multi level ca for CaBuffer

cpr/ssl_ctx.cpp

@@ -1,15 +1,21 @@
 
 #include "cpr/ssl_ctx.h"
 #include "cpr/ssl_options.h"
+#include <cstddef>
 #include <curl/curl.h>
 #include <iostream>
+#include <memory>
+#include <sstream>
+#include <string>
 
 #if SUPPORT_CURLOPT_SSL_CTX_FUNCTION
 
 #ifdef OPENSSL_BACKEND_USED
 
 #include <openssl/bio.h>
+#include <openssl/err.h>
 #include <openssl/pem.h>
+#include <openssl/pemerr.h>
 #include <openssl/ssl.h>
 #include <openssl/x509.h>
 #include <openssl/x509_vfy.h>
@@ -34,46 +40,67 @@ namespace cpr {
  * Sources: https://curl.se/libcurl/c/CURLOPT_SSL_CTX_FUNCTION.html
  *          https://curl.se/libcurl/c/CURLOPT_SSL_CTX_DATA.html
  */
+
+template <auto fn>
+struct deleter_from_fn {
+    template <typename T>
+    constexpr void operator()(T* arg) const {
+        fn(arg);
+    }
+};
+
+template <typename T, auto fn>
+using custom_unique_ptr = std::unique_ptr<T, deleter_from_fn<fn>>;
+using x509_ptr = custom_unique_ptr<X509, X509_free>;
+using bio_ptr = custom_unique_ptr<BIO, BIO_free>;
+
+inline std::string get_openssl_print_errors() {
+    std::ostringstream oss;
+    ERR_print_errors_cb(
+            [](char const* str, size_t len, void* data) -> int {
+                auto& oss = *static_cast<std::ostringstream*>(data);
+                oss << str;
+                return static_cast<int>(len);
+            },
+            &oss);
+    return oss.str();
+}
+
 CURLcode sslctx_function_load_ca_cert_from_buffer(CURL* /*curl*/, void* sslctx, void* raw_cert_buf) {
     // Check arguments
     if (raw_cert_buf == nullptr || sslctx == nullptr) {
         std::cerr << "Invalid callback arguments!\n";
         return CURLE_ABORTED_BY_CALLBACK;
     }
 
-    // Setup pointer
-    X509_STORE* store = nullptr;
-    X509* cert = nullptr;
-    BIO* bio = nullptr;
-    char* cert_buf = static_cast<char*>(raw_cert_buf);
+    // Get a pointer to the current certificate verification storage
+    auto* store = SSL_CTX_get_cert_store(static_cast<SSL_CTX*>(sslctx));
 
     // Create a memory BIO using the data of cert_buf.
     // Note: It is assumed, that cert_buf is nul terminated and its length is determined by strlen.
-    bio = BIO_new_mem_buf(cert_buf, -1);
-
-    // Load the PEM formatted certicifate into an X509 structure which OpenSSL can use.
-    PEM_read_bio_X509(bio, &cert, nullptr, nullptr);
-    if (cert == nullptr) {
-        std::cerr << "PEM_read_bio_X509 failed!\n";
-        return CURLE_ABORTED_BY_CALLBACK;
+    const bio_ptr bio{BIO_new_mem_buf(static_cast<char*>(raw_cert_buf), -1)};
+
+    bool at_least_got_one = false;
+    for (;;) {
+        // Load the PEM formatted certicifate into an X509 structure which OpenSSL can use.
+        const x509_ptr x{PEM_read_bio_X509_AUX(bio.get(), nullptr, nullptr, nullptr)};
+        if (x == nullptr) {
+            if ((ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) && at_least_got_one) {
+                ERR_clear_error();
+                break;
+            }
+            std::cerr << "PEM_read_bio_X509_AUX failed: \n" << get_openssl_print_errors() << '\n';
+            return CURLE_ABORTED_BY_CALLBACK;
+        }
+
+        // Add the loaded certificate to the verification storage
+        if (X509_STORE_add_cert(store, x.get()) == 0) {
+            std::cerr << "X509_STORE_add_cert failed: \n" << get_openssl_print_errors() << '\n';
+            return CURLE_ABORTED_BY_CALLBACK;
+        }
+        at_least_got_one = true;
     }
 
