS8i8qGc4wryOy4XFvzL -----END RSA PRIVATE KEY-----
This section contains base64 encoded versions of the SIP messages in this draft. They can be encoded and used as test vectors, and they contain all the correct CRLF sequences. A command like "openssl base64 -d -in foo.b64 -out foo" will convert the base64 data to a SIP message that contains everything after the UDP header. This can be used with a net cat program like nc to send test messages to programs.
The following is the base64 of the signed message.
TUVTU0FHRSBzaXA6Ym9iQGIuZXhhbXBsZS5jb20gU0lQLzIuMA0KVG86IDxzaXA6 Ym9iQGIuZXhhbXBsZS5jb20+DQpGcm9tOiA8c2lwOmFsaWNlQGEuZXhhbXBsZS5j b20+O3RhZz0xYjJmNTc2OQ0KVmlhOiBTSVAvMi4wL1VEUCAxMjcuMC4wLjE6NTA3 MDticmFuY2g9ejloRzRiSy1jODc1NDItNzMwMDc1NDA2LTEtLWM4NzU0Mi07cnBv cnQNCkNhbGwtSUQ6IDIyYjRmMjZkNmJlMjNhMGUNCkNTZXE6IDEgTUVTU0FHRQ0K Q29udGFjdDogPHNpcDphbGljZUBhLmV4YW1wbGUuY29tOjUwNzA+DQpNYXgtRm9y d2FyZHM6IDcwDQpDb250ZW50LVR5cGU6IG11bHRpcGFydC9zaWduZWQ7Ym91bmRh cnk9NjViNjU2M2Y1ZThlZjYzMjttaWNhbGc9c2hhMTtwcm90b2NvbD1hcHBsaWNh dGlvbi9wa2NzNy1zaWduYXR1cmUNClVzZXItQWdlbnQ6IFNJUGltcC5vcmcvMC4y LjIgKGN1cnNlcykNCkNvbnRlbnQtTGVuZ3RoOiAxNjUzDQoNCi0tNjViNjU2M2Y1 ZThlZjYzMg0KQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluDQpDb250ZW50LVRyYW5z ZmVyLUVuY29kaW5nOiBiaW5hcnkNCg0KSGkNCi0tNjViNjU2M2Y1ZThlZjYzMg0K Q29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9wa2NzNy1zaWduYXR1cmU7bmFtZT1z bWltZS5wN3MNCkNvbnRlbnQtRGlzcG9zaXRpb246IGF0dGFjaG1lbnQ7aGFuZGxp bmc9cmVxdWlyZWQ7ZmlsZW5hbWU9c21pbWUucDdzDQpDb250ZW50LVRyYW5zZmVy LUVuY29kaW5nOiBiaW5hcnkNCg0KMIIFSwYJKoZIhvcNAQcCoIIFPDCCBTgCAQEx CzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCAz4wggM6MIICo6ADAgECAgdVAYEC SQBzMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp Zm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UEChMFc2lwaXQxKTAnBgNV BAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAzMTAxNDIw MjQ1OVoXDTA2MTAxMzIwMjQ1OVowYzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh bGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEcMBoG A1UEAxQTYWxpY2VAYS5leGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw gYkCgYEAoYw/gUYHZ5v+xKL+8axvOOrIFH5JruQqzcL6BbvktjPXnETrJKcQOedb 75xEKqrTd1MDqm9AXJuF1xG0zYf0aWHEzUWTxKUgSQwMBYzaFErpjrgjE0U5zRlM vbzK10AqGtgzFgq4LS//WXme0Zj7qbIpqMif15plDIg/UjKq518CAwEAAaOB6jCB 5zAeBgNVHREEFzAVgRNhbGljZUBhLmV4YW1wbGUuY29tMAkGA1UdEwQCMAAwHQYD VR0OBBYEFPvBYLvWCgb7Xzy3lSsw3OZteAheMIGaBgNVHSMEgZIwgY+AFGtGFxTq lHYlgFRuE1TaoeNUFKG2oXSkcjBwMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs aWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNVBAoTBXNpcGl0MSkwJwYD VQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0eYIBADANBgkqhkiG 9w0BAQUFAAOBgQBfex+PEk9VKHhNqgTZtPcdkYgleGBdsvK5vZR+AmMzjhDZns/N VTIct1N4RLZ2l4ZySQ5/y28H0GjNO5G8bDbQLpOdvJ/bivpQ2BUit9PQ1lFWGhOv o0hsygux6XVMyogp8re6eNJgAhN4WxNkDjkmn06BaiIzlsncW7Neb7dTyDGCAdUw ggHRAgEBMHswcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAP BgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQg VGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkCB1UBgQJJAHMwCQYFKw4DAhoFAKCB sTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wMzEw MTUwMDA5MDdaMCMGCSqGSIb3DQEJBDEWBBRweIiRmownAI3QcTrAOjUZBJolPDBS BgkqhkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggq hkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEF AASBgBGmL7aacdLrQbLav67qW9vawNWCEjIVefaK8/QSMy+J+TQX6FCThi45uDwU MezrzxTroNCZhJPVf45inWrqG3h8SK2fIUBSbYdwdpb1QlMbbrygsb2Ea85mNVO/ upIk2YgSiz3Z796y2NV4sqB1go2rmVtLKPAWVrFoML86Wk6xDQotLTY1YjY1NjNm NWU4ZWY2MzItLQ==
The base64 of the response was:
U0lQLzIuMCAyMDAgT0sNClRvOiA8c2lwOmJvYkBiLmV4YW1wbGUuY29tPjt0YWc9 NmIxNjdlZDgNCkZyb206IDxzaXA6YWxpY2VAYS5leGFtcGxlLmNvbT47dGFnPTFi MmY1NzY5DQpWaWE6IFNJUC8yLjAvVURQIDEyNy4wLjAuMTo1MDcwO2JyYW5jaD16 OWhHNGJLLWM4NzU0Mi03MzAwNzU0MDYtMS0tYzg3NTQyLTtycG9ydD01MDcwO3Jl Y2VpdmVkPTEyNy4wLjAuMQ0KQ2FsbC1JRDogMjJiNGYyNmQ2YmUyM2EwZQ0KQ1Nl cTogMSBNRVNTQUdFDQpDb250YWN0OiA8c2lwOmJvYkBiLmV4YW1wbGUuY29tOjUw NjA+DQpDb250ZW50LUxlbmd0aDogMA0KDQo=
The following is the base64 of the encrypted message.
TUVTU0FHRSBzaXA6Ym9iQGIuZXhhbXBsZS5jb20gU0lQLzIuMA0KVG86IDxzaXA6 Ym9iQGIuZXhhbXBsZS5jb20+DQpGcm9tOiA8c2lwOmFsaWNlQGEuZXhhbXBsZS5j b20+O3RhZz00YmJhMWYwZA0KVmlhOiBTSVAvMi4wL1VEUCAxMjcuMC4wLjE6NTA3 MDticmFuY2g9ejloRzRiSy1jODc1NDItNTU4NDIyODM0LTEtLWM4NzU0Mi07cnBv cnQNCkNhbGwtSUQ6IDEzMmJiODk1MDE5ZDQ1MzYNCkNTZXE6IDEgTUVTU0FHRQ0K Q29udGFjdDogPHNpcDphbGljZUBhLmV4YW1wbGUuY29tOjUwNzA+DQpNYXgtRm9y d2FyZHM6IDcwDQpDb250ZW50LURpc3Bvc2l0aW9uOiBhdHRhY2htZW50O2hhbmRs aW5nPXJlcXVpcmVkO2ZpbGVuYW1lPXNtaW1lLnA3DQpDb250ZW50LVR5cGU6IGFw cGxpY2F0aW9uL3BrY3M3LW1pbWU7c21pbWUtdHlwZT1lbnZlbG9wZWQtZGF0YTtu YW1lPXNtaW1lLnA3bQ0KVXNlci1BZ2VudDogU0lQaW1wLm9yZy8wLjIuMiAoY3Vy c2VzKQ0KQ29udGVudC1MZW5ndGg6IDM4NQ0KDQowggF9BgkqhkiG9w0BBwOgggFu MIIBagIBADGCARYwggESAgEAMHswcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh bGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcG A1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkCB1UBgQJJAHIw DQYJKoZIhvcNAQEBBQAEgYCUvSKVQO7kymKOszSmBP8WBx1Q4Y/Lb9C52Lo5ze9+ mzthE+09Yf5iCzecZZ208jJ0LuXsfg81meW+RXxjLd9eoEKbcN2NmWVw3TU1GNck Ubr3lICk4pP10M3CH/+qVj/6CRVBvQJteCE7ANyWSd0hbFeu2aBfh1Uboea45yY2 qzBLBgkqhkiG9w0BBwEwFAYIKoZIhvcNAwcECJyyY8coGB9SgCiP8VFLHeq5gTx+ pr4tR390slx3dSBzPvDH9SyOWMELstFhlkedC+aL
