Network Working Group | C. Jennings |
INTERNET DRAFT | Cisco Systems |
<draft-jennings-sip-sec-flows-01> | February 2004 |
Category: Standards Track | |
Expires: August 2004 |
This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress".
The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
This Internet-Draft will expire in August 2004.
Copyright (C) The Internet Society (2004). All Rights Reserved.
This document shows call flows demonstrating the use of SIPS, TLS, and S/MIME in SIP. This draft provides information that helps implementers build interoperable SIP software. It is purely informational. To help facilitate interoperability testing, it includes certificates used in the example call flows and a CA certificate to create certificates for testing.
Warning - this is a very early draft of this document. The call flows in it have not been verified against multiple versions of the software and have reasonable odds of being wrong. Some known deficiencies with the draft are documented in section 4.
This work is being discussed on the sip@ietf.org mailing list.
1
Conventions
2
Introduction
3
Security Considerations
4
Known Problems
5
CA Certificates
6
Host Certificate
7
Callflow with Message over TLS
8
Callflow with TLS with Mutual Authentication
9
User Certificates
10
Callflow with Signed Message
11
Callflow with Encrypted Message
12
Callflow with Signed and Encrypted Message
13
Callflow with SRTP keying material in the SDP
14
Callflow with Secure REFER
15
Test Notes
16
Making Test Certificates
17
makeCA script
18
makeCert script
19
Certificates for Testing
20
Message Dumps
21
Open Issues
22
Still To Do
23
Acknowledgments
§
Normative References
§
Informative References
§
Author's Address
§
Full Copyright Statement
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 [1].
Several different groups are starting to implement the S/MIME portion of SIP. Over the last several interoperability events, it has become clear that it is difficult to write these systems without any test vectors or examples of "known good" messages to test against. Furthermore, testing at the events is often hampered by trying to get certificates signed by some common test root into the appropriate format for various clients. This document addresses both of these issues by providing detailed messages that give detailed examples that implemetors can use for comparison and that can also be used for testing. In addition, this document provides a common certificate that can be used for a CA to reduce the time it takes to set up a test at an interoperability event. The document also provides some hints and clarifications for implementers.
A simple SIP call flow using SIPS and TLS is shown in section 7. The certificates for the hosts used are shown in section 6 and the CA certificates used to sign these are shown in section 5.
The text from section 10 through section 12 shows some simple SIP call flows using S/MIME to sign and encrypt the body of the message. The user certificates used in these examples are shown in section 9 and are signed with the same CA certs.
A way to make certificates that can be used for interoperability testing is presented in section 16, along with methods for converting these to various formats.
In section 15, a partial list of things implementers should check that they do in order to implement a secure system is presented.
Binary copies of various messages in this draft that can be used for testing appear in section 20.
Implementers must never use any of the certificates provided in this document in anything but a test environment. Installing the CA root certificates used in this document as a trusted root in operational software would completely destroy the security of the system while giving the user the impression that the system was operating securely.
This document recommends some things that implementers might test or verify to improve the security of their implementations. It is impossible to make a comprehensive list of these, and this document only suggests some of the most common mistakes that have been seen at the SIPit interoperability events. Just because an implementation does everything this document recommends does not make it secure.
The S/MIME examples use 3DES, but AES is preferred.
This section lists known problems, deficencies, and mistakes in examples in this draft.
The certificate used by the CA to sign the other certificates is shown below. This is a X509v3 certificate. Note that the basic constraints allow it to be used as a CA.
Version: 3 (0x2) Serial Number: 0 (0x0) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=California, L=San Jose, O=sipit, OU=Sipit Test Certificate Authority Validity Not Before: Jul 18 12:21:52 2003 GMT Not After : Jul 15 12:21:52 2013 GMT Subject: C=US, ST=California, L=San Jose, O=sipit, OU=Sipit Test Certificate Authority Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:c3:22:1e:83:91:c5:03:2c:3c:8a:f4:11:14:c6: 4b:9d:fa:72:78:c6:b0:95:18:a7:e0:8c:79:ba:5d: a4:ae:1e:21:2d:9d:f1:0b:1c:cf:bd:5b:29:b3:90: 13:73:66:92:6e:df:4c:b3:b3:1c:1f:2a:82:0a:ba: 07:4d:52:b0:f8:37:7b:e2:0a:27:30:70:dd:f9:2e: 03:ff:2a:76:cd:df:87:1a:bd:71:eb:e1:99:6a:c4: 7f:8e:74:a0:77:85:04:e9:41:ad:fc:03:b6:17:75: aa:33:ea:0a:16:d9:fb:79:32:2e:f8:cf:4d:c6:34: a3:ff:1b:d0:68:28:e1:9d:e5 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 6B:46:17:14:EA:94:76:25:80:54:6E:13:54:DA:A1:E3:54:14:A1:B6 X509v3 Authority Key Identifier: 6B:46:17:14:EA:94:76:25:80:54:6E:13:54:DA:A1:E3:54:14:A1:B6 DirName:/C=US/ST=California/L=San Jose/O=sipit/ OU=Sipit Test Certificate Authority serial:00 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption 96:6d:1b:ef:d5:91:93:45:7c:5b:1f:cf:c4:aa:47:52:0b:34: a8:50:fa:ec:fa:b4:2a:47:4c:5d:41:a7:3d:c0:d6:3f:9e:56: 5b:91:1d:ce:a8:07:b3:1b:a4:9f:9a:49:6f:7f:e0:ce:83:94: 71:42:af:fe:63:a2:34:dc:b4:5e:a5:ce:ca:79:50:e9:6a:99: 4c:14:69:e9:7c:ab:22:6c:44:cc:8a:9c:33:6b:23:50:42:05: 1f:e1:c2:81:88:5f:ba:e5:47:bb:85:9b:83:25:ad:84:32:ff: 2a:5b:8b:70:12:11:83:61:c9:69:15:4f:58:a3:3c:92:d4:e8: 6f:52
The ASN.1 parse of the CA certificate is shown below.
0:l= 804 cons: SEQUENCE 4:l= 653 cons: SEQUENCE 8:l= 3 cons: cont [ 0 ] 10:l= 1 prim: INTEGER :02 13:l= 1 prim: INTEGER :00 16:l= 13 cons: SEQUENCE 18:l= 9 prim: OBJECT :sha1WithRSAEncryption 29:l= 0 prim: NULL 31:l= 112 cons: SEQUENCE 33:l= 11 cons: SET 35:l= 9 cons: SEQUENCE 37:l= 3 prim: OBJECT :countryName 42:l= 2 prim: PRINTABLESTRING :US 46:l= 19 cons: SET 48:l= 17 cons: SEQUENCE 50:l= 3 prim: OBJECT :stateOrProvinceName 55:l= 10 prim: PRINTABLESTRING :California 67:l= 17 cons: SET 69:l= 15 cons: SEQUENCE 71:l= 3 prim: OBJECT :localityName 76:l= 8 prim: PRINTABLESTRING :San Jose 86:l= 14 cons: SET 88:l= 12 cons: SEQUENCE 90:l= 3 prim: OBJECT :organizationName 95:l= 5 prim: PRINTABLESTRING :sipit 102:l= 41 cons: SET 104:l= 39 cons: SEQUENCE 106:l= 3 prim: OBJECT :organizationalUnitName 111:l= 32 prim: PRINTABLESTRING : Sipit Test Certificate Authority 145:l= 30 cons: SEQUENCE 147:l= 13 prim: UTCTIME :030718122152Z 162:l= 13 prim: UTCTIME :130715122152Z 177:l= 112 cons: SEQUENCE 179:l= 11 cons: SET 181:l= 9 cons: SEQUENCE 183:l= 3 prim: OBJECT :countryName 188:l= 2 prim: PRINTABLESTRING :US 192:l= 19 cons: SET 194:l= 17 cons: SEQUENCE 196:l= 3 prim: OBJECT :stateOrProvinceName 201:l= 10 prim: PRINTABLESTRING :California 213:l= 17 cons: SET 215:l= 15 cons: SEQUENCE 217:l= 3 prim: OBJECT :localityName 222:l= 8 prim: PRINTABLESTRING :San Jose 232:l= 14 cons: SET 234:l= 12 cons: SEQUENCE 236:l= 3 prim: OBJECT :organizationName 241:l= 5 prim: PRINTABLESTRING :sipit 248:l= 41 cons: SET 250:l= 39 cons: SEQUENCE 252:l= 3 prim: OBJECT :organizationalUnitName 257:l= 32 prim: PRINTABLESTRING : Sipit Test Certificate Authority 291:l= 159 cons: SEQUENCE 294:l= 13 cons: SEQUENCE 296:l= 9 prim: OBJECT :rsaEncryption 307:l= 0 prim: NULL 309:l= 141 prim: BIT STRING 00 30 81 89 02 81 81 00-c3 22 1e 83 91 c5 03 2c .0......."....., 3c 8a f4 11 14 c6 4b 9d-fa 72 78 c6 b0 95 18 a7 <.....K..rx..... e0 8c 79 ba 5d a4 ae 1e-21 2d 9d f1 0b 1c cf bd ..y.]...!-...... 5b 29 b3 90 13 73 66 92-6e df 4c b3 b3 1c 1f 2a [)...sf.n.L....* 82 0a ba 07 4d 52 b0 f8-37 7b e2 0a 27 30 70 dd ....MR..7{..'0p. f9 2e 03 ff 2a 76 cd df-87 1a bd 71 eb e1 99 6a ....*v.....q...j c4 7f 8e 74 a0 77 85 04-e9 41 ad fc 03 b6 17 75 ...t.w...A.....u aa 33 ea 0a 16 d9 fb 79-32 2e f8 cf 4d c6 34 a3 .3.....y2...M.4. ff 1b d0 68 28 e1 9d e5-02 03 01 00 01 ...h(........ 453:l= 205 cons: cont [ 3 ] 456:l= 202 cons: SEQUENCE 459:l= 29 cons: SEQUENCE 461:l= 3 prim: OBJECT :X509v3 Subject Key Identifier 466:l= 22 prim: OCTET STRING 04 14 6b 46 17 14 ea 94-76 25 80 54 6e 13 54 da ..kF....v%.Tn.T. a1 e3 54 14 a1 b6 ..T... 490:l= 154 cons: SEQUENCE 493:l= 3 prim: OBJECT :X509v3 Authority Key Identifier 498:l= 146 prim: OCTET STRING 30 81 8f 80 14 6b 46 17-14 ea 94 76 25 80 54 6e 0....kF....v%.Tn 13 54 da a1 e3 54 14 a1-b6 a1 74 a4 72 30 70 31 .T...T....t.r0p1 0b 30 09 06 03 55 04 06-13 02 55 53 31 13 30 11 .0...U....US1.0. 06 03 55 04 08 13 0a 43-61 6c 69 66 6f 72 6e 69 ..U....Californi 61 31 11 30 0f 06 03 55-04 07 13 08 53 61 6e 20 a1.0...U....San 4a 6f 73 65 31 0e 30 0c-06 03 55 04 0a 13 05 73 Jose1.0...U....s 69 70 69 74 31 29 30 27-06 03 55 04 0b 13 20 53 ipit1)0'..U... S 69 70 69 74 20 54 65 73-74 20 43 65 72 74 69 66 ipit Test Certif 69 63 61 74 65 20 41 75-74 68 6f 72 69 74 79 82 icate Authority. 01 . 0092 - <SPACES/NULS> 647:l= 12 cons: SEQUENCE 649:l= 3 prim: OBJECT :X509v3 Basic Constraints 654:l= 5 prim: OCTET STRING 30 03 01 01 ff 0.... 661:l= 13 cons: SEQUENCE 663:l= 9 prim: OBJECT :sha1WithRSAEncryption 674:l= 0 prim: NULL 676:l= 129 prim: BIT STRING 00 96 6d 1b ef d5 91 93-45 7c 5b 1f cf c4 aa 47 ..m.....E|[....G 52 0b 34 a8 50 fa ec fa-b4 2a 47 4c 5d 41 a7 3d R.4.P....*GL]A.= c0 d6 3f 9e 56 5b 91 1d-ce a8 07 b3 1b a4 9f 9a ..?.V[.......... 49 6f 7f e0 ce 83 94 71-42 af fe 63 a2 34 dc b4 Io.....qB..c.4.. 5e a5 ce ca 79 50 e9 6a-99 4c 14 69 e9 7c ab 22 ^...yP.j.L.i.|." 6c 44 cc 8a 9c 33 6b 23-50 42 05 1f e1 c2 81 88 lD...3k#PB...... 5f ba e5 47 bb 85 9b 83-25 ad 84 32 ff 2a 5b 8b _..G....%..2.*[. 70 12 11 83 61 c9 69 15-4f 58 a3 3c 92 d4 e8 6f p...a.i.OX.<...o 52 R
The certificate for the host b.example.com is shown below. Note that the Subject Alternative Name is set to b.example.com and is a DNS type.
Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=California, L=San Jose, O=sipit, OU=Sipit Test Certificate Authority Validity Not Before: Jul 20 20:46:16 2003 GMT Not After : Jul 19 20:46:16 2004 GMT Subject: C=US, ST=California, L=San Jose, O=sipit, CN=b.example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:e2:85:18:89:7b:67:2a:b8:67:ac:a5:f9:4e:42: 58:04:d8:3a:ae:bb:f6:87:c4:57:2e:5d:79:5f:15: fb:32:7b:00:b1:10:64:19:2a:ed:3e:d9:19:7f:bd: f4:aa:bd:94:b5:d3:19:9e:f2:b8:8c:56:28:dc:3d: 08:6e:29:2d:17:e5:b0:bb:da:2a:af:f8:e2:95:ce: 87:2f:da:9e:bc:bf:00:90:53:1f:47:c6:52:7f:f6: 0e:dc:af:cb:57:2a:7b:17:46:69:db:b1:62:e9:b3: e3:aa:74:6b:bc:d5:65:bc:db:ea:1d:15:2b:1b:22: bc:7b:23:6e:74:9f:01:62:b9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: DNS:b.example.com X509v3 Basic Constraints: CA:FALSE X509v3 Subject Key Identifier: 62:8E:28:DB:A2:BF:79:75:17:E1:48 FA:FE:10:61:A2:56:EF:63:74 X509v3 Authority Key Identifier: keyid:6B:46:17:14:EA:94:76:25:80:54:6E 13:54:DA:A1:E3:54:14:A1:B6 DirName:/C=US/ST=California/L=San Jose/O=sipit/ OU=Sipit Test Certificate Authority serial:00 Signature Algorithm: sha1WithRSAEncryption 57:e2:12:67:d1:ca:d9:1c:8e:38:8f:83:f4:62:c2:9c:54:b1: 69:7e:32:29:d6:14:67:81:69:c4:11:95:07:af:2c:b0:61:67: 6a:17:6d:47:ea:ed:cd:43:ab:fb:a5:b8:25:84:44:9b:59:5a: b8:9f:12:bb:7a:df:7b:84:ef:f7:3d:1c:3f:35:4b:41:0a:91: 62:49:1a:e4:92:0f:d5:79:00:01:33:7d:dd:1c:f0:1c:dc:95: 96:e8:d4:e5:59:d8:64:39:80:ca:08:1d:a4:c4:bd:52:fe:83: 24:ee:82:b2:3c:53:4d:58:b5:bf:2e:7d:59:a3:df:78:38:0b: 75:c4
The flow below shows the edited SSLDump output of the host a.example.com forming a TLS connection to b.example.com. In this example mutual authentication is not used. Note that the client proposed three protocol suites including the required TLS_RSA_WITH_AES_128_CBC_SHA. The certificate returned by the server contains a Subject Alternative Name that is set to b.example.com. A detailed discussion of TLS can be found in [9].
New TCP connection #1: a.example.com(5071) <-> b.example.com(5081) 1 1 0.0015 (0.0015) C>SV3.1(49) Handshake ClientHello Version 3.1 random[32]= 3f 1d 41 76 31 6f af f1 42 fa 7b 57 c7 79 49 2b d4 21 9c be e9 8b 85 83 56 4b 36 cb f2 99 ef b2 cipher suites TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA compression methods NULL 1 2 0.4307 (0.4292) S>CV3.1(74) Handshake ServerHello Version 3.1 random[32]= 3f 1d 41 77 92 f5 55 a3 97 69 cf b5 7a 0a 3c 00 bc 0c 59 91 1c 6b 2b 4a 0e 98 40 21 a9 b5 4b 6f session_id[32]= 10 3c 8c aa 75 d8 62 0b c3 5b ad 24 c1 7f 4f 80 25 b7 1c 40 a3 3c e1 85 0d b5 29 d3 15 40 51 d3 cipherSuite TLS_RSA_WITH_AES_256_CBC_SHA compressionMethod NULL 1 3 0.4307 (0.0000) S>CV3.1(822) Handshake Certificate Subject C=US ST=California L=San Jose O=sipit CN=b.example.com Issuer C=US ST=California L=San Jose O=sipit OU=Sipit Test Certificate Authority Serial 01 Extensions Extension: X509v3 Subject Alternative Name Extension: X509v3 Basic Constraints Extension: X509v3 Subject Key Identifier Extension: X509v3 Authority Key Identifier 1 4 0.4307 (0.0000) S>CV3.1(4) Handshake ServerHelloDone 1 5 0.4594 (0.0286) C>SV3.1(134) Handshake ClientKeyExchange 1 6 0.5498 (0.0903) C>SV3.1(1) ChangeCipherSpec 1 7 0.5498 (0.0000) C>SV3.1(48) Handshake 1 8 0.5505 (0.0007) S>CV3.1(1) ChangeCipherSpec 1 9 0.5505 (0.0000) S>CV3.1(48) Handshake
Once the TLS session is set up, the following MESSAGE message is sent from a.example.com to b.example.com. Note that the URI has a SIPS URL and that the VIA indicates that TLS was used.
MESSAGE sips:bob@b.example.com:5081 SIP/2.0 To: <sips:bob@b.example.com:5081> From: <sip:alice@example.com>;tag=2639484b Via: SIP/2.0/TLS b.example.com:5071; branch=z9hG4bK-c87542-240491824-1-c87542- Call-ID: 7ba3572175b0f542 CSeq: 1 MESSAGE Contact: <sips:alice@a.example.com:5071> Max-Forwards: 70 Content-Type: text/plain User-Agent: SIPimp.org/0.2.1 (curses) Content-Length: 2 Hi
The response is sent from b.example.com to a.example.com over the same TLS connections. It is shown below.
SIP/2.0 200 OK To: <sips:bob@b.example.com:5081>;tag=514db9e7 From: <sip:alice@example.com>;tag=2639484b Via: SIP/2.0/UDP b.example.com; branch=z9hG4bK-c87542-240491824-1-c87542-;received=127.0.0.1 Call-ID: 7ba3572175b0f542 CSeq: 1 MESSAGE Contact: <sips:bob@b.example.com:5081> Content-Length: 0
Alice's certificate is shown below. Note that it has a Subject Alternative Name of type email and is set to alice@a.example.com. In this example a.example.com is the domain for Alice, the message could be coming from a host called host1.a.example.com, and the AOR in the user certificate would still be the same.
Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=California, L=San Jose, O=sipit, OU=Sipit Test Certificate Authority Validity Not Before: Jul 20 14:29:54 2003 GMT Not After : Jul 19 14:29:54 2004 GMT Subject: C=US, ST=California, L=San Jose, O=sipit, CN=alice@a.example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:f0:9f:91:9a:6d:6f:81:b9:9d:67:db:5f:be:95: 3a:29:8a:cc:73:dd:b9:7a:33:c8:f9:52:dd:99:13: 04:2b:f1:9b:c2:f5:93:72:7a:9b:e1:97:fc:c2:d2: 96:d0:76:db:b5:0e:47:b1:59:74:59:5b:b0:73:ad: c8:64:bd:59:1c:67:1a:82:2f:c2:cf:53:87:d3:2b: 5a:dc:e6:3c:8c:27:a0:ab:6e:7f:4d:86:dd:2b:9b: e3:69:3b:f0:aa:1b:ad:f2:ab:1e:44:46:b2:8a:ab: 85:2c:81:13:03:98:06:65:57:0c:ff:c3:4f:02:cb: ed:79:e5:81:19:c7:02:e2:1b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: email:alice@a.example.com X509v3 Basic Constraints: CA:FALSE X509v3 Subject Key Identifier: DE:0C:46:FC:B7:4C:CE:6B:73:99:22:C2:3D:A9:DE:53:EC:BF:69:66 X509v3 Authority Key Identifier: keyid:6B:46:17:14:EA:94:76:25:80:54:6E:13:54:DA:A1:E3:54:14:A1:B6 DirName:/C=US/ST=California/L=San Jose/O=sipit/ OU=Sipit Test Certificate Authority serial:00 Signature Algorithm: sha1WithRSAEncryption 95:2c:fb:26:83:35:4a:3c:da:20:be:74:1a:1f:80:7f:27:61: dc:27:f1:a9:7b:2e:a7:24:31:1f:f7:c9:77:cd:0f:bf:02:9b: 8d:d5:35:42:6d:90:60:30:4c:6b:f4:7f:11:4d:a0:3f:1e:9c: d2:2b:e0:4b:4f:fc:fa:37:43:68:e2:d8:32:29:bd:6e:22:e6: ef:0e:97:b0:d9:92:49:ae:46:95:38:ab:a5:11:de:fa:dc:1b: ae:30:6b:48:2c:a3:c5:26:71:a6:23:58:a2:d2:57:4a:b1:ae: d8:45:c6:9a:71:8b:01:e9:ac:95:5e:9a:2c:67:ae:c3:5d:2b: 7c:9d
Alice's private key is shown below.
0: 604 cons: SEQUENCE 4: 1 prim: INTEGER :00 7: 129 prim: INTEGER : F09F919A6D6F81B99D67DB5FBE953A298ACC73DDB97A33C8F952DD9913042BF19B C2F593727A9BE197FCC2D296D076DBB50E47B15974595BB073ADC864BD591C671A 822FC2CF5387D32B5ADCE63C8C27A0AB6E7F4D86DD2B9BE3693BF0AA1BADF2AB1E 4446B28AAB852C811303980665570CFFC34F02CBED79E58119C702E21B 139: 3 prim: INTEGER :010001 144: 128 prim: INTEGER : 4764C0F9D5E090D7F6E91AC0E4B638249D471E55BA3394EBDB7607C3E44D87904F 4BE03B586B229723D65E23C795A0BE7D90F81A99D518B248BF79DF8C6C55E4B135 6249D82F9B18C37525FA05D3562399E4912BC902FA92CF12D7AE653C3C0D851A4B B3DF35E8722006460FC076E02D012D3CF233D1934100FEC7EAC72DE989 275: 65 prim: INTEGER : FA5A76D62011E3A219B4D89CF2A392FF57A55BC4E1092EC67030E31ABEDC591485 C284250BC0195C33A92920B340B2636EBB880C3DC6E2748A6045A07FCC2E97 342: 65 prim: INTEGER : F60CEC61DB985C1AE0F927E831AADA2E1DF889D135E91A49B662B8094CF140075A 9C782DF6A28F538D2C51CC4910CB02B159894FB597D17A3FB69DDD37099D1D 409: 64 prim: INTEGER : 53E735A495A2E9334E823986801B2A0CC186FDB681E4DDF44B6D56EF83BFBD6B0F 591D887CE3A89C2A042B707622DCA64E5A33424701FCAB2A2511B0B4A3ED89 475: 65 prim: INTEGER : CBD8F91E39E888A65C2D103AF6AB2E07771D2A5101F115AE6C446D64873278719F 4872E8E1A4DC49C4742B70AC3815792DA598754965764F69E9C9F03460EAA1 542: 64 prim: INTEGER : 021CFC8DEC23F4B82BE937CD45B819AE8C5777BFF14C74F719FFBBF3EB567A563A 9B2256EC3563E764B269DC34BFEC772BE443484D974B8FF07C52D9BF95DC24
Bob's certificate is shown below. Bob is in the domain b.example.com.
Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=California, L=San Jose, O=sipit, OU=Sipit Test Certificate Authority Validity Not Before: Jul 20 14:30:06 2003 GMT Not After : Jul 19 14:30:06 2004 GMT Subject: C=US, ST=California, L=San Jose, O=sipit, CN=bob@b.example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b0:ef:02:43:fd:59:28:0b:d3:59:ff:e6:66:3a: a7:30:b0:e5:11:54:c0:d7:e9:8a:51:a7:2b:30:94: 98:ef:bb:f9:8a:95:a6:ca:5e:e3:7a:af:a2:2a:f9: b4:5e:b0:8a:e1:ab:0d:c4:67:9b:2f:10:b1:c8:71: 28:0b:0d:36:75:46:30:f9:17:39:d0:c8:e2:14:ac: ec:bb:ba:3d:d1:a7:50:13:83:3e:d3:75:67:87:ef: 36:a5:5d:b3:23:71:29:15:94:e8:50:3c:f8:7b:a7: 0c:ce:f0:be:92:6b:d8:03:c3:e6:fb:25:78:ea:5c: 18:76:36:06:ba:2e:78:cf:3d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: email:bob@b.example.com X509v3 Basic Constraints: CA:FALSE X509v3 Subject Key Identifier: B5:B2:6C:07:9B:79:19:9B:64:FB:9F:37:F7:7A:60:BC:1D:40:25:DA X509v3 Authority Key Identifier: keyid:6B:46:17:14:EA:94:76:25:80:54:6E:13:54:DA:A1:E3:54:14:A1:B6 DirName:/C=US/ST=California/L=San Jose/O=sipit/ OU=Sipit Test Certificate Authority serial:00 Signature Algorithm: sha1WithRSAEncryption 9c:99:39:e7:19:59:96:06:46:74:b5:b7:98:1a:cc:f5:a3:e6: 55:6c:3c:e9:b0:7a:a3:0a:1a:ea:32:c9:51:e5:da:7e:ac:24: 1b:cb:b4:7d:ae:b5:70:ba:26:0f:34:81:d6:7d:e5:c6:76:11: 44:7f:26:90:ff:0a:9f:6a:8e:d2:f8:34:7b:7d:21:66:53:9d: 1b:1c:74:d5:72:95:8d:76:fe:68:88:f2:c4:79:d2:df:d0:7a: 4e:6c:e7:2d:f0:1f:7e:03:7a:14:21:56:6c:f0:cb:04:c8:c2: 63:0d:24:52:1f:e4:b8:aa:21:65:0f:75:e3:76:9b:35:48:0f: b4:ab
Bob's private key is shown below.
0: 605 cons: SEQUENCE 4: 1 prim: INTEGER :00 7: 129 prim: INTEGER : B0EF0243FD59280BD359FFE6663AA730B0E51154C0D7E98A51A72B309498EFBBF9 8A95A6CA5EE37AAFA22AF9B45EB08AE1AB0DC4679B2F10B1C871280B0D36754630 F91739D0C8E214ACECBBBA3DD1A75013833ED3756787EF36A55DB32371291594E8 503CF87BA70CCEF0BE926BD803C3E6FB2578EA5C18763606BA2E78CF3D 139: 3 prim: INTEGER :010001 144: 128 prim: INTEGER : 06B0A2D74B4709BA98BD386DCFC3BBFA9D55ABF8166A938C05565ACDB570AAEFE2 9998DAFB9FE6DE06B20D09F005FC8AE3C981F5C12D1EF474A46D92E40815DCFD36 860631EF92CB2F30AB746A0CF80428CC544C51A04F08AF1773E53F88FC4031DF32 68B82476A1875DBB9212AAA6373AF6600F37053B3417E957D7D9633D49 275: 65 prim: INTEGER : DB1765DB11C76D7CC0A50E60CFA66025EC971C0F6D797D2166B7578F8DC1401E87 B3D448135B2FB74ABD3EEDB41B0EE538D587A88D08D018C2971C298F88971F 342: 65 prim: INTEGER : CEBD8090AAD98D86986FBB1E38C1CB0FAA1951D625A9333BF4F52E53AE2405878B AB54179A1964F02BEF17B2E25F922BDA097E7B282ADF8AD8DEC962012D1A23 409: 64 prim: INTEGER : 3EF3CF298E473E577D4730057344FC158990B5D85CFD6E8DFD64AAFD2D9F1C9C69 23ABD875EF5A9B91172590C99288CA26757C805ADDF0655CEC6C8428A0F7C3 475: 65 prim: INTEGER : 9D23529623162AC9341230C29ED745D5C92F6791829CA1B19FD5BFF9A0B20675E9 46372B9D5851ED6F2752F707B326B2280EF15100CDDD8D769B97ABE342F9CB 542: 65 prim: INTEGER : 84D65C4EBCC1B95AA42AA2AD2ECDDC58809316CC4793A889C24828E04F386B1277 8DA68B57E7891E6780D5FD1A028B207D7C7D9AE40CDD9F9059BDEB2EF098BF
Example Signed Message. The value on the Content-Type line has been broken across lines to fit on the page but it should not be.
MESSAGE sip:bob@b.example.com SIP/2.0 To: <sip:bob@b.example.com> From: <sip:alice@a.example.com>;tag=1b2f5769 Via: SIP/2.0/UDP 127.0.0.1:5070;branch=z9hG4bK-c87542-730075406-1--c87542-;rport Call-ID: 22b4f26d6be23a0e CSeq: 1 MESSAGE Contact: <sip:alice@a.example.com:5070> Max-Forwards: 70 Content-Type: multipart/signed;boundary=65b6563f5e8ef632;\ micalg=sha1;protocol=application/pkcs7-signature User-Agent: SIPimp.org/0.2.2 (curses) Content-Length: 1653 --65b6563f5e8ef632 Content-Type: text/plain Content-Transfer-Encoding: binary Hi --65b6563f5e8ef632 Content-Type: application/pkcs7-signature;name=smime.p7s Content-Disposition: attachment;handling=required;filename=smime.p7s Content-Transfer-Encoding: binary ******************* * BINARY BLOB 1 * ******************* --65b6563f5e8ef632--
It is important to note that the data the signature is computed across includes the header and is:
Content-Type: text/plain Content-Transfer-Encoding: binary Hi
The response follows. The Via line has been split across lines for formatting but it should not be.
SIP/2.0 200 OK To: <sip:bob@b.example.com>;tag=6b167ed8 From: <sip:alice@a.example.com>;tag=1b2f5769 Via: SIP/2.0/UDP 127.0.0.1:5070;branch=z9hG4bK-c87542-730075406-1--c87542-;\ rport=5070;received=127.0.0.1 Call-ID: 22b4f26d6be23a0e CSeq: 1 MESSAGE Contact: <sip:bob@b.example.com:5060> Content-Length: 0
ASN.1 parse of binary blob 1. Note that at address 30, the hash for the signature is specified as sha1.
0: SEQUENCE 4: OBJECT :pkcs7-signedData 15: cont [ 0 ] 19: SEQUENCE 23: INTEGER :01 26: SET 28: SEQUENCE 30: OBJECT :sha1 37: NULL 39: SEQUENCE 41: OBJECT :pkcs7-data 52: cont [ 0 ] 56: SEQUENCE 60: SEQUENCE 64: cont [ 0 ] 66: INTEGER :02 69: INTEGER :55018102490073 78: SEQUENCE 80: OBJECT :sha1WithRSAEncryption 91: NULL 93: SEQUENCE 95: SET 97: SEQUENCE 99: OBJECT :countryName 104: PRINTABLESTRING :US 108: SET 110: SEQUENCE 112: OBJECT :stateOrProvinceName 117: PRINTABLESTRING :California 129: SET 131: SEQUENCE 133: OBJECT :localityName 138: PRINTABLESTRING :San Jose 148: SET 150: SEQUENCE 152: OBJECT :organizationName 157: PRINTABLESTRING :sipit 164: SET 166: SEQUENCE 168: OBJECT :organizationalUnitName 173: PRINTABLESTRING :Sipit Test Certificate Authority 207: SEQUENCE 209: UTCTIME :031014202459Z 224: UTCTIME :061013202459Z 239: SEQUENCE 241: SET 243: SEQUENCE 245: OBJECT :countryName 250: PRINTABLESTRING :US 254: SET 256: SEQUENCE 258: OBJECT :stateOrProvinceName 263: PRINTABLESTRING :California 275: SET 277: SEQUENCE 279: OBJECT :localityName 284: PRINTABLESTRING :San Jose 294: SET 296: SEQUENCE 298: OBJECT :organizationName 303: PRINTABLESTRING :sipit 310: SET 312: SEQUENCE 314: OBJECT :commonName 319: T61STRING :alice@a.example.com 340: SEQUENCE 343: SEQUENCE 345: OBJECT :rsaEncryption 356: NULL 358: BIT STRING 502: cont [ 3 ] 505: SEQUENCE 508: SEQUENCE 510: OBJECT :X509v3 Subject Alternative Name 515: OCTET STRING 540: SEQUENCE 542: OBJECT :X509v3 Basic Constraints 547: OCTET STRING 551: SEQUENCE 553: OBJECT :X509v3 Subject Key Identifier 558: OCTET STRING 582: SEQUENCE 585: OBJECT :X509v3 Authority Key Identifier 590: OCTET STRING 739: SEQUENCE 741: OBJECT :sha1WithRSAEncryption 752: NULL 754: BIT STRING 886: SET 890: SEQUENCE 894: INTEGER :01 897: SEQUENCE 899: SEQUENCE 901: SET 903: SEQUENCE 905: OBJECT :countryName 910: PRINTABLESTRING :US 914: SET 916: SEQUENCE 918: OBJECT :stateOrProvinceName 923: PRINTABLESTRING :California 935: SET 937: SEQUENCE 939: OBJECT :localityName 944: PRINTABLESTRING :San Jose 954: SET 956: SEQUENCE 958: OBJECT :organizationName 963: PRINTABLESTRING :sipit 970: SET 972: SEQUENCE 974: OBJECT :organizationalUnitName 979: PRINTABLESTRING :Sipit Test Certificate Authority 1013: INTEGER :55018102490073 1022: SEQUENCE 1024: OBJECT :sha1 1031: NULL 1033: cont [ 0 ] 1036: SEQUENCE 1038: OBJECT :contentType 1049: SET 1051: OBJECT :pkcs7-data 1062: SEQUENCE 1064: OBJECT :signingTime 1075: SET 1077: UTCTIME :031015000907Z 1092: SEQUENCE 1094: OBJECT :messageDigest 1105: SET 1107: OCTET STRING 1129: SEQUENCE 1131: OBJECT :S/MIME Capabilities 1142: SET 1144: SEQUENCE 1146: SEQUENCE 1148: OBJECT :des-ede3-cbc 1158: SEQUENCE 1160: OBJECT :rc2-cbc 1170: INTEGER :80 1174: SEQUENCE 1176: OBJECT :rc2-cbc 1186: INTEGER :40 1189: SEQUENCE 1191: OBJECT :des-cbc 1198: SEQUENCE 1200: OBJECT :rc2-cbc 1210: INTEGER :28 1213: SEQUENCE 1215: OBJECT :rsaEncryption 1226: NULL 1228: OCTET STRING
MESSAGE sip:bob@b.example.com SIP/2.0 To: <sip:bob@b.example.com> From: <sip:alice@a.example.com>;tag=4bba1f0d Via: SIP/2.0/UDP 127.0.0.1:5070;branch=z9hG4bK-c87542-558422834-1--c87542-;rport Call-ID: 132bb895019d4536 CSeq: 1 MESSAGE Contact: <sip:alice@a.example.com:5070> Max-Forwards: 70 Content-Disposition: attachment;handling=required;filename=smime.p7 Content-Type: application/pkcs7-mime;smime-type=enveloped-data;name=smime.p7m User-Agent: SIPimp.org/0.2.2 (curses) Content-Length: 385 ***************** * BINARY BLOB 2 * *****************
The Response. The Via is split across lines for formatting but is not split in the real message.