-    // Get a pointer to the current certificate verification storage
-    store = SSL_CTX_get_cert_store(static_cast<SSL_CTX*>(sslctx));
-
-    // Add the loaded certificate to the verification storage
-    const int status = X509_STORE_add_cert(store, cert);
-    if (status == 0) {
-        std::cerr << "Error adding certificate!\n";
-        return CURLE_ABORTED_BY_CALLBACK;
-    }
-
-    // Decrement the reference count of the X509 structure cert and frees it up
-    X509_free(cert);
-
-    // Free the entire bio chain
-    BIO_free(bio);
-
     // The CA certificate was loaded successfully into the verification storage
     return CURLE_OK;
 }

cpr/util.cpp

@@ -6,6 +6,7 @@
 #include <algorithm>
 #include <cctype>
 #include <chrono>
+#include <cstdint>
 #include <ctime>
 #include <curl/curl.h>
 #include <fstream>
@@ -36,7 +37,7 @@
 
 namespace cpr::util {
 
-enum class CurlHTTPCookieField : size_t {
+enum class CurlHTTPCookieField : uint8_t {
     Domain = 0,
     IncludeSubdomains,
     Path,
@@ -104,7 +105,7 @@ Header parseHeader(const std::string& headers, std::string* status_line, std::st
             header.clear();
         }
 
-        if (line.length() > 0) {
+        if (!line.empty()) {
             const size_t found = line.find(':');
             if (found != std::string::npos) {
                 std::string value = line.substr(found + 1);

test/CMakeLists.txt

@@ -74,6 +74,8 @@ if (ENABLE_SSL_TESTS)
     add_custom_command(TARGET ssl_tests POST_BUILD COMMAND ${CMAKE_COMMAND} -E make_directory $<TARGET_FILE_DIR:ssl_tests>/data/certificates $<TARGET_FILE_DIR:ssl_tests>/data/keys)
     add_custom_command(TARGET ssl_tests POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy_if_different ${CMAKE_CURRENT_SOURCE_DIR}/data/certificates/client.crt $<TARGET_FILE_DIR:ssl_tests>/data/certificates/client.crt)
     add_custom_command(TARGET ssl_tests POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy_if_different ${CMAKE_CURRENT_SOURCE_DIR}/data/certificates/root-ca.crt $<TARGET_FILE_DIR:ssl_tests>/data/certificates/root-ca.crt)
+    add_custom_command(TARGET ssl_tests POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy_if_different ${CMAKE_CURRENT_SOURCE_DIR}/data/certificates/sub-ca.crt $<TARGET_FILE_DIR:ssl_tests>/data/certificates/sub-ca.crt)
+    add_custom_command(TARGET ssl_tests POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy_if_different ${CMAKE_CURRENT_SOURCE_DIR}/data/certificates/ca-bundle.crt $<TARGET_FILE_DIR:ssl_tests>/data/certificates/ca-bundle.crt)
     add_custom_command(TARGET ssl_tests POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy_if_different ${CMAKE_CURRENT_SOURCE_DIR}/data/certificates/server.crt $<TARGET_FILE_DIR:ssl_tests>/data/certificates/server.crt)
     add_custom_command(TARGET ssl_tests POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy_if_different ${CMAKE_CURRENT_SOURCE_DIR}/data/keys/client.key $<TARGET_FILE_DIR:ssl_tests>/data/keys/client.key)
     add_custom_command(TARGET ssl_tests POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy_if_different ${CMAKE_CURRENT_SOURCE_DIR}/data/keys/root-ca.key $<TARGET_FILE_DIR:ssl_tests>/data/keys/root-ca.key)

