Doing tests...

Planning on adding threading support to modules. This will however require lanes to be on your system

certs/all.bat

@@ -0,0 +1,14 @@
+REM make sure the 'openssl.exe' commandline tool is in your path before starting!
+REM set the path below;
+set opensslpath=C:\OpenSSL-Win32\bin
+
+
+
+setlocal
+set path=%opensslpath%;%path%
+call roota.bat
+call rootb.bat
+call servera.bat
+call serverb.bat
+call clienta.bat
+call clientb.bat

certs/clientA.bat

@@ -0,0 +1,9 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem -nodes -config ./clientA.cnf -days 365 -batch
+
+openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out clientAcert.pem -days 365
+
+copy clientAcert.pem + rootA.pem clientA.pem
+
+openssl x509 -subject -issuer -noout -in clientA.pem

certs/clientA.cnf

@@ -0,0 +1,316 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem # The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha1			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= BR
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Some-State
+stateOrProvinceName_default	= Espirito Santo
+
+localityName			= Locality Name (eg, city)
+localityName_default		= Santo Antonio do Canaa
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Sao Tonico Ltda
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= Department of Computer Science
+
+commonName			= Common Name (eg, YOUR name)
+commonName_default		= Client A
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

certs/clientA.pem

@@ -0,0 +1,44 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAp6gAwIBAgIJANp+V2miEyyZMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+BlJvb3QgQTAeFw0xNzA2MjgxODExMzJaFw0xODA2MjgxODExMzJaMIGdMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
+A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhD
+bGllbnQgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyF0ZcB+on+ir7Ac+
+hX6AvL5GFv362QNU4Yjoh5Lrd10PfexwvcAk1nW9tQ1ZBZ2Q9qbm6xLixM2rtgIR
+qyU0OJBiwe1ya13cyIY4MsXSnBu4i/oytUA72tIlIg1f1lZu9ueKhFNRHfV0TtPb
+2P0lOgkTBIgDh4RRETZo4yHDoiUCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB
+hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
+FAKFT1hs8t+xbQSDi+PfxK/1GGQDMB8GA1UdIwQYMBaAFC+73xiwIpAjd/vo/319
+oUWzE+X9MA0GCSqGSIb3DQEBBQUAA4GBAGFwzagTAQkArthKGESnw+EbFOd9qnF8
+FYEyhS2iDIgQnPq4fDGbpSELpcxeOLQndH7g0GiCTqjHnhhpmFnXsriA2ia+RgMy
+PYCE2dyeCEFYCb9TSUBIdPr9OQPGop/TRY83eGQVxUcRjhGndDCcvN6N4MMeZQpC
+UiHF9G3mj7nC
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDwjCCAyugAwIBAgIJAJSqyJBOJrGkMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+BlJvb3QgQTAeFw0xNzA2MjgxODExMzJaFw0xODA2MjgxODExMzJaMIGdMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAs3B138Uul360K3QZ
+11FnFdFhQ2yW7hN4+20RZ8BQ+SGn7ej1uld/zSHeYxYYlWpSkMryWmOPhBSkGd43
+zZxxvuo9+jh4ahqhmWoovRSilWBoZznQwLBUv35N7XCa+L9KJL+RBKYzsMi6K7Ai
+jZgR3yRtSiqcOjT7VigHYW15dKMCAwEAAaOCAQYwggECMB0GA1UdDgQWBBQvu98Y
+sCKQI3f76P99faFFsxPl/TCB0gYDVR0jBIHKMIHHgBQvu98YsCKQI3f76P99faFF
+sxPl/aGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
+bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT
+YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl
+ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQCUqsiQTiaxpDAMBgNVHRMEBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBACFWgpF/q1nJDY9UT2R/8aXf08KUZSu6L5Oi
+3niZsPRyHBRJkysw1PHwktF69fU8bL2p84Atni+w5Pp24PexDUStNyer2riUGzKg
+Y4D7wMVGSgzryGgNLqCe0rsm3zcWEqEFSUsZRtWSda12vAZsUX4VmmR72rMXEU4X
+a9sWuhH8
+-----END CERTIFICATE-----
+

certs/clientA.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout clientAkey.pem -out clientAreq.pem \
+  -nodes -config ./clientA.cnf -days 365 -batch
+
+openssl x509 -req -in clientAreq.pem -sha1 -extfile ./clientA.cnf \
+  -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
+  -out clientAcert.pem -days 365
+
+cat clientAcert.pem rootA.pem > clientA.pem
+
+openssl x509 -subject -issuer -noout -in clientA.pem

certs/clientAcert.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAp6gAwIBAgIJANp+V2miEyyZMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+BlJvb3QgQTAeFw0xNzA2MjgxODExMzJaFw0xODA2MjgxODExMzJaMIGdMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
+A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhD
+bGllbnQgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyF0ZcB+on+ir7Ac+
+hX6AvL5GFv362QNU4Yjoh5Lrd10PfexwvcAk1nW9tQ1ZBZ2Q9qbm6xLixM2rtgIR
+qyU0OJBiwe1ya13cyIY4MsXSnBu4i/oytUA72tIlIg1f1lZu9ueKhFNRHfV0TtPb
+2P0lOgkTBIgDh4RRETZo4yHDoiUCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB
+hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
+FAKFT1hs8t+xbQSDi+PfxK/1GGQDMB8GA1UdIwQYMBaAFC+73xiwIpAjd/vo/319
+oUWzE+X9MA0GCSqGSIb3DQEBBQUAA4GBAGFwzagTAQkArthKGESnw+EbFOd9qnF8
+FYEyhS2iDIgQnPq4fDGbpSELpcxeOLQndH7g0GiCTqjHnhhpmFnXsriA2ia+RgMy
+PYCE2dyeCEFYCb9TSUBIdPr9OQPGop/TRY83eGQVxUcRjhGndDCcvN6N4MMeZQpC
+UiHF9G3mj7nC
+-----END CERTIFICATE-----

certs/clientAkey.pem

@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMhdGXAfqJ/oq+wH
+PoV+gLy+Rhb9+tkDVOGI6IeS63ddD33scL3AJNZ1vbUNWQWdkPam5usS4sTNq7YC
+EaslNDiQYsHtcmtd3MiGODLF0pwbuIv6MrVAO9rSJSINX9ZWbvbnioRTUR31dE7T
+29j9JToJEwSIA4eEURE2aOMhw6IlAgMBAAECgYB6UJte33TJafjKNgHs7LUag+21
+y4Z/RJFkvXd2jDJCxATZEqYgsFPMuEP/aw6VZwNAD9OYXgchrYzNp6WxnRyq9rS7
+ClTwFkxn9mJvAKXc2P0sKDVrKbhbwc64//bRDMz22mlR02w7ZUQ1D09nl9wRepVD
+1sgH++rgGOXle4+QAQJBAOKJz5Ab3OvfODg1TkDwKzQmq1iy0yGaLX9ryJlQgunf
+yuRLc5y6/p+gCu9BsyVJqBfg05xePPgT4fmXutNcM6UCQQDia9mlXLwjFAwQT/Mw
+2dtwFHsWTfOhzvHnT+Fr+RpgIgMQmxPOMoPCjwqxBoYIkSGxEDYQlHUp4pqpJbu5
+NGyBAkAqlDh9H5+Qfe41Ml+4+OtF7Ba8ny/r2uy+TGXx2x4gEz4xVrUuOj9thUlI
+2xJu6b88bbeYZmYTQrlwjkJBQ805AkEAvnTH/BAYdU1MpIAL6aCntAyWSPnDIO2p
+j9Aipyc/p3OUrmgz7bOSH5sg/C2nmxcxhvZC9Alc0KG7ROLnmG9fgQJBAKJtTtx4
+C6zJ/CPVKqaxJEa1ftObWXUHjS838l2PDNLd7Xg4ZW+Rr6/yMXJrkc1mLApZoaIX
+mWGR9+d+z0zOCMI=
+-----END PRIVATE KEY-----

certs/clientAreq.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT
+YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEYMBYGA1UEChMP
+U2FvIFRvbmljbyBMdGRhMScwJQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVy
+IFNjaWVuY2UxETAPBgNVBAMTCENsaWVudCBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDIXRlwH6if6KvsBz6FfoC8vkYW/frZA1ThiOiHkut3XQ997HC9wCTW
+db21DVkFnZD2pubrEuLEzau2AhGrJTQ4kGLB7XJrXdzIhjgyxdKcG7iL+jK1QDva
+0iUiDV/WVm7254qEU1Ed9XRO09vY/SU6CRMEiAOHhFERNmjjIcOiJQIDAQABoAAw
+DQYJKoZIhvcNAQEFBQADgYEAWuMMubz+6Gh/A9ZVmJIyRgcMLyrklB3jyu6oqZDW
+1OnNkCBrfhKpvuyGe8JtTH1eoI9aWNSgGYyjNXooLsZOjnWLrIJEW/wzj9WIcWnR
+rcCzkCZSt7FUC09CRAbvHndtpffZrZJLZ9Q4+uTkpCe2DfFIWYHdNMlJriQwnjyZ
+6oY=
+-----END CERTIFICATE REQUEST-----

certs/clientB.bat

@@ -0,0 +1,9 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem -nodes -config ./clientB.cnf -days 365 -batch
+
+openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out clientBcert.pem -days 365
+
+copy clientBcert.pem + rootB.pem clientB.pem
+
+openssl x509 -subject -issuer -noout -in clientB.pem

certs/clientB.cnf

@@ -0,0 +1,316 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem # The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha1			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= BR
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Some-State
+stateOrProvinceName_default	= Espirito Santo
+
+localityName			= Locality Name (eg, city)
+localityName_default		= Santo Antonio do Canaa
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Sao Tonico Ltda
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= Department of Computer Science
+
+commonName			= Common Name (eg, YOUR name)
+commonName_default		= Client B
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

