1 files changed, 214 insertions, 0 deletions
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
new file mode 100644
index 000000000..133b2ea71
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
@@ -0,0 +1,214 @@
+# openssl.cnf -  OpenSSL configuration file for the ZHW PKI
+# Mario Strasser <mario.strasser@zhwin.ch>
+#	
+
+# This definitions were set by the ca_init script DO NOT change
+# them manualy.
+CAHOME			= /etc/openssl/rfc3779 
+RANDFILE		= $CAHOME/.rand
+
+# Extra OBJECT IDENTIFIER info:
+oid_section		= new_oids
+
+[ new_oids ]
+SmartcardLogin		= 1.3.6.1.4.1.311.20.2
+ClientAuthentication	= 1.3.6.1.4.1.311.20.2.2
+
+####################################################################
+
+[ ca ]
+default_ca	= root_ca		# The default ca section
+
+####################################################################
+
+[ root_ca ]				
+
+dir		= $CAHOME
+certs		= $dir/certs		  # Where the issued certs are kept
+crl_dir		= $dir/crl                # Where the issued crl are kept
+database	= $dir/index.txt          # database index file.
+new_certs_dir   = $dir/newcerts           # default place for new certs.
+
+certificate     = $dir/strongswanCert.pem # The CA certificate
+serial          = $dir/serial             # The current serial number
+crl             = $dir/crl.pem            # The current CRL
+crlnumber	= $dir/crlnumber	  # The current CRL serial number
+private_key     = $dir/strongswanKey.pem  # The private key
+RANDFILE        = $dir/.rand              # private random number file
+
+x509_extensions = host_ext		  # The extentions to add to the cert
+
+crl_extensions	= crl_ext  		  # The extentions to add to the CRL
+
+default_days    = 1825                    # how long to certify for
+default_crl_days= 30			  # how long before next CRL
+default_md      = sha256                  # which md to use.
+preserve        = no                      # keep passed DN ordering
+email_in_dn	= no			  # allow/forbid EMail in DN
+
+policy          = policy_match		  # specifying how similar the request must look
+
+####################################################################
+
+# the 'match' policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= optional
+localityName            = optional
+organizationName	= match
+organizationalUnitName	= optional
+userId			= optional
+serialNumber		= optional
+commonName		= supplied
+emailAddress		= optional
+
+# the 'anything' policy
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions		= ca_ext	# The extentions to add to the self signed cert
+# req_extensions 	= v3_req 	# The extensions to add to a certificate request
+
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask 			= nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+####################################################################
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= CH
+countryName_min			= 2
+countryName_max			= 2
+
+#stateOrProvinceName		= State or Province Name (full name)
+#stateOrProvinceName_default	= ZH
+
+#localityName			= Locality Name (eg, city)
+#localityName_default		= Winterthur
+
+organizationName		= Organization Name (eg, company)
+organizationName_default	= Linux strongSwan
+
+0.organizationalUnitName		= Organizational Unit Name (eg, section)
+0.organizationalUnitName_default	= RFC3779 
+
+#1.organizationalUnitName	= Type (eg, Staff)
+#1.organizationalUnitName_default = Staff
+
+#userId				= UID 
+
+commonName			= Common Name (eg, YOUR name)
+commonName_default		= $ENV::COMMON_NAME
+commonName_max			= 64
+
+#0.emailAddress			= Email Address (eg, foo@bar.com)
+#0.emailAddress_min              = 0
+#0.emailAddress_max              = 40
+
+#1.emailAddress                  = Second Email Address (eg, foo@bar.com)
+#1.emailAddress_min              = 0
+#1.emailAddress_max              = 40
+
+####################################################################
+
+[ req_attributes ]
+
+####################################################################
+
+[ host_ext ]
+
+basicConstraints		= CA:FALSE
+keyUsage 			= digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer:always
+subjectAltName			= DNS:$ENV::COMMON_NAME
+#extendedKeyUsage		= OCSPSigning
+extendedKeyUsage		= serverAuth
+crlDistributionPoints          	= URI:http://crl.strongswan.org/strongswan_rfc3779.crl
+
+sbgp-ipAddrBlock = critical, @host-addr-section
+
+[host-addr-section]
+
+IPv4.0 = 192.168.0.2
+IPv4.1 = 10.2.0.0/16
+IPv6.0 = fec0::2
+IPv6.1 = fec2::/16
+
+####################################################################
+
+[ user_ext ]
+
+basicConstraints		= CA:FALSE
+keyUsage                        = digitalSignature, keyEncipherment, keyAgreement
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer:always
+subjectAltName                  = email:$ENV::COMMON_NAME 
+#authorityInfoAccess		= OCSP;URI:http://ocsp.strongswan.org:8880
+crlDistributionPoints          	= URI:http://crl.strongswan.org/strongswan_rfc3779.crl
+
+#sbgp-ipAddrBlock = critical, IPv4:192.168.0.0/24, IPv6:inherit
+
+sbgp-ipAddrBlock = critical, @user-addr-section
+
+[user-addr-section]
+
+IPv4.0 = 192.168.0.200
+IPv4.1 = 10.3.0.2
+IPv6.0 = fec0::20
+
+####################################################################
+
+[ ca_ext ]
+
+basicConstraints               	= critical, CA:TRUE, pathlen:1
+keyUsage                        = cRLSign, keyCertSign
+subjectKeyIdentifier		= hash
+authorityKeyIdentifier		= keyid, issuer:always
+
+sbgp-ipAddrBlock = critical, @ca-addr-section
+
+[ca-addr-section]
+
+IPv4.0 = 192.168.0.0/24
+IPv4.1 = 10.1.0.0/16
+IPv4.2 = 10.2.0.0/16
+IPv4.3 = 10.3.0.1 - 10.3.3.232
+IPv6.0 = fec0::/16
+IPv6.1 = fec1::/16
+IPv6.2 = fec2::/16
+
+####################################################################
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+#issuerAltName			= issuer:copy
+authorityKeyIdentifier		= keyid:always, issuer:always
+
+# eof