SIP/2.0 200 OK To: <sip:bob@b.example.com>;tag=330805f5 From: <sip:alice@a.example.com>;tag=4bba1f0d Via: SIP/2.0/UDP 127.0.0.1:5070;branch=z9hG4bK-c87542-558422834-1--c87542-;\ rport=5070;received=127.0.0.1 Call-ID: 132bb895019d4536 CSeq: 1 MESSAGE Contact: <sip:bob@b.example.com:5060> Content-Length: 0
ASN.1 parse of Binary Blob 2. Note that at address 323, the encryption is set to des-ebe3-cbc.
0: SEQUENCE 4: OBJECT :pkcs7-envelopedData 15: cont [ 0 ] 19: SEQUENCE 23: INTEGER :00 26: SET 30: SEQUENCE 34: INTEGER :00 37: SEQUENCE 39: SEQUENCE 41: SET 43: SEQUENCE 45: OBJECT :countryName 50: PRINTABLESTRING :US 54: SET 56: SEQUENCE 58: OBJECT :stateOrProvinceName 63: PRINTABLESTRING :California 75: SET 77: SEQUENCE 79: OBJECT :localityName 84: PRINTABLESTRING :San Jose 94: SET 96: SEQUENCE 98: OBJECT :organizationName 103: PRINTABLESTRING :sipit 110: SET 112: SEQUENCE 114: OBJECT :organizationalUnitName 119: PRINTABLESTRING :Sipit Test Certificate Authority 153: INTEGER :55018102490072 162: SEQUENCE 164: OBJECT :rsaEncryption 175: NULL 177: OCTET STRING 308: SEQUENCE 310: OBJECT :pkcs7-data 321: SEQUENCE 323: OBJECT :des-ede3-cbc 333: OCTET STRING 343: cont [ 0 ]
Example Signed and Encrypted Message
In the example below, one of the headers is contained in a box and is split across two lines. This was only done to make it fit in the RFC format. This header should not have the box around it and should be on one line with no whitespace between the "mime;" and the "smime-type". Note that Content-Type is split across lines for formatting but is not split in the real message.
MESSAGE sip:bob@b.example.com SIP/2.0 To: <sip:bob@b.example.com> From: <sip:alice@a.example.com>;tag=1d8673a3 Via: SIP/2.0/UDP 127.0.0.1:5070;branch=z9hG4bK-c87542-488884104-1--c87542-;rport Call-ID: 450c8b112715a732 CSeq: 1 MESSAGE Contact: <sip:alice@a.example.com:5070> Max-Forwards: 70 Content-Type: multipart/signed;boundary=75b3d73b4e24d3f6;\ micalg=sha1;protocol=application/pkcs7-signature User-Agent: SIPimp.org/0.2.2 (curses) Content-Length: 2158 --75b3d73b4e24d3f6 |---See note about stuff in this box---------------------| |Content-Type: application/pkcs7-mime; | | smime-type=enveloped-data;name=smime.p7m | |--------------------------------------------------------| Content-Disposition: attachment;handling=required;filename=smime.p7 Content-Transfer-Encoding: binary ***************** * BINARY BLOB 3 * ***************** --75b3d73b4e24d3f6 Content-Type: application/pkcs7-signature;name=smime.p7s Content-Disposition: attachment;handling=required;filename=smime.p7s Content-Transfer-Encoding: binary ***************** * BINARY BLOB 4 * ***************** --75b3d73b4e24d3f6--
Response back. Note that the Via is split across lines for formatting.
SIP/2.0 200 OK To: <sip:bob@b.example.com>;tag=40d7131b From: <sip:alice@a.example.com>;tag=1d8673a3 Via: SIP/2.0/UDP 127.0.0.1:5070;branch=z9hG4bK-c87542-488884104-1--c87542-;\ rport=5070;received=127.0.0.1 Call-ID: 450c8b112715a732 CSeq: 1 MESSAGE Contact: <sip:bob@b.example.com:5060> Content-Length: 0
0: SEQUENCE 4: OBJECT :pkcs7-envelopedData 15: cont [ 0 ] 19: SEQUENCE 23: INTEGER :00 26: SET 30: SEQUENCE 34: INTEGER :00 37: SEQUENCE 39: SEQUENCE 41: SET 43: SEQUENCE 45: OBJECT :countryName 50: PRINTABLESTRING :US 54: SET 56: SEQUENCE 58: OBJECT :stateOrProvinceName 63: PRINTABLESTRING :California 75: SET 77: SEQUENCE 79: OBJECT :localityName 84: PRINTABLESTRING :San Jose 94: SET 96: SEQUENCE 98: OBJECT :organizationName 103: PRINTABLESTRING :sipit 110: SET 112: SEQUENCE 114: OBJECT :organizationalUnitName 119: PRINTABLESTRING :Sipit Test Certificate Authority 153: INTEGER :55018102490072 162: SEQUENCE 164: OBJECT :rsaEncryption 175: NULL 177: OCTET STRING 308: SEQUENCE 310: OBJECT :pkcs7-data 321: SEQUENCE 323: OBJECT :des-ede3-cbc 333: OCTET STRING 343: cont [ 0 ]
0: SEQUENCE 4: OBJECT :pkcs7-signedData 15: cont [ 0 ] 19: SEQUENCE 23: INTEGER :01 26: SET 28: SEQUENCE 30: OBJECT :sha1 37: NULL 39: SEQUENCE 41: OBJECT :pkcs7-data 52: cont [ 0 ] 56: SEQUENCE 60: SEQUENCE 64: cont [ 0 ] 66: INTEGER :02 69: INTEGER :55018102490073 78: SEQUENCE 80: OBJECT :sha1WithRSAEncryption 91: NULL 93: SEQUENCE 95: SET 97: SEQUENCE 99: OBJECT :countryName 104: PRINTABLESTRING :US 108: SET 110: SEQUENCE 112: OBJECT :stateOrProvinceName 117: PRINTABLESTRING :California 129: SET 131: SEQUENCE 133: OBJECT :localityName 138: PRINTABLESTRING :San Jose 148: SET 150: SEQUENCE 152: OBJECT :organizationName 157: PRINTABLESTRING :sipit 164: SET 166: SEQUENCE 168: OBJECT :organizationalUnitName 173: PRINTABLESTRING :Sipit Test Certificate Authority 207: SEQUENCE 209: UTCTIME :031014202459Z 224: UTCTIME :061013202459Z 239: SEQUENCE 241: SET 243: SEQUENCE 245: OBJECT :countryName 250: PRINTABLESTRING :US 254: SET 256: SEQUENCE 258: OBJECT :stateOrProvinceName 263: PRINTABLESTRING :California 275: SET 277: SEQUENCE 279: OBJECT :localityName 284: PRINTABLESTRING :San Jose 294: SET 296: SEQUENCE 298: OBJECT :organizationName 303: PRINTABLESTRING :sipit 310: SET 312: SEQUENCE 314: OBJECT :commonName 319: T61STRING :alice@a.example.com 340: SEQUENCE 343: SEQUENCE 345: OBJECT :rsaEncryption 356: NULL 358: BIT STRING 502: cont [ 3 ] 505: SEQUENCE 508: SEQUENCE 510: OBJECT :X509v3 Subject Alternative Name 515: OCTET STRING 540: SEQUENCE 542: OBJECT :X509v3 Basic Constraints 547: OCTET STRING 551: SEQUENCE 553: OBJECT :X509v3 Subject Key Identifier 558: OCTET STRING 582: SEQUENCE 585: OBJECT :X509v3 Authority Key Identifier 590: OCTET STRING 739: SEQUENCE 741: OBJECT :sha1WithRSAEncryption 752: NULL 754: BIT STRING 886: SET 890: SEQUENCE 894: INTEGER :01 897: SEQUENCE 899: SEQUENCE 901: SET 903: SEQUENCE 905: OBJECT :countryName 910: PRINTABLESTRING :US 914: SET 916: SEQUENCE 918: OBJECT :stateOrProvinceName 923: PRINTABLESTRING :California 935: SET 937: SEQUENCE 939: OBJECT :localityName 944: PRINTABLESTRING :San Jose 954: SET 956: SEQUENCE 958: OBJECT :organizationName 963: PRINTABLESTRING :sipit 970: SET 972: SEQUENCE 974: OBJECT :organizationalUnitName 979: PRINTABLESTRING :Sipit Test Certificate Authority 1013: INTEGER :55018102490073 1022: SEQUENCE 1024: OBJECT :sha1 1031: NULL 1033: cont [ 0 ] 1036: SEQUENCE 1038: OBJECT :contentType 1049: SET 1051: OBJECT :pkcs7-data 1062: SEQUENCE 1064: OBJECT :signingTime 1075: SET 1077: UTCTIME :031015000922Z 1092: SEQUENCE 1094: OBJECT :messageDigest 1105: SET 1107: OCTET STRING 1129: SEQUENCE 1131: OBJECT :S/MIME Capabilities 1142: SET 1144: SEQUENCE 1146: SEQUENCE 1148: OBJECT :des-ede3-cbc 1158: SEQUENCE 1160: OBJECT :rc2-cbc 1170: INTEGER :80 1174: SEQUENCE 1176: OBJECT :rc2-cbc 1186: INTEGER :40 1189: SEQUENCE 1191: OBJECT :des-cbc 1198: SEQUENCE 1200: OBJECT :rc2-cbc 1210: INTEGER :28 1213: SEQUENCE 1215: OBJECT :rsaEncryption 1226: NULL 1228: OCTET STRING
This section describes some common interoperability problems. Implementers should verify their clients do the correct things and perhaps make their clients forgiving in what they receive, or at least produce reasonable error messages with other software that does have these problems.
A common problem in interoperability is that some SIP clients do not support TLS and only do SSLv3. Check that the client does use TLS.
Many SIP clients were found to accept expired certificates with no warning or error.
TLS and S/MIME can provide the identity of the peer that a client is communicating with in the Subject Alternative Name in the certificate. The software must check that this name corresponds to the identity the server is trying to contact. If a client is trying to set up a TLS connection to good.example.com and it gets a TLS connection set up with a server that presents a valid certificate but with the name evil.example.com, it must generate an error or warning of some type. Similarly with S/MIME, if a user is trying to communicate with bob@b.example.com, the Subject Alternate Name field in the certificate must match the AOR for bob.
Some implementations used binary MIME encodings while others used base64. There is no reason not to use binary - check that your implementation sends binary and preferably receives both.
These scripts allow you to make certificates for test purposes. The certificates will all share a common CA root so that everyone running these scripts can have interoperable certificates. WARNING - these certificates are totally insecure and are for test purposes only. All the CA created by this script share the same private key to facilitate interoperability testing, but this totally breaks the security since the private key of the CA is well known.
The instructions assume a Unix-like environment with openssl installed, but openssl does work in Windows too. Make sure you have openssl installed by trying to run "openssl". Run the makeCA script found in section 17; this creates a subdirectory called demoCA. If the makeCA script cannot find where your openssl is installed you will have to set an environment variable called OPENSSLDIR to whatever directory contains the file openssl.cnf. You can find this with a "locate openssl.cnf". You are not ready to make certificates.
To create certs for use with TLS, run the makeCert script found in section 18 with the fully qualified domain name of the proxy you are making the certificate for. For example, "makeCert host.example.net". This will generate a private key and a certificate. The private key will be left in a file named host.example.net_key.pem in pem format. The certificate will be in host.example.net_cert.pem. Some programs expect both the certificate and private key combined together in a PKCS12 format file. This is created by the script and left in a file named host.example.net.p12. Some programs expect this file to have a .pfx extension instead of .p12 - just rename the file if needed.
A second argument indicating the number of days for which the certificate should be valid can be passed to the makeCert script. It is possible to make an expired certificate using the command "makeCert host.example.net 0".
Anywhere that a password is used to protect a certificate, the password is set to the string "password".
The root certificate for the CA is in the file demoCA/cacert.pem and a PKCS#7 version of it is in demoCA/cacert.p7c.
For things that need DER format certificates, a certificate can be converted from PEM to DER with "openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER".
Some programs expect certificates in PKCS#7 format (with a file extension of .p7c). You can convert these from PEM format with to PKCS#7 with "openssl crl2pkcs7 -nocrl -certfile cert.pem -certfile demoCA/cacert.pem -outform DER -out cert.p7c"
IE, Outlook, and Netscape can import and export .p12 files and .p7c files. You can convert a pkcs7 certificate to PEM format with "openssl pkcs7 -in cert.p7c -inform DER -outform PEM -out cert.pem".
The private key can be converted to pkcs8 format with "openssl pkcs8 -in a_key.pem -topk8 -outform DER -out a_key.p8c"
In general, a TLS client will just need the root certificate of the CA. A TLS server will need its private key and its certificate. These could be in two PEM files or one .p12 file. An S/MIME program will need its private key and certificate, the root certificate of the CA, and the certificate for every other user it communicates with.
When validating a chain of certificates, make sure that the basic constraints on any non leaf node allow the certificate to be used for a CA. For example, if the domain example.com issues a certificate for alice@example.com, Alice should not be able to use this to sign a certificate for bob@example.com.
#!/bin/sh #set -x rm -rf demoCA mkdir demoCA mkdir demoCA/certs mkdir demoCA/crl mkdir demoCA/newcerts mkdir demoCA/private #echo "01" > demoCA/serial hexdump -n 4 -e '4/1 "%04d"' /dev/random > demoCA/serial touch demoCA/index.txt # You may need to modify this for where your default file is # you can find where yours in by typing "openssl ca" CONF=${OPENSSLDIR:=/usr/local/ssl}/openssl.cnf if [ ! -f $CONF ]; then echo "Can not find file $CONF - set your OPENSSLDIR variable" fi cp $CONF openssl.cnf cat >> openssl.cnf <<EOF [ cj_cert ] subjectAltName=\${ENV::ALTNAME} basicConstraints=CA:FALSE subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always EOF cat > demoCA/private/cakey.pem <<EOF -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,4B47A0A73ADE342E aHmlPa+ZrOV6v+Jk0SClxzpxoG3j0ZuyoVkF9rzq2bZkzVBKLU6xhWwjMDqwA8dH 3fCRLhMGIUVnmymXYhTW9svI1gpFxMBQHJcKpV/SmgFn/fbYk98Smo2izHOniIiu NOu2zr+bMiaBphOAZ/OCtVUxUOoBDKN9lR39UCDOgkEQzp9Vbw7l736yu5H9GMHP JtGLJyx3RhS3TvLfLAJZhjm/wZ/9QM8GjyJEiDhMQRJVeIZGvv4Yr1u6yYHiHfjX tX2eds8Luc83HbSvjAyjnkLtJsAZ/8cFzrd7pjFzbogLdWuil+kpkkf5h1uzh7oa um0M1EXBE4tcDHsfg1iqEsDMIei/U+/rWfk1PrzYlklwZp8S03vulkDm1fT76W7d mRBg4+CrHA6qYn6EPWB37OBtfEqAfINnIcI1dWzso9A0bTPD4EJO0JA0PcZ/2JgT PaKySgooHQ8AHNQebelch6M5LFExpaOADJKrqauKcc2HeUxXaYIpac5/7drIl3io UloqUnMlGa3eLP7BZIMsZKCfHZ8oqwU4g6mmmJath2gODRDx3mfhH6yaimDL7v4i SAIIkrEHXfSyovrTJymfSfQtYxUraVZDqax6oj/eGllRxliGfMLYG9ceU+yU/8FN LE7P+Cs19H5tHHzx1LlieaK43u/XvbXHlB5mqL/fZdkUIBJsjbBVx0HR8eQl2CH9 YJDMOPLADecwHoyKA0AY59oN9d41oF7yZtN9KwNdslROYH7mNJlqMMenhXCLN+Nz vVU5/7/ugZFhZqfS46c1WdmSvuqpDp7TBtMeaH/PXjysBr0iZffOxQ== -----END RSA PRIVATE KEY----- EOF cat > demoCA/cacert.pem <<EOF -----BEGIN CERTIFICATE----- MIIDJDCCAo2gAwIBAgIBADANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJVUzET MBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNVBAoT BXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0 eTAeFw0wMzA3MTgxMjIxNTJaFw0xMzA3MTUxMjIxNTJaMHAxCzAJBgNVBAYTAlVT MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE ChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9y aXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDIh6DkcUDLDyK9BEUxkud +nJ4xrCVGKfgjHm6XaSuHiEtnfELHM+9WymzkBNzZpJu30yzsxwfKoIKugdNUrD4 N3viCicwcN35LgP/KnbN34cavXHr4ZlqxH+OdKB3hQTpQa38A7YXdaoz6goW2ft5 Mi74z03GNKP/G9BoKOGd5QIDAQABo4HNMIHKMB0GA1UdDgQWBBRrRhcU6pR2JYBU bhNU2qHjVBShtjCBmgYDVR0jBIGSMIGPgBRrRhcU6pR2JYBUbhNU2qHjVBShtqF0 pHIwcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcT CFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBD ZXJ0aWZpY2F0ZSBBdXRob3JpdHmCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B AQUFAAOBgQCWbRvv1ZGTRXxbH8/EqkdSCzSoUPrs+rQqR0xdQac9wNY/nlZbkR3O qAezG6Sfmklvf+DOg5RxQq/+Y6I03LRepc7KeVDpaplMFGnpfKsibETMipwzayNQ QgUf4cKBiF+65Ue7hZuDJa2EMv8qW4twEhGDYclpFU9YozyS1OhvUg== -----END CERTIFICATE----- EOF # uncomment the following lines to generate your own key pair #openssl req -newkey rsa:1024 -passin pass:password \ # -passout pass:password \ # -sha1 -x509 -keyout demoCA/private/cakey.pem \ # -out demoCA/cacert.pem -days 3650 <<EOF #US #California #San Jose #sipit #Sipit Test Certificate Authority # # #EOF openssl crl2pkcs7 -nocrl -certfile demoCA/cacert.pem \ -outform DER -out demoCA/cacert.p7c
#!/bin/sh #set -x if [ $# == 1 ]; then DAYS=1095 elif [ $# == 2 ]; then DAYS=$2 else echo "Usage: makeCert test.example.org [days]" echo " makeCert alice@example.org [days]" echo "days is how long the certifiace is valid" echo "days set to 0 generates an invalid certificate" exit 0 fi ADDR=$1 echo "making cert for ${ADDR}" rm -f ${ADDR}_*.pem rm -f ${ADDR}.p12 case ${ADDR} in *:*) TYPE="URI" ;; *@*) TYPE="email" ;; *) TYPE="DNS" ;; esac rm -f demoCA/index.txt touch demoCA/index.txt rm -f demoCA/newcerts/* #setenv ALTNAME "URI:${ADDR}" #setenv ALTNAME "email:${ADDR}" #setenv ALTNAME "DNS:${ADDR}" ALTNAME="$TYPE:${ADDR}" export ALTNAME openssl genrsa -out ${ADDR}_key.pem 1024 openssl req -new -sha1 -key ${ADDR}_key.pem \ -out ${ADDR}_req.pem -days ${DAYS} <<EOF US California San Jose sipit ${ADDR} EOF if [ $DAYS == 0 ]; then openssl ca -extensions cj_cert -config openssl.cnf \ -passin pass:password -policy policy_anything \ -md sha1 -batch -notext -out ${ADDR}_cert.pem \ -startdate 990101000000Z \ -enddate 000101000000Z \ -infiles ${ADDR}_req.pem else openssl ca -extensions cj_cert -config openssl.cnf \ -passin pass:password -policy policy_anything \ -md sha1 -days ${DAYS} -batch -notext \ -out ${ADDR}_cert.pem \ -infiles ${ADDR}_req.pem fi openssl pkcs12 -passin pass:password \ -passout pass:password -export \ -out ${ADDR}.p12 -in ${ADDR}_cert.pem \ -inkey ${ADDR}_key.pem -name TheName \ -certfile demoCA/cacert.pem openssl x509 -in ${ADDR}_cert.pem -noout -text
This section contains various certificates used for testing in PEM format.
