aboutsummaryrefslogtreecommitdiffstats
path: root/misc/botan.rc
blob: aaa1b3f9197cb2576cb63f68aad8457d950920e2 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225

# Botan configuration (v1.4.2)

# This config, as shipped, matches the library defaults, but is much easier to
# tweak than recompiling everything. You can use it as a base for your own
# configurations. Read section 10.4 "Configuration Files" in the API doc for
# more information.

[base]
memory_chunk = 32*1024  # size of the chunk of memory allocated at once
default_pbe = PBE-PKCS5v20(SHA-1,TripleDES/CBC)
pkcs8_tries = 3

[pk]
blinder_size = 64
test/public = basic
test/private = basic
test/private_gen = all

[pem]
search = 4*1024
forgive = 8
width = 64

[rng]
# LibraryInitializer will try to acquire at least this many bits of entropy
min_entropy = 384
es_files = /dev/urandom:/dev/random        # path for random devices
egd_path = /var/run/egd-pool:/dev/egd-pool # path to search for an EGD socket
ms_capi_prov_type = INTEL_SEC:RSA_FULL     # prefered MS CryptoAPI providers
unix_path = /usr/ucb:/usr/etc:/etc

[x509]
validity_slack = 24h    # how much wiggle room is given when checking validity
v1_assume_ca = false       # should v1/v2 certificates be considered CA certs?
cache_verify_results = 30m # how long to cache verification results

[x509/ca]
allow_ca = false   # should PKCS #10 requests be able to ask to be a CA?
  # should basic_constraints be included in all certs, including end-user?
basic_constraints = always
default_expire = 1y       # default expire time for new certs
signing_offset = 30s      # offset the PKCS #10 validity times by this amount
rsa_hash = SHA-1          # what hash to use when using RSA to sign new certs
str_type = latin1         # default string encoding (latin1 or utf8)

[x509/crl]
# can be 'ignore' or 'throw': ignore matches X.509-2000 behavior, throw is PKIX
unknown_critical = ignore

# When generating a new CRL, this is the default next update time. Can also be
# set in the call to X509_CA::update_crl/X509_CA::new_crl as the last arg
next_update = 7d

[x509/exts]
# Each of these can be one of:
#  - critical: Extension is marked as critical, if we have the info for it
#  - yes or noncritical: Extension is included if needed, but not critical
#  - no: Extension is not included, even if the information is available
basic_constraints = critical
subject_key_id = yes
authority_key_id = yes
subject_alternative_name = yes
issuer_alternative_name = yes
key_usage = critical
extended_key_usage = yes
crl_number = yes

[aliases]
Rijndael = AES
3DES = TripleDES
DES-EDE = TripleDES
CAST5 = CAST-128
3-Way = ThreeWay
SHARK = SHARK-E
SEAL = SEAL-3.0-BE
SHA1 = SHA-160
SHA-1 = SHA-160 # Don't change or remove this
MARK-4 = ARC4(256)

OpenPGP.Cipher.1 = IDEA
OpenPGP.Cipher.2 = TripleDES
OpenPGP.Cipher.3 = CAST-128
OpenPGP.Cipher.4 = Blowfish
OpenPGP.Cipher.5 = SAFER-SK(13)
OpenPGP.Cipher.7 = AES-128
OpenPGP.Cipher.8 = AES-192
OpenPGP.Cipher.9 = AES-256
OpenPGP.Cipher.10 = Twofish

OpenPGP.Digest.1 = MD5
OpenPGP.Digest.2 = SHA-1
OpenPGP.Digest.3 = RIPEMD-160
OpenPGP.Digest.5 = MD2
OpenPGP.Digest.6 = Tiger(24,3)
OpenPGP.Digest.7 = HAVAL(20,5)
OpenPGP.Digest.8 = SHA-256

TLS.Digest.0 = Parallel(MD5,SHA-1)

EME-PKCS1-v1_5 = PKCS1v15
OAEP-MGF1 = EME1
EME-OAEP = EME1
X9.31 = EMSA2
EMSA-PKCS1-v1_5 = EMSA3
PSS-MGF1 = EMSA4
EMSA-PSS = EMSA4

[oids]
ISO_MEMBER = 1.2
US_BODY = ISO_MEMBER.840
X500 = 2.5

RSA_DSI = US_BODY.113549
ANSI_X957 = US_BODY.10040
ANSI_X942 = US_BODY.10046
NIST_ALGO = 2.16.840.1.101.3.4
PKIX_USAGE = 1.3.6.1.5.5.7.3
GNU_PROJECT = 1.3.6.1.4.1.11591
OIW_ALGO = 1.3.14.3.2
DN_ATTR = X500.4
X509_KU = X500.29

PKCS    = RSA_DSI.1
PKCS1   = PKCS.1
PKCS5   = PKCS.5
PKCS7   = PKCS.7
PKCS9   = PKCS.9

DES/CBC = OIW_ALGO.7
TripleDES/CBC = RSA_DSI.3.7
RC2/CBC = RSA_DSI.3.2
CAST-128/CBC = US_BODY.113533.7.66.10
AES-128/CBC = NIST_ALGO.1.2
AES-192/CBC = NIST_ALGO.1.22
AES-256/CBC = NIST_ALGO.1.42

MD5 = RSA_DSI.2.5
SHA-160 = OIW_ALGO.26
Tiger(24,3) = GNU_PROJECT.12.2

KeyWrap.TripleDES = PKCS9.16.3.6
KeyWrap.RC2 = PKCS9.16.3.7
KeyWrap.CAST-128 = US_BODY.113533.7.66.15
KeyWrap.AES-128 = NIST_ALGO.1.5
KeyWrap.AES-192 = NIST_ALGO.1.25
KeyWrap.AES-256 = NIST_ALGO.1.45

Compression.Zlib = PKCS9.16.3.8

RSA = PKCS1.1
RSA = X500.8.1.1
DSA = ANSI_X957.4.1
DH = ANSI_X942.2.1

DSA/EMSA1(SHA-160)/DER = ANSI_X957.4.3
DSA/EMSA1(SHA-160) = ANSI_X957.4.3
RSA/EMSA3(MD2) = PKCS1.2
RSA/EMSA3(MD5) = PKCS1.4
RSA/EMSA3(SHA-160) = PKCS1.5
RSA/EMSA3(SHA-256) = PKCS1.11
RSA/EMSA3(SHA-384) = PKCS1.12
RSA/EMSA3(SHA-512) = PKCS1.13
RSA/EMSA3(RIPEMD-160) = 1.3.36.3.3.1.2

PBE-PKCS5v15(MD2,DES/CBC) = PKCS5.1
PBE-PKCS5v15(MD2,RC2/CBC) = PKCS5.4
PBE-PKCS5v15(MD5,DES/CBC) = PKCS5.3
PBE-PKCS5v15(MD5,RC2/CBC) = PKCS5.6
PBE-PKCS5v15(SHA-160,DES/CBC) = PKCS5.10
PBE-PKCS5v15(SHA-160,RC2/CBC) = PKCS5.11
PBE-PKCS5v20 = PKCS5.13
PKCS5.PBKDF2 = PKCS5.12

CMS.DataContent = PKCS7.1
CMS.SignedData = PKCS7.2
CMS.EnvelopedData = PKCS7.3
CMS.DigestedData = PKCS7.5
CMS.EncryptedData = PKCS7.6
CMS.AuthenticatedData = PKCS9.16.1.2
CMS.CompressedData = PKCS9.16.1.9

PKCS9.EmailAddress = PKCS9.1
PKCS9.UnstructuredName = PKCS9.2
PKCS9.ContentType = PKCS9.3
PKCS9.MessageDigest = PKCS9.4
PKCS9.ChallengePassword = PKCS9.7
PKCS9.ExtensionRequest = PKCS9.14

X520.CommonName = DN_ATTR.3
X520.Surname = DN_ATTR.4
X520.SerialNumber = DN_ATTR.5
X520.Country = DN_ATTR.6
X520.Locality = DN_ATTR.7
X520.State = DN_ATTR.8
X520.Organization = DN_ATTR.10
X520.OrganizationalUnit = DN_ATTR.11
X520.Title = DN_ATTR.12
X520.GivenName = DN_ATTR.42
X520.Initials = DN_ATTR.43
X520.GenerationalQualifier = DN_ATTR.44
X520.DNQualifier = DN_ATTR.46
X520.Pseudonym = DN_ATTR.65

X509v3.SubjectKeyIdentifier = X509_KU.14
X509v3.KeyUsage = X509_KU.15
X509v3.SubjectAlternativeName = X509_KU.17
X509v3.IssuerAlternativeName = X509_KU.18
X509v3.BasicConstraints = X509_KU.19
X509v3.CRLNumber = X509_KU.20
X509v3.ReasonCode = X509_KU.21
X509v3.HoldInstructionCode = X509_KU.23
X509v3.InvalidityDate = X509_KU.24
X509v3.CertificatePolicies = X509_KU.32
X509v3.AuthorityKeyIdentifier = X509_KU.35
X509v3.PolicyConstraints = X509_KU.36
X509v3.ExtendedKeyUsage = X509_KU.37

PKIX.ServerAuth = PKIX_USAGE.1
PKIX.ClientAuth = PKIX_USAGE.2
PKIX.CodeSigning = PKIX_USAGE.3
PKIX.EmailProtection = PKIX_USAGE.4
PKIX.IPsecEndSystem = PKIX_USAGE.5
PKIX.IPsecTunnel = PKIX_USAGE.6
PKIX.IPsecUser = PKIX_USAGE.7
PKIX.TimeStamping = PKIX_USAGE.8
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-02 22:55:15 +0000