certs/clientB.pem

@@ -0,0 +1,43 @@
+-----BEGIN CERTIFICATE-----
+MIIDMzCCApygAwIBAgIJAKYuEhfbhd4GMA0GCSqGSIb3DQEBBQUAMIGbMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
+A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMQ8wDQYDVQQDEwZS
+b290IEIwHhcNMTcwNjI4MTgxMTMzWhcNMTgwNjI4MTgxMTMzWjCBnTELMAkGA1UE
+BhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNhbnRvMR8wHQYDVQQHExZTYW50byBB
+bnRvbmlvIGRvIENhbmFhMRgwFgYDVQQKEw9TYW8gVG9uaWNvIEx0ZGExJzAlBgNV
+BAsTHkRlcGFydG1lbnQgb2YgQ29tcHV0ZXIgU2NpZW5jZTERMA8GA1UEAxMIQ2xp
+ZW50IEIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMAU67v0VbRPsaB1PmcF
+yHB+4MqlFCOsn3ovvsy+J3W9gWhjqSZoOd7gHWlPUCSQTTfxQevlOqitv0KEAm8b
+WnZduslnOnHI8oaQL3j+Fps7WtE6H6QK69c7nvhTZ3osKrgzSo5XXMNKO0SCCAFi
+YkP9DYaekckQ4ZGkwa/gu19VAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4
+QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRj
+O+slbrPO0L3h75KLTdxA5dz0OzAfBgNVHSMEGDAWgBTIf2MLMKUZLIrr4i2kBFyr
+9RRkdDANBgkqhkiG9w0BAQUFAAOBgQA0kyQ47ukI/59xruf+vnYzTv7aQWXfKvM7
+QYedTw7uFmBUmusd/593Ftv7MbyzCgJQX61ztGfYyET7DjjxwJ6Bfvbg6JPo+gTF
+pgdY5fVn8nIdGJGYSsMQOp4MQlnzTM3CYZu772CBs5yW4OA6FzPJzWcVLeDbN6oL
+Tk97P0CJog==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDvDCCAyWgAwIBAgIJAJ5E4CzplDDkMA0GCSqGSIb3DQEBBQUAMIGbMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
+A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMQ8wDQYDVQQDEwZS
+b290IEIwHhcNMTcwNjI4MTgxMTMyWhcNMTgwNjI4MTgxMTMyWjCBmzELMAkGA1UE
+BhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNhbnRvMR8wHQYDVQQHExZTYW50byBB
+bnRvbmlvIGRvIENhbmFhMRgwFgYDVQQKEw9TYW8gVG9uaWNvIEx0ZGExJzAlBgNV
+BAsTHkRlcGFydG1lbnQgb2YgQ29tcHV0ZXIgU2NpZW5jZTEPMA0GA1UEAxMGUm9v
+dCBCMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMI9gMIAALR/EUHILUVjnj
+bS0S+u5PjzqZ9Z573m0JyLLhy0hd+bJLo/f7iJ10KjOKQ3vvWZZYQkrtYxm0Q5LK
+Z9thtVQ8ChvO2VBWwKwCd5HB5HbTW7IzigR9vatUzkjFGLeLB2TpqjU/GyPbeyzD
+1AQQ96yftHZ1V2mUm6pPlQIDAQABo4IBBDCCAQAwHQYDVR0OBBYEFMh/YwswpRks
+iuviLaQEXKv1FGR0MIHQBgNVHSMEgcgwgcWAFMh/YwswpRksiuviLaQEXKv1FGR0
+oYGhpIGeMIGbMQswCQYDVQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8x
+HzAdBgNVBAcTFlNhbnRvIEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBU
+b25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2ll
+bmNlMQ8wDQYDVQQDEwZSb290IEKCCQCeROAs6ZQw5DAMBgNVHRMEBTADAQH/MA0G
+CSqGSIb3DQEBBQUAA4GBABjxZmVXAYqXqHJVkI2Lq1RLg/Jrfmp0yE9Hq97I/gLA
+lpCwzuq3cJsnrYYau2DuuY62f3rrgp87wZ42Sg0ViHg9cP43/W7MUXT3SJkdKKc1
+6rxyjwMvjVJyOXQnnLVwbyiPc7xi+S3HZ1hpruE2PUqaYnd7HsciMKm/Qc06LMlw
+-----END CERTIFICATE-----
+

certs/clientB.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout clientBkey.pem -out clientBreq.pem \
+  -nodes -config ./clientB.cnf -days 365 -batch
+
+openssl x509 -req -in clientBreq.pem -sha1 -extfile ./clientB.cnf \
+  -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
+  -out clientBcert.pem -days 365
+
+cat clientBcert.pem rootB.pem > clientB.pem
+
+openssl x509 -subject -issuer -noout -in clientB.pem

certs/clientBcert.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMzCCApygAwIBAgIJAKYuEhfbhd4GMA0GCSqGSIb3DQEBBQUAMIGbMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
+A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMQ8wDQYDVQQDEwZS
+b290IEIwHhcNMTcwNjI4MTgxMTMzWhcNMTgwNjI4MTgxMTMzWjCBnTELMAkGA1UE
+BhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNhbnRvMR8wHQYDVQQHExZTYW50byBB
+bnRvbmlvIGRvIENhbmFhMRgwFgYDVQQKEw9TYW8gVG9uaWNvIEx0ZGExJzAlBgNV
+BAsTHkRlcGFydG1lbnQgb2YgQ29tcHV0ZXIgU2NpZW5jZTERMA8GA1UEAxMIQ2xp
+ZW50IEIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMAU67v0VbRPsaB1PmcF
+yHB+4MqlFCOsn3ovvsy+J3W9gWhjqSZoOd7gHWlPUCSQTTfxQevlOqitv0KEAm8b
+WnZduslnOnHI8oaQL3j+Fps7WtE6H6QK69c7nvhTZ3osKrgzSo5XXMNKO0SCCAFi
+YkP9DYaekckQ4ZGkwa/gu19VAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4
+QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRj
+O+slbrPO0L3h75KLTdxA5dz0OzAfBgNVHSMEGDAWgBTIf2MLMKUZLIrr4i2kBFyr
+9RRkdDANBgkqhkiG9w0BAQUFAAOBgQA0kyQ47ukI/59xruf+vnYzTv7aQWXfKvM7
+QYedTw7uFmBUmusd/593Ftv7MbyzCgJQX61ztGfYyET7DjjxwJ6Bfvbg6JPo+gTF
+pgdY5fVn8nIdGJGYSsMQOp4MQlnzTM3CYZu772CBs5yW4OA6FzPJzWcVLeDbN6oL
+Tk97P0CJog==
+-----END CERTIFICATE-----

certs/clientBkey.pem

@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMAU67v0VbRPsaB1
+PmcFyHB+4MqlFCOsn3ovvsy+J3W9gWhjqSZoOd7gHWlPUCSQTTfxQevlOqitv0KE
+Am8bWnZduslnOnHI8oaQL3j+Fps7WtE6H6QK69c7nvhTZ3osKrgzSo5XXMNKO0SC
+CAFiYkP9DYaekckQ4ZGkwa/gu19VAgMBAAECgYBDEgsOYk7a20kG4mmbx6UpwuPz
+Xpkdq9Uz8SAKlgtpTXa2YLZbtuEeNduPPiaZ3dlYw2FlYXGOHL1AGKBQ85guSYJV
+C6LUba4MO3uVHmb8QAT5Hq0S1gGd8oS76327gbAMmwnPODoe4pKYpxpjN2L3JOiu
+bekFZ5G4usiEAPArMQJBAOs/x2HhxHvAbq3ntc+4vKUbG1LR1Get9Jiim8KAmbWI
+VSTl4gA216C9ZXSFYFxLDh0eND/S76TO+eVnGbKdbGsCQQDRBl4WzJ3nGV8PV9Hs
+8d1BcFaYbzhySHI6yKaqTMckkpDA6JA3XMpzpNrfTALd1pySTM54b8nMd+XIBVs7
+RVM/AkBwTZQrIBIiWaz8jB75OOGlmBklIlJZ5Gtd6lKdObMnPBwZbzzCiWvKql+i
+joF/zbzBHcgnp9ULQlt9rghQgmJdAkAJSM4fFyGgZTkatlzluGyKfpHqHW6VbPBd
++hGlGNnznur9FpdpTh7T+iuapYavEdxMh0rYgKanBWBYfRxrSo4DAkEAskJpTosI
+07hKlLcjyzNkTfB9VQtdAFAJspWuba7n1K3nKalbA6sSEWpcOqCYyTZxMRhEjGJ0
+5gYrtiVmfpoipw==
+-----END PRIVATE KEY-----

certs/clientBreq.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT
+YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEYMBYGA1UEChMP
+U2FvIFRvbmljbyBMdGRhMScwJQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVy
+IFNjaWVuY2UxETAPBgNVBAMTCENsaWVudCBCMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDAFOu79FW0T7GgdT5nBchwfuDKpRQjrJ96L77Mvid1vYFoY6kmaDne
+4B1pT1AkkE038UHr5Tqorb9ChAJvG1p2XbrJZzpxyPKGkC94/habO1rROh+kCuvX
+O574U2d6LCq4M0qOV1zDSjtEgggBYmJD/Q2GnpHJEOGRpMGv4LtfVQIDAQABoAAw
+DQYJKoZIhvcNAQEFBQADgYEAFNu7lmh26FukN3yc1gxW6YNYqMr9iPil+2+FiqM2
+wJEzvmZ6tC/5Z9+9D6LEO7nca/rXAGls3ilZQH2Dd6GaTnGvy6mz3V3WWVBpxZ2f
+tjm18Hdu5r046cKLsQaPyaBVlfRnBFX/0pc8w40jwTHNJFwSB2PLIIQLzATTJ9UD
+QjY=
+-----END CERTIFICATE REQUEST-----

certs/rootA.bat

@@ -0,0 +1,7 @@
+REM #!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
+
+openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
+
+openssl x509 -subject -issuer -noout -in rootA.pem

certs/rootA.cnf

@@ -0,0 +1,315 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem # The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha1			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= BR
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Espirito Santo
+
+localityName			= Locality Name (eg, city)
+localityName_default		= Santo Antonio do Canaa
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Santo Tonico Ltda
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= Department of Computer Science
+
+commonName			= Common Name (eg, YOUR name)
+commonName_max			= 64
+commonName_default		= Root A
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