test/data/certificates/ca-bundle.crt

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIBrjCCAWCgAwIBAgIRAKy+/CzeW5ALVVSDllVnZdMwBQYDK2VwMDExCzAJBgNV
+BAYTAkdCMRAwDgYDVQQKDAdFeGFtcGxlMRAwDgYDVQQDDAdSb290IENBMB4XDTI0
+MDUwNzEwMTgyMloXDTM0MDUwNTEwMTgyMlowMDELMAkGA1UEBhMCR0IxEDAOBgNV
+BAoMB0V4YW1wbGUxDzANBgNVBAMMBlN1YiBDQTAqMAUGAytlcAMhAL9vKw+Jb0jc
+THPJj/0HKRBIusX9D0Xj4qZEvK3kqXX+o4GNMIGKMA8GA1UdEwEB/wQFMAMBAf8w
+DgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSbsZshYdxmKzqt7YTxBbbOmYLB/DBI
+BgNVHR4EQTA/oD0wC4IJbG9jYWxob3N0MAqHCH8AAAH/AAAAMCKHIAAAAAAAAAAA
+AAAAAAAAAAH/////////////////////MAUGAytlcANBACspVj23xQ46wvlIWimf
+ofVcl0Nlj1rW1CoTOoA4butJGfJJQoYMzW8Ui/sVokzPoTw7vdOw9u3Knps26c0T
+Ygk=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBrzCCAWGgAwIBAgIRAKy+/CzeW5ALVVSDllVnZdIwBQYDK2VwMDExCzAJBgNV
+BAYTAkdCMRAwDgYDVQQKDAdFeGFtcGxlMRAwDgYDVQQDDAdSb290IENBMB4XDTI0
+MDUwNzEwMTgyMloXDTM0MDUwNTEwMTgyMlowMTELMAkGA1UEBhMCR0IxEDAOBgNV
+BAoMB0V4YW1wbGUxEDAOBgNVBAMMB1Jvb3QgQ0EwKjAFBgMrZXADIQDI4HsQNDKN
+xwtOvL2FI7Q+VIoqWLHmsoLaOe1L+JvbyKOBjTCBijAPBgNVHRMBAf8EBTADAQH/
+MA4GA1UdDwEB/wQEAwICBDAdBgNVHQ4EFgQUvMDvOfNgjMd7lZ6iDa/JCJcVLwkw
+SAYDVR0eBEEwP6A9MAuCCWxvY2FsaG9zdDAKhwh/AAAB/wAAADAihyAAAAAAAAAA
+AAAAAAAAAAAB/////////////////////zAFBgMrZXADQQBCMm6k6vanrNUO3vlc
+vsecQTSUVxsnl+bD6ANYhs10cuGafZ/lFRh1z4yBxz50b7EIePDeLP2pZlLmz8bm
+sN8M
+-----END CERTIFICATE-----

test/data/certificates/client.crt

@@ -1,10 +1,10 @@
 -----BEGIN CERTIFICATE-----
-MIIBejCCASygAwIBAgIQKMJShx7GKmJqmABrC/KIkDAFBgMrZXAwMTELMAkGA1UE
-BhMCR0IxEDAOBgNVBAoMB0V4YW1wbGUxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjIw
-NjI5MTEzMzA3WhcNMjcwNjI4MTEzMzA3WjAWMRQwEgYDVQQDDAt0ZXN0LWNsaWVu
-dDAqMAUGAytlcAMhAOGArRN1SIicY6uB/2CRB668fBEDTQb1oLcCoTsYQetho3Uw
-czAfBgNVHSMEGDAWgBTk8vOFDreFdYR240PRtp0UuOKktzAMBgNVHRMBAf8EAjAA
+MIIBejCCASygAwIBAgIRAKy+/CzeW5ALVVSDllVnZdUwBQYDK2VwMDAxCzAJBgNV
+BAYTAkdCMRAwDgYDVQQKDAdFeGFtcGxlMQ8wDQYDVQQDDAZTdWIgQ0EwHhcNMjQw
+NTA3MTAxODIyWhcNMjkwNTA2MTAxODIyWjAWMRQwEgYDVQQDDAt0ZXN0LWNsaWVu
+dDAqMAUGAytlcAMhAPU88C62SwhVGcJhYDp97gf1x5pHjcVD/AZ3PqoQfU68o3Uw
+czAfBgNVHSMEGDAWgBSbsZshYdxmKzqt7YTxBbbOmYLB/DAMBgNVHRMBAf8EAjAA
 MBMGA1UdJQQMMAoGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4EFgQU
-a5RqAAt7DpJN8iHcLvTjH2TIKtowBQYDK2VwA0EApzcNlIuTMToyqyWZ0FhxikP/
-c2TS6u5qkP+YHgcJJkvJ0rRTXs164k4LpvlMG0gNxle4zfoAJQ8mAAMZcQKyAg==
+TU53uUDblDe4iFsDIV77hIwigPswBQYDK2VwA0EAX0aM10AEe8HxQNXcL2Qf1ryh
+StldRyLog/s1ZuGidfxwdr7xoZes0yjYaZYhkKLDIf+CR3BwEWik2ppNXE1bDw==
 -----END CERTIFICATE-----