-----BEGIN CERTIFICATE----- MIIDNDCCAp2gAwIBAgIBATANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJVUzET MBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNVBAoT BXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0 eTAeFw0wMzA3MjAxNDI5NTRaFw0wNDA3MTkxNDI5NTRaMGMxCzAJBgNVBAYTAlVT MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE ChMFc2lwaXQxHDAaBgNVBAMUE2FsaWNlQGEuZXhhbXBsZS5jb20wgZ8wDQYJKoZI hvcNAQEBBQADgY0AMIGJAoGBAPCfkZptb4G5nWfbX76VOimKzHPduXozyPlS3ZkT BCvxm8L1k3J6m+GX/MLSltB227UOR7FZdFlbsHOtyGS9WRxnGoIvws9Th9MrWtzm PIwnoKtuf02G3Sub42k78KobrfKrHkRGsoqrhSyBEwOYBmVXDP/DTwLL7XnlgRnH AuIbAgMBAAGjgeowgecwHgYDVR0RBBcwFYETYWxpY2VAYS5leGFtcGxlLmNvbTAJ BgNVHRMEAjAAMB0GA1UdDgQWBBTeDEb8t0zOa3OZIsI9qd5T7L9pZjCBmgYDVR0j BIGSMIGPgBRrRhcU6pR2JYBUbhNU2qHjVBShtqF0pHIwcDELMAkGA1UEBhMCVVMx EzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQK EwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3Jp dHmCAQAwDQYJKoZIhvcNAQEFBQADgYEAlSz7JoM1SjzaIL50Gh+Afydh3CfxqXsu pyQxH/fJd80PvwKbjdU1Qm2QYDBMa/R/EU2gPx6c0ivgS0/8+jdDaOLYMim9biLm 7w6XsNmSSa5GlTirpRHe+twbrjBrSCyjxSZxpiNYotJXSrGu2EXGmnGLAemslV6a LGeuw10rfJ0= -----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQDwn5GabW+BuZ1n21++lTopisxz3bl6M8j5Ut2ZEwQr8ZvC9ZNy epvhl/zC0pbQdtu1DkexWXRZW7BzrchkvVkcZxqCL8LPU4fTK1rc5jyMJ6Crbn9N ht0rm+NpO/CqG63yqx5ERrKKq4UsgRMDmAZlVwz/w08Cy+155YEZxwLiGwIDAQAB AoGAR2TA+dXgkNf26RrA5LY4JJ1HHlW6M5Tr23YHw+RNh5BPS+A7WGsilyPWXiPH laC+fZD4GpnVGLJIv3nfjGxV5LE1YknYL5sYw3Ul+gXTViOZ5JEryQL6ks8S165l PDwNhRpLs9816HIgBkYPwHbgLQEtPPIz0ZNBAP7H6sct6YkCQQD6WnbWIBHjohm0 2Jzyo5L/V6VbxOEJLsZwMOMavtxZFIXChCULwBlcM6kpILNAsmNuu4gMPcbidIpg RaB/zC6XAkEA9gzsYduYXBrg+SfoMaraLh34idE16RpJtmK4CUzxQAdanHgt9qKP U40sUcxJEMsCsVmJT7WX0Xo/tp3dNwmdHQJAU+c1pJWi6TNOgjmGgBsqDMGG/baB 5N30S21W74O/vWsPWR2IfOOonCoEK3B2ItymTlozQkcB/KsqJRGwtKPtiQJBAMvY +R456IimXC0QOvarLgd3HSpRAfEVrmxEbWSHMnhxn0hy6OGk3EnEdCtwrDgVeS2l mHVJZXZPaenJ8DRg6qECQAIc/I3sI/S4K+k3zUW4Ga6MV3e/8Ux09xn/u/PrVnpW OpsiVuw1Y+dksmncNL/sdyvkQ0hNl0uP8HxS2b+V3CQ= -----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE----- MIIDMDCCApmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJVUzET MBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNVBAoT BXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0 eTAeFw0wMzA3MjAxNDMwMDZaFw0wNDA3MTkxNDMwMDZaMGExCzAJBgNVBAYTAlVT MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE ChMFc2lwaXQxGjAYBgNVBAMUEWJvYkBiLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3 DQEBAQUAA4GNADCBiQKBgQCw7wJD/VkoC9NZ/+ZmOqcwsOURVMDX6YpRpyswlJjv u/mKlabKXuN6r6Iq+bResIrhqw3EZ5svELHIcSgLDTZ1RjD5FznQyOIUrOy7uj3R p1ATgz7TdWeH7zalXbMjcSkVlOhQPPh7pwzO8L6Sa9gDw+b7JXjqXBh2Nga6LnjP PQIDAQABo4HoMIHlMBwGA1UdEQQVMBOBEWJvYkBiLmV4YW1wbGUuY29tMAkGA1Ud EwQCMAAwHQYDVR0OBBYEFLWybAebeRmbZPufN/d6YLwdQCXaMIGaBgNVHSMEgZIw gY+AFGtGFxTqlHYlgFRuE1TaoeNUFKG2oXSkcjBwMQswCQYDVQQGEwJVUzETMBEG A1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNVBAoTBXNp cGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0eYIB ADANBgkqhkiG9w0BAQUFAAOBgQCcmTnnGVmWBkZ0tbeYGsz1o+ZVbDzpsHqjChrq MslR5dp+rCQby7R9rrVwuiYPNIHWfeXGdhFEfyaQ/wqfao7S+DR7fSFmU50bHHTV cpWNdv5oiPLEedLf0HpObOct8B9+A3oUIVZs8MsEyMJjDSRSH+S4qiFlD3Xjdps1 SA+0qw== -----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQCw7wJD/VkoC9NZ/+ZmOqcwsOURVMDX6YpRpyswlJjvu/mKlabK XuN6r6Iq+bResIrhqw3EZ5svELHIcSgLDTZ1RjD5FznQyOIUrOy7uj3Rp1ATgz7T dWeH7zalXbMjcSkVlOhQPPh7pwzO8L6Sa9gDw+b7JXjqXBh2Nga6LnjPPQIDAQAB AoGABrCi10tHCbqYvThtz8O7+p1Vq/gWapOMBVZazbVwqu/imZja+5/m3gayDQnw BfyK48mB9cEtHvR0pG2S5AgV3P02hgYx75LLLzCrdGoM+AQozFRMUaBPCK8Xc+U/ iPxAMd8yaLgkdqGHXbuSEqqmNzr2YA83BTs0F+lX19ljPUkCQQDbF2XbEcdtfMCl DmDPpmAl7JccD215fSFmt1ePjcFAHoez1EgTWy+3Sr0+7bQbDuU41YeojQjQGMKX HCmPiJcfAkEAzr2AkKrZjYaYb7seOMHLD6oZUdYlqTM79PUuU64kBYeLq1QXmhlk 8CvvF7LiX5Ir2gl+eygq34rY3sliAS0aIwJAPvPPKY5HPld9RzAFc0T8FYmQtdhc /W6N/WSq/S2fHJxpI6vYde9am5EXJZDJkojKJnV8gFrd8GVc7GyEKKD3wwJBAJ0j UpYjFirJNBIwwp7XRdXJL2eRgpyhsZ/Vv/mgsgZ16UY3K51YUe1vJ1L3B7MmsigO 8VEAzd2NdpuXq+NC+csCQQCE1lxOvMG5WqQqoq0uzdxYgJMWzEeTqInCSCjgTzhr EneNpotX54keZ4DV/RoCiyB9fH2a5Azdn5BZvesu8Ji/ -----END RSA PRIVATE KEY-----
Certificate for a.example.com.
-----BEGIN CERTIFICATE----- MIIDKDCCApGgAwIBAgIBATANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJVUzET MBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNVBAoT BXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0 eTAeFw0wMzA3MjAyMDQ4MzRaFw0wNDA3MTkyMDQ4MzRaMF0xCzAJBgNVBAYTAlVT MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE ChMFc2lwaXQxFjAUBgNVBAMTDWEuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEB BQADgY0AMIGJAoGBANBefMrebLeKyXpAVfyUhfB1MRZXMZdICIfCG0Wmxr5tmTct B/rI9i3QROQOkF0rPJL4bHEpz7ufQCdlvcPCkOuq5Wr5ojwz9IM0XKByFBfBqo0E yzmDsHV0Y/W0gLr/YLoYQwi4Q2Ht7Geqw9H1Oo2v3h6HkrWMBYrRDbE0/RtTAgMB AAGjgeQwgeEwGAYDVR0RBBEwD4INYS5leGFtcGxlLmNvbTAJBgNVHRMEAjAAMB0G A1UdDgQWBBTRQ//VNy9mLk1uNNNd83dCdgT/tzCBmgYDVR0jBIGSMIGPgBRrRhcU 6pR2JYBUbhNU2qHjVBShtqF0pHIwcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh bGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcG A1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCAQAwDQYJKoZI hvcNAQEFBQADgYEAIVMSP3A3c21zqlGAqpbgQrkU7sNzn8eCmpW85T6kqWPPDj4r gi7Fvy20vp3PoWQ2pUTtk+yES06TLk4i08UZP5HIQllcljJQEciMazQrd5aHkGvL HRt0DfivNEzwSkuEEDHA87rDN+RDwj2x+q/OZ3OzyCa9VsqSvbQIoQ0QXDg= -----END CERTIFICATE-----
Private key for a.example.com.
-----BEGIN RSA PRIVATE KEY----- MIICWwIBAAKBgQDQXnzK3my3isl6QFX8lIXwdTEWVzGXSAiHwhtFpsa+bZk3LQf6 yPYt0ETkDpBdKzyS+GxxKc+7n0AnZb3DwpDrquVq+aI8M/SDNFygchQXwaqNBMs5 g7B1dGP1tIC6/2C6GEMIuENh7exnqsPR9TqNr94eh5K1jAWK0Q2xNP0bUwIDAQAB AoGALtyBLlLVmnWxGDht3i887DY/Auo7Me22VWnXHlQCsIMPiTQsbj9R9j23sJ6B 4yI9LkSGhvDDUkvfbrzX77XLR3zbrdtHuMZpQYB7eR0mLi1QPKf7zX4FFPdPfJek ufgq7IJPEh1tZYhKSGYJPAzZRQSAX/NOSKMhQLYiwaJ5bRECQQD6zRL/vPAhAJc7 O0DyFsTBdvFGzT2GlQdhhAw9fpMICsR7Ury7VRR5z57zUZVgJU2AkEqYTmZyxsBg NE0EcYurAkEA1LA9UMyvOw6aFVrwx6YBUt7L794aqky5HiyHHreC6VabkZYycnUN EpJtzWO2+rzPiL84snRM2dDmjeYyO5LG+QJAbb01xvjhCU+83In8zPDxfsWQpS5A 8ZZb+GtS/8VWiHpNprh5JG8B2priLg1QkxU/aDW6rhH/+dDFdFLuMDeOqQJAH1mK 8Cn7ej0AwT0SWJtDfq+QZ97ZF1kPwD7X+9MY3MQDUkZNUUmnj6E9xhR4mCTUgleN R+CUo1aDZU8VAGr2IQJAZcnfTUjSZ13K9ifREeaLRbvQbKnaRtDV5JH6oi9Aqixb 3l5MEAXHFjdxuS9fWjVrtAhj3R5imeFbFYl32enb3w== -----END RSA PRIVATE KEY-----
Certificate for b.example.com.
-----BEGIN CERTIFICATE----- MIIDKDCCApGgAwIBAgIBATANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJVUzET MBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNVBAoT BXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0 eTAeFw0wMzA3MjAyMDQ2MTZaFw0wNDA3MTkyMDQ2MTZaMF0xCzAJBgNVBAYTAlVT MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE ChMFc2lwaXQxFjAUBgNVBAMTDWIuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEB BQADgY0AMIGJAoGBAOKFGIl7Zyq4Z6yl+U5CWATYOq679ofEVy5deV8V+zJ7ALEQ ZBkq7T7ZGX+99Kq9lLXTGZ7yuIxWKNw9CG4pLRflsLvaKq/44pXOhy/anry/AJBT H0fGUn/2Dtyvy1cqexdGaduxYumz46p0a7zVZbzb6h0VKxsivHsjbnSfAWK5AgMB AAGjgeQwgeEwGAYDVR0RBBEwD4INYi5leGFtcGxlLmNvbTAJBgNVHRMEAjAAMB0G A1UdDgQWBBRijijbor95dRfhSPr+EGGiVu9jdDCBmgYDVR0jBIGSMIGPgBRrRhcU 6pR2JYBUbhNU2qHjVBShtqF0pHIwcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh bGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcG A1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCAQAwDQYJKoZI hvcNAQEFBQADgYEAV+ISZ9HK2RyOOI+D9GLCnFSxaX4yKdYUZ4FpxBGVB68ssGFn ahdtR+rtzUOr+6W4JYREm1lauJ8Su3rfe4Tv9z0cPzVLQQqRYkka5JIP1XkAATN9 3RzwHNyVlujU5VnYZDmAyggdpMS9Uv6DJO6CsjxTTVi1vy59WaPfeDgLdcQ= -----END CERTIFICATE-----
Private key for b.example.com.