certs/rootA.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwjCCAyugAwIBAgIJAJSqyJBOJrGkMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+BlJvb3QgQTAeFw0xNzA2MjgxODExMzJaFw0xODA2MjgxODExMzJaMIGdMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAs3B138Uul360K3QZ
+11FnFdFhQ2yW7hN4+20RZ8BQ+SGn7ej1uld/zSHeYxYYlWpSkMryWmOPhBSkGd43
+zZxxvuo9+jh4ahqhmWoovRSilWBoZznQwLBUv35N7XCa+L9KJL+RBKYzsMi6K7Ai
+jZgR3yRtSiqcOjT7VigHYW15dKMCAwEAAaOCAQYwggECMB0GA1UdDgQWBBQvu98Y
+sCKQI3f76P99faFFsxPl/TCB0gYDVR0jBIHKMIHHgBQvu98YsCKQI3f76P99faFF
+sxPl/aGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
+bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT
+YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl
+ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQCUqsiQTiaxpDAMBgNVHRMEBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBACFWgpF/q1nJDY9UT2R/8aXf08KUZSu6L5Oi
+3niZsPRyHBRJkysw1PHwktF69fU8bL2p84Atni+w5Pp24PexDUStNyer2riUGzKg
+Y4D7wMVGSgzryGgNLqCe0rsm3zcWEqEFSUsZRtWSda12vAZsUX4VmmR72rMXEU4X
+a9sWuhH8
+-----END CERTIFICATE-----

certs/rootA.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout rootAkey.pem -out rootAreq.pem -nodes -config ./rootA.cnf -days 365 -batch
+
+openssl x509 -req -in rootAreq.pem -sha1 -extfile ./rootA.cnf -extensions v3_ca -signkey rootAkey.pem -out rootA.pem -days 365
+
+openssl x509 -subject -issuer -noout -in rootA.pem

certs/rootA.srl

@@ -0,0 +1 @@
+DA7E5769A2132C99

certs/rootAkey.pem

@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALNwdd/FLpd+tCt0
+GddRZxXRYUNslu4TePttEWfAUPkhp+3o9bpXf80h3mMWGJVqUpDK8lpjj4QUpBne
+N82ccb7qPfo4eGoaoZlqKL0UopVgaGc50MCwVL9+Te1wmvi/SiS/kQSmM7DIuiuw
+Io2YEd8kbUoqnDo0+1YoB2FteXSjAgMBAAECgYBl7gBHeM8ap5LZDD6RnWAdeK7z
+if/ChbU3vaEhepGEs6Wc87SCganLcO3PA4I7fgYg0egRiHTB5qfBOgYg+jlx8kND
+Ilsj1LXvJg4kIdiIWtNzWmIhOrwOvTPxK/b+SI5ZgiBB/BxhgGQqzQfA5Cukrpry
+7fvNotAipqkRInGagQJBANhcdML+sEyYL7czrXY9WASjObOTEhwtOMWm9ArQ0k1c
+e/jCgu5LELm+hIAKsVIAmoxNTLPkPR1FOUBdfJsliXECQQDUUFWIMQoYrSh7Ysut
+tjrxPXmQ/FR2aU+XGpD8HBpmgknZeKG0noMzAS/3xT8FerF5ycZx6fFGRGRt5U7/
+sbVTAkEApJN3cZgADNM6gHV7vdQdrrFmQ9VcUjiH1bkQK2X6gkQWPPvgUlihKVjl
+OuxnQ0QYSx7FeJTlc+1jBjXWgcFE0QJAflGNkgobR7M+cqrFJAVX7E/3FBwM5Kaj
+g/N6b4UI8BR0e78Z9qyYwq/iKjhg1pG5Jgy21O+rbXMjjX7xEZBZoQJAGKCZCOZX
+NgcFpRJcdokmPlb4Hdn8BHX/lF6i0/rc8591vjXtD3MHi6KqBjmCISGNrquRmy7o
+A8xT68ZroszZvg==
+-----END PRIVATE KEY-----

certs/rootAreq.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT
+YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEaMBgGA1UEChMR
+U2FudG8gVG9uaWNvIEx0ZGExJzAlBgNVBAsTHkRlcGFydG1lbnQgb2YgQ29tcHV0
+ZXIgU2NpZW5jZTEPMA0GA1UEAxMGUm9vdCBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQCzcHXfxS6XfrQrdBnXUWcV0WFDbJbuE3j7bRFnwFD5Iaft6PW6V3/N
+Id5jFhiValKQyvJaY4+EFKQZ3jfNnHG+6j36OHhqGqGZaii9FKKVYGhnOdDAsFS/
+fk3tcJr4v0okv5EEpjOwyLorsCKNmBHfJG1KKpw6NPtWKAdhbXl0owIDAQABoAAw
+DQYJKoZIhvcNAQEFBQADgYEADD6aj8GgK7GqLVvDowCjMcgtVgRwg9F5F3dhqzkK
+l0XzYLPbPu/+t7Xt8I19fjvtHVFjFerv/7JNlJffmfJ5Nsk5MLEKTADl98ad4tGa
+6Dpml75bUqkv62C7N/pMiEeQt8W10wQ9KPwqAX8AGcHpoRju7WuyZ7DFRWbJaHVL
+hNI=
+-----END CERTIFICATE REQUEST-----

certs/rootB.bat

@@ -0,0 +1,7 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
+
+openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
+
+openssl x509 -subject -issuer -noout -in rootB.pem

certs/rootB.cnf

@@ -0,0 +1,315 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem # The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha1			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= BR
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Espirito Santo
+
+localityName			= Locality Name (eg, city)
+localityName_default		= Santo Antonio do Canaa
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Sao Tonico Ltda
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= Department of Computer Science
+
+commonName			= Common Name (eg, YOUR name)
+commonName_default		= Root B
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

certs/rootB.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDvDCCAyWgAwIBAgIJAJ5E4CzplDDkMA0GCSqGSIb3DQEBBQUAMIGbMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
+A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMQ8wDQYDVQQDEwZS
+b290IEIwHhcNMTcwNjI4MTgxMTMyWhcNMTgwNjI4MTgxMTMyWjCBmzELMAkGA1UE
+BhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNhbnRvMR8wHQYDVQQHExZTYW50byBB
+bnRvbmlvIGRvIENhbmFhMRgwFgYDVQQKEw9TYW8gVG9uaWNvIEx0ZGExJzAlBgNV
+BAsTHkRlcGFydG1lbnQgb2YgQ29tcHV0ZXIgU2NpZW5jZTEPMA0GA1UEAxMGUm9v
+dCBCMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMI9gMIAALR/EUHILUVjnj
+bS0S+u5PjzqZ9Z573m0JyLLhy0hd+bJLo/f7iJ10KjOKQ3vvWZZYQkrtYxm0Q5LK
+Z9thtVQ8ChvO2VBWwKwCd5HB5HbTW7IzigR9vatUzkjFGLeLB2TpqjU/GyPbeyzD
+1AQQ96yftHZ1V2mUm6pPlQIDAQABo4IBBDCCAQAwHQYDVR0OBBYEFMh/YwswpRks
+iuviLaQEXKv1FGR0MIHQBgNVHSMEgcgwgcWAFMh/YwswpRksiuviLaQEXKv1FGR0
+oYGhpIGeMIGbMQswCQYDVQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8x
+HzAdBgNVBAcTFlNhbnRvIEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBU
+b25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2ll
+bmNlMQ8wDQYDVQQDEwZSb290IEKCCQCeROAs6ZQw5DAMBgNVHRMEBTADAQH/MA0G
+CSqGSIb3DQEBBQUAA4GBABjxZmVXAYqXqHJVkI2Lq1RLg/Jrfmp0yE9Hq97I/gLA
+lpCwzuq3cJsnrYYau2DuuY62f3rrgp87wZ42Sg0ViHg9cP43/W7MUXT3SJkdKKc1
+6rxyjwMvjVJyOXQnnLVwbyiPc7xi+S3HZ1hpruE2PUqaYnd7HsciMKm/Qc06LMlw
+-----END CERTIFICATE-----

certs/rootB.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+openssl req -newkey rsa:1024 -sha1 -keyout rootBkey.pem -out rootBreq.pem -nodes -config ./rootB.cnf -days 365 -batch
+
+openssl x509 -req -in rootBreq.pem -sha1 -extfile ./rootB.cnf -extensions v3_ca -signkey rootBkey.pem -out rootB.pem -days 365
+
+openssl x509 -subject -issuer -noout -in rootB.pem

certs/rootB.srl

@@ -0,0 +1 @@
+A62E1217DB85DE06

certs/rootBkey.pem

@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMwj2AwgAAtH8RQc
+gtRWOeNtLRL67k+POpn1nnvebQnIsuHLSF35skuj9/uInXQqM4pDe+9ZllhCSu1j
+GbRDkspn22G1VDwKG87ZUFbArAJ3kcHkdtNbsjOKBH29q1TOSMUYt4sHZOmqNT8b
+I9t7LMPUBBD3rJ+0dnVXaZSbqk+VAgMBAAECgYEAqgNsKmT4RGztDbfVCeyqF4vU
+j0sm8GG0B4c1L6qGGzDoMf6wTXvojvCHVhhoMdf3xr3/WM6+1NCZQG1ZefURKT01
+NfoDiizcV34hbg1plH6HXf3yW1leetGSkeilYt/PhHU6D0S6kV7sQ6RukCR+KwNI
+DW5UZlFh8OZ4J/20Wn0CQQD3NdaLAkYpsRJQHZ/qqmgn/Wdx7Irzdk9AVBb2ujAk
+BAVhncpEedN9s/xGj1vVohqNOhhNt8+BYHIuDPSNTK5HAkEA02X4gjkQRrzS9Adm
+DSbNQsVg2lWYd3813Zcmxcg2oygAPGLu28I/dvliwi8QYjYVc3HcdGwaTWDi+GPv
+aVw1QwJBAJLEfvyGvBsyipnQDMpoo2/ijZDgi9phikm54uxWvBAV5w/+e0DOR1bh
+DcziffZGyJbCP/2cPHEmToOyo1pkhS8CQBzE+OAIEg3+bpslUp8hk7etkvPDyF8i
+4drJUk6CY+UqcXXGZQllUyvG3sjcjNdA0wSGD2GMwLudHuZ8+z0Ufm8CQB1OLP/v
+IcaNLpZYIFsqzoI7unryrLepwLU+DZkZwa0BXvDRhtYspWxaq5kTPLPJ1Q+paOPr
+EKz5L1JqEEoEftI=
+-----END PRIVATE KEY-----