test/data/certificates/root-ca.crt

@@ -1,12 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBrjCCAWCgAwIBAgIQKMJShx7GKmJqmABrC/KIjjAFBgMrZXAwMTELMAkGA1UE
-BhMCR0IxEDAOBgNVBAoMB0V4YW1wbGUxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjIw
-NjI5MTEzMzA3WhcNMzIwNjI2MTEzMzA3WjAxMQswCQYDVQQGEwJHQjEQMA4GA1UE
-CgwHRXhhbXBsZTEQMA4GA1UEAwwHUm9vdCBDQTAqMAUGAytlcAMhAJqzaumMKuMm
-htBGbS+UCrCmXbGb+lRcuO71mPRey7HXo4GNMIGKMA8GA1UdEwEB/wQFMAMBAf8w
-DgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBTk8vOFDreFdYR240PRtp0UuOKktzBI
-BgNVHR4EQTA/oD0wC4IJbG9jYWxob3N0MAqHCH8AAAH/AAAAMCKHIAAAAAAAAAAA
-AAAAAAAAAAH/////////////////////MAUGAytlcANBAESQBu1/oyaeYouu3q+h
-VbIDkQiyZT4sPRYautZZ+xrN4MkNWDtwLeVJ+a9N0YU9vDpOviJpvXN4H/EEBwBF
-3AA=
+MIIBrzCCAWGgAwIBAgIRAKy+/CzeW5ALVVSDllVnZdIwBQYDK2VwMDExCzAJBgNV
+BAYTAkdCMRAwDgYDVQQKDAdFeGFtcGxlMRAwDgYDVQQDDAdSb290IENBMB4XDTI0
+MDUwNzEwMTgyMloXDTM0MDUwNTEwMTgyMlowMTELMAkGA1UEBhMCR0IxEDAOBgNV
+BAoMB0V4YW1wbGUxEDAOBgNVBAMMB1Jvb3QgQ0EwKjAFBgMrZXADIQDI4HsQNDKN
+xwtOvL2FI7Q+VIoqWLHmsoLaOe1L+JvbyKOBjTCBijAPBgNVHRMBAf8EBTADAQH/
+MA4GA1UdDwEB/wQEAwICBDAdBgNVHQ4EFgQUvMDvOfNgjMd7lZ6iDa/JCJcVLwkw
+SAYDVR0eBEEwP6A9MAuCCWxvY2FsaG9zdDAKhwh/AAAB/wAAADAihyAAAAAAAAAA
+AAAAAAAAAAAB/////////////////////zAFBgMrZXADQQBCMm6k6vanrNUO3vlc
+vsecQTSUVxsnl+bD6ANYhs10cuGafZ/lFRh1z4yBxz50b7EIePDeLP2pZlLmz8bm
+sN8M
 -----END CERTIFICATE-----

test/data/certificates/server.crt

@@ -1,10 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBdTCCASegAwIBAgIQKMJShx7GKmJqmABrC/KIjzAFBgMrZXAwMTELMAkGA1UE
-BhMCR0IxEDAOBgNVBAoMB0V4YW1wbGUxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjIw
-NjI5MTEzMzA3WhcNMjcwNjI4MTEzMzA3WjAWMRQwEgYDVQQDDAt0ZXN0LXNlcnZl
-cjAqMAUGAytlcAMhAI64JU5RjfdEG1KQMxS5DQWkiGlKIQO7ye4mNFq9QleTo3Aw
-bjAsBgNVHREEJTAjgglsb2NhbGhvc3SHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEw
-HQYDVR0OBBYEFDnBgTgB3FU45S9OetBMhHu3J9OvMB8GA1UdIwQYMBaAFOTy84UO
-t4V1hHbjQ9G2nRS44qS3MAUGAytlcANBAC4NoQ31kHfp64R9gGNjTYrr2SNXHyEq
-7YG0qFi5ABvLXJAbM2v27EIgY1TWYO43FBsclQsz6mcp1MzZfjT9RwQ=
+MIIBtDCCAWagAwIBAgIRAKy+/CzeW5ALVVSDllVnZdQwBQYDK2VwMDAxCzAJBgNV
+BAYTAkdCMRAwDgYDVQQKDAdFeGFtcGxlMQ8wDQYDVQQDDAZTdWIgQ0EwHhcNMjQw
+NTA3MTAxODIyWhcNMjkwNTA2MTAxODIyWjAWMRQwEgYDVQQDDAt0ZXN0LXNlcnZl
+cjAqMAUGAytlcAMhACdLUqJFSyspgGKJiXNlnOLU2dO/TLV+b8aIZNAX7EuVo4Gu
+MIGrMB8GA1UdIwQYMBaAFJuxmyFh3GYrOq3thPEFts6ZgsH8MAwGA1UdEwEB/wQC
+MAAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIF
+oDAdBgNVHQ4EFgQUZkdU+CWXVppSVjW0p1JgDOdPMwkwLAYDVR0RBCUwI4IJbG9j
+YWxob3N0hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMAUGAytlcANBAG1j2RGjm8ef
+tiMSJ+k04KGjIL7734D+UwidjOSCQnbCVRPofIaDMwuan5IqP97pMnjAsbw/QukX
++Z9sFTWjAQk=
 -----END CERTIFICATE-----