-----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQDihRiJe2cquGespflOQlgE2Dquu/aHxFcuXXlfFfsyewCxEGQZ Ku0+2Rl/vfSqvZS10xme8riMVijcPQhuKS0X5bC72iqv+OKVzocv2p68vwCQUx9H xlJ/9g7cr8tXKnsXRmnbsWLps+OqdGu81WW82+odFSsbIrx7I250nwFiuQIDAQAB AoGAYkyP0VmT854Cn5GHFscDm1aaYKmA2noBu0UlHnZThByMuEn8pk9SlStxPVYZ jt6mYiExxSBfpcbeBHUX63ZC8oLD4/EaM8Yr5kCIG0yE/Up6KBstgj2oxRktBCtd /CZh4MV5eOedAk8+WKIeecFiRTWXLB/ebdvNipLwXQvVuuECQQD5AOU7Oq6xw+MW 5Bw2B/MwABEw+uG28CObpUiN1T6tAMk9mElHCNlankSVdmAdVoEdLcBWiyWcsebm KRFbepa3AkEA6OJ5UkMiU95snEmascO0wIz3odbwE7/zV998JkM5XCd/3z95xx7/ UNcBe6m3KpfZ9H0e97TvT3+KObdPR2PiDwJBAK4MWy6gYRWud6A7iCCYQ/sMQPf8 lSMbDbiwulsxcCLbRs8AEFBPtiXqNMRIPvyix5MOtL+JeZvimiPNFu3bbVcCQAKO EYSsheDjrM9eI1tV6VK/eSwGXqXo0jOhmQwWarevG0EIwj5EAcsSQMrphr/p4JNF GCThkEqP/KU7dJw05VMCQQDeny9hAo5oNGkGQx9oWn7RJWXt3+NfmjXJbYPdWqr9 M5rJ2zH5J2L5yk/hjbUwbpMMfS8i8qGc4wryOy4XFvzL -----END RSA PRIVATE KEY-----
This section contains base64 encoded versions of the SIP messages in this draft. They can be encoded and used as test vectors, and they contain all the correct CRLF sequences. A command like "openssl base64 -d -in foo.b64 -out foo" will convert the base64 data to a SIP message that contains everything after the UDP header. This can be used with a net cat program like nc to send test messages to programs.
The following is the base64 of the signed message.
TUVTU0FHRSBzaXA6Ym9iQGIuZXhhbXBsZS5jb20gU0lQLzIuMA0KVG86IDxzaXA6 Ym9iQGIuZXhhbXBsZS5jb20+DQpGcm9tOiA8c2lwOmFsaWNlQGEuZXhhbXBsZS5j b20+O3RhZz0xYjJmNTc2OQ0KVmlhOiBTSVAvMi4wL1VEUCAxMjcuMC4wLjE6NTA3 MDticmFuY2g9ejloRzRiSy1jODc1NDItNzMwMDc1NDA2LTEtLWM4NzU0Mi07cnBv cnQNCkNhbGwtSUQ6IDIyYjRmMjZkNmJlMjNhMGUNCkNTZXE6IDEgTUVTU0FHRQ0K Q29udGFjdDogPHNpcDphbGljZUBhLmV4YW1wbGUuY29tOjUwNzA+DQpNYXgtRm9y d2FyZHM6IDcwDQpDb250ZW50LVR5cGU6IG11bHRpcGFydC9zaWduZWQ7Ym91bmRh cnk9NjViNjU2M2Y1ZThlZjYzMjttaWNhbGc9c2hhMTtwcm90b2NvbD1hcHBsaWNh dGlvbi9wa2NzNy1zaWduYXR1cmUNClVzZXItQWdlbnQ6IFNJUGltcC5vcmcvMC4y LjIgKGN1cnNlcykNCkNvbnRlbnQtTGVuZ3RoOiAxNjUzDQoNCi0tNjViNjU2M2Y1 ZThlZjYzMg0KQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluDQpDb250ZW50LVRyYW5z ZmVyLUVuY29kaW5nOiBiaW5hcnkNCg0KSGkNCi0tNjViNjU2M2Y1ZThlZjYzMg0K Q29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9wa2NzNy1zaWduYXR1cmU7bmFtZT1z bWltZS5wN3MNCkNvbnRlbnQtRGlzcG9zaXRpb246IGF0dGFjaG1lbnQ7aGFuZGxp bmc9cmVxdWlyZWQ7ZmlsZW5hbWU9c21pbWUucDdzDQpDb250ZW50LVRyYW5zZmVy LUVuY29kaW5nOiBiaW5hcnkNCg0KMIIFSwYJKoZIhvcNAQcCoIIFPDCCBTgCAQEx CzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCAz4wggM6MIICo6ADAgECAgdVAYEC SQBzMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp Zm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UEChMFc2lwaXQxKTAnBgNV BAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAzMTAxNDIw MjQ1OVoXDTA2MTAxMzIwMjQ1OVowYzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh bGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEcMBoG A1UEAxQTYWxpY2VAYS5leGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw gYkCgYEAoYw/gUYHZ5v+xKL+8axvOOrIFH5JruQqzcL6BbvktjPXnETrJKcQOedb 75xEKqrTd1MDqm9AXJuF1xG0zYf0aWHEzUWTxKUgSQwMBYzaFErpjrgjE0U5zRlM vbzK10AqGtgzFgq4LS//WXme0Zj7qbIpqMif15plDIg/UjKq518CAwEAAaOB6jCB 5zAeBgNVHREEFzAVgRNhbGljZUBhLmV4YW1wbGUuY29tMAkGA1UdEwQCMAAwHQYD VR0OBBYEFPvBYLvWCgb7Xzy3lSsw3OZteAheMIGaBgNVHSMEgZIwgY+AFGtGFxTq lHYlgFRuE1TaoeNUFKG2oXSkcjBwMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs aWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNVBAoTBXNpcGl0MSkwJwYD VQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0eYIBADANBgkqhkiG 9w0BAQUFAAOBgQBfex+PEk9VKHhNqgTZtPcdkYgleGBdsvK5vZR+AmMzjhDZns/N VTIct1N4RLZ2l4ZySQ5/y28H0GjNO5G8bDbQLpOdvJ/bivpQ2BUit9PQ1lFWGhOv o0hsygux6XVMyogp8re6eNJgAhN4WxNkDjkmn06BaiIzlsncW7Neb7dTyDGCAdUw ggHRAgEBMHswcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAP BgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQg VGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkCB1UBgQJJAHMwCQYFKw4DAhoFAKCB sTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wMzEw MTUwMDA5MDdaMCMGCSqGSIb3DQEJBDEWBBRweIiRmownAI3QcTrAOjUZBJolPDBS BgkqhkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggq hkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEF AASBgBGmL7aacdLrQbLav67qW9vawNWCEjIVefaK8/QSMy+J+TQX6FCThi45uDwU MezrzxTroNCZhJPVf45inWrqG3h8SK2fIUBSbYdwdpb1QlMbbrygsb2Ea85mNVO/ upIk2YgSiz3Z796y2NV4sqB1go2rmVtLKPAWVrFoML86Wk6xDQotLTY1YjY1NjNm NWU4ZWY2MzItLQ==
The base64 of the response was:
U0lQLzIuMCAyMDAgT0sNClRvOiA8c2lwOmJvYkBiLmV4YW1wbGUuY29tPjt0YWc9 NmIxNjdlZDgNCkZyb206IDxzaXA6YWxpY2VAYS5leGFtcGxlLmNvbT47dGFnPTFi MmY1NzY5DQpWaWE6IFNJUC8yLjAvVURQIDEyNy4wLjAuMTo1MDcwO2JyYW5jaD16 OWhHNGJLLWM4NzU0Mi03MzAwNzU0MDYtMS0tYzg3NTQyLTtycG9ydD01MDcwO3Jl Y2VpdmVkPTEyNy4wLjAuMQ0KQ2FsbC1JRDogMjJiNGYyNmQ2YmUyM2EwZQ0KQ1Nl cTogMSBNRVNTQUdFDQpDb250YWN0OiA8c2lwOmJvYkBiLmV4YW1wbGUuY29tOjUw NjA+DQpDb250ZW50LUxlbmd0aDogMA0KDQo=
The following is the base64 of the encrypted message.
TUVTU0FHRSBzaXA6Ym9iQGIuZXhhbXBsZS5jb20gU0lQLzIuMA0KVG86IDxzaXA6 Ym9iQGIuZXhhbXBsZS5jb20+DQpGcm9tOiA8c2lwOmFsaWNlQGEuZXhhbXBsZS5j b20+O3RhZz00YmJhMWYwZA0KVmlhOiBTSVAvMi4wL1VEUCAxMjcuMC4wLjE6NTA3 MDticmFuY2g9ejloRzRiSy1jODc1NDItNTU4NDIyODM0LTEtLWM4NzU0Mi07cnBv cnQNCkNhbGwtSUQ6IDEzMmJiODk1MDE5ZDQ1MzYNCkNTZXE6IDEgTUVTU0FHRQ0K Q29udGFjdDogPHNpcDphbGljZUBhLmV4YW1wbGUuY29tOjUwNzA+DQpNYXgtRm9y d2FyZHM6IDcwDQpDb250ZW50LURpc3Bvc2l0aW9uOiBhdHRhY2htZW50O2hhbmRs aW5nPXJlcXVpcmVkO2ZpbGVuYW1lPXNtaW1lLnA3DQpDb250ZW50LVR5cGU6IGFw cGxpY2F0aW9uL3BrY3M3LW1pbWU7c21pbWUtdHlwZT1lbnZlbG9wZWQtZGF0YTtu YW1lPXNtaW1lLnA3bQ0KVXNlci1BZ2VudDogU0lQaW1wLm9yZy8wLjIuMiAoY3Vy c2VzKQ0KQ29udGVudC1MZW5ndGg6IDM4NQ0KDQowggF9BgkqhkiG9w0BBwOgggFu MIIBagIBADGCARYwggESAgEAMHswcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh bGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcG A1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkCB1UBgQJJAHIw DQYJKoZIhvcNAQEBBQAEgYCUvSKVQO7kymKOszSmBP8WBx1Q4Y/Lb9C52Lo5ze9+ mzthE+09Yf5iCzecZZ208jJ0LuXsfg81meW+RXxjLd9eoEKbcN2NmWVw3TU1GNck Ubr3lICk4pP10M3CH/+qVj/6CRVBvQJteCE7ANyWSd0hbFeu2aBfh1Uboea45yY2 qzBLBgkqhkiG9w0BBwEwFAYIKoZIhvcNAwcECJyyY8coGB9SgCiP8VFLHeq5gTx+ pr4tR390slx3dSBzPvDH9SyOWMELstFhlkedC+aL
The base64 of the response was:
U0lQLzIuMCAyMDAgT0sNClRvOiA8c2lwOmJvYkBiLmV4YW1wbGUuY29tPjt0YWc9 MzMwODA1ZjUNCkZyb206IDxzaXA6YWxpY2VAYS5leGFtcGxlLmNvbT47dGFnPTRi YmExZjBkDQpWaWE6IFNJUC8yLjAvVURQIDEyNy4wLjAuMTo1MDcwO2JyYW5jaD16 OWhHNGJLLWM4NzU0Mi01NTg0MjI4MzQtMS0tYzg3NTQyLTtycG9ydD01MDcwO3Jl Y2VpdmVkPTEyNy4wLjAuMQ0KQ2FsbC1JRDogMTMyYmI4OTUwMTlkNDUzNg0KQ1Nl cTogMSBNRVNTQUdFDQpDb250YWN0OiA8c2lwOmJvYkBiLmV4YW1wbGUuY29tOjUw NjA+DQpDb250ZW50LUxlbmd0aDogMA0KDQo=
The following is the base64 of the signed and encrypted message.