certs/rootBreq.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIB3DCCAUUCAQAwgZsxCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT
+YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEYMBYGA1UEChMP
+U2FvIFRvbmljbyBMdGRhMScwJQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVy
+IFNjaWVuY2UxDzANBgNVBAMTBlJvb3QgQjCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEAzCPYDCAAC0fxFByC1FY5420tEvruT486mfWee95tCciy4ctIXfmyS6P3
++4iddCozikN771mWWEJK7WMZtEOSymfbYbVUPAobztlQVsCsAneRweR201uyM4oE
+fb2rVM5IxRi3iwdk6ao1Pxsj23ssw9QEEPesn7R2dVdplJuqT5UCAwEAAaAAMA0G
+CSqGSIb3DQEBBQUAA4GBAKOYhSVzigjxisN/Sbi+hobJ4HhqtvOuYTyKAea4TQX2
+hROgHsG0hXRCpg2N2QCXu+8PxdSaATCzuOLo+4ctj2O8iTpalm8fKzeHGDDqR5k6
+T2qCyUMpBSpdyd6X8zdsVLCeWWElBIMFMtJdTP+ukWLMIiyFNs9yjP5/9oHZSZ/n
+-----END CERTIFICATE REQUEST-----

certs/serverA.bat

@@ -0,0 +1,9 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem -config ./serverA.cnf -nodes -days 365 -batch
+
+openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial -out serverAcert.pem -days 365
+
+copy serverAcert.pem + rootA.pem serverA.pem
+
+openssl x509 -subject -issuer -noout -in serverA.pem

certs/serverA.cnf

@@ -0,0 +1,316 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem # The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha1			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= BR
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Some-State
+stateOrProvinceName_default	= Espirito Santo
+
+localityName			= Locality Name (eg, city)
+localityName_default		= Santo Antonio do Canaa
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Sao Tonico Ltda
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= Department of Computer Science
+
+commonName			= Common Name (eg, YOUR name)
+commonName_default		= Server A
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

certs/serverA.pem

@@ -0,0 +1,44 @@
+-----BEGIN CERTIFICATE-----
+MIIDSjCCArOgAwIBAgIJANp+V2miEyyYMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+BlJvb3QgQTAeFw0xNzA2MjgxODExMzJaFw0xODA2MjgxODExMzJaMIGdMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
+A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhT
+ZXJ2ZXIgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxD+XXrf9xo9YGyPL
+Go6fYHmxeDjMKBU7XAqFxks0NZ1wZ8gBFGRL2CrE+mvZFopVx77mR5GkFIEbjgZt
+JLKTckCS8GOKkqBIGgaTVOq5cRubUPhgZTPkW52xTfJOgbVJqvrWNuJJ3rmVFjKw
+Cs5iGzjlVk364KI7MN6jqtlxymkCAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCG
+SAGG+EIBAQQEAwIGQDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg
+Q2VydGlmaWNhdGUwHQYDVR0OBBYEFGSVbUIaTZGnYzGtMuoyz72uogNpMB8GA1Ud
+IwQYMBaAFC+73xiwIpAjd/vo/319oUWzE+X9MA0GCSqGSIb3DQEBBQUAA4GBAHKA
+vgbrp9hqdk2ClsJhlrxLEK/F+XvdjPbH6/c1oEYMDOZVV6tnvpg60HVaz5bKcO+F
+1fW5f3B2b3muHoxRGKFDl2RBjQrFllZvY4vwaoare8IQ6ykyHTuVLczzAVrGtoVf
+UchSPFcSrIcDBHHZb0fSUrNvHGHJH1qFDiAAP6h5
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDwjCCAyugAwIBAgIJAJSqyJBOJrGkMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+BlJvb3QgQTAeFw0xNzA2MjgxODExMzJaFw0xODA2MjgxODExMzJaMIGdMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+BlJvb3QgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAs3B138Uul360K3QZ
+11FnFdFhQ2yW7hN4+20RZ8BQ+SGn7ej1uld/zSHeYxYYlWpSkMryWmOPhBSkGd43
+zZxxvuo9+jh4ahqhmWoovRSilWBoZznQwLBUv35N7XCa+L9KJL+RBKYzsMi6K7Ai
+jZgR3yRtSiqcOjT7VigHYW15dKMCAwEAAaOCAQYwggECMB0GA1UdDgQWBBQvu98Y
+sCKQI3f76P99faFFsxPl/TCB0gYDVR0jBIHKMIHHgBQvu98YsCKQI3f76P99faFF
+sxPl/aGBo6SBoDCBnTELMAkGA1UEBhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNh
+bnRvMR8wHQYDVQQHExZTYW50byBBbnRvbmlvIGRvIENhbmFhMRowGAYDVQQKExFT
+YW50byBUb25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRl
+ciBTY2llbmNlMQ8wDQYDVQQDEwZSb290IEGCCQCUqsiQTiaxpDAMBgNVHRMEBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBACFWgpF/q1nJDY9UT2R/8aXf08KUZSu6L5Oi
+3niZsPRyHBRJkysw1PHwktF69fU8bL2p84Atni+w5Pp24PexDUStNyer2riUGzKg
+Y4D7wMVGSgzryGgNLqCe0rsm3zcWEqEFSUsZRtWSda12vAZsUX4VmmR72rMXEU4X
+a9sWuhH8
+-----END CERTIFICATE-----
+

certs/serverA.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+openssl req -newkey rsa:1024 -keyout serverAkey.pem -out serverAreq.pem \
+   -config ./serverA.cnf -nodes -days 365 -batch
+
+openssl x509 -req -in serverAreq.pem -sha1 -extfile ./serverA.cnf \
+   -extensions usr_cert -CA rootA.pem -CAkey rootAkey.pem -CAcreateserial \
+   -out serverAcert.pem -days 365
+
+cat serverAcert.pem rootA.pem > serverA.pem
+
+openssl x509 -subject -issuer -noout -in serverA.pem

certs/serverAcert.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSjCCArOgAwIBAgIJANp+V2miEyyYMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGjAYBgNVBAoTEVNhbnRvIFRvbmljbyBMdGRhMScw
+JQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVyIFNjaWVuY2UxDzANBgNVBAMT
+BlJvb3QgQTAeFw0xNzA2MjgxODExMzJaFw0xODA2MjgxODExMzJaMIGdMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
+A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMREwDwYDVQQDEwhT
+ZXJ2ZXIgQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxD+XXrf9xo9YGyPL
+Go6fYHmxeDjMKBU7XAqFxks0NZ1wZ8gBFGRL2CrE+mvZFopVx77mR5GkFIEbjgZt
+JLKTckCS8GOKkqBIGgaTVOq5cRubUPhgZTPkW52xTfJOgbVJqvrWNuJJ3rmVFjKw
+Cs5iGzjlVk364KI7MN6jqtlxymkCAwEAAaOBjzCBjDAJBgNVHRMEAjAAMBEGCWCG
+SAGG+EIBAQQEAwIGQDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg
+Q2VydGlmaWNhdGUwHQYDVR0OBBYEFGSVbUIaTZGnYzGtMuoyz72uogNpMB8GA1Ud
+IwQYMBaAFC+73xiwIpAjd/vo/319oUWzE+X9MA0GCSqGSIb3DQEBBQUAA4GBAHKA
+vgbrp9hqdk2ClsJhlrxLEK/F+XvdjPbH6/c1oEYMDOZVV6tnvpg60HVaz5bKcO+F
+1fW5f3B2b3muHoxRGKFDl2RBjQrFllZvY4vwaoare8IQ6ykyHTuVLczzAVrGtoVf
+UchSPFcSrIcDBHHZb0fSUrNvHGHJH1qFDiAAP6h5
+-----END CERTIFICATE-----

certs/serverAkey.pem

@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMQ/l163/caPWBsj
+yxqOn2B5sXg4zCgVO1wKhcZLNDWdcGfIARRkS9gqxPpr2RaKVce+5keRpBSBG44G
+bSSyk3JAkvBjipKgSBoGk1TquXEbm1D4YGUz5FudsU3yToG1Sar61jbiSd65lRYy
+sArOYhs45VZN+uCiOzDeo6rZccppAgMBAAECgYAl//I9gv7+va7fwnSHdepice3t
+S4IsmL/fuKHinZlEcHHdhpq+6hTNjKqLmup0NOEbRlmsrgTJe55sR85GdtWZyRXa
+8gmCvL1mvRjhIT2rlxITRE47XpfRhKQqLlnQFip/ol0TD4g7gcoLZwNhBwmwcz5x
++0OPc2CpXjlHVadnSQJBAOYjRzCGRKWaGOtSvIzJAMLjHVBoq+PWulpr0dgaIOZd
+3RRDVrbn/sA3xQAbEb0F2CcpOYFXAfvF8GgZAytB9/sCQQDaTV2XeJF5Z+69Fzw2
+bHKr9irkqMWaEMZVB8ctXpJvaJnLsEJ7ccp4BZ6kWAxtA4JvZuAfrtRiG79qlgBX
+/cXrAkBZ/M1nYfkRr/GygoWLn0UW72uU93jO/DWeCa7iC0V2DpnVxIbxukFYs/Xq
+FquW9+QPXAVKV9VEt59LdQxSK9dlAkEAkUKzyWvwGUIgaXDBn1FQiL64Ugk/28HX
+x5LyZW0tsbZ/yDsUMgJJAM50ftUcB5ozPB/PeSWjq1jdaXZA6kwyWwJBAI3IW36h
+3gN+QYDxO6cExY9xgPMkMapVa01v3Kdxus9tpyMDrcrRLBDRq+NIaTTtJwjBKcaw
+rxtGLx7O9PLPhOU=
+-----END PRIVATE KEY-----

certs/serverAreq.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT
+YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEYMBYGA1UEChMP
+U2FvIFRvbmljbyBMdGRhMScwJQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVy
+IFNjaWVuY2UxETAPBgNVBAMTCFNlcnZlciBBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDEP5det/3Gj1gbI8sajp9gebF4OMwoFTtcCoXGSzQ1nXBnyAEUZEvY
+KsT6a9kWilXHvuZHkaQUgRuOBm0kspNyQJLwY4qSoEgaBpNU6rlxG5tQ+GBlM+Rb
+nbFN8k6BtUmq+tY24kneuZUWMrAKzmIbOOVWTfrgojsw3qOq2XHKaQIDAQABoAAw
+DQYJKoZIhvcNAQELBQADgYEAKOBEQ1TO0J00j2gnHaEXaEIDCJMq958/mU5UFEmz
+RAX70mURou0KYI5pFez9oMnYseBjcAYW6Nvi+jqB5lCHwHLkd92hyIa1T7jhK496
+2DP5lKC1Cn5NaQkzBVpFWF+vA22Vkx8eS8o2T4OB5LIP+QH/PSHsWUoOZVoX4gXk
+EvA=
+-----END CERTIFICATE REQUEST-----

certs/serverB.bat

@@ -0,0 +1,9 @@
+rem #!/bin/sh
+
+openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem -config ./serverB.cnf -nodes -days 365 -batch
+
+openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial -out serverBcert.pem -days 365
+
+copy serverBcert.pem + rootB.pem serverB.pem
+
+openssl x509 -subject -issuer -noout -in serverB.pem

certs/serverB.cnf

@@ -0,0 +1,316 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem # The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha1			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= BR
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Some-State
+stateOrProvinceName_default	= Espirito Santo
+
+localityName			= Locality Name (eg, city)
+localityName_default		= Santo Antonio do Canaa
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Sao Tonico Ltda
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= Department of Computer Science
+
+commonName			= Common Name (eg, YOUR name)
+commonName_default		= Server B
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

certs/serverB.pem

@@ -0,0 +1,43 @@
+-----BEGIN CERTIFICATE-----
+MIIDSDCCArGgAwIBAgIJAKYuEhfbhd4FMA0GCSqGSIb3DQEBBQUAMIGbMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
+A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMQ8wDQYDVQQDEwZS
+b290IEIwHhcNMTcwNjI4MTgxMTMyWhcNMTgwNjI4MTgxMTMyWjCBnTELMAkGA1UE
+BhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNhbnRvMR8wHQYDVQQHExZTYW50byBB
+bnRvbmlvIGRvIENhbmFhMRgwFgYDVQQKEw9TYW8gVG9uaWNvIEx0ZGExJzAlBgNV
+BAsTHkRlcGFydG1lbnQgb2YgQ29tcHV0ZXIgU2NpZW5jZTERMA8GA1UEAxMIU2Vy
+dmVyIEIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALzZ9KKC6Nbzh+RLDL7v
+BI7LsAlpkWBOLI/h5B0FOsuKsFYG90zEY89gz9n+mlteoyADq+T0SPNm1y+TYSUh
+h4niFfz6m9MuPGZ88TpOj/Z08mreyEJUsiHEza9cvIUWe8gN0Nkdc06tCDx9SWCB
+dDFarawcgdPOEsZuthY88CcrAgMBAAGjgY8wgYwwCQYDVR0TBAIwADARBglghkgB
+hvhCAQEEBAMCBkAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENl
+cnRpZmljYXRlMB0GA1UdDgQWBBTD5/Jo/xF49qwUbxiowFOIjFeZQzAfBgNVHSME
+GDAWgBTIf2MLMKUZLIrr4i2kBFyr9RRkdDANBgkqhkiG9w0BAQUFAAOBgQBDb8Uo
+vLRX+45NwVbOs9cUiyXxHvL8jdA84deQ9XBDrENZ12lCsW3Y/YlHwboynAO/fwHY
+F54BV8QWSfSoTYSWUh41/NYkeLoTwNvppvEe5Fv3mjVyhgMQ5dQApTGw2tURv7pL
+Uy/h+tEKpJUKon8N0pJhhhNSWeK35lmo0kJacQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDvDCCAyWgAwIBAgIJAJ5E4CzplDDkMA0GCSqGSIb3DQEBBQUAMIGbMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
+A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMQ8wDQYDVQQDEwZS
+b290IEIwHhcNMTcwNjI4MTgxMTMyWhcNMTgwNjI4MTgxMTMyWjCBmzELMAkGA1UE
+BhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNhbnRvMR8wHQYDVQQHExZTYW50byBB
+bnRvbmlvIGRvIENhbmFhMRgwFgYDVQQKEw9TYW8gVG9uaWNvIEx0ZGExJzAlBgNV
+BAsTHkRlcGFydG1lbnQgb2YgQ29tcHV0ZXIgU2NpZW5jZTEPMA0GA1UEAxMGUm9v
+dCBCMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMI9gMIAALR/EUHILUVjnj
+bS0S+u5PjzqZ9Z573m0JyLLhy0hd+bJLo/f7iJ10KjOKQ3vvWZZYQkrtYxm0Q5LK
+Z9thtVQ8ChvO2VBWwKwCd5HB5HbTW7IzigR9vatUzkjFGLeLB2TpqjU/GyPbeyzD
+1AQQ96yftHZ1V2mUm6pPlQIDAQABo4IBBDCCAQAwHQYDVR0OBBYEFMh/YwswpRks
+iuviLaQEXKv1FGR0MIHQBgNVHSMEgcgwgcWAFMh/YwswpRksiuviLaQEXKv1FGR0
+oYGhpIGeMIGbMQswCQYDVQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8x
+HzAdBgNVBAcTFlNhbnRvIEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBU
+b25pY28gTHRkYTEnMCUGA1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2ll
+bmNlMQ8wDQYDVQQDEwZSb290IEKCCQCeROAs6ZQw5DAMBgNVHRMEBTADAQH/MA0G
+CSqGSIb3DQEBBQUAA4GBABjxZmVXAYqXqHJVkI2Lq1RLg/Jrfmp0yE9Hq97I/gLA
+lpCwzuq3cJsnrYYau2DuuY62f3rrgp87wZ42Sg0ViHg9cP43/W7MUXT3SJkdKKc1
+6rxyjwMvjVJyOXQnnLVwbyiPc7xi+S3HZ1hpruE2PUqaYnd7HsciMKm/Qc06LMlw
+-----END CERTIFICATE-----
+

certs/serverB.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+openssl req -newkey rsa:1024 -keyout serverBkey.pem -out serverBreq.pem \
+   -config ./serverB.cnf -nodes -days 365 -batch
+
+openssl x509 -req -in serverBreq.pem -sha1 -extfile ./serverB.cnf \
+   -extensions usr_cert -CA rootB.pem -CAkey rootBkey.pem -CAcreateserial \
+   -out serverBcert.pem -days 365
+
+cat serverBcert.pem rootB.pem > serverB.pem
+
+openssl x509 -subject -issuer -noout -in serverB.pem

certs/serverBcert.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSDCCArGgAwIBAgIJAKYuEhfbhd4FMA0GCSqGSIb3DQEBBQUAMIGbMQswCQYD
+VQQGEwJCUjEXMBUGA1UECBMORXNwaXJpdG8gU2FudG8xHzAdBgNVBAcTFlNhbnRv
+IEFudG9uaW8gZG8gQ2FuYWExGDAWBgNVBAoTD1NhbyBUb25pY28gTHRkYTEnMCUG
+A1UECxMeRGVwYXJ0bWVudCBvZiBDb21wdXRlciBTY2llbmNlMQ8wDQYDVQQDEwZS
+b290IEIwHhcNMTcwNjI4MTgxMTMyWhcNMTgwNjI4MTgxMTMyWjCBnTELMAkGA1UE
+BhMCQlIxFzAVBgNVBAgTDkVzcGlyaXRvIFNhbnRvMR8wHQYDVQQHExZTYW50byBB
+bnRvbmlvIGRvIENhbmFhMRgwFgYDVQQKEw9TYW8gVG9uaWNvIEx0ZGExJzAlBgNV
+BAsTHkRlcGFydG1lbnQgb2YgQ29tcHV0ZXIgU2NpZW5jZTERMA8GA1UEAxMIU2Vy
+dmVyIEIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALzZ9KKC6Nbzh+RLDL7v
+BI7LsAlpkWBOLI/h5B0FOsuKsFYG90zEY89gz9n+mlteoyADq+T0SPNm1y+TYSUh
+h4niFfz6m9MuPGZ88TpOj/Z08mreyEJUsiHEza9cvIUWe8gN0Nkdc06tCDx9SWCB
+dDFarawcgdPOEsZuthY88CcrAgMBAAGjgY8wgYwwCQYDVR0TBAIwADARBglghkgB
+hvhCAQEEBAMCBkAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENl
+cnRpZmljYXRlMB0GA1UdDgQWBBTD5/Jo/xF49qwUbxiowFOIjFeZQzAfBgNVHSME
+GDAWgBTIf2MLMKUZLIrr4i2kBFyr9RRkdDANBgkqhkiG9w0BAQUFAAOBgQBDb8Uo
+vLRX+45NwVbOs9cUiyXxHvL8jdA84deQ9XBDrENZ12lCsW3Y/YlHwboynAO/fwHY
+F54BV8QWSfSoTYSWUh41/NYkeLoTwNvppvEe5Fv3mjVyhgMQ5dQApTGw2tURv7pL
+Uy/h+tEKpJUKon8N0pJhhhNSWeK35lmo0kJacQ==
+-----END CERTIFICATE-----