test/data/certificates/sub-ca.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBrjCCAWCgAwIBAgIRAKy+/CzeW5ALVVSDllVnZdMwBQYDK2VwMDExCzAJBgNV
+BAYTAkdCMRAwDgYDVQQKDAdFeGFtcGxlMRAwDgYDVQQDDAdSb290IENBMB4XDTI0
+MDUwNzEwMTgyMloXDTM0MDUwNTEwMTgyMlowMDELMAkGA1UEBhMCR0IxEDAOBgNV
+BAoMB0V4YW1wbGUxDzANBgNVBAMMBlN1YiBDQTAqMAUGAytlcAMhAL9vKw+Jb0jc
+THPJj/0HKRBIusX9D0Xj4qZEvK3kqXX+o4GNMIGKMA8GA1UdEwEB/wQFMAMBAf8w
+DgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSbsZshYdxmKzqt7YTxBbbOmYLB/DBI
+BgNVHR4EQTA/oD0wC4IJbG9jYWxob3N0MAqHCH8AAAH/AAAAMCKHIAAAAAAAAAAA
+AAAAAAAAAAH/////////////////////MAUGAytlcANBACspVj23xQ46wvlIWimf
+ofVcl0Nlj1rW1CoTOoA4butJGfJJQoYMzW8Ui/sVokzPoTw7vdOw9u3Knps26c0T
+Ygk=
+-----END CERTIFICATE-----

test/data/generate-certificates.sh

@@ -21,6 +21,7 @@ openssl rand -hex 16  > $CA_PATH/db/serial
 
 # Generate all private keys
 openssl genpkey -algorithm ed25519 -out $KEY_PATH/root-ca.key
+openssl genpkey -algorithm ed25519 -out $KEY_PATH/sub-ca.key
 openssl genpkey -algorithm ed25519 -out $KEY_PATH/server.key
 openssl genpkey -algorithm ed25519 -out $KEY_PATH/client.key
 
@@ -39,6 +40,16 @@ openssl ca -batch \
     -extensions ca_ext \
     -in root-ca.csr -out $CRT_PATH/root-ca.crt -notext
 
+# Create a Certificate Signing request for the Sub CA
+openssl req -new \
+    -config sub-ca.cnf -out sub-ca.csr \
+    -key $KEY_PATH/sub-ca.key
+
+# Issue the Sub CA
+openssl ca -batch \
+    -config root-ca.cnf \
+    -extensions ca_ext \
+    -in sub-ca.csr -out $CRT_PATH/sub-ca.crt -notext
 
 # Create a Certificate Signing request for the server certificate
 openssl req -new \
@@ -49,12 +60,11 @@ openssl req -text -in server.csr -noout
 # Issue the server certificate
 openssl ca -batch \
     -config root-ca.cnf \
+    -name sub_ca \
     -extensions server_ext \
-    -extfile server.cnf -extensions ext \
     -in server.csr -out $CRT_PATH/server.crt -notext \
     -days 1825
 
-
 # Create a Certificate Signing request for the client certificate
 openssl req -new \
     -config client.cnf -out client.csr \
@@ -63,11 +73,13 @@ openssl req -new \
 # Issue the client certificate
 openssl ca -batch \
     -config root-ca.cnf \
+    -name sub_ca \
     -extensions client_ext \
     -in client.csr -out $CRT_PATH/client.crt -notext \
     -days 1825
 
