SystemDoctor/V2GProtocol_CSharp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add files

Browse Source
This commit is contained in:
ChiKyun Kim
2025-09-09 13:59:12 +09:00
parent e94b06888d
commit 747aabe224
791 changed files with 3888723 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
temp/RISE-V2G/RISE-V2G-Certificates/configs/contractCert.cnf Normal file
View File

@@ -0,0 +1,15 @@
[req]
prompt = no
distinguished_name = ca_dn
[ca_dn]
commonName = DE-ABC-C123ABC56
organizationName = RISE V2G Project
countryName = DE
domainComponent = MO
[ext]
basicConstraints = critical,CA:false
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyAgreement
subjectKeyIdentifier = hash

15
temp/RISE-V2G/RISE-V2G-Certificates/configs/cpoSubCA1Cert.cnf Normal file
View File

@@ -0,0 +1,15 @@
[req]
prompt = no
distinguished_name = ca_dn
[ca_dn]
commonName = CPOSubCA1
organizationName = RISE V2G Project
countryName = DE
domainComponent = V2G
[ext]
basicConstraints = critical,CA:true,pathlen:1
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

15
temp/RISE-V2G/RISE-V2G-Certificates/configs/cpoSubCA2Cert.cnf Normal file
View File

@@ -0,0 +1,15 @@
[req]
prompt = no
distinguished_name = ca_dn
[ca_dn]
commonName = CPOSubCA2
organizationName = RISE V2G Project
countryName = DE
domainComponent = V2G
[ext]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

15
temp/RISE-V2G/RISE-V2G-Certificates/configs/cpsLeafCert.cnf Normal file
View File

@@ -0,0 +1,15 @@
[req]
prompt = no
distinguished_name = ca_dn
[ca_dn]
commonName = CPS Leaf
organizationName = RISE V2G Project
countryName = DE
domainComponent = CPS
[ext]
basicConstraints = critical,CA:false
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash

15
temp/RISE-V2G/RISE-V2G-Certificates/configs/cpsSubCA1Cert.cnf Normal file
View File

@@ -0,0 +1,15 @@
[req]
prompt = no
distinguished_name = ca_dn
[ca_dn]
commonName = ProvSubCA1
organizationName = RISE V2G Project
countryName = DE
domainComponent = CPS
[ext]
basicConstraints = critical,CA:true,pathlen:1
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

15
temp/RISE-V2G/RISE-V2G-Certificates/configs/cpsSubCA2Cert.cnf Normal file
View File

@@ -0,0 +1,15 @@
[req]
prompt = no
distinguished_name = ca_dn
[ca_dn]
commonName = ProvSubCA2
organizationName = RISE V2G Project
countryName = DE
domainComponent = CPS
[ext]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

15
temp/RISE-V2G/RISE-V2G-Certificates/configs/moRootCACert.cnf Normal file
View File

@@ -0,0 +1,15 @@
[req]
prompt = no
distinguished_name = ca_dn
[ca_dn]
commonName = MORootCA
organizationName = RISE V2G Project
countryName = DE
domainComponent = MO
[ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

15
temp/RISE-V2G/RISE-V2G-Certificates/configs/moSubCA1Cert.cnf Normal file
View File

@@ -0,0 +1,15 @@
[req]
prompt = no
distinguished_name = ca_dn
[ca_dn]
commonName = MOSubCA1
organizationName = RISE V2G Project
countryName = DE
domainComponent = MO
[ext]
basicConstraints = critical,CA:true,pathlen:1
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

15
temp/RISE-V2G/RISE-V2G-Certificates/configs/moSubCA2Cert.cnf Normal file
View File

@@ -0,0 +1,15 @@
[req]
prompt = no
distinguished_name = ca_dn
[ca_dn]
commonName = MOSubCA2
organizationName = RISE V2G Project
countryName = DE
domainComponent = MO
[ext]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,digitalSignature,nonRepudiation,keyCertSign,cRLSign
subjectKeyIdentifier = hash

15
temp/RISE-V2G/RISE-V2G-Certificates/configs/oemProvCert.cnf Normal file
View File

@@ -0,0 +1,15 @@
[req]
prompt = no
distinguished_name = ca_dn
[ca_dn]
commonName = OEMProvCert
organizationName = RISE V2G Project
countryName = DE
domainComponent = OEM
[ext]
basicConstraints = critical,CA:false
keyUsage = critical,digitalSignature,keyAgreement
subjectKeyIdentifier = hash

15
temp/RISE-V2G/RISE-V2G-Certificates/configs/oemRootCACert.cnf Normal file
View File

@@ -0,0 +1,15 @@
[req]
prompt = no
distinguished_name = ca_dn
[ca_dn]
commonName = OEMRootCA
organizationName = RISE V2G Project
countryName = DE
domainComponent = OEM
[ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

15
temp/RISE-V2G/RISE-V2G-Certificates/configs/oemSubCA1Cert.cnf Normal file
View File

@@ -0,0 +1,15 @@
[req]
prompt = no
distinguished_name = ca_dn
[ca_dn]
commonName = OEMSubCA1
organizationName = RISE V2G Project
countryName = DE
domainComponent = OEM
[ext]
basicConstraints = critical,CA:true,pathlen:1
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

15
temp/RISE-V2G/RISE-V2G-Certificates/configs/oemSubCA2Cert.cnf Normal file
View File

@@ -0,0 +1,15 @@
[req]
prompt = no
distinguished_name = ca_dn
[ca_dn]
commonName = OEMSubCA2
organizationName = RISE V2G Project
countryName = DE
domainComponent = OEM
[ext]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

15
temp/RISE-V2G/RISE-V2G-Certificates/configs/seccCert.cnf Normal file
View File

@@ -0,0 +1,15 @@
[req]
prompt = no
distinguished_name = ca_dn
[ca_dn]
commonName = SECCCert
organizationName = RISE V2G Project
countryName = DE
domainComponent = CPO
[ext]
basicConstraints = critical,CA:false
keyUsage = critical,digitalSignature,keyAgreement
subjectKeyIdentifier = hash

15
temp/RISE-V2G/RISE-V2G-Certificates/configs/v2gRootCACert.cnf Normal file
View File

@@ -0,0 +1,15 @@
[req]
prompt = no
distinguished_name = ca_dn
[ca_dn]
commonName = V2GRootCA
organizationName = RISE V2G Project
countryName = DE
domainComponent = V2G
[ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

12
temp/RISE-V2G/RISE-V2G-Certificates/copyNewCertsAndKeys.bat Normal file
View File

@@ -0,0 +1,12 @@
@echo off
REM This is a useful small shell script to automatically copy the Java Keystores (.jks files), .p12 containers and the DER encoded Mobility Operator Sub-CA private key to the places in the RISE V2G project where they belong. Execute this script after you executed the generateCertificates.sh script.
copy keystores\evccKeystore.jks ..\RISE-V2G-EVCC
copy keystores\evccTruststore.jks ..\RISE-V2G-EVCC
copy keystores\seccKeystore.jks ..\RISE-V2G-SECC
copy keystores\seccTruststore.jks ..\RISE-V2G-SECC
copy certs\cpsCertChain.p12 ..\RISE-V2G-SECC
copy certs\moCertChain.p12 ..\RISE-V2G-SECC
copy privateKeys\moSubCA2.pkcs8.der ..\RISE-V2G-SECC

11
temp/RISE-V2G/RISE-V2G-Certificates/copyNewCertsAndKeys.sh Normal file
View File

@@ -0,0 +1,11 @@
# This is a useful small shell script to automatically copy the Java Keystores (.jks files), .p12 containers and the DER encoded Mobility Operator Sub-CA private key to the places in the RISE V2G project where they belong. Execute this script after you executed the generateCertificates.sh script.
cp keystores/evccKeystore.jks ../RISE-V2G-EVCC/
cp keystores/evccTruststore.jks ../RISE-V2G-EVCC/
cp keystores/seccKeystore.jks ../RISE-V2G-SECC/
cp keystores/seccTruststore.jks ../RISE-V2G-SECC/
cp certs/cpsCertChain.p12 ../RISE-V2G-SECC/
cp certs/moCertChain.p12 ../RISE-V2G-SECC/
cp privateKeys/moSubCA2.pkcs8.der ../RISE-V2G-SECC/

272
temp/RISE-V2G/RISE-V2G-Certificates/generateCertificates.bat Normal file
View File