certs/serverBkey.pem

@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALzZ9KKC6Nbzh+RL
+DL7vBI7LsAlpkWBOLI/h5B0FOsuKsFYG90zEY89gz9n+mlteoyADq+T0SPNm1y+T
+YSUhh4niFfz6m9MuPGZ88TpOj/Z08mreyEJUsiHEza9cvIUWe8gN0Nkdc06tCDx9
+SWCBdDFarawcgdPOEsZuthY88CcrAgMBAAECgYEAqju+bY+b28eCw6NzRdmnPiEV
++iYTScCuIrT5L7+7FCdcdO+qlKSjZBhcxKDg+2P/n6gvlx8tc1tMtjIf65yh03h0
+Klp5p5hmbz5F6xkvrfwlSmEC0CTN2qADghSlmqDhJMYfXxe/4rv302YyTJXkzv/+
+f/g9YA7hBHuEBmnEmAECQQDc4LDnDwxyFQGRfxD6V2GJAqdDnFfG1xPrLu16SMLA
+nMzcVTNEL9wsYr6RNMgDEsE4lwrflpfcJpu76bv15dcBAkEA2uGQTqy/cipOzIj7
+3eg6CtQE9hBVXY476iocR1XK3sFnJnDcb56cfDKtRNI2l7dfyLonvB/XIbTkh5nI
+O+8KKwJBALh5sUZJ+0sM4FJ0nel4Ma4M2UZOvcEEwU4b05veSUo1q6QaRMcecfVg
+Q2lje+mVMGvjOuGjFRJ57Hf1r1agsAECQCgAOwg1x9MMalQ04JrAWwMpljKF76Pm
+X4q+4WYkBqxI+hnrXE3F1eFYvZOrOzDk4Utkweg+hWlyjqU9dHuHhvsCQGr9no88
+axjoTD3VcgppGTeuCVsuaqOy/fpF2aqDWsTTfKvsyYdD1MZjTJp8ZlXwq6FdTXet
+0t0kRdaNYx2dgcY=
+-----END PRIVATE KEY-----

certs/serverBreq.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIEw5Fc3Bpcml0byBT
+YW50bzEfMB0GA1UEBxMWU2FudG8gQW50b25pbyBkbyBDYW5hYTEYMBYGA1UEChMP
+U2FvIFRvbmljbyBMdGRhMScwJQYDVQQLEx5EZXBhcnRtZW50IG9mIENvbXB1dGVy
+IFNjaWVuY2UxETAPBgNVBAMTCFNlcnZlciBCMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQC82fSigujW84fkSwy+7wSOy7AJaZFgTiyP4eQdBTrLirBWBvdMxGPP
+YM/Z/ppbXqMgA6vk9EjzZtcvk2ElIYeJ4hX8+pvTLjxmfPE6To/2dPJq3shCVLIh
+xM2vXLyFFnvIDdDZHXNOrQg8fUlggXQxWq2sHIHTzhLGbrYWPPAnKwIDAQABoAAw
+DQYJKoZIhvcNAQELBQADgYEAOD/nlvv7K8EOA+JPWlTPm5toDdfIqXnS13PrJ9e7
+IYbe57137W9lovSP9zUIWoMlkPlbSyG9Z6ZQMGXu++eMHGeKab5JkzbKtp6OzDX4
+BRBsY+jM8WpDuiL4JtSBy9CaPeNrcYY0mqiFblOM8HnH22W+DcQX5SO+32lPIVV0
+lNw=
+-----END CERTIFICATE REQUEST-----

examples/basicTestClient.lua

@@ -0,0 +1,14 @@
+package.path="?/init.lua;"..package.path
+require("bin") -- this library needs a lot of work it has a bunch of old useless code, but also has many nice things as well that are really useful
+require("multi") -- you need this to handle multiple connections and such
+require("net.testinit") -- That requires the main library
+client=net:newTCPClient("localhost",12345,true) -- connect to the server
+client.OnClientReady(function(self
+  self:send("Hello!")
+end) -- For a tcp client the client is already ready, with udp a small handshake is done and the client is not instantly ready
+client.OnDataRecieved(function(self,data) -- thats it clients only have to worry about itself and the server
+  if data=="Hello Client!" then
+    print("Server Responded Back!")
+  end
+end)
+multi:mainloop()

examples/basicTestServer.lua

@@ -0,0 +1,12 @@
+package.path="?/init.lua;"..package.path
+require("bin") -- this library needs a lot of work it has a bunch of old useless code, but also has many nice things as well that are really useful
+require("multi") -- you need this to handle multiple connections and such
+require("net.testinit") -- That requires the main library
+server=net:newTCPServer(12345,true) -- create a server that listens on port 12345
+server.OnDataRecieved(function(self,data,CID_OR_HANDLE,IP_OR_HANDLE,PORT_OR_IP,UPDATER_OR_NIL) -- a bit confusing, but dont worry you will hardly ever need more then the first 5 arguments, unless you are writing modules!
+  if data=="Hello!" then
+    print("Got response from client sending back data!")
+    self:send(IP_OR_HANDLE,"Hello Client!",PORT_OR_IP) -- doing it like this makes this code work for both udp and tcp
+  end
+end)
+multi:mainloop()

net/eft.lua

@@ -1,24 +1,41 @@
 require("net")
 net:registerModule("eft",{1,0,0})
 --[[
-	This module provides a dedicated socket for file transfer
+	This module makes use of the new threading features of the multi library!
-	This allows us to do some more complex stuff with it
+	This means we can use threading to imporve our speed!
-	The only data that is non file stuff is the initial handshake
+	This module will mirror the aft module so if we are unable to create systemThreads
-	CMDs are done on the general socket while transfers are done on the file socket
+	We will fall back to aft!
 ]]
-net.OnServerCreated:connect(function(s)
+if multi:canSystemThread() then -- can we spawn system threads?
-	print("The eft(Expert File Transfer) Module has been loaded onto the server!")
+	-- How do we set up the threading stuff?
-	if s.Type~="tcp" then
+	-- On the server side we will use lanes, clients may vary though... It could be a lanes or love2d intergration, or some other intergration...
-		print("It is recomended that you use tcp to transfer files!")
+	local __GLOBAL=multi.intergration.GLOBAL
-	end
+	local __THREAD=multi.intergration.THREAD
-	s.OnDataRecieved(function(self,data,CID_OR_HANDLE,IP_OR_HANDLE,PORT_OR_IP)
+	multi:newSystemThread("eftThread",function()
+		require("multi.all")
+		if multi:getPlatform()=="love2d" then
+			__GLOBAL=_G.GLOBAL
+			__THREAD=_G.sThread
+		end -- we cannot have upvalues... in love2d globals not locals must be used
+		print("Testing...",__THREAD.waitFor("Test1"))
+	end)
+	net.OnServerCreated:connect(function(s)
+		print("The eft(Expert File Transfer) Module has been loaded onto the server!")
+		if s.Type~="tcp" then
+			print("It is recomended that you use tcp to transfer files!")
+		end
+		s.OnDataRecieved(function(self,data,CID_OR_HANDLE,IP_OR_HANDLE,PORT_OR_IP)
+			--
+		end,"eft")
 		--
-	end,"eft")
+	end)
-	--
+	net.OnClientCreated:connect(function(c)
-end)
+		c.OnDataRecieved(function(self,data)
-net.OnClientCreated:connect(function(c)
+			--
-	c.OnDataRecieved(function(self,data)
+		end,"eft")
 		--
-	end,"eft")
+	end)
-	--
+else
-end)
+	print("Unable to system thread! Check Your intergrations with the multi library! Falling back to aft!")
+	require("net.aft") -- fallback
+end

net/testinit.lua

@@ -0,0 +1,702 @@
+--[[
+	UPCOMMING ADDITIONS
+	AUDP - advance udp. Ensures packets arrive and handles late packets.
+	P2P - peer to peer (Server to set up initial connection)
+	Relay - offput server load (locally)
+	Threading - Simple threading ~~(UDP/AUDP Only)~~ Thanks to an updated multi library we can thread with ease
+	Priority handling
+]]
+--[[
+	TODO: Finish stuff for Priority handling
+]]
+function table.merge(t1, t2)
+    for k,v in pairs(t2) do
+    	if type(v) == 'table' then
+    		if type(t1[k] or false) == 'table' then
+    			table.merge(t1[k] or {}, t2[k] or {})
+    		else
+    			t1[k] = v
+    		end
+    	else
+    		t1[k] = v
+    	end
+    end
+    return t1
+end
+function string.trim(s)
+	local from = s:match"^%s*()"
+	return from > #s and "" or s:match(".*%S", from)
+end
+socket=require("socket")
+http=require("socket.http")
+mime=require("mime")
+net={}
+net.Version={2,0,1} -- This will probably stay this version for quite a while... The modules on the otherhand will be more inconsistant
+net._VERSION="2.0.1"
+net.OnServerCreated=multi:newConnection()
+net.OnClientCreated=multi:newConnection()
+net.loadedModules={}
+net.autoInit=true
+net.sParams={
+	mode = "server",
+	protocol = "sslv3",
+	key = "./certs/serverAkey.pem",
+	certificate = "./certs/serverA.pem",
+	cafile = "./certs/rootA.pem",
+	verify = {"peer", "fail_if_no_peer_cert"},
+	options = {"all", "no_sslv2"},
+}
+net.cParams={
+	mode = "client",
+	protocol = "sslv3",
+	key = "./certs/clientAkey.pem",
+	certificate = "./certs/clientA.pem",
+	cafile = "./certs/rootA.pem",
+	verify = {"peer", "fail_if_no_peer_cert"},
+	options = {"all", "no_sslv2"},
+}
+function net.normalize(input)
+	local enc=mime.b64(input)
+	return enc
+end
+function net.denormalize(input)
+	local unenc=mime.unb64(input)
+	return unenc
+end
+function net.getLocalIP()
+	local someRandomIP = "192.168.1.122"
+	local someRandomPort = "3102"
+	local mySocket = socket.udp()
+	mySocket:setpeername(someRandomIP,someRandomPort)
+	local dat = (mySocket:getsockname())
+	mySocket:close()
+	return dat
+end
+function net.getExternalIP()
+	local data=http.request("http://whatismyip.org/")
+	return data:match("600;\">(%d-.%d-.%d-.%d-)</span>")
+end
+function net:registerModule(mod,version)
+	if net[mod] then
+		error("Module by the name: "..mod.." has already been registered! Remember some modules are internal and use certain names!")
+	end
+	table.insert(self.loadedModules,mod)
+	net[mod]={}
+	if version then
+		net[mod].Version=version
+		net[mod]._VERSION=version[1].."."..version[2].."."..version[3]
+	else
+		net[mod].Version={1,0,0}
+		net[mod]._VERSION={1,0,0}
+	end
+	return {Version=version,_VERSION=version[1].."."..version[2].."."..version[3]}
+end
+function net.getModuleVersion(ext)
+	if not ext then
+		return string.format("%d.%d.%d",net.Version[1],net.Version[2],net.Version[3])
+	end
+	return string.format("%d.%d.%d",net[ext].Version[1],net[ext].Version[2],net[ext].Version[3])
+end
+function net.resolveID(obj)
+	local num=math.random(10000000,99999999)
+	if obj[tostring(num)] then
+		return net.resolveID(obj)
+	end
+	obj.ids[tostring(num)]=true
+	return tostring(num)
+end
+function net.inList(list,dat)
+	for i,v in pairs(list) do
+		if v==dat then
+			return true
+		end
+	end
+	return false
+end
+function net.setTrigger(funcW,funcE)
+	multi:newTrigger(func)
+end
+net:registerModule("net",net.Version)
+-- Client broadcast
+function net:newCastedClient(name) -- connects to the broadcasted server
+	local listen = socket.udp() -- make a new socket
+	listen:setsockname(net.getLocalIP(), 11111)
+	listen:settimeout(0)
+	local timer=multi:newTimer()
+	while true do
+		local data, ip, port = listen:receivefrom()
+		if timer:Get()>3 then
+			error("Timeout! Server by the name: "..name.." has not been found!")
+		end
+		if data then
+			local n,tp,ip,port,secure=data:match("(%S-)|(%S-)|(%S-):(%d-)|(.)")
+			if n:match(name) then
+				print("Found Server!",n,tp,ip,port)
+				if tp=="tcp" then
+					return net:newTCPClient(ip,tonumber(port),secure=="1")
+				else
+					return net:newClient(ip,tonumber(port),secure=="1")
+				end
+			end
+		end
+	end
+end
+-- UDP Stuff
+function net:newServer(port,servercode)
+	local c={}
+	c.udp=assert(socket.udp())
+	c.udp:settimeout(0)
+	c.udp:setsockname("*", port)
+	c.ips={}
+	c.Type="udp"
+	c.port=port
+	c.ids={}
+	c.servercode=servercode
+	c.bannedIPs={}
+	c.bannedCIDs={}
+	c.autoNormalization=false
+	function c:setUpdateRate(n)
+		print("Not needed in a udp server!")
+	end
+	function c:banCID(cid)
+		table.insert(self.bannedCIDs,cid)
+	end
+	function c:banIP(ip)
+		table.insert(self.bannedIPs,cid)
+	end
+	c.broad=socket.udp()
+	c.hostip=net.getLocalIP()
+	function c:broadcast(name)
+		local loop=multi:newTLoop(function(loop,dt)
+			self.broad:setoption('broadcast',true)
+			self.broad:sendto(name.."|"..self.Type.."|"..self.hostip..":"..self.port.."|"..({[true]="1",[false]="0"})[secure], "255.255.255.255", 11111)
+			self.broad:setoption('broadcast',false)
+		end,1)
+	end
+	function c:send(ip,data,port,cid)
+		if self.autoNormalization then
+			data=net.normalize(data)
+		end
+		if self.servercode then
+			cid=cid or self:CIDFrom(ip,port)
+			if not self.ips[cid] then
+				print("Can't determine cid from client... sending the client a new one!")
+				local cid=net.resolveID(self)
+				print("Sending unique cid to client: "..cid)
+				self.ips[cid]={ip,port,0,self.servercode==nil}
+				print(ip)
+				self.udp:sendto("I!"..cid,ip,port)
+				if self.servercode then
+					self.udp:sendto("S!",ip,port)
+				end
+				return
+			end
+			if net.inList(self.bannedIPs,ip) or net.inList(self.bannedCIDs,cid) then
+				self.udp:sendto("BANNED CLIENT", ip, port or self.port)
+			elseif self.ips[cid][4] then
+				self.udp:sendto(data, ip, port or self.port)
+			elseif self.ips[cid][4]==false then
+				self.udp:sendto("Make sure your server code is correct!", ip, port)
+			end
+		else
+			self.udp:sendto(data, ip, port or self.port)
+		end
+	end
+	function c:pollClientModules(ip,port)
+		self:send(ip,"L!",port)
+	end
+	function c:CIDFrom(ip,port)
+		for i,v in pairs(self.ips) do
+			if(ip==v[1] and v[2]==port) then
+				return i
+			end
+		end
+	end
+	function c:sendAll(data)
+		for i,v in pairs(self.ips) do
+			self:send(v[1],data,v[2],i)
+		end
+	end
+	function c:sendAllBut(data,cid)
+		for i,v in pairs(self.ips) do
+			if i~=cid then
+				self:send(v[1],data,v[2],i)
+			end
+		end
+	end
+	function c:clientRegistered(cid)
+		return self.ips[cid]
+	end
+	function c:clientLoggedIn(cid)
+		if not self.clientRegistered(cid) then
+			return nil
+		end
+		return self.ips[cid][4]
+	end
+	function c:update()
+		local data,ip,port=self.udp:receivefrom()
+		if net.inList(self.bannedIPs,ip) or net.inList(self.bannedCIDs,cid) then
+			print("We will ingore data from a banned client!")
+			return
+		end
+		if data then
+			if self.autoNormalization then
+				data=net.denormalize(data)
+			end
+			if data:sub(1,4)=="pong" then
+				--print("Recieved pong from: "..data:sub(5,-1))
+				self.ips[data:sub(5,-1)][3]=os.clock()
+			elseif data:sub(1,2)=="S!" then
+				local cid=self:CIDFrom(ip,port)
+				if data:sub(3,-1)==self.servercode then
+					print("Servercode Accepted: "..self.servercode)
+					if self.ips[cid] then
+						self.ips[cid][4]=true
+					else
+						print("Server can't keep up! CID: "..cid.." has been skipped! Sending new CID to the client!")
+						local cid=net.resolveID(self)
+						print("Sending unique cid to client: "..cid)
+						self.ips[cid]={ip,port,0,self.servercode==nil}
+						print(ip)
+						self.udp:sendto("I!"..cid,ip,port)
+						if self.servercode then
+							self.udp:sendto("S!",ip,port)
+						end
+					end
+				else
+					self.udp:sendto("Make sure your server code is correct!", ip, port)
+				end
+			elseif data:sub(1,2)=="C!" then
+				local hook=(data:sub(11,-1)):match("!(.-)!")
+				self.OnDataRecieved:getConnection(hook):Fire(self,data:sub(11,-1),data:sub(3,10),ip,port)
+			elseif data:sub(1,2)=="E!" then
+				self.ips[data:sub(3,10)]=nil
+				obj.ids[data:sub(3,10)]=false
+				self.OnClientClosed:Fire(self,"Client Closed Connection!",data:sub(3,10),ip,port)
+			elseif data=="I!" then
+				local cid=net.resolveID(self)
+				print("Sending unique cid to client: "..cid)
+				self.ips[cid]={ip,port,os.clock(),self.servercode==nil}
+				print(ip)
+				self.udp:sendto("I!"..cid,ip,port)
+				if self.servercode then
+					self.udp:sendto("S!",ip,port)
+				end
+				self.OnClientConnected:Fire(self,cid,ip,port)
+			elseif data:sub(1,2)=="L!" then
+				cid,cList=data:sub(3,10),data:sub(11,-1)
+				local list={}
+				for m,v in cList:gmatch("(%S-):(%S-)|") do
+					list[m]=v
+				end
+				self.OnClientsModulesList:Fire(list,cid,ip,port)
+			end
+		end
+		for cid,dat in pairs(self.ips) do
+			if not((os.clock()-dat[3])<65) then
+				self.ips[cid]=nil
+				self.OnClientClosed:Fire(self,"Client lost Connection: ping timeout",cid,ip,port)
+			end
+		end
+	end
+	c.OnClientsModulesList=multi:newConnection()
+	c.OnDataRecieved=multi:newConnection()
+	c.OnClientClosed=multi:newConnection()
+	c.OnClientConnected=multi:newConnection()
+	c.connectiontest=multi:newAlarm(30)
+	c.connectiontest.link=c
+	c.connectiontest:OnRing(function(alarm)
+		--print("pinging clients!")
+		alarm.link:sendAll("ping")
+		alarm:Reset()
+	end)
+	multi:newLoop(function()
+		c:update()
+	end)
+	net.OnServerCreated:Fire(c)
+	return c
+end
+
+function net:newClient(host,port,servercode,nonluaServer)
+	local c={}
+	c.ip=assert(socket.dns.toip(host))
+	c.udp=assert(socket.udp())
+	c.udp:settimeout(0)
+	c.udp:setpeername(c.ip, port)
+	c.cid="NIL"
+	c.lastPing=0
+	c.Type="udp"
+	c.servercode=servercode
+	c.autoReconnect=true