TUVTU0FHRSBzaXA6Ym9iQGIuZXhhbXBsZS5jb20gU0lQLzIuMA0KVG86IDxzaXA6 Ym9iQGIuZXhhbXBsZS5jb20+DQpGcm9tOiA8c2lwOmFsaWNlQGEuZXhhbXBsZS5j b20+O3RhZz0xZDg2NzNhMw0KVmlhOiBTSVAvMi4wL1VEUCAxMjcuMC4wLjE6NTA3 MDticmFuY2g9ejloRzRiSy1jODc1NDItNDg4ODg0MTA0LTEtLWM4NzU0Mi07cnBv cnQNCkNhbGwtSUQ6IDQ1MGM4YjExMjcxNWE3MzINCkNTZXE6IDEgTUVTU0FHRQ0K Q29udGFjdDogPHNpcDphbGljZUBhLmV4YW1wbGUuY29tOjUwNzA+DQpNYXgtRm9y d2FyZHM6IDcwDQpDb250ZW50LVR5cGU6IG11bHRpcGFydC9zaWduZWQ7Ym91bmRh cnk9NzViM2Q3M2I0ZTI0ZDNmNjttaWNhbGc9c2hhMTtwcm90b2NvbD1hcHBsaWNh dGlvbi9wa2NzNy1zaWduYXR1cmUNClVzZXItQWdlbnQ6IFNJUGltcC5vcmcvMC4y LjIgKGN1cnNlcykNCkNvbnRlbnQtTGVuZ3RoOiAyMTU4DQoNCi0tNzViM2Q3M2I0 ZTI0ZDNmNg0KQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9wa2NzNy1taW1lO3Nt aW1lLXR5cGU9ZW52ZWxvcGVkLWRhdGE7bmFtZT1zbWltZS5wN20NCkNvbnRlbnQt RGlzcG9zaXRpb246IGF0dGFjaG1lbnQ7aGFuZGxpbmc9cmVxdWlyZWQ7ZmlsZW5h bWU9c21pbWUucDcNCkNvbnRlbnQtVHJhbnNmZXItRW5jb2Rpbmc6IGJpbmFyeQ0K DQowggF9BgkqhkiG9w0BBwOgggFuMIIBagIBADGCARYwggESAgEAMHswcDELMAkG A1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3Nl MQ4wDAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0 ZSBBdXRob3JpdHkCB1UBgQJJAHIwDQYJKoZIhvcNAQEBBQAEgYBbH0sWpjlXVG3S OdYb8BXnJx/x/SiFhNbfvEUpPNgX5/CT+xtEoUvftXcHNb7BIUP1l52lXq0fyxRU TLxgGY2uAaMsWxJkQ2JwcZKlpIg/w+llcKxr3iLhAnZ5g68TTDOQbET8Xr77NiIh uOufuTthKvUQ6H/NDNbd6wY5Tlrl5zBLBgkqhkiG9w0BBwEwFAYIKoZIhvcNAwcE CK6ldx+VV8mYgCgzKJcCCnt7e8ToqY/Id+dfAm81r/zVDZRTMP+cpiUplPmlDolL e47xDQotLTc1YjNkNzNiNGUyNGQzZjYNCkNvbnRlbnQtVHlwZTogYXBwbGljYXRp b24vcGtjczctc2lnbmF0dXJlO25hbWU9c21pbWUucDdzDQpDb250ZW50LURpc3Bv c2l0aW9uOiBhdHRhY2htZW50O2hhbmRsaW5nPXJlcXVpcmVkO2ZpbGVuYW1lPXNt aW1lLnA3cw0KQ29udGVudC1UcmFuc2Zlci1FbmNvZGluZzogYmluYXJ5DQoNCjCC BUsGCSqGSIb3DQEHAqCCBTwwggU4AgEBMQswCQYFKw4DAhoFADALBgkqhkiG9w0B BwGgggM+MIIDOjCCAqOgAwIBAgIHVQGBAkkAczANBgkqhkiG9w0BAQUFADBwMQsw CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv c2UxDjAMBgNVBAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmlj YXRlIEF1dGhvcml0eTAeFw0wMzEwMTQyMDI0NTlaFw0wNjEwMTMyMDI0NTlaMGMx CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4g Sm9zZTEOMAwGA1UEChMFc2lwaXQxHDAaBgNVBAMUE2FsaWNlQGEuZXhhbXBsZS5j b20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKGMP4FGB2eb/sSi/vGsbzjq yBR+Sa7kKs3C+gW75LYz15xE6ySnEDnnW++cRCqq03dTA6pvQFybhdcRtM2H9Glh xM1Fk8SlIEkMDAWM2hRK6Y64IxNFOc0ZTL28ytdAKhrYMxYKuC0v/1l5ntGY+6my KajIn9eaZQyIP1IyqudfAgMBAAGjgeowgecwHgYDVR0RBBcwFYETYWxpY2VAYS5l eGFtcGxlLmNvbTAJBgNVHRMEAjAAMB0GA1UdDgQWBBT7wWC71goG+188t5UrMNzm bXgIXjCBmgYDVR0jBIGSMIGPgBRrRhcU6pR2JYBUbhNU2qHjVBShtqF0pHIwcDEL MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBK b3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZp Y2F0ZSBBdXRob3JpdHmCAQAwDQYJKoZIhvcNAQEFBQADgYEAX3sfjxJPVSh4TaoE 2bT3HZGIJXhgXbLyub2UfgJjM44Q2Z7PzVUyHLdTeES2dpeGckkOf8tvB9BozTuR vGw20C6Tnbyf24r6UNgVIrfT0NZRVhoTr6NIbMoLsel1TMqIKfK3unjSYAITeFsT ZA45Jp9OgWoiM5bJ3FuzXm+3U8gxggHVMIIB0QIBATB7MHAxCzAJBgNVBAYTAlVT MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE ChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9y aXR5AgdVAYECSQBzMAkGBSsOAwIaBQCggbEwGAYJKoZIhvcNAQkDMQsGCSqGSIb3 DQEHATAcBgkqhkiG9w0BCQUxDxcNMDMxMDE1MDAwOTIyWjAjBgkqhkiG9w0BCQQx FgQUFLTFVme+Oh3uIw7w3GTqTnmdRLAwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG 9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYI KoZIhvcNAwICASgwDQYJKoZIhvcNAQEBBQAEgYAoI2BmK6Iv3cbIFJSCkgxQC0f9 yvYT9E0c9MEj1eSEMyG+0iFcxzxmvsnNNVRYub13SU2fPmlHAPWLm80reOWuXbKR kJinPgs3bbwWBH+xSzmLSiYAWXK/ZlVZtlQcJWL9bQ6DOy7HmaqbthMe007HUR8j pwqyKeskUIz9kzQ5bA0KLS03NWIzZDczYjRlMjRkM2Y2LS0=
The base64 of the response was:
U0lQLzIuMCAyMDAgT0sNClRvOiA8c2lwOmJvYkBiLmV4YW1wbGUuY29tPjt0YWc9 NDBkNzEzMWINCkZyb206IDxzaXA6YWxpY2VAYS5leGFtcGxlLmNvbT47dGFnPTFk ODY3M2EzDQpWaWE6IFNJUC8yLjAvVURQIDEyNy4wLjAuMTo1MDcwO2JyYW5jaD16 OWhHNGJLLWM4NzU0Mi00ODg4ODQxMDQtMS0tYzg3NTQyLTtycG9ydD01MDcwO3Jl Y2VpdmVkPTEyNy4wLjAuMQ0KQ2FsbC1JRDogNDUwYzhiMTEyNzE1YTczMg0KQ1Nl cTogMSBNRVNTQUdFDQpDb250YWN0OiA8c2lwOmJvYkBiLmV4YW1wbGUuY29tOjUw NjA+DQpDb250ZW50LUxlbmd0aDogMA0KDQo=
Is the encrypted and signed example in this draft correct with respect to what the signature in a detached signature is computed over?
The examples here attach the sender's certificates - is this how we want to go? Need more text on when or should or should not do this.
Need to added Accept with multipart to all examples. Might also want to request congestion safety on all of them.
The examples here attach the sender's certificates - is that how we want to go? Need more text on when or should or should not do this.
Examples showing keywrap stuff.
Would be nice to add an example showing encrypted SDP with SRTP key examples.
Would be nice to add an example showing securing a REFER.
Many thanks to the developers of all the open source software used to create these call flows. This includes the underling crypto and TLS software used from openssl.org, the SIP stack from www.resiprocate.org, and the SIMPLE IMPP agent from www.sipimp.org. The TLS flow dumps were done with SSLDump from http://www.rtfm.com/ssldump. The book SSL and TLS [9] was a huge help in developing the code for these flows and is a great resource for anyone trying to implement TLS with SIP.
Thanks to Dan Wing and Robert Sparks for catching many silly mistakes and Tat Chan who caught a key problem in what the signature was being computed over.
[1] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
[2] | Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M. and Schooler, E., "SIP: Session Initiation Protocol", RFC 3261, June 2002. |
[3] | Housley, R., Polk, W., Ford, W. and Solo, D., "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002. |
[4] | Dusse, S., Hoffman, P., Ramsdell, B., Lundblade, L. and Repka, L., "S/MIME Version 2 Message Specification", RFC 2311, March 1998. |
[5] | Dierks, T., Allen, C., Treese, W., Karlton, P.L., Freier, A.O. and Kocher, P.C., "The TLS Protocol Version 1.0", RFC 2246, January 1999. |
[6] | Chown, P., "Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS)", RFC 3268, June 2002. |
[7] | Ramsdell, B, "S/MIME Version 3.1 Message Specification", Internet-Draft draft-ietf-smime-rfc2633bis-03, January 2003. |
[8] | Campbell, B., Rosenberg, J., Schulzrinne, H., Huitema, C. and Gurle, D., "Session Initiation Protocol (SIP) Extension for Instant Messaging", RFC 3428, December 2002. |
[9] | Rescorla, E.K., "SSL and TLS - Designing and Building Secure Systems", 2001. |
Cullen Jennings | |
Cisco Systems | |
170 West Tasman Drive Mailstop SJC-21/2 |
|
San Jose, CA 95134 | |
USA | |
Phone: | +1 408 902-3341 |
EMail: | fluffy@cisco.com |
Copyright (C) The Internet Society (2004). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Funding for the RFC editor function is currently provided by the Internet Society.