@@ -0,0 +1,272 @@
@echo off
REM *******************************************************************************
REM The MIT License (MIT)
REM
REM Copyright (c) 2015-2018 V2G Clarity (Dr. Marc Mültin)
REM
REM Permission is hereby granted, free of charge, to any person obtaining a copy
REM of this software and associated documentation files (the "Software"), to deal
REM in the Software without restriction, including without limitation the rights
REM to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
REM copies of the Software, and to permit persons to whom the Software is
REM furnished to do so, subject to the following conditions:
REM
REM The above copyright notice and this permission notice shall be included in
REM all copies or substantial portions of the Software.
REM
REM THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
REM IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
REM FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
REM AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
REM LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
REM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
REM THE SOFTWARE.
REM *******************************************************************************
REM ===============================================================================================================
REM This shell script can be used to create all necessary certificates and Keystores needed in order to
REM - successfully perform a TLS handshake between the EVCC (TLSClient) and the SECC (TLSServer) and
REM - install/update a contract certificate in the EVCC.
REM
REM This file shall serve you with all information needed to create your own certificate chains.
REM
REM Helpful information about using openssl is provided by Ivan Ristic's book "Bulletproof SSL and TLS".
REM Furthermore, you should have openssl 1.0.2 (or above) installed to comply with all security requirements
REM imposed by ISO 15118. For example, openssl 0.9.8 does not come with SHA-2 for SHA-256 signature algorithms.
REM Some MacOS X installations unfortunately still use openssl < v1.0.2. You could use Homebrew to install openssl.
REM Be aware that you probably then need to use an absolute path for your openssl commands, such as
REM /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl.
REM
REM Author: Dr. Marc Mültin (marc.mueltin@v2g-clarity.com)
REM ===============================================================================================================
REM Some variables to create different outcomes of the PKI for testing purposes. Change the validity periods (given in number of days) to test
REM - valid certificates (e.g. contract certificate or Sub-CA certificate)
REM - expired certificates (e.g. contract certificate or Sub-CA certificates) -> you need to reset your system time to the past to create expired certificates
REM - a to be updated contract certificate
SET validity_contract_cert=730
SET validity_mo_subca1_cert=1460
SET validity_mo_subca2_cert=1460
SET validity_oem_prov_cert=1460
SET validity_oem_subca1_cert=1460
SET validity_oem_subca2_cert=1460
SET validity_cps_leaf_cert=90
SET validity_cps_subca1_cert=1460
SET validity_cps_subca2_cert=730
SET validity_secc_cert=60
SET validity_cpo_subca1_cert=1460
SET validity_cpo_subca2_cert=365
SET validity_v2g_root_cert=3650
SET validity_oem_root_cert=3650
SET validity_mo_root_cert=3650
REM FURTHER REMARKS:
REM 1. OpenSSL does not use the named curve 'secp256r1' but the equivalent 'prime256v1'. So this file uses only 'prime256v1'.
REM 2. The password used is stored in the file passphrase.txt. In it, you'll find two lines. The first line is used for the -passin option, the second line for the -passout option (especially when dealing with PKCS12 containers). See also https://www.openssl.org/docs/man1.0.2/apps/openssl.html, section "Pass Phrase Arguments"
REM 0) Create directories if not yet existing
if exist keystores rd /s /q keystores REM the keystores in the keystores folder (if existing) need to be deleted at first, so delete the complete folder
if not exist certs mkdir certs
if not exist csrs mkdir csrs
if not exist keystores mkdir keystores
if not exist privateKeys mkdir privateKeys
REM 1) Create a self-signed V2GRootCA certificate
REM 1.1) Create a private key
REM - private key -> -genkey
REM - with elliptic curve parameters -> ecparam
REM - using the named curve prime256v1 -> -name prime256v1
REM - encrypt the key with symmetric cipher AES-128-CBC using the 'ec' utility command -> ec -aes-128-cbc
REM - the passphrase for the encryption of the private key is provided in a file -> -passout file:passphrase.txt
REM - save the encrypted private key at the location provided -> -out
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys/v2gRootCA.key
REM 1.2) Create a CSR
REM - new -> -new
REM - certificate signing request -> req
REM - using the previously created private key from which the public key can be derived -> -key
REM - use the passwort stored in the file to decrypt the private key -> -passin
REM - take the values needed for the Distinguished Name (DN) from the configuration file -> -config
REM - save the CSR at the location provided -> -out
openssl req -new -key privateKeys\v2gRootCA.key -passin file:passphrase.txt -config configs\v2gRootCACert.cnf -out csrs\v2gRootCA.csr
REM 1.3) Create an X.509 certificate
REM - use the X.509 utility command -> x509
REM - requesting a new X.509 certificate ... -> -req
REM - ... using a CSR file that is located at -> -in
REM - we need an X.509v3 (version 3) certificate that allows for extensions. Those are specified in an extensions file ... -> -extfile
REM - ... that contains a section marked with 'ext' -> -extensions
REM - self-sign the certificate with the previously generated private key -> -signkey
REM - use the passwort stored in the file to decrypt the private key -> -passin
REM - tell OpenSSL to use SHA-256 for creating the digital signature (otherwise SHA1 would be used) -> -sha256
REM - each issued certificate must contain a unique serial number assigned by the CA (must be unique within the issuers number range) -> -set_serial
REM - save the certificate at the location provided -> -out
REM - make the certificate valid for 40 years (give in days) -> -days
openssl x509 -req -in csrs\v2gRootCA.csr -extfile configs\v2gRootCACert.cnf -extensions ext -signkey privateKeys\v2gRootCA.key -passin file:passphrase.txt -sha256 -set_serial 12345 -out certs\v2gRootCACert.pem -days %validity_v2g_root_cert%
REM 2) Create an intermediate CPO sub-CA 1 certificate which is directly signed by the V2GRootCA certificate
REM 2.1) Create a private key (same procedure as for V2GRootCA)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys\cpoSubCA1.key
REM 2.2) Create a CSR (same procedure as for V2GRootCA)
openssl req -new -key privateKeys\cpoSubCA1.key -passin file:passphrase.txt -config configs\cpoSubCA1Cert.cnf -out csrs\cpoSubCA1.csr
REM 2.3) Create an X.509 certificate (same procedure as for V2GRootCA, but with the difference that we need the -CA switch to point to the CA certificate, followed by the -CAkey switch that tells OpenSSL where to find the CAs private key. We need the private key to create the signature and the public key certificate to make sure that the CAs certificate and private key match.
openssl x509 -req -in csrs\cpoSubCA1.csr -extfile configs\cpoSubCA1Cert.cnf -extensions ext -CA certs\v2gRootCACert.pem -CAkey privateKeys\v2gRootCA.key -passin file:passphrase.txt -set_serial 12345 -out certs\cpoSubCA1Cert.pem -days %validity_cpo_subca1_cert%
REM 3) Create a second intermediate CPO sub-CA certificate (sub-CA 2) just the way the previous intermedia certificate was created which is directly signed by the CPOSubCA1
REM Differences to CPOSubCA1
REM - basicConstraints in config file sets pathlength to 0 (meaning that no further sub-CA certificates may be signed with this certificate, a leaf certificate must follow this certificate in a certificate chain)
REM - validity is set to 1 year (1 - 2 years are allowed according to ISO 15118)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys\cpoSubCA2.key
openssl req -new -key privateKeys\cpoSubCA2.key -passin file:passphrase.txt -config configs\cpoSubCA2Cert.cnf -out csrs\cpoSubCA2.csr
openssl x509 -req -in csrs\cpoSubCA2.csr -extfile configs\cpoSubCA2Cert.cnf -extensions ext -CA certs\cpoSubCA1Cert.pem -CAkey privateKeys\cpoSubCA1.key -passin file:passphrase.txt -set_serial 12345 -days %validity_cpo_subca2_cert% -out certs\cpoSubCA2Cert.pem
REM 4) Create an SECCCert certificate which is the leaf certificate belonging to the charging station which authenticates itself to the EVCC during a TLS handshake, signed by CPOSubCA2 certificate
REM Differences to CPOSubCA1 and CPOSubCA2
REM - basicConstraints sets CA to false, no pathlen is therefore set
REM - keyusage is set to digitalSignature instead of keyCertSign and cRLSign
REM - validity is set to 60 days (2 - 3 months are allowed according to ISO 15118)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys\secc.key
openssl req -new -key privateKeys\secc.key -passin file:passphrase.txt -config configs\seccCert.cnf -out csrs\seccCert.csr
openssl x509 -req -in csrs\seccCert.csr -extfile configs\seccCert.cnf -extensions ext -CA certs\cpoSubCA2Cert.pem -CAkey privateKeys\cpoSubCA2.key -passin file:passphrase.txt -set_serial 12345 -days %validity_secc_cert% -out certs\seccCert.pem
REM 5) Create a self-signed OEMRootCA certificate (validity is up to the OEM, this example applies the same validity as the V2GRootCA)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys\oemRootCA.key
openssl req -new -key privateKeys\oemRootCA.key -passin file:passphrase.txt -config configs\oemRootCACert.cnf -out csrs\oemRootCA.csr
openssl x509 -req -in csrs\oemRootCA.csr -extfile configs\oemRootCACert.cnf -extensions ext -signkey privateKeys\oemRootCA.key -passin file:passphrase.txt -sha256 -set_serial 12345 -out certs\oemRootCACert.pem -days %validity_oem_root_cert%
REM 6) Create an intermediate OEM sub-CA certificate which is directly signed by the OEMRootCA certificate (validity is up to the OEM, this example applies the same validity as the CPOSubCA1)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys\oemSubCA1.key
openssl req -new -key privateKeys\oemSubCA1.key -passin file:passphrase.txt -config configs\oemSubCA1Cert.cnf -out csrs\oemSubCA1.csr
openssl x509 -req -in csrs\oemSubCA1.csr -extfile configs\oemSubCA1Cert.cnf -extensions ext -CA certs\oemRootCACert.pem -CAkey privateKeys\oemRootCA.key -passin file:passphrase.txt -set_serial 12345 -days %validity_oem_subca1_cert% -out certs\oemSubCA1Cert.pem
REM 7) Create a second intermediate OEM sub-CA certificate which is directly signed by the OEMSubCA1 certificate (validity is up to the OEM, this example applies the same validity as the CPOSubCA2)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys\oemSubCA2.key
openssl req -new -key privateKeys\oemSubCA2.key -passin file:passphrase.txt -config configs\oemSubCA2Cert.cnf -out csrs\oemSubCA2.csr
openssl x509 -req -in csrs\oemSubCA2.csr -extfile configs\oemSubCA2Cert.cnf -extensions ext -CA certs\oemSubCA1Cert.pem -CAkey privateKeys\oemSubCA1.key -passin file:passphrase.txt -set_serial 12345 -days %validity_oem_subca2_cert% -out certs\oemSubCA2Cert.pem
REM 8) Create an OEM provisioning certificate which is the leaf certificate belonging to the OEM certificate chain (used for contract certificate installation)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys\oemProv.key
openssl req -new -key privateKeys\oemProv.key -passin file:passphrase.txt -config configs\oemProvCert.cnf -out csrs\oemProvCert.csr
openssl x509 -req -in csrs\oemProvCert.csr -extfile configs\oemProvCert.cnf -extensions ext -CA certs\oemSubCA2Cert.pem -CAkey privateKeys\oemSubCA2.key -passin file:passphrase.txt -set_serial 12345 -days %validity_oem_prov_cert% -out certs\oemProvCert.pem