+	c.autoNormalization=false
+	function c:pollPing(n)
+		return not((os.clock()-self.lastPing)<(n or 60))
+	end
+	function c:send(data)
+		if self.autoNormalization then
+			data=net.normalize(data)
+		end
+		self.udp:send("C!"..self.cid..data)
+	end
+	function c:sendRaw(data)
+		if self.autoNormalization then
+			data=net.normalize(data)
+		end
+		self.udp:send(data)
+	end
+	function c:getCID()
+		if self:IDAssigned() then
+			return self.cid
+		end
+	end
+	function c:close()
+		self:send("E!")
+	end
+	function c:IDAssigned()
+		return self.cid~="NIL"
+	end
+	function c:update()
+		local data=self.udp:receive()
+		if data then
+			if self.autoNormalization then
+				data=net.denormalize(data)
+			end
+			if data:sub(1,2)=="I!" then
+				self.cid=data:sub(3,-1)
+				self.OnClientReady:Fire(self)
+			elseif data=="S!" then
+				self.udp:send("S!"..(self.servercode or ""))
+			elseif data=="L!" then
+				local mods=""
+				local m=""
+				for i=1,#net.loadedModules do
+					m=net.loadedModules[i]
+					mods=mods..m..":"..net.getModuleVersion(m).."|"
+				end
+				self.udp:send("L!"..self.cid..mods)
+			elseif data=="ping" then
+				self.lastPing=os.clock()
+				self.OnPingRecieved:Fire(self)
+				self.udp:send("pong"..self.cid)
+			else
+				local hook=data:match("!(.-)!")
+				self.OnDataRecieved:getConnection(hook):Fire(self,data)
+			end
+		end
+	end
+	function c:reconnect()
+		if not nonluaServer then
+			self.cid="NIL"
+			c.udp:send("I!")
+		end
+		self.OnConnectionRegained:Fire(self)
+	end
+	c.pingEvent=multi:newEvent(function(self) return self.link:pollPing() end)
+	c.pingEvent:OnEvent(function(self)
+		if self.link.autoReconnect then
+			self.link.OnServerNotAvailable:Fire("Connection to server lost: ping timeout! Attempting to reconnect...")
+			self.link.OnClientDisconnected:Fire(self,"closed")
+			self.link:reconnect()
+		else
+			self.link.OnServerNotAvailable:Fire("Connection to server lost: ping timeout!")
+			self.link.OnClientDisconnected:Fire(self,"closed")
+		end
+	end)
+	c.pingEvent.link=c
+	c.OnPingRecieved=multi:newConnection()
+	c.OnDataRecieved=multi:newConnection()
+	c.OnServerNotAvailable=multi:newConnection()
+	c.OnClientReady=multi:newConnection()
+	c.OnClientDisconnected=multi:newConnection()
+	c.OnConnectionRegained=multi:newConnection()
+	c.notConnected=multi:newFunction(function(self)
+		self:hold(3)
+		if self.link:IDAssigned()==false then
+			self.link.OnServerNotAvailable:Fire("Can't connect to the server: no response from server")
+		end
+	end)
+	c.notConnected.link=c
+	if not nonluaServer then
+		c.udp:send("I!")
+	end
+	multi:newLoop(function()
+		c:update()
+	end)
+	multi:newJob(function() c.notConnected() end)
+	net.OnClientCreated:Fire(c)
+	return c
+end
+--TCP Stuff
+function net:newTCPServer(port,secure)
+	local c={}
+	c.tcp=assert(socket.bind("*", port))
+	c.tcp:settimeout(0)
+	c.ip,c.port=c.tcp:getsockname()
+	c.ips={}
+	c.port=port
+	c.ids={}
+	c.bannedIPs={}
+	c.Type="tcp"
+	c.rMode="*l"
+	c.sMode="*l"
+	c.updaterRate=1
+	c.autoNormalization=false
+	c.updates={}
+	c.links={}
+	c.broad=socket.udp()
+	c.hostip=net.getLocalIP()
+	function c:broadcast(name)
+		local loop=multi:newTLoop(function(loop,dt)
+			self.broad:setoption('broadcast',true)
+			self.broad:sendto(name.."|"..self.Type.."|"..self.hostip..":"..self.port.."|"..({[true]="1",[false]="0"})[secure], "255.255.255.255", 11111)
+			self.broad:setoption('broadcast',false)
+		end,1)
+	end
+	function c:setUpdateRate(n)
+		self.updaterRate=n
+	end
+	function c:setReceiveMode(mode)
+		self.rMode=mode
+	end
+	function c:setSendMode(mode)
+		self.rMode=mode
+	end
+	function c:banCID(cid)
+		print("Function not supported on a tcp server!")
+	end
+	function c:banIP(ip)
+		table.insert(self.bannedIPs,cid)
+	end
+	function c:send(handle,data)
+		if self.autoNormalization then
+			data=net.normalize(data)
+		end
+		if self.sMode=="*l" then
+			handle:send(data.."\n")
+		else
+			handle:send(data)
+		end
+	end
+	function c:sendAllData(handle,data)
+		if self.autoNormalization then
+			data=net.normalize(data)
+		end
+		handle:send(data)
+	end
+	function c:pollClientModules(ip,port)
+		self:send(ip,"L!",port)
+	end
+	function c:CIDFrom(ip,port)
+		print("Method not supported when using a TCP Server!")
+		return "CIDs in TCP work differently!"
+	end
+	function c:sendAll(data)
+		for i,v in pairs(self.ips) do
+			self:send(v,data)
+		end
+	end
+	function c:sendAllBut(data,cid)
+		for i,v in pairs(self.ips) do
+			if not(cid==i) then
+				self:send(v,data)
+			end
+		end
+	end
+	function c:clientRegistered(cid)
+		return self.ips[cid]
+	end
+	function c:clientLoggedIn(cid)
+		return self.ips[cid]
+	end
+	function c:getUpdater(cid)
+		return self.updates[cid]
+	end
+	function c:update()
+		local client = self.tcp:accept(self.rMode)
+		if not client then return end
+		ip,port=client:getpeername()
+		if secure then
+			if not net.ssl then
+				net.ssl=require("ssl")
+			end
+			client = net.ssl.wrap(client, net.sParams)
+			client:dohandshake()
+		else
+			client:settimeout(0)
+			client:setoption('keepalive', true)
+		end
+		table.insert(self.ips,client)
+		if ip and port then
+			print("Got connection from: ",ip,port)
+			local updater=multi:newUpdater(skip)
+			self.updates[client]=updater
+			self.OnClientConnected:Fire(self,self.client,self.client,ip)
+			updater:OnUpdate(function(self)
+				local data, err = self.client:receive(self.rMode or self.Link.rMode)
+				if err=="closed" then
+					for i=1,#self.Link.ips do
+						if self.Link.ips[i]==self.client then
+							table.remove(self.Link.ips,i)
+						end
+					end
+					self.Link.OnClientClosed:Fire(self.Link,"Client Closed Connection!",self.client,self.client,ip)
+					self.Link.links[self.client]=nil -- lets clean up
+					self:Destroy()
+				end
+				if data then
+					if self.autoNormalization then
+						data=net.denormalize(data)
+					end
+					if net.inList(self.Link.bannedIPs,ip) then
+						print("We will ingore data from a banned client!")
+						return
+					end
+					local hook=data:match("!(.-)!")
+					self.Link.OnDataRecieved:getConnection(hook):Fire(self.Link,data,self.client,self.client,ip,self)
+					if data:sub(1,2)=="L!" then
+						cList=data
+						local list={}
+						for m,v in cList:gmatch("(%S-):(%S-)|") do
+							list[m]=v
+						end
+						self.Link.OnClientsModulesList:Fire(list,self.client,self.client,ip)
+					end
+				end
+			end)
+			updater:setSkip(self.updaterRate)
+			updater.client=client
+			updater.Link=self
+			function updater:setReceiveMode(mode)
+				self.rMode=mode
+			end
+			self.links[client]=updater
+		end
+	end
+	c.OnClientsModulesList=multi:newConnection()
+	c.OnDataRecieved=multi:newConnection()
+	c.OnClientClosed=multi:newConnection()
+	c.OnClientConnected=multi:newConnection()
+	multi:newLoop(function()
+		c:update()
+	end)
+	net.OnServerCreated:Fire(c)
+	return c
+end
+function net:newTCPClient(host,port,secure)
+	local c={}
+	c.ip=assert(socket.dns.toip(host))
+	c.port=port
+	if secure then
+		if not net.ssl then
+			net.ssl=require("ssl")
+		end
+		c.tcp=socket.tcp()
+		c.tcp:connect(c.ip,port)
+		if not c.tcp then
+			return false,"Can't connect to the server: no response from server"
+		end
+		c.tcp=net.ssl.wrap(c.tcp, net.cParams)
+		c.tcp:dohandshake()
+		c.ready=true
+	else
+		c.tcp=socket.connect(c.ip,port)
+		c.tcp:settimeout(0)
+		c.tcp:setoption('keepalive', true)
+	end
+	if not c.tcp then
+		return false,"Can't connect to the server: no response from server"
+	end
+	c.Type="tcp"
+	c.autoReconnect=true
+	c.rMode="*l"
+	c.sMode="*l"
+	c.ready=false
+	c.autoNormalization=false
+	function c:setReceiveMode(mode)
+		self.rMode=mode
+	end
+	function c:setSendMode(mode)
+		self.sMode=mode
+	end
+	function c:send(data)
+		if self.autoNormalization then
+			data=net.normalize(data)
+		end
+		if self.sMode=="*l" then
+			ind,err=self.tcp:send(data.."\n")
+		else
+			ind,err=self.tcp:send(data)
+		end
+		if err=="closed" then
+			self.OnClientDisconnected:Fire(self,err)
+		elseif err=="timeout" then
+			self.OnClientDisconnected:Fire(self,err)
+		elseif err then
+			print(err)
+		end
+	end
+	function c:sendRaw(data)
+		if self.autoNormalization then
+			data=net.normalize(data)
+		end
+		self.tcp:send(data)
+	end
+	function c:getCID()
+		return "No Cid on a tcp client!"
+	end
+	function c:close()
+		self.tcp:close()
+	end
+	function c:IDAssigned()
+		return self.ready
+	end
+	function c:update()
+		if not self.tcp then return end
+		local data,err=self.tcp:receive()
+		if err=="closed" then
+			self.OnClientDisconnected:Fire(self,err)
+		elseif err=="timeout" then
+			self.OnClientDisconnected:Fire(self,err)
+		elseif err then
+			print(err)
+		end
+		if data then
+			if self.autoNormalization then
+				data=net.denormalize(data)
+			end
+			local hook=data:match("!(.-)!")
+			self.OnDataRecieved:getConnection(hook):Fire(self,data)
+		end
+	end
+	function c:reconnect()
+		multi:newFunction(function(func)
+			self.tcp=socket.connect(self.ip,self.port)
+			if self.tcp==nil then
+				print("Can't connect to the server: No response from server!")
+				func:hold(3)
+				self:reconnect()
+				return
+			end
+			self.OnConnectionRegained:Fire(self)
+			self.tcp:settimeout(0)
+			--self.tcp:setoption('tcp-nodelay', true)
+			self.tcp:setoption('keepalive', true)
+		end)
+	end
+	c.event=multi:newEvent(function(event)
+		return event.link:IDAssigned()
+	end)
+	c.event:OnEvent(function(event)
+		event.link.OnClientReady:Fire(event.link)
+	end)
+	c.event.link=c
+	c.OnClientReady=multi:newConnection()
+	c.OnClientDisconnected=multi:newConnection()
+	c.OnDataRecieved=multi:newConnection()
+	c.OnConnectionRegained=multi:newConnection()
+	multi:newLoop(function()
+		c:update()
+	end)
+	net.OnClientCreated:Fire(c)
+	return c
+end