The base64 of the response was:
U0lQLzIuMCAyMDAgT0sNClRvOiA8c2lwOmJvYkBiLmV4YW1wbGUuY29tPjt0YWc9 MzMwODA1ZjUNCkZyb206IDxzaXA6YWxpY2VAYS5leGFtcGxlLmNvbT47dGFnPTRi YmExZjBkDQpWaWE6IFNJUC8yLjAvVURQIDEyNy4wLjAuMTo1MDcwO2JyYW5jaD16 OWhHNGJLLWM4NzU0Mi01NTg0MjI4MzQtMS0tYzg3NTQyLTtycG9ydD01MDcwO3Jl Y2VpdmVkPTEyNy4wLjAuMQ0KQ2FsbC1JRDogMTMyYmI4OTUwMTlkNDUzNg0KQ1Nl cTogMSBNRVNTQUdFDQpDb250YWN0OiA8c2lwOmJvYkBiLmV4YW1wbGUuY29tOjUw NjA+DQpDb250ZW50LUxlbmd0aDogMA0KDQo=
The following is the base64 of the signed and encrypted message.
TUVTU0FHRSBzaXA6Ym9iQGIuZXhhbXBsZS5jb20gU0lQLzIuMA0KVG86IDxzaXA6 Ym9iQGIuZXhhbXBsZS5jb20+DQpGcm9tOiA8c2lwOmFsaWNlQGEuZXhhbXBsZS5j b20+O3RhZz0xZDg2NzNhMw0KVmlhOiBTSVAvMi4wL1VEUCAxMjcuMC4wLjE6NTA3 MDticmFuY2g9ejloRzRiSy1jODc1NDItNDg4ODg0MTA0LTEtLWM4NzU0Mi07cnBv cnQNCkNhbGwtSUQ6IDQ1MGM4YjExMjcxNWE3MzINCkNTZXE6IDEgTUVTU0FHRQ0K Q29udGFjdDogPHNpcDphbGljZUBhLmV4YW1wbGUuY29tOjUwNzA+DQpNYXgtRm9y d2FyZHM6IDcwDQpDb250ZW50LVR5cGU6IG11bHRpcGFydC9zaWduZWQ7Ym91bmRh cnk9NzViM2Q3M2I0ZTI0ZDNmNjttaWNhbGc9c2hhMTtwcm90b2NvbD1hcHBsaWNh dGlvbi9wa2NzNy1zaWduYXR1cmUNClVzZXItQWdlbnQ6IFNJUGltcC5vcmcvMC4y LjIgKGN1cnNlcykNCkNvbnRlbnQtTGVuZ3RoOiAyMTU4DQoNCi0tNzViM2Q3M2I0 ZTI0ZDNmNg0KQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9wa2NzNy1taW1lO3Nt aW1lLXR5cGU9ZW52ZWxvcGVkLWRhdGE7bmFtZT1zbWltZS5wN20NCkNvbnRlbnQt RGlzcG9zaXRpb246IGF0dGFjaG1lbnQ7aGFuZGxpbmc9cmVxdWlyZWQ7ZmlsZW5h bWU9c21pbWUucDcNCkNvbnRlbnQtVHJhbnNmZXItRW5jb2Rpbmc6IGJpbmFyeQ0K DQowggF9BgkqhkiG9w0BBwOgggFuMIIBagIBADGCARYwggESAgEAMHswcDELMAkG A1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3Nl MQ4wDAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0 ZSBBdXRob3JpdHkCB1UBgQJJAHIwDQYJKoZIhvcNAQEBBQAEgYBbH0sWpjlXVG3S OdYb8BXnJx/x/SiFhNbfvEUpPNgX5/CT+xtEoUvftXcHNb7BIUP1l52lXq0fyxRU TLxgGY2uAaMsWxJkQ2JwcZKlpIg/w+llcKxr3iLhAnZ5g68TTDOQbET8Xr77NiIh uOufuTthKvUQ6H/NDNbd6wY5Tlrl5zBLBgkqhkiG9w0BBwEwFAYIKoZIhvcNAwcE CK6ldx+VV8mYgCgzKJcCCnt7e8ToqY/Id+dfAm81r/zVDZRTMP+cpiUplPmlDolL e47xDQotLTc1YjNkNzNiNGUyNGQzZjYNCkNvbnRlbnQtVHlwZTogYXBwbGljYXRp b24vcGtjczctc2lnbmF0dXJlO25hbWU9c21pbWUucDdzDQpDb250ZW50LURpc3Bv c2l0aW9uOiBhdHRhY2htZW50O2hhbmRsaW5nPXJlcXVpcmVkO2ZpbGVuYW1lPXNt aW1lLnA3cw0KQ29udGVudC1UcmFuc2Zlci1FbmNvZGluZzogYmluYXJ5DQoNCjCC BUsGCSqGSIb3DQEHAqCCBTwwggU4AgEBMQswCQYFKw4DAhoFADALBgkqhkiG9w0B BwGgggM+MIIDOjCCAqOgAwIBAgIHVQGBAkkAczANBgkqhkiG9w0BAQUFADBwMQsw CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv c2UxDjAMBgNVBAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmlj YXRlIEF1dGhvcml0eTAeFw0wMzEwMTQyMDI0NTlaFw0wNjEwMTMyMDI0NTlaMGMx CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4g Sm9zZTEOMAwGA1UEChMFc2lwaXQxHDAaBgNVBAMUE2FsaWNlQGEuZXhhbXBsZS5j b20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKGMP4FGB2eb/sSi/vGsbzjq yBR+Sa7kKs3C+gW75LYz15xE6ySnEDnnW++cRCqq03dTA6pvQFybhdcRtM2H9Glh xM1Fk8SlIEkMDAWM2hRK6Y64IxNFOc0ZTL28ytdAKhrYMxYKuC0v/1l5ntGY+6my KajIn9eaZQyIP1IyqudfAgMBAAGjgeowgecwHgYDVR0RBBcwFYETYWxpY2VAYS5l eGFtcGxlLmNvbTAJBgNVHRMEAjAAMB0GA1UdDgQWBBT7wWC71goG+188t5UrMNzm bXgIXjCBmgYDVR0jBIGSMIGPgBRrRhcU6pR2JYBUbhNU2qHjVBShtqF0pHIwcDEL MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBK b3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZp Y2F0ZSBBdXRob3JpdHmCAQAwDQYJKoZIhvcNAQEFBQADgYEAX3sfjxJPVSh4TaoE 2bT3HZGIJXhgXbLyub2UfgJjM44Q2Z7PzVUyHLdTeES2dpeGckkOf8tvB9BozTuR vGw20C6Tnbyf24r6UNgVIrfT0NZRVhoTr6NIbMoLsel1TMqIKfK3unjSYAITeFsT ZA45Jp9OgWoiM5bJ3FuzXm+3U8gxggHVMIIB0QIBATB7MHAxCzAJBgNVBAYTAlVT MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE ChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9y aXR5AgdVAYECSQBzMAkGBSsOAwIaBQCggbEwGAYJKoZIhvcNAQkDMQsGCSqGSIb3 DQEHATAcBgkqhkiG9w0BCQUxDxcNMDMxMDE1MDAwOTIyWjAjBgkqhkiG9w0BCQQx FgQUFLTFVme+Oh3uIw7w3GTqTnmdRLAwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG 9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYI KoZIhvcNAwICASgwDQYJKoZIhvcNAQEBBQAEgYAoI2BmK6Iv3cbIFJSCkgxQC0f9 yvYT9E0c9MEj1eSEMyG+0iFcxzxmvsnNNVRYub13SU2fPmlHAPWLm80reOWuXbKR kJinPgs3bbwWBH+xSzmLSiYAWXK/ZlVZtlQcJWL9bQ6DOy7HmaqbthMe007HUR8j pwqyKeskUIz9kzQ5bA0KLS03NWIzZDczYjRlMjRkM2Y2LS0=
The base64 of the response was:
U0lQLzIuMCAyMDAgT0sNClRvOiA8c2lwOmJvYkBiLmV4YW1wbGUuY29tPjt0YWc9 NDBkNzEzMWINCkZyb206IDxzaXA6YWxpY2VAYS5leGFtcGxlLmNvbT47dGFnPTFk ODY3M2EzDQpWaWE6IFNJUC8yLjAvVURQIDEyNy4wLjAuMTo1MDcwO2JyYW5jaD16 OWhHNGJLLWM4NzU0Mi00ODg4ODQxMDQtMS0tYzg3NTQyLTtycG9ydD01MDcwO3Jl Y2VpdmVkPTEyNy4wLjAuMQ0KQ2FsbC1JRDogNDUwYzhiMTEyNzE1YTczMg0KQ1Nl cTogMSBNRVNTQUdFDQpDb250YWN0OiA8c2lwOmJvYkBiLmV4YW1wbGUuY29tOjUw NjA+DQpDb250ZW50LUxlbmd0aDogMA0KDQo=
Is the encrypted and signed example in this draft correct with respect to what the signature in a detached signature is computed over?
The examples here attach the sender's certificates - is this how we want to go? Need more text on when or should or should not do this.