REM 9) Create a self-signed MORootCA (mobility operator) certificate (validity is up to the MO, this example applies the same validity as the V2GRootCA)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys\moRootCA.key
openssl req -new -key privateKeys\moRootCA.key -passin file:passphrase.txt -config configs\moRootCACert.cnf -out csrs\moRootCA.csr
openssl x509 -req -in csrs\moRootCA.csr -extfile configs\moRootCACert.cnf -extensions ext -signkey privateKeys\moRootCA.key -passin file:passphrase.txt -sha256 -set_serial 12345 -out certs\moRootCACert.pem -days %validity_mo_root_cert%
REM 10) Create an intermediate MO sub-CA certificate which is directly signed by the MORootCA certificate (validity is up to the MO, this example applies the same validity as the CPOSubCA1)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys\moSubCA1.key
openssl req -new -key privateKeys\moSubCA1.key -passin file:passphrase.txt -config configs\moSubCA1Cert.cnf -extensions ext -out csrs\moSubCA1.csr
openssl x509 -req -in csrs\moSubCA1.csr -extfile configs\moSubCA1Cert.cnf -extensions ext -CA certs\moRootCACert.pem -CAkey privateKeys\moRootCA.key -passin file:passphrase.txt -set_serial 12345 -days %validity_mo_subca1_cert% -out certs\moSubCA1Cert.pem
REM 11) Create a second intermediate MO sub-CA certificate which is directly signed by the MOSubCA1 certificate (validity is up to the MO, this example applies the same validity as the CPOSubCA2)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys\moSubCA2.key
openssl req -new -key privateKeys\moSubCA2.key -passin file:passphrase.txt -config configs\moSubCA2Cert.cnf -out csrs\moSubCA2.csr
openssl x509 -req -in csrs\moSubCA2.csr -extfile configs\moSubCA2Cert.cnf -extensions ext -CA certs\moSubCA1Cert.pem -CAkey privateKeys\moSubCA1.key -passin file:passphrase.txt -set_serial 12345 -days %validity_mo_subca2_cert% -out certs\moSubCA2Cert.pem
REM 12) Create a contract certificate which is the leaf certificate belonging to the MO certificate chain (used for contract certificate installation)
REM Validity can be between 4 weeks and 2 years (restricted by the contract lifetime), for testing purposes the validity will be set to 2 years
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys\contract.key
openssl req -new -key privateKeys\contract.key -passin file:passphrase.txt -config configs\contractCert.cnf -out csrs\contractCert.csr
openssl x509 -req -in csrs\contractCert.csr -extfile configs\contractCert.cnf -extensions ext -CA certs\moSubCA2Cert.pem -CAkey privateKeys\moSubCA2.key -passin file:passphrase.txt -set_serial 12345 -days %validity_contract_cert% -out certs\contractCert.pem
type certs\moSubCA2Cert.pem certs\moSubCA1Cert.pem > certs\intermediateMOCACerts.pem
openssl pkcs12 -export -inkey privateKeys\contract.key -in certs\contractCert.pem -certfile certs\intermediateMOCACerts.pem -aes128 -passin file:passphrase.txt -passout file:passphrase.txt -name contract_cert -out certs\moCertChain.p12
REM 13) Create an intermediate provisioning service sub-CA certificate which is directly signed by the V2GRootCA certificate
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys\cpsSubCA1.key
openssl req -new -key privateKeys\cpsSubCA1.key -passin file:passphrase.txt -config configs\cpsSubCA1Cert.cnf -out csrs\cpsSubCA1.csr
openssl x509 -req -in csrs\cpsSubCA1.csr -extfile configs\cpsSubCA1Cert.cnf -extensions ext -CA certs\v2gRootCACert.pem -CAkey privateKeys\v2gRootCA.key -passin file:passphrase.txt -set_serial 12345 -days %validity_cps_subca1_cert% -out certs\cpsSubCA1Cert.pem
REM 14) Create a second intermediate provisioning sub-CA certificate which is directly signed by the CPSSubCA1 certificate (validity 1 - 2 years, we make it 2 years)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys\cpsSubCA2.key
openssl req -new -key privateKeys\cpsSubCA2.key -passin file:passphrase.txt -config configs\cpsSubCA2Cert.cnf -out csrs\cpsSubCA2.csr
openssl x509 -req -in csrs\cpsSubCA2.csr -extfile configs\cpsSubCA2Cert.cnf -extensions ext -CA certs\cpsSubCA1Cert.pem -CAkey privateKeys\cpsSubCA1.key -passin file:passphrase.txt -set_serial 12345 -days %validity_cps_subca2_cert% -out certs\cpsSubCA2Cert.pem
REM 15) Create a provisioning service certificate which is the leaf certificate belonging to the provisioning certificate chain (used for contract certificate installation)
REM Validity can be between 2 - 3 months, we make it 3 months
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys\cpsLeaf.key
openssl req -new -key privateKeys\cpsLeaf.key -passin file:passphrase.txt -config configs\cpsLeafCert.cnf -out csrs\cpsLeafCert.csr
openssl x509 -req -in csrs\cpsLeafCert.csr -extfile configs\cpsLeafCert.cnf -extensions ext -CA certs\cpsSubCA2Cert.pem -CAkey privateKeys\cpsSubCA2.key -passin file:passphrase.txt -set_serial 12345 -days %validity_cps_leaf_cert% -out certs\cpsLeafCert.pem
type certs\cpsSubCA2Cert.pem certs\cpsSubCA1Cert.pem > certs\intermediateCPSCACerts.pem
openssl pkcs12 -export -inkey privateKeys\cpsLeaf.key -in certs\cpsLeafCert.pem -certfile certs\intermediateCPSCACerts.pem -aes128 -passin file:passphrase.txt -passout file:passphrase.txt -name cps_leaf_cert -out certs\cpsCertChain.p12
REM 16) Finally we need to convert the certificates from PEM format to DER format (PEM is the default format, but ISO 15118 only allows DER format)
openssl x509 -inform PEM -in certs\v2gRootCACert.pem -outform DER -out certs\v2gRootCACert.der
openssl x509 -inform PEM -in certs\cpsSubCA1Cert.pem -outform DER -out certs\cpsSubCA1Cert.der
openssl x509 -inform PEM -in certs\cpsSubCA2Cert.pem -outform DER -out certs\cpsSubCA2Cert.der
openssl x509 -inform PEM -in certs\cpsLeafCert.pem -outform DER -out certs\cpsLeafCert.der
openssl x509 -inform PEM -in certs\cpoSubCA1Cert.pem -outform DER -out certs\cpoSubCA1Cert.der
openssl x509 -inform PEM -in certs\cpoSubCA2Cert.pem -outform DER -out certs\cpoSubCA2Cert.der
openssl x509 -inform PEM -in certs\seccCert.pem -outform DER -out certs\seccCert.der
openssl x509 -inform PEM -in certs\oemRootCACert.pem -outform DER -out certs\oemRootCACert.der
openssl x509 -inform PEM -in certs\oemSubCA1Cert.pem -outform DER -out certs\oemSubCA1Cert.der
openssl x509 -inform PEM -in certs\oemSubCA2Cert.pem -outform DER -out certs\oemSubCA2Cert.der
openssl x509 -inform PEM -in certs\oemProvCert.pem -outform DER -out certs\oemProvCert.der
openssl x509 -inform PEM -in certs\moRootCACert.pem -outform DER -out certs\moRootCACert.der
openssl x509 -inform PEM -in certs\moSubCA1Cert.pem -outform DER -out certs\moSubCA1Cert.der
openssl x509 -inform PEM -in certs\moSubCA2Cert.pem -outform DER -out certs\moSubCA2Cert.der
openssl x509 -inform PEM -in certs\contractCert.pem -outform DER -out certs\contractCert.der
REM Since the intermediate certificates need to be in PEM format when putting them in a PKCS12 container and the resulting PKCS12 file is a binary format, it might be sufficient. Otherwise, I have currently no idea how to covert the intermediate certificates in DER without running into problems when creating the PKCS12 container.
REM 17) In case you want the private keys in PKCSREM8 file format and DER encoded, use this command. Especially necessary for the private key of MOSubCA2 in RISE V2G
openssl pkcs8 -topk8 -in privateKeys\moSubCA2.key -inform PEM -passin file:passphrase.txt -passout file:passphrase.txt -outform DER -out privateKeys\moSubCA2.pkcs8.der -v1 PBE-SHA1-3DES
REM 18) Create the keystores for the EVCC and SECC. We need to first create the PKCS12 files and then import them into the JKS using the 'keytool' command.
REM - create a PKCS12 file -> -export
REM - if no private keys are added, e.g. for a truststore that holds only root CA certificates -> -nokeys
REM - add a private key to the newly created PKCS12 container; must be in PEM format (not DER) -> -inkey
REM - add any certificate (leaf certificate or root certificate); must be in PEM format (not DER) -> -in
REM - add additional certificats (intermediate sub-CA certificates or more root CA certificates); must be in PEM format (not DER) -> -certfile
REM - use AES to encrypt private keys before outputting -> -aes128
REM - passphrase source to decrypt any private keys that are to be imported -> -passin
REM - passphrase to encrypt any outputted private keys with -> -passout
REM - provide the "friendly name" for the leaf certificate, which is used as the alias in Java -> -name
REM - provide the "friendly name" for CA certificates, which is used as the alias in Java;
REM this option may be used multiple times to specify names for all certificates in the order they appear -> -caname
REM - the file location to store the PKCS12 data container -> -out
REM
REM 18.1) SECC keystore needs to hold initially hold the OEM provisioning certificate (contract certificate will be installed with ISO 15118 message exchange)
REM First, concatenate the intermediate sub-CA certificates into one file intermediateCAs.pem
REM IMPORTANT: Concatenate in such a way that the chain leads from the leaf certificate to the root (excluding), this means here: first parameter of the type command is the sub-CA certificate which signs the leaf certificate (in this case cpoSubCA2.pem). Otherwise the Java method getCertificateChain() which is called on the keystore will only return the leaf certificate!
type certs\cpoSubCA2Cert.pem certs\cpoSubCA1Cert.pem > certs\intermediateCPOCACerts.pem
REM Put the seccCertificate, the private key associated with the seccCertificate as well as the intermediate sub-CA certificates in a PKCS12 container with the -certfile switch.
openssl pkcs12 -export -inkey privateKeys\secc.key -in certs\seccCert.pem -name secc_cert -certfile certs\intermediateCPOCACerts.pem -caname mo_subca_2 -caname mo_subca_1 -aes128 -passin file:passphrase.txt -passout file:passphrase.txt -out keystores\cpoCertChain.p12
keytool -importkeystore -srckeystore keystores\cpoCertChain.p12 -srcstoretype pkcs12 -srcstorepass:file passphrase.txt -srcalias secc_cert -destalias secc_cert -destkeystore keystores\seccKeystore.jks -storepass:file passphrase.txt -noprompt
REM
REM 18.2) EVCC keystore needs to initally hold the OEM provisioning certificate (contract certificate will be installed with ISO 15118 message exchange)
type certs\oemSubCA2Cert.pem certs\oemSubCA1Cert.pem > certs\intermediateOEMCACerts.pem
openssl pkcs12 -export -inkey privateKeys\oemProv.key -in certs\oemProvCert.pem -name oem_prov_cert -certfile certs\intermediateOEMCACerts.pem -caname oem_subca_2 -caname oem_subca_1 -aes128 -passin file:passphrase.txt -passout file:passphrase.txt -out keystores\oemCertChain.p12
keytool -importkeystore -srckeystore keystores\oemCertChain.p12 -srcstoretype pkcs12 -srcstorepass:file passphrase.txt -srcalias oem_prov_cert -destalias oem_prov_cert -destkeystore keystores\evccKeystore.jks -storepass:file passphrase.txt -noprompt
REM 19) Create truststores for EVCC and SECC. Storing trust anchors in PKCS12 is not supported in Java 8. For creating trusstores we need a Java KeyStore (JKS) and import the DER encoded root CA certificates.
REM
REM 19.1) EVCC truststore needs to hold the V2GRootCA certificate
keytool -import -keystore keystores\evccTruststore.jks -alias v2g_root_ca -file certs\v2gRootCACert.der -storepass:file passphrase.txt -noprompt
REM
REM 19.2) SECC truststore needs to hold the V2G root CA certificate and MO root CA certificate.
REM According to ISO 15118-2, MO root CA is not necessarily needed as the MO sub-CA 1 could instead be signed by a V2G root CA.
keytool -import -keystore keystores\seccTruststore.jks -alias v2g_root_ca -file certs\v2gRootCACert.der -storepass:file passphrase.txt -noprompt
keytool -import -keystore keystores\seccTruststore.jks -alias mo_root_ca -file certs\moRootCACert.der -storepass:file passphrase.txt -noprompt
REM Side notes for OCSP stapling in Java: see http://openjdk.java.net/jeps/249

270
temp/RISE-V2G/RISE-V2G-Certificates/generateCertificates.sh Normal file
View File

@@ -0,0 +1,270 @@
#*******************************************************************************
# The MIT License (MIT)
#
# Copyright (c) 2015-2018 V2G Clarity (Dr. Marc Mültin)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#*******************************************************************************
# ===============================================================================================================
# This shell script can be used to create all necessary certificates and Keystores needed in order to
# - successfully perform a TLS handshake between the EVCC (TLSClient) and the SECC (TLSServer) and
# - install/update a contract certificate in the EVCC.
#
# This file shall serve you with all information needed to create your own certificate chains.
#
# Helpful information about using openssl is provided by Ivan Ristic's book "Bulletproof SSL and TLS".
# Furthermore, you should have openssl 1.0.2 (or above) installed to comply with all security requirements
# imposed by ISO 15118. For example, openssl 0.9.8 does not come with SHA-2 for SHA-256 signature algorithms.
# Some MacOS X installations unfortunately still use openssl < v1.0.2. You could use Homebrew to install openssl.
# Be aware that you probably then need to use an absolute path for your openssl commands, such as
# /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl.
#
# Author: Dr. Marc Mültin (marc.mueltin@v2g-clarity.com)
# ===============================================================================================================
# Some variables to create different outcomes of the PKI for testing purposes. Change the validity periods (given in number of days) to test
# - valid certificates (e.g. contract certificate or Sub-CA certificate)
# - expired certificates (e.g. contract certificate or Sub-CA certificates) -> you need to reset your system time to the past to create expired certificates
# - a to be updated contract certificate
validity_contract_cert=730
validity_mo_subca1_cert=1460
validity_mo_subca2_cert=1460
validity_oem_prov_cert=1460
validity_oem_subca1_cert=1460
validity_oem_subca2_cert=1460
validity_cps_leaf_cert=90
validity_cps_subca1_cert=1460
validity_cps_subca2_cert=730
validity_secc_cert=60
validity_cpo_subca1_cert=1460
validity_cpo_subca2_cert=365
validity_v2g_root_cert=3650
validity_oem_root_cert=3650
validity_mo_root_cert=3650
# FURTHER REMARKS:
# 1. OpenSSL does not use the named curve 'secp256r1' but the equivalent 'prime256v1'. So this file uses only 'prime256v1'.
# 2. The password used is stored in the file passphrase.txt. In it, you'll find two lines. The first line is used for the -passin option, the second line for the -passout option (especially when dealing with PKCS12 containers). See also https://www.openssl.org/docs/man1.0.2/apps/openssl.html, section "Pass Phrase Arguments"
# 0) Create directories if not yet existing
rm -r keystores # the keystores in the keystores folder (if existing) need to be deleted at first, so delete the complete folder
mkdir -p certs
mkdir -p csrs
mkdir -p keystores
mkdir -p privateKeys
# 1) Create a self-signed V2GRootCA certificate
# 1.1) Create a private key
# - private key -> -genkey
# - with elliptic curve parameters -> ecparam
# - using the named curve prime256v1 -> -name prime256v1
# - encrypt the key with symmetric cipher AES-128-CBC using the 'ec' utility command -> ec -aes-128-cbc
# - the passphrase for the encryption of the private key is provided in a file -> -passout file:passphrase.txt
# - save the encrypted private key at the location provided -> -out
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys/v2gRootCA.key
# 1.2) Create a CSR
# - new -> -new
# - certificate signing request -> req
# - using the previously created private key from which the public key can be derived -> -key
# - use the passwort stored in the file to decrypt the private key -> -passin
# - take the values needed for the Distinguished Name (DN) from the configuration file -> -config
# - save the CSR at the location provided -> -out
openssl req -new -key privateKeys/v2gRootCA.key -passin file:passphrase.txt -config configs/v2gRootCACert.cnf -out csrs/v2gRootCA.csr
# 1.3) Create an X.509 certificate
# - use the X.509 utility command -> x509
# - requesting a new X.509 certificate ... -> -req
# - ... using a CSR file that is located at -> -in
# - we need an X.509v3 (version 3) certificate that allows for extensions. Those are specified in an extensions file ... -> -extfile
# - ... that contains a section marked with 'ext' -> -extensions
# - self-sign the certificate with the previously generated private key -> -signkey
# - use the passwort stored in the file to decrypt the private key -> -passin
# - tell OpenSSL to use SHA-256 for creating the digital signature (otherwise SHA1 would be used) -> -sha256
# - each issued certificate must contain a unique serial number assigned by the CA (must be unique within the issuers number range) -> -set_serial
# - save the certificate at the location provided -> -out
# - make the certificate valid for 40 years (give in days) -> -days
openssl x509 -req -in csrs/v2gRootCA.csr -extfile configs/v2gRootCACert.cnf -extensions ext -signkey privateKeys/v2gRootCA.key -passin file:passphrase.txt -sha256 -set_serial 12345 -out certs/v2gRootCACert.pem -days $validity_v2g_root_cert
# 2) Create an intermediate CPO sub-CA 1 certificate which is directly signed by the V2GRootCA certificate
# 2.1) Create a private key (same procedure as for V2GRootCA)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys/cpoSubCA1.key
# 2.2) Create a CSR (same procedure as for V2GRootCA)
openssl req -new -key privateKeys/cpoSubCA1.key -passin file:passphrase.txt -config configs/cpoSubCA1Cert.cnf -out csrs/cpoSubCA1.csr
# 2.3) Create an X.509 certificate (same procedure as for V2GRootCA, but with the difference that we need the -CA switch to point to the CA certificate, followed by the -CAkey switch that tells OpenSSL where to find the CAs private key. We need the private key to create the signature and the public key certificate to make sure that the CAs certificate and private key match.
openssl x509 -req -in csrs/cpoSubCA1.csr -extfile configs/cpoSubCA1Cert.cnf -extensions ext -CA certs/v2gRootCACert.pem -CAkey privateKeys/v2gRootCA.key -passin file:passphrase.txt -set_serial 12345 -out certs/cpoSubCA1Cert.pem -days $validity_cpo_subca1_cert
# 3) Create a second intermediate CPO sub-CA certificate (sub-CA 2) just the way the previous intermedia certificate was created which is directly signed by the CPOSubCA1
# Differences to CPOSubCA1
# - basicConstraints in config file sets pathlength to 0 (meaning that no further sub-CA certificates may be signed with this certificate, a leaf certificate must follow this certificate in a certificate chain)
# - validity is set to 1 year (1 - 2 years are allowed according to ISO 15118)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys/cpoSubCA2.key
openssl req -new -key privateKeys/cpoSubCA2.key -passin file:passphrase.txt -config configs/cpoSubCA2Cert.cnf -out csrs/cpoSubCA2.csr
openssl x509 -req -in csrs/cpoSubCA2.csr -extfile configs/cpoSubCA2Cert.cnf -extensions ext -CA certs/cpoSubCA1Cert.pem -CAkey privateKeys/cpoSubCA1.key -passin file:passphrase.txt -set_serial 12345 -days $validity_cpo_subca2_cert -out certs/cpoSubCA2Cert.pem
# 4) Create an SECCCert certificate which is the leaf certificate belonging to the charging station which authenticates itself to the EVCC during a TLS handshake, signed by CPOSubCA2 certificate
# Differences to CPOSubCA1 and CPOSubCA2
# - basicConstraints sets CA to false, no pathlen is therefore set
# - keyusage is set to digitalSignature instead of keyCertSign and cRLSign
# - validity is set to 60 days (2 - 3 months are allowed according to ISO 15118)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys/secc.key
openssl req -new -key privateKeys/secc.key -passin file:passphrase.txt -config configs/seccCert.cnf -out csrs/seccCert.csr
openssl x509 -req -in csrs/seccCert.csr -extfile configs/seccCert.cnf -extensions ext -CA certs/cpoSubCA2Cert.pem -CAkey privateKeys/cpoSubCA2.key -passin file:passphrase.txt -set_serial 12345 -days $validity_secc_cert -out certs/seccCert.pem
# 5) Create a self-signed OEMRootCA certificate (validity is up to the OEM, this example applies the same validity as the V2GRootCA)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys/oemRootCA.key
openssl req -new -key privateKeys/oemRootCA.key -passin file:passphrase.txt -config configs/oemRootCACert.cnf -out csrs/oemRootCA.csr
openssl x509 -req -in csrs/oemRootCA.csr -extfile configs/oemRootCACert.cnf -extensions ext -signkey privateKeys/oemRootCA.key -passin file:passphrase.txt -sha256 -set_serial 12345 -out certs/oemRootCACert.pem -days $validity_oem_root_cert
# 6) Create an intermediate OEM sub-CA certificate which is directly signed by the OEMRootCA certificate (validity is up to the OEM, this example applies the same validity as the CPOSubCA1)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys/oemSubCA1.key
openssl req -new -key privateKeys/oemSubCA1.key -passin file:passphrase.txt -config configs/oemSubCA1Cert.cnf -out csrs/oemSubCA1.csr
openssl x509 -req -in csrs/oemSubCA1.csr -extfile configs/oemSubCA1Cert.cnf -extensions ext -CA certs/oemRootCACert.pem -CAkey privateKeys/oemRootCA.key -passin file:passphrase.txt -set_serial 12345 -days $validity_oem_subca1_cert -out certs/oemSubCA1Cert.pem
# 7) Create a second intermediate OEM sub-CA certificate which is directly signed by the OEMSubCA1 certificate (validity is up to the OEM, this example applies the same validity as the CPOSubCA2)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys/oemSubCA2.key
openssl req -new -key privateKeys/oemSubCA2.key -passin file:passphrase.txt -config configs/oemSubCA2Cert.cnf -out csrs/oemSubCA2.csr
openssl x509 -req -in csrs/oemSubCA2.csr -extfile configs/oemSubCA2Cert.cnf -extensions ext -CA certs/oemSubCA1Cert.pem -CAkey privateKeys/oemSubCA1.key -passin file:passphrase.txt -set_serial 12345 -days $validity_oem_subca2_cert -out certs/oemSubCA2Cert.pem
# 8) Create an OEM provisioning certificate which is the leaf certificate belonging to the OEM certificate chain (used for contract certificate installation)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys/oemProv.key
openssl req -new -key privateKeys/oemProv.key -passin file:passphrase.txt -config configs/oemProvCert.cnf -out csrs/oemProvCert.csr
openssl x509 -req -in csrs/oemProvCert.csr -extfile configs/oemProvCert.cnf -extensions ext -CA certs/oemSubCA2Cert.pem -CAkey privateKeys/oemSubCA2.key -passin file:passphrase.txt -set_serial 12345 -days $validity_oem_prov_cert -out certs/oemProvCert.pem
# 9) Create a self-signed MORootCA (mobility operator) certificate (validity is up to the MO, this example applies the same validity as the V2GRootCA)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys/moRootCA.key
openssl req -new -key privateKeys/moRootCA.key -passin file:passphrase.txt -config configs/moRootCACert.cnf -out csrs/moRootCA.csr
openssl x509 -req -in csrs/moRootCA.csr -extfile configs/moRootCACert.cnf -extensions ext -signkey privateKeys/moRootCA.key -passin file:passphrase.txt -sha256 -set_serial 12345 -out certs/moRootCACert.pem -days $validity_mo_root_cert
# 10) Create an intermediate MO sub-CA certificate which is directly signed by the MORootCA certificate (validity is up to the MO, this example applies the same validity as the CPOSubCA1)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys/moSubCA1.key
openssl req -new -key privateKeys/moSubCA1.key -passin file:passphrase.txt -config configs/moSubCA1Cert.cnf -extensions ext -out csrs/moSubCA1.csr
openssl x509 -req -in csrs/moSubCA1.csr -extfile configs/moSubCA1Cert.cnf -extensions ext -CA certs/moRootCACert.pem -CAkey privateKeys/moRootCA.key -passin file:passphrase.txt -set_serial 12345 -days $validity_mo_subca1_cert -out certs/moSubCA1Cert.pem
# 11) Create a second intermediate MO sub-CA certificate which is directly signed by the MOSubCA1 certificate (validity is up to the MO, this example applies the same validity as the CPOSubCA2)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys/moSubCA2.key
openssl req -new -key privateKeys/moSubCA2.key -passin file:passphrase.txt -config configs/moSubCA2Cert.cnf -out csrs/moSubCA2.csr
openssl x509 -req -in csrs/moSubCA2.csr -extfile configs/moSubCA2Cert.cnf -extensions ext -CA certs/moSubCA1Cert.pem -CAkey privateKeys/moSubCA1.key -passin file:passphrase.txt -set_serial 12345 -days $validity_mo_subca2_cert -out certs/moSubCA2Cert.pem
# 12) Create a contract certificate which is the leaf certificate belonging to the MO certificate chain (used for contract certificate installation)
# Validity can be between 4 weeks and 2 years (restricted by the contract lifetime), for testing purposes the validity will be set to 2 years
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys/contract.key
openssl req -new -key privateKeys/contract.key -passin file:passphrase.txt -config configs/contractCert.cnf -out csrs/contractCert.csr
openssl x509 -req -in csrs/contractCert.csr -extfile configs/contractCert.cnf -extensions ext -CA certs/moSubCA2Cert.pem -CAkey privateKeys/moSubCA2.key -passin file:passphrase.txt -set_serial 12345 -days $validity_contract_cert -out certs/contractCert.pem
cat certs/moSubCA2Cert.pem certs/moSubCA1Cert.pem > certs/intermediateMOCACerts.pem
openssl pkcs12 -export -inkey privateKeys/contract.key -in certs/contractCert.pem -certfile certs/intermediateMOCACerts.pem -aes128 -passin file:passphrase.txt -passout file:passphrase.txt -name contract_cert -out certs/moCertChain.p12
# 13) Create an intermediate provisioning service sub-CA certificate which is directly signed by the V2GRootCA certificate
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys/cpsSubCA1.key
openssl req -new -key privateKeys/cpsSubCA1.key -passin file:passphrase.txt -config configs/cpsSubCA1Cert.cnf -out csrs/cpsSubCA1.csr
openssl x509 -req -in csrs/cpsSubCA1.csr -extfile configs/cpsSubCA1Cert.cnf -extensions ext -CA certs/v2gRootCACert.pem -CAkey privateKeys/v2gRootCA.key -passin file:passphrase.txt -set_serial 12345 -days $validity_cps_subca1_cert -out certs/cpsSubCA1Cert.pem
# 14) Create a second intermediate provisioning sub-CA certificate which is directly signed by the CPSSubCA1 certificate (validity 1 - 2 years, we make it 2 years)
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys/cpsSubCA2.key
openssl req -new -key privateKeys/cpsSubCA2.key -passin file:passphrase.txt -config configs/cpsSubCA2Cert.cnf -out csrs/cpsSubCA2.csr
openssl x509 -req -in csrs/cpsSubCA2.csr -extfile configs/cpsSubCA2Cert.cnf -extensions ext -CA certs/cpsSubCA1Cert.pem -CAkey privateKeys/cpsSubCA1.key -passin file:passphrase.txt -set_serial 12345 -days $validity_cps_subca2_cert -out certs/cpsSubCA2Cert.pem
# 15) Create a provisioning service certificate which is the leaf certificate belonging to the provisioning certificate chain (used for contract certificate installation)
# Validity can be between 2 - 3 months, we make it 3 months
openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -passout file:passphrase.txt -out privateKeys/cpsLeaf.key
openssl req -new -key privateKeys/cpsLeaf.key -passin file:passphrase.txt -config configs/cpsLeafCert.cnf -out csrs/cpsLeafCert.csr
openssl x509 -req -in csrs/cpsLeafCert.csr -extfile configs/cpsLeafCert.cnf -extensions ext -CA certs/cpsSubCA2Cert.pem -CAkey privateKeys/cpsSubCA2.key -passin file:passphrase.txt -set_serial 12345 -days $validity_cps_leaf_cert -out certs/cpsLeafCert.pem
cat certs/cpsSubCA2Cert.pem certs/cpsSubCA1Cert.pem > certs/intermediateCPSCACerts.pem
openssl pkcs12 -export -inkey privateKeys/cpsLeaf.key -in certs/cpsLeafCert.pem -certfile certs/intermediateCPSCACerts.pem -aes128 -passin file:passphrase.txt -passout file:passphrase.txt -name cps_leaf_cert -out certs/cpsCertChain.p12
# 16) Finally we need to convert the certificates from PEM format to DER format (PEM is the default format, but ISO 15118 only allows DER format)
openssl x509 -inform PEM -in certs/v2gRootCACert.pem -outform DER -out certs/v2gRootCACert.der
openssl x509 -inform PEM -in certs/cpsSubCA1Cert.pem -outform DER -out certs/cpsSubCA1Cert.der
openssl x509 -inform PEM -in certs/cpsSubCA2Cert.pem -outform DER -out certs/cpsSubCA2Cert.der
openssl x509 -inform PEM -in certs/cpsLeafCert.pem -outform DER -out certs/cpsLeafCert.der
openssl x509 -inform PEM -in certs/cpoSubCA1Cert.pem -outform DER -out certs/cpoSubCA1Cert.der
openssl x509 -inform PEM -in certs/cpoSubCA2Cert.pem -outform DER -out certs/cpoSubCA2Cert.der
openssl x509 -inform PEM -in certs/seccCert.pem -outform DER -out certs/seccCert.der
openssl x509 -inform PEM -in certs/oemRootCACert.pem -outform DER -out certs/oemRootCACert.der
openssl x509 -inform PEM -in certs/oemSubCA1Cert.pem -outform DER -out certs/oemSubCA1Cert.der
openssl x509 -inform PEM -in certs/oemSubCA2Cert.pem -outform DER -out certs/oemSubCA2Cert.der
openssl x509 -inform PEM -in certs/oemProvCert.pem -outform DER -out certs/oemProvCert.der
openssl x509 -inform PEM -in certs/moRootCACert.pem -outform DER -out certs/moRootCACert.der
openssl x509 -inform PEM -in certs/moSubCA1Cert.pem -outform DER -out certs/moSubCA1Cert.der
openssl x509 -inform PEM -in certs/moSubCA2Cert.pem -outform DER -out certs/moSubCA2Cert.der
openssl x509 -inform PEM -in certs/contractCert.pem -outform DER -out certs/contractCert.der
# Since the intermediate certificates need to be in PEM format when putting them in a PKCS12 container and the resulting PKCS12 file is a binary format, it might be sufficient. Otherwise, I have currently no idea how to covert the intermediate certificates in DER without running into problems when creating the PKCS12 container.
# 17) In case you want the private keys in PKCS#8 file format and DER encoded, use this command. Especially necessary for the private key of MOSubCA2 in RISE V2G
openssl pkcs8 -topk8 -in privateKeys/moSubCA2.key -inform PEM -passin file:passphrase.txt -passout file:passphrase.txt -outform DER -out privateKeys/moSubCA2.pkcs8.der -v1 PBE-SHA1-3DES
# 18) Create the keystores for the EVCC and SECC. We need to first create the PKCS12 files and then import them into the JKS using the 'keytool' command.
# - create a PKCS12 file -> -export
# - if no private keys are added, e.g. for a truststore that holds only root CA certificates -> -nokeys
# - add a private key to the newly created PKCS12 container; must be in PEM format (not DER) -> -inkey
# - add any certificate (leaf certificate or root certificate); must be in PEM format (not DER) -> -in
# - add additional certificats (intermediate sub-CA certificates or more root CA certificates); must be in PEM format (not DER) -> -certfile
# - use AES to encrypt private keys before outputting -> -aes128
# - passphrase source to decrypt any private keys that are to be imported -> -passin
# - passphrase to encrypt any outputted private keys with -> -passout
# - provide the "friendly name" for the leaf certificate, which is used as the alias in Java -> -name
# - provide the "friendly name" for CA certificates, which is used as the alias in Java;
# this option may be used multiple times to specify names for all certificates in the order they appear -> -caname
# - the file location to store the PKCS12 data container -> -out
#
# 18.1) SECC keystore needs to hold initially hold the OEM provisioning certificate (contract certificate will be installed with ISO 15118 message exchange)
# First, concatenate the intermediate sub-CA certificates into one file intermediateCAs.pem
# IMPORTANT: Concatenate in such a way that the chain leads from the leaf certificate to the root (excluding), this means here: first parameter of the cat command is the sub-CA certificate which signs the leaf certificate (in this case cpoSubCA2.pem). Otherwise the Java method getCertificateChain() which is called on the keystore will only return the leaf certificate!
cat certs/cpoSubCA2Cert.pem certs/cpoSubCA1Cert.pem > certs/intermediateCPOCACerts.pem
# Put the seccCertificate, the private key associated with the seccCertificate as well as the intermediate sub-CA certificates in a PKCS12 container with the -certfile switch.
openssl pkcs12 -export -inkey privateKeys/secc.key -in certs/seccCert.pem -name secc_cert -certfile certs/intermediateCPOCACerts.pem -caname mo_subca_2 -caname mo_subca_1 -aes128 -passin file:passphrase.txt -passout file:passphrase.txt -out keystores/cpoCertChain.p12
keytool -importkeystore -srckeystore keystores/cpoCertChain.p12 -srcstoretype pkcs12 -srcstorepass:file passphrase.txt -srcalias secc_cert -destalias secc_cert -destkeystore keystores/seccKeystore.jks -storepass:file passphrase.txt -noprompt
#
# 18.2) EVCC keystore needs to initally hold the OEM provisioning certificate (contract certificate will be installed with ISO 15118 message exchange)
cat certs/oemSubCA2Cert.pem certs/oemSubCA1Cert.pem > certs/intermediateOEMCACerts.pem
openssl pkcs12 -export -inkey privateKeys/oemProv.key -in certs/oemProvCert.pem -name oem_prov_cert -certfile certs/intermediateOEMCACerts.pem -caname oem_subca_2 -caname oem_subca_1 -aes128 -passin file:passphrase.txt -passout file:passphrase.txt -out keystores/oemCertChain.p12
keytool -importkeystore -srckeystore keystores/oemCertChain.p12 -srcstoretype pkcs12 -srcstorepass:file passphrase.txt -srcalias oem_prov_cert -destalias oem_prov_cert -destkeystore keystores/evccKeystore.jks -storepass:file passphrase.txt -noprompt
# 19) Create truststores for EVCC and SECC. Storing trust anchors in PKCS12 is not supported in Java 8. For creating trusstores we need a Java KeyStore (JKS) and import the DER encoded root CA certificates.
#
# 19.1) EVCC truststore needs to hold the V2GRootCA certificate
keytool -import -keystore keystores/evccTruststore.jks -alias v2g_root_ca -file certs/v2gRootCACert.der -storepass:file passphrase.txt -noprompt
#
# 19.2) SECC truststore needs to hold the V2G root CA certificate and MO root CA certificate.
# According to ISO 15118-2, MO root CA is not necessarily needed as the MO sub-CA 1 could instead be signed by a V2G root CA.
keytool -import -keystore keystores/seccTruststore.jks -alias v2g_root_ca -file certs/v2gRootCACert.der -storepass:file passphrase.txt -noprompt
keytool -import -keystore keystores/seccTruststore.jks -alias mo_root_ca -file certs/moRootCACert.der -storepass:file passphrase.txt -noprompt
# Side notes for OCSP stapling in Java: see http://openjdk.java.net/jeps/249

2
temp/RISE-V2G/RISE-V2G-Certificates/passphrase.txt Normal file
View File

@@ -0,0 +1,2 @@
123456
123456

1
temp/RISE-V2G/RISE-V2G-Certificates/signature-creation-testdata/CertificateInstallationRes-MsgBody-namespace.xml Normal file
View File

File diff suppressed because one or more lines are too long

1
temp/RISE-V2G/RISE-V2G-Certificates/signature-creation-testdata/CertificateInstallationRes-empty-namespace.xml Normal file
View File

File diff suppressed because one or more lines are too long

190
temp/RISE-V2G/RISE-V2G-Certificates/signature-creation-testdata/README.md Normal file
View File

@@ -0,0 +1,190 @@
# Test Data To Verify Your CertificateInstallationRes Signature
This file provides test data needed to reproduce the same digest and signature values for a CertificateInstallationRes. This test data is provided for your convenience to verify that your implementation of creating and verifying digital XML-based signatures is correct.
Further explanation is given in the ISO 15118 Manual in section 3.12.3 "Test Data To Verify Your CertificateInstallationRes".
For further explanation why the different usage of XML namespace matters with regards to the resulting digest and signature values, have a look at section 3.12.4 "Pitfalls with Signatures And XML Namespaces" in the [ISO 15118 Manual](http://v2g-clarity.com/iso15118-manual/).
## TEST DATA SETUP
### Private key for signature creation
The private key used to create the signature for the CertificateInstallationRes is the one belonging to the Sub-CA 2 of the certificate provisioning service (CPS). See file cpsSubCA2.key.
169FE1CBCE6CED08391F3235FD530DB84430F165E474117C0AC587D6554F581C
### Public key for signature verification
The public key used to verify the signature of the CertificateInstallationRes is part of the Sub-CA 2 certificate of the certificate provisioning service (CPS). The 64 bytes represent a point on the elliptic curve, thus the raw x-coordinate and y-coordinate. The public key has an additional byte 0x04 in the beginning to represent the uncompressed form as demanded by the ISO 15118-2, resulting in 65 bytes in total.
0491CAA2FE68797277C9FEADEC61DC7AE7DC334DA59DD82D82290327AF105771F7307B9573870A8DA09CA4CE2F293B23D9F8AEED3AE49A9C177C6F710C55089CE4
### ContractSignatureCertChain
The certificate chain provided by the Mobility Operator (MO) comprises the contract certificate and the intermediate sub-CA certificates.
All MO certificates are packaged in the PKCS#12 container file moCertChain.p12. But you can also access every single certificate by its own, if you want: the contractCert, moSubCA2, and moSubCA1 (each provided in .pem and .der format). Be aware that the order in which the certificates are placed in the SubCertificates element is important. The first element is the Sub-CA 2 certificate, followed by the Sub-CA 1 certificate.
Also, the certificates' validity period might already have expired by the time you use this test data. But that is not a problem for this issue.
### ContractSignatureEncryptedPrivateKey
This field holds the encrypted private key that belongs to the contract certificate as well as a so-called initialization vector (IV) of 16 bytes length that is needed for the AES cipher. The IV is represented by the first (also known as most significant) 16 bytes of this field.
Use this hexadecimal representation of a ContractSignatureEncryptedPrivateKey to get the same results.
803340C03FEFBC0CF47613E50D74C660EF471D2104C2EB1C1EAE39BAE700EAB0DC9AE909CE234FF2619DD3A721C60AA0
### DHpublickey
The DHpublickey is the public key of a generated elliptic curve Diffie-Hellman key pair. The key pair is used to create the session key with which the private key that belongs to the contract certificate is encrypted. Again, with an additional byte 0x04 prepended as demanded by ISO 15118-2 to represent the uncompressed form of a public key.
Use this hexadecimal representation of a DHpublickey to get the same results.
04BE426A534EBCD5444476C0809425F9A593875AA7A4C2A2167C8A295B2B9069E054AD61801552FAB1F7C710D9506890120354C763800891DA595A1619E06254E9
### eMAID
Let's use the following eMAID for this test case: DEABCC123ABC56
### SAProvisioningCertificateChain
The signature is built over the four fields mentioned above. The Certificate Provisioning Service's (CPS) certificate chain is not part of the signature. However, the CPS's Sub-CA 2 certificate holds the public key (printed further above in hexadecimal notation for your convenience) with which you need to verify the signature. If you also want to validate the CPS's chain of certificates all the way up to the V2G root certificate, then use the PKCS#12 container file cpsCertChain.p12 and the v2gRootCA.pem or v2gRootCA.der file. All certificates in cpsCertChain.p12 are also provided as single certificates in this folder.
## XML REFERENCE ELEMENT GENERATION WITH CORRECT XML NAMESPACE "urn:iso:15118:2:2013:MsgBody"
The following values are created using the XML namespace "urn:iso:15118:2:2013:MsgBody".
### ContractSignatureCertChain
EXI:
8021015A590C4D703308201D33082017AA00302010202023039300906072A8648CE3D0401304F3111300F06035504030C084D4F53756243413231193017060355040A0C1052495345205632472050726F6A656374310B300906035504061302444531123010060A0992268993F22C64011916024D4F301E170D3138303831353132333433355A170D3230303831343132333433355A30573119301706035504030C1044452D4142432D43313233414243353631193017060355040A0C1052495345205632472050726F6A656374310B300906035504061302444531123010060A0992268993F22C64011916024D4F3059301306072A8648CE3D020106082A8648CE3D0301070342000473FEBA248E8E0D246F4ECC79D46E57184BF86ACBC01644F7AE453D8C721B8AF9442723892948A6E48A6E81229363DFBAEF37F4631FC3592E868BEF2E5884185EA33F303D300C0603551D130101FF04023000300E0603551D0F0101FF0404030203E8301D0603551D0E0416041446EC52B4D9BFC688275F5B0A872DD47D6960448A300906072A8648CE3D04010348003045022100E97C0514FAE75296B5951D06EAC507922167C725780951869AA5E3DF43E618F5022059F81CAFEDDA35B5C73DF80EA1522C53951EF2361232E35442B16D6B77909D8A06A81984100E8984100BC50018100810101181C98048303954324671E82009827988898078301AA8201860426A7A9BAB121A098988C980B8301AA820506082924A9A2902B192390283937B532B1BA188598048301AA82030981222298891808030504C91344C9F91632008C8B0126A7980F0B86989C181C189A9899199A199AAD0B869919181C189A1899199A199AAD1827988898078301AA8201860426A7A9BAB121A099188C980B8301AA820506082924A9A2902B192390283937B532B1BA188598048301AA82030981222298891808030504C91344C9F91632008C8B0126A7982C98098303954324671E81008304154324671E81808381A100024A1FD0FC8C3F56A5E5CFC49A0FDF110400AAD7E8C8B33AC646EF0B93A4C74CA034FEDAB0900313607E24849385E45905DDB22B5DD9E88A9C1076CEFC266A848F51A2982198090301AA8E898080FF820418030080FF81008018070301AA8E878080FF8202018100E3180E8301AA8E87020B020A256D0F08428AADE1FB88C3BF4C1E7E8EE606C1D118048303954324671E820081A40018228110151FDB8466FA92DB3E5AE0AC81B4BC3AAB7C18FF1CA54DD7CDB4E18C0CAAE8BD8110806ABF339E3F7C85EAD2FAA175F61DDBE6E015876FD8BFE225B04169563377128D86B01984100E9184100BC50018100810101181C98048303954324671E82009827988898078301AA8201860426A7A937B7BA21A0988C980B8301AA820506082924A9A2902B192390283937B532B1BA188598048301AA82030981222298891808030504C91344C9F91632008C8B0126A7980F0B86989C181C189A9899199A199AAD0B869919181C189A1899199A199AAD1827988898078301AA8201860426A7A9BAB121A098988C980B8301AA820506082924A9A2902B192390283937B532B1BA188598048301AA82030981222298891808030504C91344C9F91632008C8B0126A7982C98098303954324671E81008304154324671E81808381A1000262BE27D8CCBAA40F456878995C3E34CDE5EF3C4B435FC84C4A57B6F84212FCCFC195290B3B265255BC4CF067A3294E73516D54B255838C9C35F67F5F77B64EE6D1A2982198090301AA8E898080FF820418030080FF81008098070301AA8E878080FF820201810083180E8301AA8E87020B020A6876F21C15AB68AE79919AF9807C85B49B1DD2C718048303954324671E820081A48018230110806656378B705F6308BDA5749D1CC6AAB30FC93390A01E608C8C99DE16D0DF09430110807B4806A1E2B9B762C65B7C8783321E83B185CD00FA57EEAC334A27965CF6B9D817A00
SHA-256:
8EFA2B8D3BDED68CF6F4DF02D80BADCC4036AEA8F2D4E4124CA69A64DBC192B0
Base64 encoded SHA-256:
jvorjTve1oz29N8C2AutzEA2rqjy1OQSTKaaZNvBkrA=
### ContractSignatureEncryptedPrivateKey
EXI:
802202B4B2190C200CD0300FFBEF033D1D84F9435D31983BD1C7484130BAC707AB8E6EB9C03AAC3726BA427388D3FC986774E9C87182A81E80
SHA-256:
5F0EEDE44720B6AE9F7A4EC27E49C8F28C5F0A31FDAE012FE4E3C8FCEEC231F2
Base64 encoded SHA-256:
Xw7t5Ecgtq6fek7CfknI8oxfCjH9rgEv5OPI/O7CMfI=
### DHpublickey
EXI:
802D02B4B21990412F909A94D3AF3551111DB02025097E6964E1D6A9E930A8859F228A56CAE41A78152B58600554BEAC7DF1C436541A240480D531D8E0022476965685867818953A5E80
SHA-256:
02003E52F83579B57A72D4C9514B1480956D71B5C669A63CD633B309B040CE78
Base64 encoded SHA-256:
AgA+Uvg1ebV6ctTJUUsUgJVtcbXGaaY81jOzCbBAzng=
### eMAID
EXI:
80EC0202B4B21A40041111505090D0CC4C8CD05090CD4DBD3D00
SHA-256:
939AF54F14396EC0D827F753C896AC0762AE1E00ACAB57E19AF100243CDD5A6B
Base64 encoded SHA-256:
k5r1TxQ5bsDYJ/dTyJasB2KuHgCsq1fhmvEAJDzdWms=
## SIGNATURE GENERATION WITH CORRECT XML NAMESPACE "urn:iso:15118:2:2013:MsgBody"
EXI:
808112B43A3A381D1797BBBBBB973B999737B93397AA2917B1B0B737B734B1B0B616B2BC3497A1AB43A3A381D1797BBBBBB973B999737B933979918181897981A17BC36B63239B4B396B6B7B93291B2B1B239B096B9B430991A9B220623696432025687474703A2F2F7777772E77332E6F72672F54522F63616E6F6E6963616C2D6578692F4852D0E8E8E0745E5EEEEEEE5CEE665CDEE4CE5E646060625E60685EF0DAD8CADCC646E6D0C2646A6C840BE1DDBC88E416D5D3EF49D84FC9391E518BE1463FB5C025FC9C791F9DD8463E408188DA590C4095A1D1D1C0E8BCBDDDDDDCB9DCCCB9BDC99CBD5148BD8D85B9BDB9A58D85B0B595E1A4BD214B43A3A381D1797BBBBBB973B999737B933979918181897981A17BC36B632B73191B9B430991A9B210477D15C69DEF6B467B7A6F816C05D6E6201B5754796A720926534D326DE0C958020623696434025687474703A2F2F7777772E77332E6F72672F54522F63616E6F6E6963616C2D6578692F4852D0E8E8E0745E5EEEEEEE5CEE665CDEE4CE5E646060625E60685EF0DAD8CADCC646E6D0C2646A6C8412735EA9E2872DD81B04FEEA7912D580EC55C3C015956AFC335E2004879BAB4D608188DA590CC095A1D1D1C0E8BCBDDDDDDCB9DCCCB9BDC99CBD5148BD8D85B9BDB9A58D85B0B595E1A4BD214B43A3A381D1797BBBBBB973B999737B933979918181897981A17BC36B632B73191B9B430991A9B21001001F297C1ABCDABD396A64A8A58A404AB6B8DAE334D31E6B19D984D820673C0DC
The signature value will never be the same because ECDSA always uses a random seed to generate the signature. Therefore, it does not make sense to provide a signature value here for comparison.
HINT: Do not make the mistake to hash the EXI binary stream before you run ECDSA on it. ECDSA already performs a SHA-256 hashing operation!
## XML REFERENCE ELEMENT GENERATION WITH INCORRECT XML NAMESPACE ""
There was a discussion going on whether the XML elements for a CertificateInstallationRes/CertificateUpdateRes need to be created using the namespace "urn:iso:15118:2:2013:MsgBody" or if using no namespace (the same as using the empty namespace "") is also a possible solution. The [ISO 15118 User Group issue #72](http://extmgmt.kn.e-technik.tu-dortmund.de/issues/172) further elaborates on that and makes clear that the namespace "urn:iso:15118:2:2013:MsgBody" shall be used. Using the empty namespace would NOT conform to the standard's requirements.
However, just to show the difference in the EXI encoding result as well as the difference in message size, the following values are created using the empty XML namespace "". As you can see, those EXI encoding results are bigger in size. This is due to a so-called schema deviation encoding for those message elements.
### ContractSignatureCertChain
EXI:
80F311B436F6E74726163745369676E617475726543657274436861696E4C028006070052056964312E00109805000C7EC089A92928460F4868682B0E2CE82EE928482CE92869A88D6EE86A2B29096DEB492F4D4608A82A884A09AA48AEE88EEB288ACA2A2888882D09CA8629C62B2D69C849AD48AB49A84C68E8262AA8A86CEEEA2AAD6D8A8A4A684AE9AD6C6CEAA9094ECC2DAACD4C8888A989A82D68E8262AA8A84D09A86A48AAAF08AD482A284CEDE94D6D2C294D65E92E6B4828AB48CCE949CA8F482CA8CEE60F09E8882689AA8AAF09AD49A609AF4ACC28CEE60F29A8882689AA8A2F09AD49A609AF4ACC29A8CC6F08EA882B084CE9CAC84829A9A8A8AA48C98AA8C86A2F262889AA892F4A2AA94889CA8B2F08EA882B084CE9CAC8482DE9A8A8C9494AA60AACEACD49490928C84F2C464E0D8B266A2F086F4829484CE9CAC8482B2A882D6A48C9AA492EE8A82B29686B492DAD2B4A0F2988EA2848EA4B286A8AA70EEAEA882A884CEC6E2D0D6D49EA0A2928484CECEE2D0D6D49EA0A29A8484EE9C868282A4F45EE4DED6D4DE689C948E729EF490DCAAC4D8C6B2A65ED0E2F27082AEA4A0CAEAA4A8649AC6D0EA9656AAA2DC9268D6E0A696C4D6D2DA6C8492E09CD4666EE4EC9C5EA4D490709CB498DEC2986EF26AB2D084D0CADEF470EEA0A8829A84CE9CAC90A49A8482CC708A82D482829A82688E8262AAC888EE8A845EEEA28A82EE92886C8882C884CE9CAC90A2688A8CCEA2AAA4EAF0A6E89CDA5EF0DECEDCB062E696D0F266AACCAED8CEA492DEEE86A2B29096DEB492F4D4608A82A29C928288848C82D28A826CB0EE8C8CA0E4DCAAE0C262D8A4608E6CE6AA90D6D28CDCF0F2AC6886AC8E8EDAE2B0D46660A0DA8EA0AA86928CDC6890965EE864D4AE62F0F4666888E28CA6988C9EAC90EC92648AD498D4AC8A96F0C4AEE866D69464968E01169805000C2E00114C0280063F6044D494942305443434158696741774942416749434D446B77435159484B6F5A497A6A3045415442504D52457744775944565151444441684E54314E31596B4E424D54455A4D4263474131554543677751556B6C54525342574D6B636755484A76616D566A6444454C4D416B474131554542684D4352455578456A415142676F4A6B69614A6B2F49735A41455A46674A4E547A4165467730784F4441344D5455784D6A4D304D7A5661467730794D6A41344D5451784D6A4D304D7A56614D4538784554415042674E5642414D4D4345315055335669513045794D526B77467759445651514B4442425353564E464946597952794251636D39715A574E304D517377435159445651514745774A45525445534D42414743676D534A6F6D543869786B41526B57416B31504D466B77457759484B6F5A497A6A3043415159494B6F5A497A6A304441516344516741456C442B682B52682B7255764C6E346B304837346943414656723947525A6E574D6A6434584A306D4F6D5542702F6256684941596D7750784A4353634C794C494C753252577537505246546767375A3334544E554A48714E464D454D7745675944565230544151482F42416777426745422F7749424144414F42674E56485138424166384542414D4341635977485159445652304F4242594546457261486843464656764439784748667067382F52334D44594F694D416B4742797147534D34394241454453414177525149674B6A2B33434D33314A625A387463465A41326C34645662344D663435537075766D326E4447426C563058734349514456666D633866766B4C31615831517576734F37664E7743734F3337462F7845746767744B735A75346C47773D3D470008A60140031FB0226A4A4A1183521A1A0AC34B3A0BBA4A120B3A4A1A6A235BBA1A8ACA425B7AD24BD351822A0AA212826A922BBA23BACA22B28A8A22220B4272A18A53B3119A92228AA22AD26A131A3A098AAA2A1B3BBA8AAB5B62A2929A12BA6B5B1B3AAA4253B30B6AB35322222A626A0B5A3A098AAA2A13426A1A922AABC22B520A8A133B7A535B4B0A53597A4B9AD20A2AD2333A5272A3D20B2A33B983C27A2209A26AA2ABC26B5269826BD2B30A33B983CA6B5209A26AA28BC26B5269826BD2B30A6A29C3C22AA20A82133A72B2120A6A6A1A298A82A99AB34A89822BC26A935BBA33BACA22B28A8A5A2212129A9AB272324A32CBCA93CA128B1B69CB8AD2BA71826A8B9BBA1A8ACA22B28A8A3A2BBA522A92A22A9A6A120A3A1B3B6A9A537B6AA1C34BC35A0A935ABA0B598A826A335BBA2BBACA425B7AD24BD351821A0A8ACA4A5B7AD24BD35182220A8B1A228B3A0A2BC2C3C2839AD3618A9A11B25982822BCBAA43C38369C3B32B2A530A3BB1AA1ACB6259CBA1C24A8B615AD15A225B624ABB235BCB5B899B4AD1A269CA3AAB83D36B7BA38B82D25B9A423AA34391BA81B159B993CB23D30A72326A2A6BBA2B3ACA22B29182A20A8A417A120B3BBA133A2A117BBA4A120AA20A7A133A72B24289C2120B31C22A120A6A1A0A8ACBBA428ACA22B291827A1212CA2A327223A1AA233B92B3A23319C3CA6989C3BA21AA1993599279B2BA7A6A0B5A3A13CB8A3A9A69A1CA120A2A229A8A0BBA933A4B420A6BCB9B13C3133BB39ACA93298393827B536A72B2BACB335B6B1B428A23D2123A935BD3B2199343B3425A3A0B4A2A09CB820A7289C2B3D3139ABA6BA3B35A82136A89CA11926A636B3A418391C98ACAD3829282626373A319BA09EABE8
SHA-256:
8A624F06F7D29216B15462F188D4217A811E2D8D18EEB25CE2252004EFA0BC62
Base64 encoded SHA-256:
imJPBvfSkhaxVGLxiNQheoEeLY0Y7rJc4iUgBO+gvGI=
### ContractSignatureEncryptedPrivateKey
EXI:
80F3125436F6E74726163745369676E6174757265456E63727970746564507269766174654B65794C02800607005205696432684CE889C82EE885EECEC82F460C8D0A0D888B0A88EB29E729090A68A8AEEEAE6C690E2686AEAEAC6826CE488C6DAEAD694F4D29CA070DA8EC8606CC6D0F0CEE2CEFA00
SHA-256:
59B9F0CBF4E7D528A3E233EC55A3ED41C0971E032727704829E64ED56F2CC829
Base64 encoded SHA-256:
Wbnwy/Tn1Sij4jPsVaPtQcCXHgMnJ3BIKeZO1W8syCk=
### DHpublickey
EXI:
80F310C44487075626C69636B65794C028006070052056964336B484986A86C2D89C9EEC9CAC8AA490C482CE94A2D856C2AEA8D062E2DCE09A96D28CDCF29696ACE6E4D68EDCCEAC9662D0CE84ACA656E49066F0F088B4AA8ED2A28ACE9CAAF0649E82869490C2AEACDEAE8ECA84D2AC9ED67AFA00
SHA-256:
086D79FE8E5990F26ACC99ED0095B18156D4F1C221D1F72D3C7206B7D5514F81
Base64 encoded SHA-256:
CG15/o5ZkPJqzJntAJWxgVbU8cIh0fctPHIGt9VRT4E=
### eMAID
EXI:
80F3106654D4149444C02800607005205696434620888A828486866264668284866A6CFA00
SHA-256:
45CD81DFFD1A56BB5F4A796B804CA71721AF434587E0ED803A09EAEBADBB8479
Base64 encoded SHA-256:
Rc2B3/0aVrtfSnlrgEynFyGvQ0WH4O2AOgnq6627hHk=
## SIGNATURE GENERATION WITH INCORRECT XML NAMESPACE ""
EXI:
808112B43A3A381D1797BBBBBB973B999737B93397AA2917B1B0B737B734B1B0B616B2BC3497A1AB43A3A381D1797BBBBBB973B999737B933979918181897981A17BC36B63239B4B396B6B7B93291B2B1B239B096B9B430991A9B220623696432025687474703A2F2F7777772E77332E6F72672F54522F63616E6F6E6963616C2D6578692F4852D0E8E8E0745E5EEEEEEE5CEE665CDEE4CE5E646060625E60685EF0DAD8CADCC646E6D0C2646A6C840B373E197E9CFAA5147C467D8AB47DA83812E3C064E4EE09053CC9DAADE59905208188DA590C4095A1D1D1C0E8BCBDDDDDDCB9DCCCB9BDC99CBD5148BD8D85B9BDB9A58D85B0B595E1A4BD214B43A3A381D1797BBBBBB973B999737B933979918181897981A17BC36B632B73191B9B430991A9B210453127837BE9490B58AA3178C46A10BD408F16C68C77592E7112900277D05E31020623696434025687474703A2F2F7777772E77332E6F72672F54522F63616E6F6E6963616C2D6578692F4852D0E8E8E0745E5EEEEEEE5CEE665CDEE4CE5E646060625E60685EF0DAD8CADCC646E6D0C2646A6C8408B9B03BFFA34AD76BE94F2D700994E2E435E868B0FC1DB007413D5D75B7708F208188DA590CC095A1D1D1C0E8BCBDDDDDDCB9DCCCB9BDC99CBD5148BD8D85B9BDB9A58D85B0B595E1A4BD214B43A3A381D1797BBBBBB973B999737B933979918181897981A17BC36B632B73191B9B430991A9B2100436BCFF472CC87935664CF6804AD8C0AB6A78E110E8FB969E39035BEAA8A7C08DC
The signature value will never be the same because ECDSA always uses a random seed to generate the signature. Therefore, it does not make sense to provide a signature value here for comparison.
HINT: Do not make the mistake to hash the EXI binary stream before you run ECDSA on it. ECDSA already performs a SHA-256 hashing operation!

12
temp/RISE-V2G/RISE-V2G-Certificates/signature-creation-testdata/contractCert.pem Normal file
View File

@@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIB0zCCAXqgAwIBAgICMDkwCQYHKoZIzj0EATBPMREwDwYDVQQDDAhNT1N1YkNB
MjEZMBcGA1UECgwQUklTRSBWMkcgUHJvamVjdDELMAkGA1UEBhMCREUxEjAQBgoJ
kiaJk/IsZAEZFgJNTzAeFw0xODA4MTUxMjM0MzVaFw0yMDA4MTQxMjM0MzVaMFcx
GTAXBgNVBAMMEERFLUFCQy1DMTIzQUJDNTYxGTAXBgNVBAoMEFJJU0UgVjJHIFBy
b2plY3QxCzAJBgNVBAYTAkRFMRIwEAYKCZImiZPyLGQBGRYCTU8wWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAARz/rokjo4NJG9OzHnUblcYS/hqy8AWRPeuRT2MchuK
+UQnI4kpSKbkim6BIpNj37rvN/RjH8NZLoaL7y5YhBheoz8wPTAMBgNVHRMBAf8E
AjAAMA4GA1UdDwEB/wQEAwID6DAdBgNVHQ4EFgQURuxStNm/xognX1sKhy3UfWlg
RIowCQYHKoZIzj0EAQNIADBFAiEA6XwFFPrnUpa1lR0G6sUHkiFnxyV4CVGGmqXj
30PmGPUCIFn4HK/t2jW1xz34DqFSLFOVHvI2EjLjVEKxbWt3kJ2K
-----END CERTIFICATE-----

BIN
temp/RISE-V2G/RISE-V2G-Certificates/signature-creation-testdata/cpsCertChain.p12 Normal file
View File

Binary file not shown.

8
temp/RISE-V2G/RISE-V2G-Certificates/signature-creation-testdata/cpsLeaf.key Normal file
View File

@@ -0,0 +1,8 @@
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,380BED020885167EDF788D043AA87CE0
vZ4x8xI8BuaQoWn84sC0EZ1nMJkc9vcomYZujt/EFkx9Pet0maaBSUC4gAp+Vmuv
6CTIiCIg4Nqfr0bIDG0Fc1sR7qbzwjdbxdTyb30gxAYZXkrg9k1YBHYBkJDFNgiK
01YxM+KvvOklzasS3E6N8O18aCLr073nQ3/GeCoyBgM=
-----END EC PRIVATE KEY-----

12
temp/RISE-V2G/RISE-V2G-Certificates/signature-creation-testdata/cpsLeafCert.pem Normal file
View File

@@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIBzjCCAXagAwIBAgICMDkwCQYHKoZIzj0EATBSMRMwEQYDVQQDDApQcm92U3Vi
Q0EyMRkwFwYDVQQKDBBSSVNFIFYyRyBQcm9qZWN0MQswCQYDVQQGEwJERTETMBEG
CgmSJomT8ixkARkWA0NQUzAeFw0xODA4MTUxMjM0MzVaFw0xODExMTMxMjM0MzVa
MFAxETAPBgNVBAMMCENQUyBMZWFmMRkwFwYDVQQKDBBSSVNFIFYyRyBQcm9qZWN0
MQswCQYDVQQGEwJERTETMBEGCgmSJomT8ixkARkWA0NQUzBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABJHKov5oeXJ3yf6t7GHceufcM02lndgtgikDJ68QV3H3MHuV
c4cKjaCcpM4vKTsj2fiu7TrkmpwXfG9xDFUInOSjPzA9MAwGA1UdEwEB/wQCMAAw
DgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBQoXojyIBpvdgAXOaYQeTUMq5ag9TAJ
BgcqhkjOPQQBA0cAMEQCIAS8mjlsl/1Tpl5AkRj2fk6NwQjWT+WrCYn8hewTHvpA
AiBRj+hg0I04i3sKspaBv6NADWNIbdyYlvBVSApUQwy1Iw==
-----END CERTIFICATE-----

12
temp/RISE-V2G/RISE-V2G-Certificates/signature-creation-testdata/cpsSubCA1Cert.pem Normal file
View File

@@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIB1zCCAX2gAwIBAgICMDkwCQYHKoZIzj0EATBRMRIwEAYDVQQDDAlWMkdSb290
Q0ExGTAXBgNVBAoMEFJJU0UgVjJHIFByb2plY3QxCzAJBgNVBAYTAkRFMRMwEQYK
CZImiZPyLGQBGRYDVjJHMB4XDTE4MDgxNTEyMzQzNVoXDTIyMDgxNDEyMzQzNVow
UjETMBEGA1UEAwwKUHJvdlN1YkNBMTEZMBcGA1UECgwQUklTRSBWMkcgUHJvamVj
dDELMAkGA1UEBhMCREUxEzARBgoJkiaJk/IsZAEZFgNDUFMwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAAS6olYOW2Eqj8UbE8qK4kw66+v77/wHfa8fuxiziYz9/C8T
auZVSzmLKZVhSxgot/aEM9arcR6z6pm6IUhooRHCo0UwQzASBgNVHRMBAf8ECDAG
AQH/AgEBMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUiPeAh9VKGtrLvJx+te9q
Eq8re2wwCQYHKoZIzj0EAQNJADBGAiEAkLiSEhwZhW2J1HkWyWCsDfI8FSWZzkgQ
WdRpPf6wQfICIQDkB4W/cXLTh2muLSvANTv5gAZBpbFnLCDLtWMIcEwO7w==
-----END CERTIFICATE-----

12
temp/RISE-V2G/RISE-V2G-Certificates/signature-creation-testdata/cpsSubCA2Cert.pem Normal file
View File

@@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIB1zCCAX6gAwIBAgICMDkwCQYHKoZIzj0EATBSMRMwEQYDVQQDDApQcm92U3Vi
Q0ExMRkwFwYDVQQKDBBSSVNFIFYyRyBQcm9qZWN0MQswCQYDVQQGEwJERTETMBEG
CgmSJomT8ixkARkWA0NQUzAeFw0xODA4MTUxMjM0MzVaFw0yMDA4MTQxMjM0MzVa
MFIxEzARBgNVBAMMClByb3ZTdWJDQTIxGTAXBgNVBAoMEFJJU0UgVjJHIFByb2pl
Y3QxCzAJBgNVBAYTAkRFMRMwEQYKCZImiZPyLGQBGRYDQ1BTMFkwEwYHKoZIzj0C
AQYIKoZIzj0DAQcDQgAEb7ni77kvihibEYfe38rkdViqbQZ2DdaWTuSgb8f5MYBt
0X7Yd2EmMNggBA/y6b/qdy7i/CZtO4XoxhWdxR27VqNFMEMwEgYDVR0TAQH/BAgw
BgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMzOBrGZABRuhmOnhZeM
j7IRE5bXMAkGByqGSM49BAEDSAAwRQIhAP2QVgZFV2At/5En2inD6xPbDR8fGYTi
LSs+aVKerEb6AiAqhCcm3aCBHqkuc/AIP5QRFLVcw8k7nKyNVsvEmE//FA==
-----END CERTIFICATE-----

BIN
temp/RISE-V2G/RISE-V2G-Certificates/signature-creation-testdata/moCertChain.p12 Normal file
View File

Binary file not shown.

12
temp/RISE-V2G/RISE-V2G-Certificates/signature-creation-testdata/moSubCA1Cert.pem Normal file
View File

@@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIB0jCCAXigAwIBAgICMDkwCQYHKoZIzj0EATBPMREwDwYDVQQDDAhNT1Jvb3RD
QTEZMBcGA1UECgwQUklTRSBWMkcgUHJvamVjdDELMAkGA1UEBhMCREUxEjAQBgoJ
kiaJk/IsZAEZFgJNTzAeFw0xODA4MTUxMjM0MzVaFw0yMjA4MTQxMjM0MzVaME8x
ETAPBgNVBAMMCE1PU3ViQ0ExMRkwFwYDVQQKDBBSSVNFIFYyRyBQcm9qZWN0MQsw
CQYDVQQGEwJERTESMBAGCgmSJomT8ixkARkWAk1PMFkwEwYHKoZIzj0CAQYIKoZI
zj0DAQcDQgAExXxPsZl1SB6K0PEyuHxpm8veeJaGv5CYlK9t8IQl+Z+DKlIWdkyk
q3iZ4M9GUpzmotqpZKsHGThr7P6+72ydzaNFMEMwEgYDVR0TAQH/BAgwBgEB/wIB
ATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFNDt5DgrVtFc8yM18wD5C2k2O6WO
MAkGByqGSM49BAEDSQAwRgIhAMysbxbgvsYRe0rpOjmNVWYfkmchQDzBGRkzvC2h
vhKGAiEA9pANQ8VzbsWMtvkPBmQ9B2MLmgH0r91YZpRPLLntc7A=
-----END CERTIFICATE-----

12
temp/RISE-V2G/RISE-V2G-Certificates/signature-creation-testdata/moSubCA2Cert.pem Normal file
View File

@@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIB0TCCAXigAwIBAgICMDkwCQYHKoZIzj0EATBPMREwDwYDVQQDDAhNT1N1YkNB
MTEZMBcGA1UECgwQUklTRSBWMkcgUHJvamVjdDELMAkGA1UEBhMCREUxEjAQBgoJ
kiaJk/IsZAEZFgJNTzAeFw0xODA4MTUxMjM0MzVaFw0yMjA4MTQxMjM0MzVaME8x
ETAPBgNVBAMMCE1PU3ViQ0EyMRkwFwYDVQQKDBBSSVNFIFYyRyBQcm9qZWN0MQsw
CQYDVQQGEwJERTESMBAGCgmSJomT8ixkARkWAk1PMFkwEwYHKoZIzj0CAQYIKoZI
zj0DAQcDQgAElD+h+Rh+rUvLn4k0H74iCAFVr9GRZnWMjd4XJ0mOmUBp/bVhIAYm
wPxJCScLyLILu2RWu7PRFTgg7Z34TNUJHqNFMEMwEgYDVR0TAQH/BAgwBgEB/wIB
ADAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFEraHhCFFVvD9xGHfpg8/R3MDYOi
MAkGByqGSM49BAEDSAAwRQIgKj+3CM31JbZ8tcFZA2l4dVb4Mf45Spuvm2nDGBlV
0XsCIQDVfmc8fvkL1aX1QuvsO7fNwCsO37F/xEtggtKsZu4lGw==
-----END CERTIFICATE-----

12
temp/RISE-V2G/RISE-V2G-Certificates/signature-creation-testdata/oemProvCert.pem Normal file
View File

@@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIB0TCCAXigAwIBAgICMDkwCQYHKoZIzj0EATBRMRIwEAYDVQQDDAlPRU1TdWJD
QTIxGTAXBgNVBAoMEFJJU0UgVjJHIFByb2plY3QxCzAJBgNVBAYTAkRFMRMwEQYK
CZImiZPyLGQBGRYDT0VNMB4XDTE4MDgxNTEyMzQzNVoXDTIyMDgxNDEyMzQzNVow
UzEUMBIGA1UEAwwLT0VNUHJvdkNlcnQxGTAXBgNVBAoMEFJJU0UgVjJHIFByb2pl
Y3QxCzAJBgNVBAYTAkRFMRMwEQYKCZImiZPyLGQBGRYDT0VNMFkwEwYHKoZIzj0C
AQYIKoZIzj0DAQcDQgAED4hImL7PFPU7Nxsgt/+SyNSkbhBxOJMseZNyc6KNTixb
l2mA08AixhhPu0f+2mTWyT8qBHKc18ekD4AjCnR1uKM/MD0wDAYDVR0TAQH/BAIw
ADAOBgNVHQ8BAf8EBAMCA4gwHQYDVR0OBBYEFKOPm6bvahIJjUgSnCXGpaiG2NHO
MAkGByqGSM49BAEDSAAwRQIhAPDzK9lM60lDuac8M03gZFip6l8k5ozEYe3qy5r1
UQQxAiAmFmlrWIrxAiUvkEL88p13WKPE/mII6G4tF35m+TzUHw==
-----END CERTIFICATE-----

12
temp/RISE-V2G/RISE-V2G-Certificates/signature-creation-testdata/v2gRootCACert.pem Normal file
View File

@@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIB1TCCAXqgAwIBAgICMDkwCgYIKoZIzj0EAwIwUTESMBAGA1UEAwwJVjJHUm9v
dENBMRkwFwYDVQQKDBBSSVNFIFYyRyBQcm9qZWN0MQswCQYDVQQGEwJERTETMBEG
CgmSJomT8ixkARkWA1YyRzAeFw0xODA4MTUxMjM0MzVaFw0yODA4MTIxMjM0MzVa
MFExEjAQBgNVBAMMCVYyR1Jvb3RDQTEZMBcGA1UECgwQUklTRSBWMkcgUHJvamVj
dDELMAkGA1UEBhMCREUxEzARBgoJkiaJk/IsZAEZFgNWMkcwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAARm86LOcZnbwSKBrBH1rAaOXTnyMZFYyard0rSMgMHpN/kD
jluhBnvvAgpk4wmVBx0YBqfVRaIPretAGCmqO5Jso0IwQDAPBgNVHRMBAf8EBTAD
AQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUrToVah3wryPZxFzBuIyFRzal
adcwCgYIKoZIzj0EAwIDSQAwRgIhAKU6GMgF0Njd5nkcBLVAIx/3EzTkKunt/7xH
qd00Gn6PAiEAkr/8pOHqZ82Zq3h2dTrJNGlhuIS2jBl+7P4wDzSNXyg=
-----END CERTIFICATE-----