Finished

.gitmodules

@@ -4,3 +4,6 @@
 [submodule "3rd/openssl"]
 	path = 3rd/openssl
 	url = https://github.com/openssl/openssl.git
+[submodule "3rd/gbench"]
+	path = 3rd/gbench
+	url = [email protected]:henrydcase/benchmark.git

3rd/openssl-cmake/CMakeLists.txt

@@ -17,14 +17,16 @@ set(OPENSSL_INCLUDE_DIR ${OPENSSL_BUILD_INSTALL_ROOT}/include)
 #   ${OPENSSL_PREFIX_OPENSSLDIR}
 set(OPENSSL_PREFIX_OPENSSLDIR ${CMAKE_INSTALL_PREFIX}${PQSDK_INSTALL_DIR}/openssl)
 include(libdefs.cmake)
+set(OPENSSL_CONFIG_CMD "config" CACHE STRING "Command used to configure OpenSSL (default ./config)")
+set(OPENSSL_CONFIG_TARGET "" CACHE STRING "Platform for which OpenSSL should be compiled (default native)")
 
 message("OpenSSL root dir: ${OPENSSL_ROOT_DIR}")
 message("OpenSSL install dir: ${OPENSSL_BUILD_INSTALL_ROOT}")
 message("OpenSSL include dir: ${OPENSSL_INCLUDE_DIR}")
 message("OpenSSL crypto lib: ${OPENSSL_LIB_CRYPTO}")
 message("OpenSSL ssl lib: ${OPENSSL_LIB_SSL}")
 # TODO: add  no-deprecated. Need to get rid of ERR_load_crypto_strings and OBJ_cleanup first
-set(OPENSSL_CONFIG_ARGS no-shared shared threads)
+set(OPENSSL_CONFIG_ARGS no-shared shared threads no-md2 no-md4 no-sm2 no-sm3 no-sm4)
 
 if(DEBUG)
     set(OPENSSL_CONFIG_ARGS ${OPENSSL_CONFIG_ARGS} -d -g3 -O0 no-asm  -fno-omit-frame-pointer -fno-inline-functions)
@@ -44,14 +46,14 @@ add_dependencies(
 ExternalProject_Add(OpenSSL
     SOURCE_DIR ${OPENSSL_ROOT_DIR}
     BINARY_DIR ${CMAKE_CURRENT_BINARY_DIR}/openssl-build
-    CONFIGURE_COMMAND <SOURCE_DIR>/config -debug ${OPENSSL_CONFIG_ARGS} --prefix=${OPENSSL_PREFIX_OPENSSLDIR} --openssldir=${OPENSSL_PREFIX_OPENSSLDIR} --strict-warnings
+    CONFIGURE_COMMAND <SOURCE_DIR>/${OPENSSL_CONFIG_CMD} ${OPENSSL_CONFIG_TARGET} ${OPENSSL_CONFIG_ARGS} --prefix=${OPENSSL_PREFIX_OPENSSLDIR} --openssldir=${OPENSSL_PREFIX_OPENSSLDIR} --strict-warnings
     BUILD_COMMAND ${MAKE_PROGRAM} CC=${CMAKE_C_COMPILER} CXX=${CMAKE_CXX_COMPILER} LD=${CMAKE_LINKER}
     INSTALL_DIR /
     INSTALL_COMMAND make DESTDIR=${OPENSSL_BUILD_INSTALL_ROOT} install
 )
 
-install(DIRECTORY ${OPENSSL_BUILD_INSTALL_ROOT}/${OPENSSL_PREFIX_OPENSSLDIR}/.. DESTINATION ${OPENSSL_PREFIX_OPENSSLDIR})
-install(DIRECTORY ${OPENSSL_BUILD_INSTALL_ROOT}${OPENSSL_PREFIX_OPENSSLDIR}/bin/ DESTINATION
-    ${OPENSSL_PREFIX_OPENSSLDIR}/bin
-    FILE_PERMISSIONS OWNER_EXECUTE OWNER_READ GROUP_EXECUTE GROUP_READ WORLD_EXECUTE WORLD_READ)
+#install(DIRECTORY ${OPENSSL_BUILD_INSTALL_ROOT}/${OPENSSL_PREFIX_OPENSSLDIR}/.. DESTINATION ${OPENSSL_PREFIX_OPENSSLDIR})
+#install(DIRECTORY ${OPENSSL_BUILD_INSTALL_ROOT}${OPENSSL_PREFIX_OPENSSLDIR}/bin/ DESTINATION
+#    ${OPENSSL_PREFIX_OPENSSLDIR}/bin
+#    FILE_PERMISSIONS OWNER_EXECUTE OWNER_READ GROUP_EXECUTE GROUP_READ WORLD_EXECUTE WORLD_READ)
 set_property(GLOBAL PROPERTY openssl_build_dir_property ${OPENSSL_BUILD_DIR})

CMakeLists.txt

@@ -10,45 +10,36 @@ set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "~/.cmake/Modules")
 set(CMAKE_CXX_STANDARD 11)
 set(CMAKE_POSITION_INDEPENDENT_CODE ON)
 set(INSTALL_GTEST OFF CACHE BOOL "" FORCE)
-set(OPTEE_ENGINE_INSTALL_DIR /usr/local/softs)
+set(OPTEE_ENGINE_INSTALL_DIR /opt)
 
-# --- Configuration ---
-
-# Arch settings
-if(CMAKE_C_COMPILER_ID MATCHES "Clang")
-  set(CLANG 1)
+# OP-TEE
+if (NOT OPTEE_BUILD_DIR)
+    message(FATAL_ERROR "Must specify -DOPTEE_BUILD_DIR")
 endif()
-
-if (${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
-   set(CMAKE_C_COMPILER /usr/bin/cc CACHE PATH "" FORCE)
-   set(CMAKE_CXX_COMPILER /usr/bin/c++ CACHE PATH "" FORCE)
-   set(OPTEE_ENG_LD_FLAGS "-Wl")
-else()
-   set(OPTEE_ENG_LD_FLAGS "-W")
+if (NOT PLATFORM)
+    message(FATAL_ERROR "Must specify -DPLATFORM=V where V is either qemu or hikey960")
 endif()
+set(OPTEE_ROOT_DIR ${OPTEE_BUILD_DIR})
+set(OPTEE_REE_LIB_DIR ${OPTEE_ROOT_DIR}/out-br/target/usr/lib)
+set(OPTEE_REE_INCLUDE_DIR ${OPTEE_ROOT_DIR}/optee_client/public)
+set(CMAKE_C_COMPILER ${OPTEE_ROOT_DIR}/toolchains/aarch64/bin/aarch64-linux-gnu-gcc CACHE PATH "" FORCE)
+set(CMAKE_CXX_COMPILER ${OPTEE_ROOT_DIR}/toolchains/aarch64/bin/aarch64-linux-gnu-g++ CACHE PATH "" FORCE)
 
-# Build OpenSSL if not provided, otherwise define
-# OpenSSL_ssl_shared and OpenSSL_crypto_shared
-if (BUILD_OPENSSL)
-	add_subdirectory(3rd/openssl-cmake)
-else()
-	if (NOT OPENSSL_INSTALL_DIR)
-		message(FATAL_ERROR "Must specify -DOPENSSL_INSTALL_DIR")
-	endif()
-	set(OPENSSL_BUILD_INSTALL_ROOT ${OPENSSL_INSTALL_DIR})
-	set(OPENSSL_PREFIX_OPENSSLDIR ${CMAKE_INSTALL_PREFIX}${OPTEE_ENGINE_INSTALL_DIR}/openssl)
-	include(3rd/openssl-cmake/libdefs.cmake)
-endif()
+# 3rd Parties
 
+# OpenSSL config targets
+set(OPENSSL_CONFIG_CMD "Configure" CACHE STRING "Command used to configure OpenSSL (default ./config)")
+set(OPENSSL_CONFIG_TARGET "linux-aarch64" CACHE STRING "Platform for which OpenSSL should be compiled (default native)")
+
+add_subdirectory(3rd/openssl-cmake)
+# Gtest
+add_subdirectory(3rd/gtest)
 get_property(OPENSSL_INSTALL_DIR GLOBAL PROPERTY openssl_build_install_dir_property)
 set(OPENSSL_INCLUDE_DIR ${OPENSSL_INSTALL_DIR}/include)
 
 # Trusted Application sources
 set(TA_DELEGATOR_ROOT ${CMAKE_SOURCE_DIR}/src/ta)
 
-# Build gtest
-add_subdirectory(3rd/gtest)
-
 # Global configuration
 set(C_CXX_FLAGS "\
     -Wno-ignored-qualifiers \
@@ -60,35 +51,15 @@ set(C_CXX_FLAGS "\
     -Wundef \
     -Wunused-result")
 
-if(CLANG)
-	set(C_CXX_FLAGS
-		"-Wconditional-uninitialized \
-		-Wmissing-variable-declarations")
-endif()
-
 # Control Debug/Release mode
 IF(${CMAKE_BUILD_TYPE} MATCHES "Debug")
 	set(C_CXX_FLAGS "${C_CXX_FLAGS} -g3 -O0 -Wno-unused")
 else()
 	set(C_CXX_FLAGS "${C_CXX_FLAGS} -O3")
 endif()
 
-# Add possibility to build Client Application with ASAN
-if(ASAN)
-	set(CLANG 1)
-	set(C_CXX_FLAGS "${C_CXX_FLAGS} -fsanitize=undefined,address,leak -fno-omit-frame-pointer")
-	set(LDFLAGS "${LDFLAGS} -fsanitize=undefined,address,leak")
-endif()
-
 set(CMAKE_C_FLAGS ${C_CXX_FLAGS})
 set(CMAKE_CXX_FLAGS ${C_CXX_FLAGS})
-if(CLANG)
-	if(NOT CMAKE_C_COMPILER_ID MATCHES "Clang" OR NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
-		message(FATAL_ERROR "Clang required for this build")
-	endif()
-
-    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wnewline-eof -fcolor-diagnostics")
-endif()
 
 # --- Build targets ---
 
@@ -133,8 +104,99 @@ target_link_directories(
 target_link_libraries(
     optee_eng
     OpenSSL_crypto_shared
+    teec
     ${CMAKE_DL_LIBS})
 
 IF(${CMAKE_BUILD_TYPE} MATCHES "Debug")
     target_compile_definitions(optee_eng PRIVATE BUILD_DEBUG)
 endif()
+
+# Key management app
+add_executable(
+    optee_keymgnt
+    src/optee_engine/keymgnt.c
+)
+target_include_directories(
+    optee_keymgnt PRIVATE
+    ${OPENSSL_INCLUDE_DIR}
+    ${OPTEE_REE_INCLUDE_DIR}
+    ${TA_DELEGATOR_ROOT}/include)
+target_link_directories(
+    optee_keymgnt PRIVATE
+    ${OPTEE_REE_LIB_DIR})
+target_link_libraries(
+    optee_keymgnt
+    OpenSSL_crypto_shared
+    teec
+    ${OPTEE_ENG_LD_FLAGS}
+    ${CMAKE_DL_LIBS})
+
+ExternalProject_Add(optee_eng_ta
+    SOURCE_DIR ${TA_DELEGATOR_ROOT}
+    CONFIGURE_COMMAND ""
+    BUILD_COMMAND OPTEE_ROOT=${OPTEE_BUILD_DIR} O=${CMAKE_CURRENT_BINARY_DIR} ${MAKE_PROGRAM}
+    BUILD_IN_SOURCE TRUE
+    INSTALL_DIR ${CMAKE_CURRENT_BINARY_DIR}/ta
+    INSTALL_COMMAND ""
+    BUILD_ALWAYS TRUE
+)
+
+# Google benchmark settings
+set(CMAKE_BUILD_TYPE "Release" CACHE STRING "" FORCE)
+# Target for benchmark - it also builds gtest library
+set(BENCHMARK_ENABLE_GTEST_TESTS OFF CACHE BOOL "Enable testing of the benchmark library." FORCE)
+set(BENCHMARK_ENABLE_TESTING OFF CACHE BOOL "Disable benchmark tests" FORCE)
+set(GOOGLETEST_PATH "${CMAKE_CURRENT_SOURCE_DIR}/3rd/gtest" CACHE PATH "Path to the gtest sources" FORCE)
+set(BENCHMARK_OS_WINDOWS OFF CACHE BOOL "" FORCE)
+set(HAVE_POSIX_REGEX OFF CACHE BOOL "" FORCE)
+set(BENCHMARK_ENABLE_EXCEPTIONS OFF CACHE BOOL "" FORCE)
+set(BENCHMARK_ENABLE_INSTALL OFF CACHE BOOL "" FORCE)
+add_subdirectory(3rd/gbench)
+add_executable(
+    speed
+    src/optee_engine/speed.cc)
+target_include_directories(
+    speed PRIVATE
+    ${OPENSSL_INCLUDE_DIR}
+)
+target_link_libraries(
+    speed
+    gtest
+    pthread
+    OpenSSL_crypto_shared
+    benchmark::benchmark)
+
+# Install copies needed files to the buildroot overlay.
+
+# OpenVPN config
+install(FILES ${PROJECT_SOURCE_DIR}/cfg/openvpn_cli.conf
+    DESTINATION ${OPTEE_ROOT_DIR}/build/br-ext/board/${PLATFORM}/overlay/etc/openvpn/
+    RENAME client.conf)
+install(FILES
+    ${PROJECT_SOURCE_DIR}/cfg/certs/ca.cert
+    ${PROJECT_SOURCE_DIR}/cfg/certs/client.cert
+    ${PROJECT_SOURCE_DIR}/cfg/certs/client.key
+    DESTINATION ${OPTEE_ROOT_DIR}/build/br-ext/board/${PLATFORM}/overlay/etc/openvpn/certs/)
+# OpenSSL config
+install(FILES ${PROJECT_SOURCE_DIR}/cfg/openssl_optee.cnf
+    DESTINATION ${OPTEE_ROOT_DIR}/build/br-ext/board/${PLATFORM}/overlay/etc/ssl/
+    RENAME openssl.cnf)
+# OpTEE engine
+install(TARGETS optee_eng
+    LIBRARY DESTINATION ${OPTEE_ROOT_DIR}/build/br-ext/board/${PLATFORM}/overlay/opt/
+    PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
+# TA
+install(FILES ${CMAKE_CURRENT_BINARY_DIR}/8aaaf200-2450-11e4-0060-0dc0ffee0000.ta
+    DESTINATION ${OPTEE_ROOT_DIR}/build/br-ext/board/${PLATFORM}/overlay/lib/optee_armtz)
+# Must be empty and have same name as the TEE key ID
+install(FILES /dev/null
+    DESTINATION ${OPTEE_ROOT_DIR}/build/br-ext/board/${PLATFORM}/overlay/etc/openvpn/
+    RENAME vpn.testlab.com)
+# Key management app
+install(TARGETS optee_keymgnt
+    RUNTIME DESTINATION ${OPTEE_ROOT_DIR}/build/br-ext/board/${PLATFORM}/overlay/usr/bin/
+    PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ WORLD_READ)
+# Speed app
+install(TARGETS speed
+    RUNTIME DESTINATION ${OPTEE_ROOT_DIR}/build/br-ext/board/${PLATFORM}/overlay/usr/bin/
+    PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ WORLD_READ)

README.md

@@ -0,0 +1,9 @@
+# OPTEE OpenSSL ENGINE for TLS
+
+Typically, a TLS server uses an X509 Certificate and associated Private Key to sign TLS session. Both certificate and private key used for signing the certificate form an asymmetric cryptographic key-pair. Revealing the traffic-private-key makes it possible to perform men-in-the-middle type of attacks. Typically private-key is stored on the server’s hard disk. Even if it is stored in encrypted form, at some point HTTPS server needs to have a possibility to decrypt it to use for signing. It means that at runtime the key in the plaintext will be available in memory of an HTTPS process. In the case of software errors, attackers may be able to steal a private key (see [Heartbleed](https://heartbleed.com/)). From the other hand, in multiple domains, there is a need for binding of secret keys to the hardware on which software is running comes with multiple (IoT devices, software deployments on the edge networks).
+
+Secure Trusted Execution Environments may address those needs. The repository provides a PoC implementation of Trusted Application that can be run in the ARM's TrustZone and be used for storing secret key of a TLS server as well as perform signing operation with that key. The implementation uses [OPTEE](https://www.op-tee.org/) as an implementation of the TEE. The secret key is stored in the encrypted form on secure storage. The secure storage is encrypted with device Device Unique Key (HUK) and hence it can be only used by any other hardware after being copied from one device to the other.
+
+The plugin to OpenSSL provides integration between Trusted Application running in Trust Zone and TLS stack. Namely, the plugin implements OpenSSL ENGINE API and hence it can be dynamically loaded by OpenSSL, eliminating a need to modify OpenSSL source code.
+
+The idea was initially described on a blog [here](https://www.amongbytes.com/post/201904-tee-sign-delegator/). The main improvement provided by software in this repository is the implementation of the OpenSSL plugin.

cfg/certs/10e22dbc.0

@@ -0,0 +1 @@
+server.cert

cfg/certs/ca.cert

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB4jCCAYegAwIBAgIUUAWISiMN6taMN9o92ZeCmvF/hWEwCgYIKoZIzj0EAwIw
+PjElMCMGA1UECgwcQW1vbmcgQnl0ZXMsIHZwbi50ZXN0bGFiLmNvbTEVMBMGA1UE
+AwwMUm9vdCBDZXJ0IEcxMB4XDTIxMDIwNzIzNDQ0NFoXDTQ4MDYyNDIzNDQ0NFow
+PjElMCMGA1UECgwcQW1vbmcgQnl0ZXMsIHZwbi50ZXN0bGFiLmNvbTEVMBMGA1UE
+AwwMUm9vdCBDZXJ0IEcxMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELti1AngN
+Z5mpgfL/IEfwP4d28l5qqj3qagHproif80C0L7mkGmseO7gdLQHyU7UlelGxAFZD
+vC4NOufG2c6fS6NjMGEwHQYDVR0OBBYEFI+sqwD8xeuHR2qtcnS/hBPfUA4vMB8G
+A1UdIwQYMBaAFI+sqwD8xeuHR2qtcnS/hBPfUA4vMA8GA1UdEwEB/wQFMAMBAf8w
+DgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0kAMEYCIQCn4bViwS6ALu7HtXjp
+SaEJgkSjLj/Fw/5/XohAx/ta/QIhAJrdETBDyaqN7kZjT3mI12vOb1vdA2oHYCZw
+OsL1I5yO
+-----END CERTIFICATE-----

cfg/certs/ca.key

@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIM2kewhtexp7AZonkZqAYKk4pNTImjxDpX5GeGxkb0IDoAoGCCqGSM49
+AwEHoUQDQgAELti1AngNZ5mpgfL/IEfwP4d28l5qqj3qagHproif80C0L7mkGmse
+O7gdLQHyU7UlelGxAFZDvC4NOufG2c6fSw==
+-----END EC PRIVATE KEY-----

cfg/certs/ca.srl

@@ -0,0 +1 @@
+725588E0FAE750D03BC5D4B1254454A2C85ECBBB

cfg/certs/client.cert

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICNTCCAdygAwIBAgIUclWI4PrnUNA7xdSxJURUoshey7swCgYIKoZIzj0EAwIw
+PjElMCMGA1UECgwcQW1vbmcgQnl0ZXMsIHZwbi50ZXN0bGFiLmNvbTEVMBMGA1UE
+AwwMUm9vdCBDZXJ0IEcxMB4XDTIxMDIwNzIzNDQ0NFoXDTQ4MDYyNDIzNDQ0NFow
+MTEZMBcGA1UECgwQQ2VydCBUZXN0aW5nIE9SRzEUMBIGA1UEAwwLQ2xpZW50IENl
+cnQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQU41Tkm38N15yBrlUdrrIhcfXO
+aav9SY+OHoEYpR6FvZvvhEtmSLMe0tBlXLq/SBwWDERMwCb4ksnMYuRk81wko4HE
+MIHBMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMDIGCWCGSAGG+EIBDQQl
+FiNBbW9uZyBCeXRlcywgTGFiIFRlc3RuZywgVExTIENsaWVudDAdBgNVHQ4EFgQU
+TfNbUInWGruGey7vUaXiWdZUBIcwHwYDVR0jBBgwFoAUj6yrAPzF64dHaq1ydL+E
+E99QDi8wDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEF
+BQcDBDAKBggqhkjOPQQDAgNHADBEAiAaN2sorsRKG9GeEcqUSag/FS+cRVt70vG/
+AN+3XKlmeAIgKKSwTm8JuHYJO1bHQzVBJOFtjQQvc1NINEE3yIvTc6M=
+-----END CERTIFICATE-----

cfg/certs/client.csr

@@ -0,0 +1,7 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIHsMIGTAgEAMDExGTAXBgNVBAoMEENlcnQgVGVzdGluZyBPUkcxFDASBgNVBAMM
+C0NsaWVudCBDZXJ0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFONU5Jt/Ddec
+ga5VHa6yIXH1zmmr/UmPjh6BGKUehb2b74RLZkizHtLQZVy6v0gcFgxETMAm+JLJ
+zGLkZPNcJKAAMAoGCCqGSM49BAMCA0gAMEUCIQCvWl41LYMmGyfsGMKoNrc3kXac
+4/vTZbt/3F5N3MnfIAIgKhkxJ8K8leLqsUnasAINKqV7goVXdOncZXFZWB3Z/zs=
+-----END CERTIFICATE REQUEST-----

cfg/certs/client.key

@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINy9shU4Xzqh+R47QxCvTFkaAWK5V35J1ynaPU29LlRKoAoGCCqGSM49
+AwEHoUQDQgAEFONU5Jt/Ddecga5VHa6yIXH1zmmr/UmPjh6BGKUehb2b74RLZkiz
+HtLQZVy6v0gcFgxETMAm+JLJzGLkZPNcJA==
+-----END EC PRIVATE KEY-----

cfg/certs/f40a0c39.0

@@ -0,0 +1 @@
+ca.cert

cfg/certs/server.cert

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAnegAwIBAgIUclWI4PrnUNA7xdSxJURUoshey7owCgYIKoZIzj0EAwIw
+PjElMCMGA1UECgwcQW1vbmcgQnl0ZXMsIHZwbi50ZXN0bGFiLmNvbTEVMBMGA1UE
+AwwMUm9vdCBDZXJ0IEcxMB4XDTIxMDIwNzIzNDQ0NFoXDTQ4MDYyNDIzNDQ0NFow
+NTEZMBcGA1UECgwQQ2VydCBUZXN0aW5nIE9SRzEYMBYGA1UEAwwPdnBuLnRlc3Rs
+YWIuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQKMXJu5XByLVq1Mo7oek
+MzDLQWBulUcDH6CXxXJSRVDOHapNMTNsjEIzLvManD7tXRaxDNINXvAJ/ze6eA+0
+FaOCAVowggFWMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDIGCWCGSAGG
++EIBDQQlFiNBbW9uZyBCeXRlcywgTGFiIFRlc3RuZywgVExTIFNlcnZlcjAdBgNV
+HQ4EFgQUFzD2JhWfK/YeOd9Yd5h9aONsFigweQYDVR0jBHIwcIAUj6yrAPzF64dH
+aq1ydL+EE99QDi+hQqRAMD4xJTAjBgNVBAoMHEFtb25nIEJ5dGVzLCB2cG4udGVz
+dGxhYi5jb20xFTATBgNVBAMMDFJvb3QgQ2VydCBHMYIUUAWISiMN6taMN9o92ZeC
+mvF/hWEwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEMGA1Ud
+EQQ8MDqCDXd3dy5wcXNkay5jb22CDWlvdC5wcXNkay5jb22CDXZwbi5wcXNkay5j
+b22CCyoucHFzZGsuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDKpmDVh3TTkojSMDLV
+Fzq6kk7RSvD48lG2FTMwWtE0NAIgdPeRd9DQcuCBCT8/kHxevfcoBXI60o5MVpNo
+sY8hFVo=
+-----END CERTIFICATE-----

cfg/certs/server.csr

@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIHwMIGXAgEAMDUxGTAXBgNVBAoMEENlcnQgVGVzdGluZyBPUkcxGDAWBgNVBAMM
+D3Zwbi50ZXN0bGFiLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABECjFybu
+Vwci1atTKO6HpDMwy0FgbpVHAx+gl8VyUkVQzh2qTTEzbIxCMy7zGpw+7V0WsQzS
+DV7wCf83ungPtBWgADAKBggqhkjOPQQDAgNIADBFAiEAwoYmOPkC6fHjInldqob/
+sIkBNQoQG3IG50JZNaXDQ94CIByydf2CoqABEjMJ49/YhgikQ8Cp88qw23M0uCdZ
+avEs
+-----END CERTIFICATE REQUEST-----

cfg/certs/server.key

@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIGS/md9a764Wd2z6+eaIpT+c4pcxMOPY5+KCeZ88xdbEoAoGCCqGSM49
+AwEHoUQDQgAEQKMXJu5XByLVq1Mo7oekMzDLQWBulUcDH6CXxXJSRVDOHapNMTNs
+jEIzLvManD7tXRaxDNINXvAJ/ze6eA+0FQ==
+-----END EC PRIVATE KEY-----