-
+cp $CRT_PATH/sub-ca.crt $CRT_PATH/ca-bundle.crt
+cat $CRT_PATH/root-ca.crt >> $CRT_PATH/ca-bundle.crt
 
 # Clean up
 # IMPORTANT: If new certificates should be issued, $CA_PATH and its files MUST NOT be deleted!

test/data/keys/client.key

@@ -1,3 +1,3 @@
 -----BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VwBCIEIPTCPxm8reXOE2aIrafTcibvg4f6Rg1/F2LVk12EILzJ
+MC4CAQAwBQYDK2VwBCIEIIK4CYIlr3jGta1aSNICikX8V4CXv/i6IJTmj68CUQOU
 -----END PRIVATE KEY-----

test/data/keys/root-ca.key

@@ -1,3 +1,3 @@
 -----BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VwBCIEIHbCvDGMRz5Ky+7gJvQYZ5t+5sZyHI+UcAKWvS20CoLU
+MC4CAQAwBQYDK2VwBCIEICJbx2nPwG8L2S/EKvCHI2q4InmAFAaNVBqdVq13ZpJz
 -----END PRIVATE KEY-----

test/data/keys/server.key

@@ -1,3 +1,3 @@
 -----BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VwBCIEIGVXwKYyi/u52mmDVC56TSorC/GGNqgyiW4+jsDno81i
+MC4CAQAwBQYDK2VwBCIEIGqt/stoQYkwb24d3EUC0LpH2QwKuh+0tftML+wk/N1P
 -----END PRIVATE KEY-----

test/data/keys/server.pub

@@ -1,3 +1,3 @@
 -----BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEAjrglTlGN90QbUpAzFLkNBaSIaUohA7vJ7iY0Wr1CV5M=
+MCowBQYDK2VwAyEAJ0tSokVLKymAYomJc2Wc4tTZ079MtX5vxohk0BfsS5U=
 -----END PUBLIC KEY-----

test/data/keys/sub-ca.key

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIASqWiXeb8UOEbwjVVq/2j49JvbBX2aLAiqjUtHQK2qV
+-----END PRIVATE KEY-----

test/data/root-ca.cnf

@@ -23,6 +23,22 @@ default_days            = 3650
 default_md              = sha256
 policy                  = policy_cn_supplied
 
+[sub_ca]
+name                    = sub-ca
+name_opt                = utf8,esc_ctrl,multiline,lname,align
+home                    = ./${ENV::CA_PATH}
+database                = $home/db/index
+serial                  = $home/db/serial
+certificate             = ./${ENV::CRT_PATH}/$name.crt
+private_key             = ./${ENV::KEY_PATH}/$name.key
+RANDFILE                = $home/private/random
+new_certs_dir           = $home/certificates
+unique_subject          = no
+copy_extensions         = none
+default_days            = 3650
+default_md              = sha256
+policy                  = policy_cn_supplied
+
 [policy_cn_supplied]
 countryName             = optional
 stateOrProvinceName     = optional
@@ -47,13 +63,13 @@ keyUsage                = critical,keyCertSign
 subjectKeyIdentifier    = hash
 nameConstraints         = @name_constraints
 
-
 [server_ext]
 authorityKeyIdentifier  = keyid:always
 basicConstraints        = critical,CA:false
 extendedKeyUsage        = clientAuth,serverAuth
 keyUsage                = critical,digitalSignature,keyEncipherment
 subjectKeyIdentifier    = hash
+subjectAltName          = DNS:localhost,IP:127.0.0.1,IP:::1
 
 [client_ext]
 authorityKeyIdentifier  = keyid:always

test/data/sub-ca.cnf

@@ -0,0 +1,25 @@
+[req]
+default_bits            = 4096
+encrypt_key             = yes
+default_md              = sha256
+utf8                    = yes
+string_mask             = utf8only
+prompt                  = no
+distinguished_name      = sub_ca_dn
+req_extensions          = sub_ca_ext
+
+[sub_ca_dn]
+countryName             = "GB"
+organizationName        = "Example"
+commonName              = "Sub CA"
+
+[sub_ca_ext]
+basicConstraints        = critical,CA:true
+keyUsage                = critical,keyCertSign
+subjectKeyIdentifier    = hash
+nameConstraints         = @name_constraints
+
+[name_constraints]
+permitted;DNS.0=localhost
+permitted;IP.0=127.0.0.1/255.0.0.0
+permitted;IP.1=::1/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff