I've started collecting a certificate torture test suite at

It has RSA, DSA and EC keys in various forms (PKCS#1, PKCS#8, PKCS#12
with varying encryptions), and PKCS#11.

I'm vaguely thinking about separating it from OpenConnect and making it
available as a generic test suite — and then perhaps trying to set
expectations that any application that can use SSL client certs/keys
should pass it.

Currently, every application you encounter on a Linux system will
support a *different* subset of the keys here. It would be nice to have
a bit of consistency.

Does that seem reasonable? Is there anything I'm missing from the tests
above? I know I need to add some non-ASCII password tests, and I need a
PKCS#11 test case where the certificate isn't visible until you log in
to the token. What else? Should I add PKCS#12 in PEM form for

FWIW I hate all crypto libraries... there isn't *one* which simply has
a function that'll do the right thing and load a certificate given a
string which identifies it (by filename or PKCS#11 URI). GnuTLS comes
closest, I think, but we still have to jump through hoops in the
*application* to work out what kind of file we're looking at and ask
for it to be loaded. The library *really* ought to make that simple.


Attachment: smime.p7s
Description: S/MIME cryptographic signature

openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Reply via email to