Need to added Accept with multipart to all examples. Might also want to request congestion safety on all of them.
The examples here attach the sender's certificates - is that how we want to go? Need more text on when or should or should not do this.
Examples showing keywrap stuff.
Would be nice to add an example showing encrypted SDP with SRTP key examples.
Would be nice to add an example showing securing a REFER.
Many thanks to the developers of all the open source software used to create these call flows. This includes the underling crypto and TLS software used from openssl.org, the SIP stack from www.resiprocate.org, and the SIMPLE IMPP agent from www.sipimp.org. The TLS flow dumps were done with SSLDump from http://www.rtfm.com/ssldump. The book SSL and TLS [9] was a huge help in developing the code for these flows and is a great resource for anyone trying to implement TLS with SIP.
Thanks to Dan Wing and Robert Sparks for catching many silly mistakes and Tat Chan who caught a key problem in what the signature was being computed over.
| [1] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
| [2] | Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M. and Schooler, E., "SIP: Session Initiation Protocol", RFC 3261, June 2002. |
| [3] | Housley, R., Polk, W., Ford, W. and Solo, D., "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002. |
| [4] | Dusse, S., Hoffman, P., Ramsdell, B., Lundblade, L. and Repka, L., "S/MIME Version 2 Message Specification", RFC 2311, March 1998. |
| [5] | Dierks, T., Allen, C., Treese, W., Karlton, P.L., Freier, A.O. and Kocher, P.C., "The TLS Protocol Version 1.0", RFC 2246, January 1999. |
| [6] | Chown, P., "Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS)", RFC 3268, June 2002. |
| [7] | Ramsdell, B, "S/MIME Version 3.1 Message Specification", Internet-Draft draft-ietf-smime-rfc2633bis-03, January 2003. |
| [8] | Campbell, B., Rosenberg, J., Schulzrinne, H., Huitema, C. and Gurle, D., "Session Initiation Protocol (SIP) Extension for Instant Messaging", RFC 3428, December 2002. |
| [9] | Rescorla, E.K., "SSL and TLS - Designing and Building Secure Systems", 2001. |
| Cullen Jennings | |
| Cisco Systems | |
| 170 West Tasman Drive Mailstop SJC-21/2 |
|
| San Jose, CA 95134 | |
| USA | |
| Phone: | +1 408 902-3341 |
| EMail: | fluffy@cisco.com |
Copyright (C) The Internet Society (2004). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Funding for the RFC editor function is currently provided by the Internet Society.