From 07026c9c51cf5473210a1d07950fa75f9150d274 Mon Sep 17 00:00:00 2001 From: Ziqi Zhang Date: Mon, 31 Jul 2023 14:53:26 +1000 Subject: [PATCH] Add CRL support to Prometheus This commit adds support for checking certificate revocation status against a Certificate Revocation List (CRL) in Prometheus. New fields 'CRL' and 'CRLFile' have been added to the Prometheus config ('tls_config' section). These enable certificate revocation validation with the provided CRL. Prometheus loads the Certificate Revocation List (CRL) to validate the revocation status of the peer's certificate chain by invoking the 'verifyPeerCertificate' (https://pkg.go.dev/crypto/tls) function during a TLS handshake. 
Signed-off-by: Ziqi Zhang --- config/generate.go | 160 +++++++++- config/http_config.go | 230 ++++++++++++++- config/http_config_test.go | 274 +++++++++++++++++- config/testdata/client.crt | 54 ++-- config/testdata/client.key | 100 +++---- config/testdata/crl_cert_revoked.pem | 19 ++ config/testdata/crl_cert_revoked_expired.pem | 19 ++ config/testdata/crl_chain_all_empty.pem | 36 +++ config/testdata/crl_chain_cert_revoked.pem | 37 +++ .../crl_chain_inter_ca_cert_revoked.pem | 37 +++ .../testdata/crl_chain_irlvt_cert_revoked.pem | 37 +++ config/testdata/crl_inter_empty.pem | 18 ++ config/testdata/crl_root_empty.pem | 18 ++ config/testdata/self-signed-client.crt | 50 ++-- config/testdata/self-signed-client.key | 100 +++---- config/testdata/server.crt | 54 ++-- config/testdata/server.key | 100 +++---- config/testdata/server_revoked.crt | 33 +++ config/testdata/server_revoked.key | 52 ++++ config/testdata/tls-ca-chain-add-irlvt-ca.pem | 100 +++++++ config/testdata/tls-ca-chain.pem | 110 +++---- config/testdata/tls-ca-no-root.pem | 34 +++ 22 files changed, 1365 insertions(+), 307 deletions(-) create mode 100644 config/testdata/crl_cert_revoked.pem create mode 100644 config/testdata/crl_cert_revoked_expired.pem create mode 100644 config/testdata/crl_chain_all_empty.pem create mode 100644 config/testdata/crl_chain_cert_revoked.pem create mode 100644 config/testdata/crl_chain_inter_ca_cert_revoked.pem create mode 100644 config/testdata/crl_chain_irlvt_cert_revoked.pem create mode 100644 config/testdata/crl_inter_empty.pem create mode 100644 config/testdata/crl_root_empty.pem create mode 100644 config/testdata/server_revoked.crt create mode 100644 config/testdata/server_revoked.key create mode 100644 config/testdata/tls-ca-chain-add-irlvt-ca.pem create mode 100644 config/testdata/tls-ca-no-root.pem diff --git a/config/generate.go b/config/generate.go index 0033dd75..f277a32b 100644 --- a/config/generate.go +++ b/config/generate.go 
@@ -92,7 +92,7 @@ func GenerateCertificateAuthority(commonName string, parentCert *x509.Certificat }, NotBefore: now, NotAfter: now.Add(validityPeriod), - KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign, + KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign | x509.KeyUsageCRLSign, IsCA: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, BasicConstraintsValid: true, @@ -186,6 +186,51 @@ func writeCertificateAndKey(path string, cert *x509.Certificate, key *rsa.Privat return nil } +func GenerateCRL(cert *x509.Certificate, privateKey *rsa.PrivateKey, revokedCerts []pkix.RevokedCertificate, isExpired bool) ([]byte, error) { + now := time.Now() + + next := now.Add(30 * 24 * time.Hour) + if isExpired { + next = now + } + + crl := &x509.RevocationList{ + SignatureAlgorithm: x509.SHA256WithRSA, + ThisUpdate: now, + NextUpdate: next, + RevokedCertificates: revokedCerts, + Number: big.NewInt(1), + Issuer: cert.Subject, + } + + crlBytes, err := x509.CreateRevocationList(rand.Reader, crl, cert, privateKey) + if err != nil { + return nil, fmt.Errorf("cannot create revocation list: %v", err) + } + + return crlBytes, nil +} + +func writeCRLs(filename string, crlData [][]byte) error { + crlPemBytes := new(bytes.Buffer) + for _, data := range crlData { + crlPem := &pem.Block{ + Type: "X509 CRL", + Bytes: data, + } + err := pem.Encode(crlPemBytes, crlPem) + if err != nil { + return err + } + } + + if crlPemBytes == nil { + return fmt.Errorf("empty CRL to write") + } + + return os.WriteFile(filename, crlPemBytes.Bytes(), 0644) +} + func main() { log.Println("Generating root CA") rootCert, rootKey, err := GenerateCertificateAuthority("Prometheus Root CA", nil, nil) 
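Review bot: The empty-output guard in writeCRLs can never fire, because `crlPemBytes` comes from `new(bytes.Buffer)` and is therefore never nil; an empty `crlData` slice ends up writing a zero-length file instead of returning "empty CRL to write". Testing the content instead, `if crlPemBytes.Len() == 0 {`, gives the guard the meaning its message describes. In GenerateCRL the wrapped error is formatted with `%v`; `%w` would keep the cause inspectable with errors.Is and errors.As.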
@@ -199,6 +244,12 @@ func main() { log.Fatal(err) } + log.Println("Generating Irrelevant CA") + irlvtCert, irlvtKey, err := GenerateCertificateAuthority("Prometheus TLS Irrelevant CA", nil, nil) + if err != nil { + log.Fatal(err) + } + log.Println("Generating server certificate") cert, key, err := GenerateCertificate(caCert, caKey, true, "localhost", net.IPv4(127, 0, 0, 1), net.IPv4(127, 0, 0, 0)) if err != nil { @@ -209,6 +260,16 @@ func main() { log.Fatal(err) } + log.Println("Generating revoked server certificate") + revokedCert, revokedKey, err := GenerateCertificate(caCert, caKey, true, "localhost", net.IPv4(127, 0, 0, 1), net.IPv4(127, 0, 0, 0)) + if err != nil { + log.Fatal(err) + } + + if err := writeCertificateAndKey("testdata/server_revoked", revokedCert, revokedKey); err != nil { + log.Fatal(err) + } + log.Println("Generating client certificate") cert, key, err = GenerateCertificate(caCert, caKey, false, "localhost") if err != nil { @@ -235,6 +296,10 @@ func main() { log.Fatal(err) } + if err := os.WriteFile("testdata/tls-ca-no-root.pem", b.Bytes(), 0644); err != nil { + log.Fatal(err) + } + if err := EncodeCertificate(&b, rootCert); err != nil { log.Fatal(err) } 
@@ -242,4 +307,97 @@ func main() { if err := os.WriteFile("testdata/tls-ca-chain.pem", b.Bytes(), 0644); err != nil { log.Fatal(err) } + + if err := EncodeCertificate(&b, irlvtCert); err != nil { + log.Fatal(err) + } + + if err := os.WriteFile("testdata/tls-ca-chain-add-irlvt-ca.pem", b.Bytes(), 0644); err != nil { + log.Fatal(err) + } + + log.Println("Generating CRLs") + crlProp_revokedCert := []pkix.RevokedCertificate{ + { + SerialNumber: revokedCert.SerialNumber, + RevocationTime: time.Now(), + }, + } + + crl_RevokedCert, err := GenerateCRL(caCert, caKey, crlProp_revokedCert, false) + if err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_cert_revoked.pem", [][]byte{crl_RevokedCert}); err != nil { + log.Fatal(err) + } + + crl_RevokedCert_expired, err := GenerateCRL(caCert, caKey, crlProp_revokedCert, true) + if err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_cert_revoked_expired.pem", [][]byte{crl_RevokedCert_expired}); err != nil { + log.Fatal(err) + } + + crl_irlvtRevokedCert, err := GenerateCRL(irlvtCert, irlvtKey, crlProp_revokedCert, false) + if err != nil { + log.Fatal(err) + } + + crlProp_empty := []pkix.RevokedCertificate{ + { + SerialNumber: big.NewInt(1), + RevocationTime: time.Now(), + }, + } + + crl_InterCA_Empty, err := GenerateCRL(caCert, caKey, crlProp_empty, false) + if err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_inter_empty.pem", [][]byte{crl_InterCA_Empty}); err != nil { + log.Fatal(err) + } + + crlProp_RevokedInterCA := []pkix.RevokedCertificate{ + { + SerialNumber: caCert.SerialNumber, + RevocationTime: time.Now(), + }, + } + + crl_revokedInterCA, err := GenerateCRL(rootCert, rootKey, crlProp_RevokedInterCA, false) + if err != nil { + log.Fatal(err) + } + + crl_Root_Empty, err := GenerateCRL(rootCert, rootKey, crlProp_empty, false) + if err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_root_empty.pem", [][]byte{crl_Root_Empty}); err != nil { + 
log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_chain_all_empty.pem", [][]byte{crl_InterCA_Empty, crl_Root_Empty}); err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_chain_cert_revoked.pem", [][]byte{crl_Root_Empty, crl_RevokedCert}); err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_chain_inter_ca_cert_revoked.pem", [][]byte{crl_revokedInterCA, crl_InterCA_Empty}); err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_chain_irlvt_cert_revoked.pem", [][]byte{crl_InterCA_Empty, crl_irlvtRevokedCert}); err != nil { + log.Fatal(err) + } + } diff --git a/config/http_config.go b/config/http_config.go index 37aa9667..c632f9e3 100644 --- a/config/http_config.go +++ b/config/http_config.go @@ -20,6 +20,7 @@ import ( "crypto/tls" "crypto/x509" "encoding/json" + "encoding/pem" "fmt" "net" "net/http" @@ -861,6 +862,13 @@ func NewTLSConfig(cfg *TLSConfig) (*tls.Config, error) { tlsConfig.GetClientCertificate = cfg.getClientCertificate } + // If Certificate Revocation List(s) are provided + // then let's read it in so we can validate the + // scrape target's certificate properly. + if len(cfg.CRLFile) > 0 || len(cfg.CRL) > 0 { + tlsConfig.VerifyPeerCertificate = cfg.verifyPeerCertificate + } + return tlsConfig, nil } 
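Review bot: `crlProp_empty` is not empty: it lists serial 1 as revoked, so the fixtures named crl_inter_empty.pem, crl_root_empty.pem and crl_chain_all_empty.pem each carry one revocation entry. Because verifyPeerCertificate (config/http_config.go in this patch) matches on serial number alone, none of these fixtures exercises a CRL with zero entries. Passing `nil` for revokedCerts, assuming CreateRevocationList accepts it in the targeted Go version, or renaming the variable to say it revokes an unused serial would make the test data say what it is. The underscore names (`crl_RevokedCert`, `crlProp_revokedCert`) also depart from Go's MixedCaps convention. main's body starts outside this hunk.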
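Review bot: Nothing is read or parsed at this point despite the comment; the hunk only installs `cfg.verifyPeerCertificate`, so a missing, malformed or expired CRL is first reported during a handshake rather than when the config is loaded. In addition, with `insecure_skip_verify: true` the callback receives nil verifiedChains and returns nil (see verifyPeerCertificate later in this patch), so a configured CRL is silently not enforced. Consider validating the CRL once here, and either rejecting the `crl`/`crl_file` plus `insecure_skip_verify` combination in Validate or documenting it on the fields. A more accurate comment would be `// Check the peer's chain against the configured CRL(s) after normal verification.` NewTLSConfig's body starts outside this hunk.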
@@ -872,12 +880,16 @@ type TLSConfig struct { Cert string `yaml:"cert,omitempty" json:"cert,omitempty"` // Text of the client key file for the targets. Key Secret `yaml:"key,omitempty" json:"key,omitempty"` + // Text of the CRL to use for certificate revocation verification. + CRL string `yaml:"crl,omitempty" json:"crl,omitempty"` // The CA cert to use for the targets. CAFile string `yaml:"ca_file,omitempty" json:"ca_file,omitempty"` // The client cert file for the targets. CertFile string `yaml:"cert_file,omitempty" json:"cert_file,omitempty"` // The client key file for the targets. KeyFile string `yaml:"key_file,omitempty" json:"key_file,omitempty"` + // The CRL to use for for certificate revocation verification. + CRLFile string `yaml:"crl_file,omitempty" json:"crl_file,omitempty"` // Used to verify the hostname for the targets. ServerName string `yaml:"server_name,omitempty" json:"server_name,omitempty"` // Disable target certificate validation. @@ -896,6 +908,7 @@ func (c *TLSConfig) SetDirectory(dir string) { c.CAFile = JoinDir(dir, c.CAFile) c.CertFile = JoinDir(dir, c.CertFile) c.KeyFile = JoinDir(dir, c.KeyFile) + c.CRLFile = JoinDir(dir, c.CRLFile) } // UnmarshalYAML implements the yaml.Unmarshaler interface. @@ -920,6 +933,9 @@ func (c *TLSConfig) Validate() error { if len(c.Key) > 0 && len(c.KeyFile) > 0 { return fmt.Errorf("at most one of key and key_file must be configured") } + if len(c.CRL) > 0 && len(c.CRLFile) > 0 { + return fmt.Errorf("at most one of crl and crl_file must be configured") + } if c.usingClientCert() && !c.usingClientKey() { return fmt.Errorf("exactly one of key or key_file must be configured when a client certificate is configured") @@ -946,6 +962,8 @@ func (c *TLSConfig) roundTripperSettings() TLSRoundTripperSettings { CertFile: c.CertFile, Key: string(c.Key), KeyFile: c.KeyFile, + CRL: c.CRL, + CRLFile: c.CRLFile, } } 
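Review bot: The new field comments on `CRL` and `CRLFile` do not state the expected format, and the CRLFile one has a doubled word ("for for"). parseCRLs in this patch accepts only PEM blocks of type "X509 CRL" and reads several of them from one input, so the comment could read `// Path to a PEM file with one or more CRLs ("X509 CRL" blocks) used to check the target's certificate chain for revocation.`, with a matching "inline PEM text" wording for `CRL`. The Validate hunk on this same line enforces that only one of the two is set, which is worth mentioning in those comments as well.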
@@ -1014,6 +1032,7 @@ type tlsRoundTripper struct { hashCAData []byte hashCertData []byte hashKeyData []byte + hashCRLData []byte tlsConfig *tls.Config } @@ -1021,6 +1040,7 @@ type TLSRoundTripperSettings struct { CA, CAFile string Cert, CertFile string Key, KeyFile string + CRL, CRLFile string } func NewTLSRoundTripper( @@ -1039,7 +1059,7 @@ func NewTLSRoundTripper( return nil, err } t.rt = rt - _, t.hashCAData, t.hashCertData, t.hashKeyData, err = t.getTLSDataWithHash() + _, t.hashCAData, t.hashCertData, t.hashKeyData, t.hashCRLData, err = t.getTLSDataWithHash() if err != nil { return nil, err } @@ -1047,9 +1067,9 @@ func NewTLSRoundTripper( return t, nil } -func (t *tlsRoundTripper) getTLSDataWithHash() ([]byte, []byte, []byte, []byte, error) { +func (t *tlsRoundTripper) getTLSDataWithHash() ([]byte, []byte, []byte, []byte, []byte, error) { var ( - caBytes, certBytes, keyBytes []byte + caBytes, certBytes, keyBytes, crlBytes []byte err error ) @@ -1057,7 +1077,7 @@ func (t *tlsRoundTripper) getTLSDataWithHash() ([]byte, []byte, []byte, []byte, if t.settings.CAFile != "" { caBytes, err = os.ReadFile(t.settings.CAFile) if err != nil { - return nil, nil, nil, nil, err + return nil, nil, nil, nil, nil, err } } else if t.settings.CA != "" { caBytes = []byte(t.settings.CA) @@ -1066,7 +1086,7 @@ func (t *tlsRoundTripper) getTLSDataWithHash() ([]byte, []byte, []byte, []byte, if t.settings.CertFile != "" { certBytes, err = os.ReadFile(t.settings.CertFile) if err != nil { - return nil, nil, nil, nil, err + return nil, nil, nil, nil, nil, err } } else if t.settings.Cert != "" { certBytes = []byte(t.settings.Cert) 
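Review bot: getTLSDataWithHash now returns five `[]byte` values positionally, and both call sites in this patch (NewTLSRoundTripper and RoundTrip) must keep them in the same order with nothing for the compiler to check. A small unexported struct with named fields (for example `caData, caHash, certHash, keyHash, crlHash`) would remove that risk and stop every early `return nil, nil, nil, nil, nil, err` from growing with each new input. The function's body continues in the following hunks.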
@@ -1075,13 +1095,22 @@ func (t *tlsRoundTripper) getTLSDataWithHash() ([]byte, []byte, []byte, []byte, if t.settings.KeyFile != "" { keyBytes, err = os.ReadFile(t.settings.KeyFile) if err != nil { - return nil, nil, nil, nil, err + return nil, nil, nil, nil, nil, err } } else if t.settings.Key != "" { keyBytes = []byte(t.settings.Key) } - var caHash, certHash, keyHash [32]byte + if t.settings.CRLFile != "" { + crlBytes, err = os.ReadFile(t.settings.CRLFile) + if err != nil { + return nil, nil, nil, nil, nil, err + } + } else if t.settings.CRL != "" { + crlBytes = []byte(t.settings.CRL) + } + + var caHash, certHash, keyHash, crlHash [32]byte if len(caBytes) > 0 { caHash = sha256.Sum256(caBytes) @@ -1092,13 +1121,16 @@ func (t *tlsRoundTripper) getTLSDataWithHash() ([]byte, []byte, []byte, []byte, if len(keyBytes) > 0 { keyHash = sha256.Sum256(keyBytes) } + if len(crlBytes) > 0 { + crlHash = sha256.Sum256(crlBytes) + } - return caBytes, caHash[:], certHash[:], keyHash[:], nil + return caBytes, caHash[:], certHash[:], keyHash[:], crlHash[:], nil } // RoundTrip implements the http.RoundTrip interface. func (t *tlsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { - caData, caHash, certHash, keyHash, err := t.getTLSDataWithHash() + caData, caHash, certHash, keyHash, crlHash, err := t.getTLSDataWithHash() if err != nil { return nil, err } @@ -1106,7 +1138,8 @@ func (t *tlsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { t.mtx.RLock() equal := bytes.Equal(caHash[:], t.hashCAData) && bytes.Equal(certHash[:], t.hashCertData) && - bytes.Equal(keyHash[:], t.hashKeyData) + bytes.Equal(keyHash[:], t.hashKeyData) && + bytes.Equal(crlHash[:], t.hashCRLData) rt := t.rt t.mtx.RUnlock() if equal { 
@@ -1132,6 +1165,7 @@ func (t *tlsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { t.hashCAData = caHash[:] t.hashCertData = certHash[:] t.hashKeyData = keyHash[:] + t.hashCRLData = crlHash[:] t.mtx.Unlock() return rt.RoundTrip(req) 
@@ -1249,3 +1283,179 @@ func (c *ProxyConfig) Proxy() (fn func(*http.Request) (*url.URL, error)) { func (c *ProxyConfig) GetProxyConnectHeader() http.Header { return c.ProxyConnectHeader.HTTPHeader() } + +// The function is invoked at the end of TLS handshake. +// It is verifying peer provided certificate chain status +// with provided Certificate Revocation List. If the +// verifiedChains is nil, skip the verifyPeerCeritificate. +func (c *TLSConfig) verifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { + // Skip the CRL verification while verifiedChains is nil. + if verifiedChains == nil { + return nil + } + + // Ensure the peer provide certificates. + if rawCerts == nil { + return fmt.Errorf("unable to get peer certificates") + } + + // Parse CA certificates to a slice of certificates if provided. + var rawCAs []byte + var err error + + if len(c.CA) > 0 { + rawCAs = []byte(c.CA) + } else if len(c.CAFile) > 0 { + rawCAs, err = readCAFile(c.CAFile) + if err != nil { + return err + } + } + + var cAs []*x509.Certificate + if rawCAs != nil { + cAs, err = parseCerts(rawCAs) + if err != nil { + return err + } + } + + // Append the peer's verified CA chain to parsed CA, + // in case there is any missing CA. + cAs = append(cAs, verifiedChains[0][1:]...) + + // Remove any irrelevant CA certificate from CA chain. + cAs, err = CreateCAChain(verifiedChains[0][0], cAs) + if err != nil { + return err + } + + // Parse CRLs raw data. + var rawCRL []byte + if len(c.CRL) > 0 { + rawCRL = []byte(c.CRL) + } else if len(c.CRLFile) > 0 { + rawCRL, err = os.ReadFile(c.CRLFile) + if err != nil { + return err + } + } + if len(rawCRL) == 0 { + return fmt.Errorf("CRL is empty") + } + + // Verify CRLs that are signed by trusted CA and not expired, + // return a slice of valid CRLs. 
+ crlsList, err := parseCRLs(rawCRL, cAs)
+ if err != nil {
+ return err
+ }
+
+ // Append the end-entity certificate that sent from peer,
+ // and verify the peer's certificates chain revocation status
+ // against valid CRLs.
+ cAs = append(cAs, verifiedChains[0][0])
+
+ for _, cert := range cAs {
+ for _, crl := range crlsList {
+ for _, revokedCertificate := range crl.RevokedCertificates {
+ if revokedCertificate.SerialNumber.Cmp(cert.SerialNumber) == 0 {
+ return fmt.Errorf("certificate was revoked")
+ }
+ }
+ }
+ }
+
+ return nil
+}
+
+// Parse all CRLs and return a slice of valid CRLs.
+func parseCRLs(rawCRL []byte, cAs []*x509.Certificate) ([]*x509.RevocationList, error) {
+ var crls []*x509.RevocationList
+ for p, r := pem.Decode(rawCRL); p != nil; p, r = pem.Decode(r) {
+ if p.Type != "X509 CRL" {
+ return nil, fmt.Errorf("unable to decode raw certificate revocation list")
+ }
+ crl, err := x509.ParseRevocationList(p.Bytes)
+ if err != nil {
+ return nil, err
+ }
+
+ // Check CRL exipry status.
+ if crl.NextUpdate.Before(time.Now()) {
+ return nil, fmt.Errorf("certificate revocation list is outdated")
+ }
+
+ // Check each CRL is signed by any CA, if not, ignore the CRL.
+ // Otherwise, append to the valid slice of CRL.
+ for _, ca := range cAs {
+ err = crl.CheckSignatureFrom(ca)
+ if err == nil {
+ crls = append(crls, crl)
+ break
+ }
+ }
+ }
+ return crls, nil
+}
+
+// Parse raw certificates with padding structure.
+func parseCerts(rawCerts []byte) ([]*x509.Certificate, error) {
+ var certList []*x509.Certificate
+ for p, r := pem.Decode(rawCerts); p != nil; p, r = pem.Decode(r) {
+ if p.Type != "CERTIFICATE" {
+ return nil, fmt.Errorf("unable to decode raw certificates")
+ }
+ cert, err := x509.ParseCertificate(p.Bytes)
+ if err != nil {
+ return nil, err
+ }
+ certList = append(certList, cert)
+ }
+ return certList, nil
+}
+
+// Construct the certificate chain with the provided certificate as base.
+func CreateCAChain(cert *x509.Certificate, cAs []*x509.Certificate) ([]*x509.Certificate, error) {
+ chain := make([]*x509.Certificate, 0)
+ chain = append(chain, cert)
+
+ for {
+ // Reach the root certificate, stop constructing the CA Chain.
+ if isRoot(cert) {
+ break
+ }
+
+ // Find the issuer by current certificate,
+ // stop constructing the CA Chain if none of issuers found.
+ issuer, err := findIssuer(cert, cAs)
+ if err != nil {
+ break
+ }
+
+ // Append relevant issuer
+ chain = append(chain, issuer)
+
+ // Assign the found issuer as the next certificate that to find its issuer.
+ cert = issuer
+ }
+
+ return chain, nil
+}
+
+// Find the issuer certificate from the set of possible issuers.
+func findIssuer(cert *x509.Certificate, possibleIssuers []*x509.Certificate) (*x509.Certificate, error) {
+ for _, issuer := range possibleIssuers {
+ err := cert.CheckSignatureFrom(issuer)
+ if err == nil {
+ // Found iusser certificate.
+ return issuer, nil
+ }
+ }
+ return nil, fmt.Errorf("no issuer found")
+}
+
+// Check if the certificate is at a root.
+func isRoot(cert *x509.Certificate) bool {
+ return bytes.Equal(cert.RawIssuer, cert.RawSubject) && cert.IsCA
+}
diff --git a/config/http_config_test.go b/config/http_config_test.go
index ca2ed71a..5ee94f3d 100644
--- a/config/http_config_test.go
+++ b/config/http_config_test.go
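Review bot: The revocation loop in verifyPeerCertificate compares each chain certificate's serial with every entry of every accepted CRL, but serial numbers are unique only per issuer, so an entry on the root's CRL can reject an unrelated certificate issued by the intermediate; adding `if !bytes.Equal(crl.RawIssuer, cert.RawIssuer) { continue }` before the inner loop scopes each CRL to the certificates its issuer signed. The check also passes when parseCRLs returns no usable CRL at all (input with no PEM block, or CRLs signed by none of the chain's CAs), so a wrong `crl_file` disables revocation checking without an error; returning an error when `len(crlsList) == 0`, and ideally when the leaf's issuer has no CRL, would make that visible. CreateCAChain has no bound or visited set, so a `ca_file` holding mutually cross-signed CA certificates could, as far as I can tell, keep the `for` loop appending indefinitely; capping the iterations at `len(cAs)` avoids that. The CA and CRL inputs are also re-read and re-parsed on every handshake.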
@@ -39,18 +39,23 @@ import ( ) const ( - TLSCAChainPath = "testdata/tls-ca-chain.pem" - ServerCertificatePath = "testdata/server.crt" - ServerKeyPath = "testdata/server.key" - ClientCertificatePath = "testdata/client.crt" - ClientKeyNoPassPath = "testdata/client.key" - InvalidCA = "testdata/client.key" - WrongClientCertPath = "testdata/self-signed-client.crt" - WrongClientKeyPath = "testdata/self-signed-client.key" - EmptyFile = "testdata/empty" - MissingCA = "missing/ca.crt" - MissingCert = "missing/cert.crt" - MissingKey = "missing/secret.key" + TLSCAChainPath = "testdata/tls-ca-chain.pem" + TLSCACHainNoRootPath = "testdata/tls-ca-no-root.pem" + ServerCertificatePath = "testdata/server.crt" + ServerKeyPath = "testdata/server.key" + ServerCertificatePath_CRL = "testdata/server_revoked.crt" + ServerKeyPath_CRL = "testdata/server_revoked.key" + ClientCertificatePath = "testdata/client.crt" + ClientKeyNoPassPath = "testdata/client.key" + InvalidCA = "testdata/client.key" + WrongClientCertPath = "testdata/self-signed-client.crt" + WrongClientKeyPath = "testdata/self-signed-client.key" + EmptyFile = "testdata/empty" + MissingCA = "missing/ca.crt" + MissingCert = "missing/cert.crt" + MissingKey = "missing/secret.key" + FullCRLChainPath = "testdata/crl_chain_all_empty.pem" + FullCRLChainCertReovkedPath = "testdata/crl_chain_cert_revoked.pem" ExpectedMessage = "I'm here to serve you!!!" ExpectedError = "expected error" 
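Review bot: Two of the new constant names carry typos, `TLSCACHainNoRootPath` and `FullCRLChainCertReovkedPath`, and `ServerCertificatePath_CRL` / `ServerKeyPath_CRL` use underscores where the surrounding constants use MixedCaps. The tests added later in this patch reference all four, so correcting them now (`TLSCAChainNoRootPath`, `FullCRLChainCertRevokedPath`, `RevokedServerCertificatePath`, `RevokedServerKeyPath`) is cheaper than renaming afterwards. The `_CRL` suffix also hides that these two paths point at the revoked server certificate and key.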
@@ -160,6 +165,33 @@ func newTestServer(handler func(w http.ResponseWriter, r *http.Request)) (*httpt return testServer, nil } +func newTestCRLServer(handler func(w http.ResponseWriter, r *http.Request), serverCertPath, serverKeyPath string) (*httptest.Server, error) { + testServer := httptest.NewUnstartedServer(http.HandlerFunc(handler)) + + tlsCAChain, err := os.ReadFile(TLSCAChainPath) + if err != nil { + return nil, fmt.Errorf("Can't read %s", TLSCAChainPath) + } + serverCertificate, err := tls.LoadX509KeyPair(serverCertPath, serverKeyPath) + if err != nil { + return nil, fmt.Errorf("Can't load X509 key pair %s - %s", serverCertPath, serverKeyPath) + } + + rootCAs := x509.NewCertPool() + rootCAs.AppendCertsFromPEM(tlsCAChain) + + testServer.TLS = &tls.Config{ + Certificates: make([]tls.Certificate, 1), + RootCAs: rootCAs, + ClientAuth: tls.RequireAndVerifyClientCert, + ClientCAs: rootCAs} + testServer.TLS.Certificates[0] = serverCertificate + + testServer.StartTLS() + + return testServer, nil +} + func TestNewClientFromConfig(t *testing.T) { var newClientValidConfig = []struct { clientConfig HTTPClientConfig 
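Review bot: newTestCRLServer drops the underlying error in both `fmt.Errorf` calls and ignores the boolean returned by `rootCAs.AppendCertsFromPEM`, so a broken fixture surfaces later as an unrelated handshake failure. Wrapping the cause, e.g. `fmt.Errorf("reading %s: %w", TLSCAChainPath, err)`, and failing when AppendCertsFromPEM returns false would point straight at the fixture. The helper also appears to repeat newTestServer apart from the certificate paths; only the tail of newTestServer is visible in this hunk, so that is inferred, but if so newTestServer could delegate to this parameterised version.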
@@ -1980,6 +2012,224 @@ no_proxy: promcon.io,cncf.io`, proxyServer.URL), } } +// Test with empty CRL and irrelevant CRL. +func TestNewClientFromEmptyCRLConfig(t *testing.T) { + var newClientValidConfig = []struct { + clientConfig HTTPClientConfig + handler func(w http.ResponseWriter, r *http.Request) + }{ + { // Full chain of CA and empty CRL. + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCAChainPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: FullCRLChainPath, + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, { // Full chain of CA and single empty intermediate CRL. + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCAChainPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: "testdata/crl_inter_empty.pem", + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, { // Full chain of CA and single empty root CRL. + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCAChainPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: "testdata/crl_root_empty.pem", + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, { // Missing root in the chain of CA and full chain of CRL. 
+ clientConfig: HTTPClientConfig{
+ TLSConfig: TLSConfig{
+ CAFile: TLSCACHainNoRootPath,
+ CertFile: ClientCertificatePath,
+ KeyFile: ClientKeyNoPassPath,
+ ServerName: "",
+ CRLFile: FullCRLChainPath,
+ InsecureSkipVerify: false},
+ },
+ handler: func(w http.ResponseWriter, r *http.Request) {
+ fmt.Fprint(w, ExpectedMessage)
+ },
+ }, { // TLS Config contain a pair of irrelevant CA and CRL
+ clientConfig: HTTPClientConfig{
+ TLSConfig: TLSConfig{
+ CAFile: "testdata/tls-ca-chain-add-irlvt-ca.pem",
+ CertFile: ClientCertificatePath,
+ KeyFile: ClientKeyNoPassPath,
+ ServerName: "",
+ CRLFile: "testdata/crl_chain_irlvt_cert_revoked.pem",
+ InsecureSkipVerify: false},
+ },
+ handler: func(w http.ResponseWriter, r *http.Request) {
+ fmt.Fprint(w, ExpectedMessage)
+ },
+ }, { // Full chain of CA and CRL, the Intermediate CA revoke the peer certificate,
+ // set true to InsecureSkipVerify should skip the verifyPeerCertificate.
+ clientConfig: HTTPClientConfig{
+ TLSConfig: TLSConfig{
+ CAFile: TLSCAChainPath,
+ CertFile: ClientCertificatePath,
+ KeyFile: ClientKeyNoPassPath,
+ ServerName: "",
+ CRLFile: FullCRLChainCertReovkedPath,
+ InsecureSkipVerify: true},
+ },
+ handler: func(w http.ResponseWriter, r *http.Request) {
+ fmt.Fprint(w, ExpectedMessage)
+ },
+ },
+ }
+
+ for _, validConfig := range newClientValidConfig {
+ testServer, err := newTestCRLServer((validConfig.handler), ServerCertificatePath_CRL, ServerKeyPath_CRL)
+ if err != nil {
+ t.Fatal(err.Error())
+ }
+ defer testServer.Close()
+
+ client, err := NewClientFromConfig(validConfig.clientConfig, "test")
+ if err != nil {
+ t.Errorf("Can't create a client from this config: %+v", validConfig.clientConfig)
+ continue
+ }
+
+ _, err = client.Get(testServer.URL)
+ if err != nil {
+ t.Errorf("Got Error %q", err)
+ }
+ }
+}
+
+// Test with revoked certificate.
+func TestNewClientFromRevokedCertConfig(t *testing.T) {
+ var newClientValidConfig = []struct {
+ clientConfig HTTPClientConfig
+ handler func(w http.ResponseWriter, r *http.Request)
+ }{
+ { // Full chain of CA and CRL, the Intermediate CA revoke the peer certificate.
+ clientConfig: HTTPClientConfig{
+ TLSConfig: TLSConfig{
+ CAFile: TLSCAChainPath,
+ CertFile: ClientCertificatePath,
+ KeyFile: ClientKeyNoPassPath,
+ ServerName: "",
+ CRLFile: FullCRLChainCertReovkedPath,
+ InsecureSkipVerify: false},
+ },
+ handler: func(w http.ResponseWriter, r *http.Request) {
+ fmt.Fprint(w, ExpectedMessage)
+ },
+ }, { // Full chain of CA and the single root CA revoke the intermediate CA certificate.
+ clientConfig: HTTPClientConfig{
+ TLSConfig: TLSConfig{
+ CAFile: TLSCAChainPath,
+ CertFile: ClientCertificatePath,
+ KeyFile: ClientKeyNoPassPath,
+ ServerName: "",
+ CRLFile: "testdata/crl_chain_inter_ca_cert_revoked.pem",
+ InsecureSkipVerify: false},
+ },
+ handler: func(w http.ResponseWriter, r *http.Request) {
+ fmt.Fprint(w, ExpectedMessage)
+ },
+ }, { // Missing root in the CA Chain and the full chain of CRLs, the Intermediate CA revoke the peer certificate.
+ clientConfig: HTTPClientConfig{
+ TLSConfig: TLSConfig{
+ CAFile: TLSCACHainNoRootPath,
+ CertFile: ClientCertificatePath,
+ KeyFile: ClientKeyNoPassPath,
+ ServerName: "",
+ CRLFile: FullCRLChainCertReovkedPath,
+ InsecureSkipVerify: false},
+ },
+ handler: func(w http.ResponseWriter, r *http.Request) {
+ fmt.Fprint(w, ExpectedMessage)
+ },
+ },
+ }
+
+ for _, validConfig := range newClientValidConfig {
+ testServer, err := newTestCRLServer((validConfig.handler), ServerCertificatePath_CRL, ServerKeyPath_CRL)
+ if err != nil {
+ t.Fatal(err.Error())
+ }
+ defer testServer.Close()
+
+ client, err := NewClientFromConfig(validConfig.clientConfig, "test")
+ if err != nil {
+ t.Errorf("Can't create a client from this config: %+v", validConfig.clientConfig)
+ continue
+ }
+
+ _, err = client.Get(testServer.URL)
+ if err == nil || !strings.Contains(err.Error(), "certificate was revoked") {
+ t.Errorf("Expected error %q but got %q", "certificate was revoked", err)
+ }
+ }
+}
+
+// Test with expired CRL.
+func TestNewClientFromExpiredCRLConfig(t *testing.T) { + var newClientValidConfig = []struct { + clientConfig HTTPClientConfig + handler func(w http.ResponseWriter, r *http.Request) + }{ + { + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCAChainPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: "testdata/crl_cert_revoked_expired.pem", + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, + } + + for _, validConfig := range newClientValidConfig { + testServer, err := newTestCRLServer((validConfig.handler), ServerCertificatePath_CRL, ServerKeyPath_CRL) + if err != nil { + t.Fatal(err.Error()) + } + defer testServer.Close() + + client, err := NewClientFromConfig(validConfig.clientConfig, "test") + if err != nil { + t.Errorf("Can't create a client from this config: %+v", validConfig.clientConfig) + continue + } + + _, err = client.Get(testServer.URL) + if err == nil || !strings.Contains(err.Error(), "certificate revocation list is outdated") { + t.Errorf("Expected error %q but got %q", "certificate revocation list is outdated", err) + } + } +} + func readFile(t *testing.T, filename string) string { t.Helper() diff --git a/config/testdata/client.crt b/config/testdata/client.crt index 5e68bd44..189a1c08 100644 --- a/config/testdata/client.crt +++ b/config/testdata/client.crt 
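Review bot: In all three new tests `defer testServer.Close()` sits inside the `for` loop, so every server stays up until the test function returns, and the response from `client.Get` is discarded without closing its body. Wrapping each case in a named `t.Run` makes the defer fire per case and identifies which configuration failed; on success the body should be closed, e.g. `resp, err := client.Get(testServer.URL)` followed by `resp.Body.Close()` when err is nil. TestNewClientFromEmptyCRLConfig also serves the revoked server certificate for every case, which neither its name nor its per-case comments mention. There is no case for a `crl_file` that yields no usable CRL, which is the path where verifyPeerCertificate currently lets the handshake pass.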
@@ -1,32 +1,32 @@ -----BEGIN CERTIFICATE----- -MIIFgjCCA2qgAwIBAgIRAMMSh5NoexSCjSvDRf1fpgQwDQYJKoZIhvcNAQELBQAw +MIIFgjCCA2qgAwIBAgIRAJhzsQ9PS6cSzJuE6HX04fswDQYJKoZIhvcNAQELBQAw aTELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRowGAYDVQQDExFQcm9tZXRo -ZXVzIFRMUyBDQTAgFw0yMjA3MDgwOTE1MDhaGA8yMDcyMDYyNTA5MTUwOFowNjEL +ZXVzIFRMUyBDQTAgFw0yMzA3MzEwNDUxMzlaGA8yMDczMDcxODA0NTEzOVowNjEL MAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxEjAQBgNVBAMTCWxvY2Fs -aG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKE5sMf63irOiAEo -a5GMONLHDji9ATAVs1erm6NW/17UPOSjN1Q1n6JGTp2XLKb5gle7gdGdjXW9IB6n -PhXwQp4ZvTaucMxcZ+Zik19tn+azKdfj/FXU0c9R5oEv4B/1jfKG258dQF5es/Ga -A2WW3nWA6IwQkHcBcN7cBQCZZ1GcM81rxybuyU4k/FyMheehcJ5MN8iy0Y0YrMcZ -KxmRfAR/EfVYjenWXjZNncsUXotQr5I4wBUJ/pj5pYQWpSuyO6oADX1EzcxuL6bO -XoEHfGFqmr90lM/x19bHzllu1UxIwqmT8jW3Je89EhlBxb0htNWNg4hKY7658Khq -L0tx0AsdIru/JuoQGXrDs4yf+3xL51zSeMr6jewl6AyGQKCc5E+c/zwklCdsVFw7 -zapbT6Hok5HjSoMnRi/EGLtd33CQjvgGooPA4LLzWpbZhoA7QZLBXhvAG3qIkTXr -1SaDQcP6GvYItEo3Yvqle7hWqhJB5E7QJ2+0j0ztbOLZBkuQGmiT4Ebsx5IJrRaT -jDCkqYzuHjdTAtwDQR6Tuy2Sc+AuAxI4kDH6EwpX5X7E2mkE2RyYusiu6o400K6F -QhRysPf1BXxSwQgcvsQTjcl8InyY/JT+7q7TCOLaXoj5rQDwIQdao0IRgr1+M7FQ -5rsuLRD92EI/vLfSikk3MxcwZ1qzAgMBAAGjVjBUMA4GA1UdDwEB/wQEAwIFIDAT -BgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFMaa -Hh5g0+YopeLd1IkizXyK9K/zMA0GCSqGSIb3DQEBCwUAA4ICAQA1qIgzzSid9YZS -v3kfqaDmZ3ickDuoJg4DjOz4AoZF+o2SnS/kXrIs/pTABUcfhgxt6xNJUFPIi2Pa -IQXkS24Ya85RJxNUrJmqwhavONoxNoC9RBdNqwQy30DxrBcB+881Y/Ln3VQu6mfj -aLFk09LFddz3Uc26spc257GkWfvdKjki5xDiFYze8KO0s+J/OWluNOiBG1Pehj+c -CkwPzy9lwX0JCbAhsDkJGSY4rh+MO/bg9RemuqCPrmOIH8laBnJFvMTZyZRUTQlB -pAcS8Oa6Bth5DUV7XSwWD6ZOe8Jo5BzJmw5hd5/EA+0+LwZqxmB9d7lGMKgEOMJw -rIQZCN5PlYYkp31y190rw5XklHMeUJUNzcZKa/tNhjwmU5Pj01gdS5/AnFqO3zRW -w3jUI6GR7rqj8g4P/kigIUyuX1Our6K27HUWVmt/SC+DHrhF+J7xet0q3R+UwUx1 -4wTzXnA1++s19G9wzo/HenCOTvU2bprl/WQ66/lICU+xxwHfs6kltY3SItvczqOf 
-+iZrmDn/0jmoarkhaND0EpiG6FbsNWsCprPP1uj0ICqvcBD7VfqT4NWY8QWcoqqr -JxiOAuuh0iNj8dmax3suNmd+XKIhVHZ3lRBRxrsqqi67axk3mgQby2j9sLxNmrqD -Lc+UGxJB/WZg4NvzZSaj2MZmt4zOHQ== +aG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKIvHXO/uIiJGBRU +5L9h3Hg5n7jDy6Hcc12m99SUKnoRQxV7Td7w3VxmyhQ+t1WtNKPCb12ChTO4U0j0 +zctQbF1zg+R1dKIGA+TtzzRFNvrqSDkhA7z/4k2JH8GVpMRrmi8DDMntSwKp5Doq +YD/dShuofRm+xfzsjvwj+fUHZKhR9lQhiGbdTdi+wlSdpiCCs2F1v92BC+PSy1kP +F0V65lrvRJTxZ0y9BK7GqLgGscMYxP1VMjSZ2xdVIcnXk7xgJ3QaG0I3vGhJGGmm +cgfvdUMLP6ydnPp7OUPJuCt2GqIvkILiHvctbKhuptAgDR0+S87bL7xDcGl5VldL +SpyWAIgFp7De2AksI/QySSaOrSwORWFYPi0/8ybIUjanTjJBQx05Mv4IVHlBQESk +dojG+BtccoygbT3vYk8tRjByi7XHZFqy34U+bRJ2pi6yw0RMHdO8QUihUeTxqw2r +hRLleqofvlt20XIHCdlDzLTaSwfZrvw/Gaphv6rnlZhZwFCF0SULpFNH9CI/Sud7 +nWoI//SnQcyNBnZtDReTYlDCl5UfZGiuZeZYG/Vr8Y6X2y7PVvOsxnCxc8a8RdZL +sjiNzP3yRzrYY23hZu+nwvWq2Xm4/iYdGowSftT0ThaD9GhMhUKgXUu8e/n1kHq3 +GKr7ph2Gu1sLWVGkRMufhKbefXf1AgMBAAGjVjBUMA4GA1UdDwEB/wQEAwIFIDAT +BgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFAoA +zCK5fa32Yi/QFHlVTvarRTuBMA0GCSqGSIb3DQEBCwUAA4ICAQCebDl3YIEK+4Z8 +eOfSVbURIY6KC1eeh1/MPJRIR/5kI1Njp3dFLveqpaLWUlV1VQeVJxq5bLWeuh1a +JcZyEUPoB8A0Yk3Vl6FkT2Ff4gp1F9B8or5V3swrOLKvTXcBWWquHp5v8H7nbmzB +4KOAD2jcUYS45UB/wYSPJiL3frHigHBf7j9X8xrdTap4xHmSeXUH5qfgj7hAaMIR +rf+19AwRrBWnqEnledUPDheEm3ZAvU+9kvTaqGvD01VW1mvmbKSA1VZZX17Ob5ol +vXZ3Kn3gKBVu3KxYup13jPyirLhZEBgvBW4O1gYT3aRKvqGfAU8kCDDZoYipQlva +67zUGdbnOEz8HPpTJSCtSiHb+y6nUcwAVB6NN3bGtL4ZOa/R2h9zEQaqggWuzeej +bNArPWVbMiDhH+HwIeS3+IghHj82Wlinp0uqHvAVcn3Bi8SflcMTCCo8wET25EOq +852bf3v9+NVYjEGfYSKRYtKcu2Uz5R8Y3Fkg9cd8eH+rbSS3S7bJmPCFKxYKVuGl +iH0qlAKKTLBd1FS6tdeanrkI76REOKU6Qvx1TNwio+6XsC3oobvEjVqnZ4nD04dp +Yyj/9whS4G8bwl4UWgTHCMsTENKhn0y/YY5/hDRxa5yBmEanmxX+3QG9wDnmr5ls +sfVQAwvCPssjj2jfrb5Bb18R/MZ6dQ== -----END CERTIFICATE----- diff --git a/config/testdata/client.key b/config/testdata/client.key index 9c768235..42c142eb 100644 --- a/config/testdata/client.key +++ b/config/testdata/client.key 
@@ -1,52 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQChObDH+t4qzogB -KGuRjDjSxw44vQEwFbNXq5ujVv9e1DzkozdUNZ+iRk6dlyym+YJXu4HRnY11vSAe -pz4V8EKeGb02rnDMXGfmYpNfbZ/msynX4/xV1NHPUeaBL+Af9Y3yhtufHUBeXrPx -mgNllt51gOiMEJB3AXDe3AUAmWdRnDPNa8cm7slOJPxcjIXnoXCeTDfIstGNGKzH -GSsZkXwEfxH1WI3p1l42TZ3LFF6LUK+SOMAVCf6Y+aWEFqUrsjuqAA19RM3Mbi+m -zl6BB3xhapq/dJTP8dfWx85ZbtVMSMKpk/I1tyXvPRIZQcW9IbTVjYOISmO+ufCo -ai9LcdALHSK7vybqEBl6w7OMn/t8S+dc0njK+o3sJegMhkCgnORPnP88JJQnbFRc -O82qW0+h6JOR40qDJ0YvxBi7Xd9wkI74BqKDwOCy81qW2YaAO0GSwV4bwBt6iJE1 -69Umg0HD+hr2CLRKN2L6pXu4VqoSQeRO0CdvtI9M7Wzi2QZLkBpok+BG7MeSCa0W -k4wwpKmM7h43UwLcA0Eek7stknPgLgMSOJAx+hMKV+V+xNppBNkcmLrIruqONNCu -hUIUcrD39QV8UsEIHL7EE43JfCJ8mPyU/u6u0wji2l6I+a0A8CEHWqNCEYK9fjOx -UOa7Li0Q/dhCP7y30opJNzMXMGdaswIDAQABAoICAHKXAmLgl09tg5TvGaVVOH33 -JNCG5XU7t0A0pGYvy0mnJ7CJoSWlB1TbC71OWVpENLQOfXJyvLxWM6IV1DbbkT21 -pZpb2agmdWJ15bEJxYC/Dpp3XD3VCVqFJ4PidzW/3afm2en5bGqmfNbXVFq8JFj3 -ylDi5QrwZzy+vH90iM6kat0yIVY2mbWE7CkLZ5D+WYDpQyzOi8nxI7xO0ydVFARO -HIF480SkLEoEWIaib6AtNNyEoWFSvTYVGeMMBVFNWMK3Tt8eK/eEyTGRs/GZVHoY -vuwc/Dff+Dybvrop4Ehb3p+Qm7I5/ihQC7EP4m9Oqayu7DHOTZ6docLR1dOVjPt4 -F0qkeMGaGTDnfGmocqaKskGmhNWEnav5+aaYtFRXEqkLW53lIaGcWv2kyaFfvCYg -L810FEn9D5OVmlLjgUrzeEctFmhO2Br33dLl90imtuVI3Kg/qzsM9fiV0KbsONzq -I7aIvZZjXrevCOFtNSTfxNT8PrkyjWYN+2sbLWCR7hRvuzSTHI/qh2TzvyhqKeWc -ZPVlIT2qvBN5OP+j42J54VXwJNIwUmbKfnETvHMp3Cht/UaEtj/vzAkYB0paEQUs -O80vWwN4zk6H/qRV0HewUoNIGYlnTFLg/uOlLwbkctYH9ubEaobtVtwx6hsZ12AM -m7N27FsiAf6KJOGN2CqhAoIBAQDBuQgDxtf3XaoUc8YJKnvGRFMmuq8VWIELF2E1 -/u+IWP8f89BoUon7J5VMHvKiuvsVa6bOJpENrp/fV9+5IA7a925U7il8LmGis+v7 -Sg5pWMJ6gUXq65jssXw0PPDyHEHL0WTwI6KlcI0+Pt8zPujq0TPeHBOadlaPHdg2 -lHEWPvuoAeZknLnYWF7Eq0y3cD2LBiFiZWNRO0wccFf7CA1O5ToUDkFB0zXB5ZOJ -RgVSUQ5Gnva2OSB+dfFc3HwOADqjnBW+nMDi/ofH2rQEysEp4iTV4N+HkWxpNUPU -9Z3KRUN645P1BK9ufwNnqsagJU8gKNR9EJKITiPU3jqKi/IvAoIBAQDVDjDi574a -btsUQcUcip2na+D5jRts+/5lugA5OT6GzIRyYP8WgH7JMbwC91cB3avV08y5SHMB 
-P1wo04qaBL+p1by19ewZ6f4Kfytoad7ZGb/P9tX8H30N8Q/k9kucn4igpJ6XaQXU -tJIKWoBsNuUTZkPwa0+FMBBbRFRagu+mbOwnKR6zNIXNh18K7/LCJSb9jy73xG7k -DEuRJH10Ow0Ijo4/UACm0CLdavtVtbkGfarETfZSUPuKMHs6dyAME94+IG3WgmWW -B1WbtrWXw6RNhaecYDfjeW3iFOjgo+MpaQpnfiz7nqNrUu5zbteJYM2EdHI1baJ+ -/VXsXsc4hdK9AoIBAEyWkJqdpIiBmVpYozTAfQrXvGAVcl7oDKyL47zrO1wWg1bo -l76G01JeReJAYgEAF4BSfTIHgVV9cmtkXGjeScE8DXy6Y+BanfMrWuKQVr5Dfy/b -p/7GgkEhsk8cwM2XalPgRx3BmO37X3v6c1fZSVB8wRrQ0tdAbdxLGk4JxePbpra3 -eZTReZAU7/KlHsFvOIWcONqj5u4YmXCs4bu3ZTuJ2LpRIG+bxycPUpL1AemXbiNx -eWx1jWkxy+jAqrMGWCiS7u3bH08e/iN/TaiPWGrso0+Dhhwc3FWD33t0V5u+Yn1V -OAuofIsc4AW+OKTb2zqFqex//s6wxe3EpjRcO7UCggEAXVL5APtn3yY92pKwp77k -LejoRAeWQtfi6GZgILC9fchqH7vzIMUqRDD/3QDA4PVbhq9e1q4wihRZ5xw6cxqv -ZdJU9hOB1xwTBkAMIJF3ZvuLdKn3s5eLbKbyQmXMWw/ahht1yHbdcf2iltxrsnsd -PrEmA1LOI1YZZBD7LiZ6mRjPHJw7cV4JWiz46c6PNJGXkau9dBRcSpJEK5CjT11q -aRwgnQULNAaprvlknHecU4aKXbCUvBvzAuYXpFV3+TJewDHuSu8VVnFiA3I1+wNc -ngR0ld/ju0V+Z3CnTXccUxBK2WiAhbtIdAOApZmg2fFINMPZHyQl8KBBmecuNskP -tQKCAQALxoCzLhdq6Kl/mqqdPTlvncIuAoaH2VjEc5ZpMIHShPd1YfPv5/sQkD4B -8X7QNLPITaSGvNTevyg/KtVPuWyyCxEjmIXDXOCXkylmJFY9tgaaSGPLRJ62sIbz -EJGmUUOBYD+/ybV+dQd3GgkGJ0Hytp+FM8NCWukCFRAxb1m56xfs+RTBuLdJpou7 -AV+RafQV1roAQ+Pj3dFsoR6jBJIM4w0S5Q6609W062hrR6hBrlVBGfZpo/Mgmv5K -HEnQ7X+AqPaK7BLdzBQb2Qd6hGF8DMVTSBRlc/THnhK/HlVCuWMNuEliGtmIuGYE -0FRrwC2EvZmAS7m/FHfkpry76CRU +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCiLx1zv7iIiRgU +VOS/Ydx4OZ+4w8uh3HNdpvfUlCp6EUMVe03e8N1cZsoUPrdVrTSjwm9dgoUzuFNI +9M3LUGxdc4PkdXSiBgPk7c80RTb66kg5IQO8/+JNiR/BlaTEa5ovAwzJ7UsCqeQ6 +KmA/3UobqH0ZvsX87I78I/n1B2SoUfZUIYhm3U3YvsJUnaYggrNhdb/dgQvj0stZ +DxdFeuZa70SU8WdMvQSuxqi4BrHDGMT9VTI0mdsXVSHJ15O8YCd0GhtCN7xoSRhp +pnIH73VDCz+snZz6ezlDybgrdhqiL5CC4h73LWyobqbQIA0dPkvO2y+8Q3BpeVZX +S0qclgCIBaew3tgJLCP0Mkkmjq0sDkVhWD4tP/MmyFI2p04yQUMdOTL+CFR5QUBE +pHaIxvgbXHKMoG0972JPLUYwcou1x2Rast+FPm0SdqYussNETB3TvEFIoVHk8asN +q4US5XqqH75bdtFyBwnZQ8y02ksH2a78PxmqYb+q55WYWcBQhdElC6RTR/QiP0rn 
+e51qCP/0p0HMjQZ2bQ0Xk2JQwpeVH2RormXmWBv1a/GOl9suz1bzrMZwsXPGvEXW +S7I4jcz98kc62GNt4Wbvp8L1qtl5uP4mHRqMEn7U9E4Wg/RoTIVCoF1LvHv59ZB6 +txiq+6YdhrtbC1lRpETLn4Sm3n139QIDAQABAoICAB0be5u0gvfuMuYjPlKiy6DA +JsxQR5GrMQFT4BLE7MKvqmyGjrk+XVwiDo6HmvvDdDkXwkj0Ddf0cu4bEXw12N0E +yF0OP3p8veIuVAu7iFyMA55NMJCRFBp6S7rAkqu17BwX3gm3jsjRmOZfiJqtqolA +OgOO25XDFv5lroytYQFchGshAYwEl94YjmQFTzVyf6M0MNUePfYLdPds3+5WWlVj +r9lTYgjBu79qZAlzGiA7p88XpUUPf+S2ILRK/nbGgw4xSUcfHa9RvxHnD3whG9iG +gk0GlI/X4bUq1OTn82u8QaFb19bgzimEgmfD+NaQwaZEbFLLf7dOUZKlLqTfvwRh +a5YsMifFw3z/3D/xizT+To/IT/NKrczCBt0S3/sAWjSYvfwEEXeYmuVYMdGF5ILZ +qm/lToEjb7Hjzgd4hdjo3mJsZ+yeg1Kqnhqu4zBruyPzDo48J/eMlW9UKaAh4hoX +M0L3xSpuWflTKElSEgRzV1n77rtcDYKwI/Vb07mbFtqdd1TPyZLiOBd2eCFi2CSJ +nhKwVUnkiyf+05r8zpoXBPj7zeHWVQwQppFy1JHw9WndXC8ONIaviLDdqxfKMC1o +mqcZE56XhlsBpCJWOZrTZt0YQEnemDmC4D/jglmLPD/kIf0R5k+nidNbw3rkv/fy +nejqqVBJgpbD5FVrK+oBAoIBAQDL10NGqINEGHPrm3APSrSAaoFgcT8sByX6QbsW +JZXORlrZ4X/fepQA9RDuf6/n9Enqfz7hXvj0b0dIxs04cQ3AkG4oLsftai17q4pP +QaE4QR4Bl1YYh1mFkNE616JFQh2BV7Japts2/9GiS+e+ppSCFG8ZXQEvHjj5SFk5 +M1bhFqf20My8AxoH2BfOWgWkqjzpd11UCl9xfOlLZSwuyUuLQneoHDn38JFJKePe +eVzwjfz/+61hmvVQrvOQK+ArqozjQut/E33wVO+VeNn9E9TAoH8tZz6rU+lfa3v6 +H/rYgonBYIeeqYTF1XT2ZLzxhLjTZd1w14tBA+zOx4n4Mz61AoIBAQDLrxfNMrOS +OEbfyjqz5ntaEF8OfEcKGpevCSVL1f5tkDfh+5dzCZyZFZL5aRN4Bax7+lJSkftJ +Bie5UU4aV5EzjGtqH1Oz//PIKat2ZrT97rz+j0dnAevUSrr9m15anH6pKsJ3L0k1 +iteXt6N8Sx2aHzO1dRztT9qKhFKtQnbRbH0/nhCOU8l+jieuqkG4iDnbmHSRZQkk +zowtAkiRVWKSt2xqTQhv3VVMd8mDUUL4swzQnb5tlkjoqikoAKICG6jkAgJkyd8+ +qeiQuCcIRa/UrY/4xJ/qq3ZJq6bzH6sDfXPH1P87kQq3HsYTyIx72wifLsJTMyOc +bsnd8qt4m9xBAoIBAQChwIa1OiE31wOdkbHBoLFNObbCdfsAEAgV5zTzZQ3UKsYL +IULcbqOlgtJVv2Mx+Arzltep9Tgul2MEoCTXRfb4uGOBZWXmwpunCD9vlw+82Qdb +keCTBEyIjZtKSzSMKuPI8HMqNj+8DBIo7HzQL9Wmx1pF0SSQZDYnsj6DAndNlDHi +zFu6UefFE7gIWi0iNqixRrP7bWPBZbKmznjaA4f70NmswAFL+0z+tswIjVuv06xQ +4UD7NAC4bqv92qM/Y037RO4k363PGUco4EZy6dqopHNm7weu4p5MxrkRiXD/f86a +ceQMhk5CwpjWsKeyK3SS48FtuszY4al3iKW2G8wFAoIBABvovgYr8FcUxwFbIHgO 
+GNDadWvys3k685XUVvvxMo+otz+LzdDBfGetgRoTv8suW9gREL6nqhrzcPX/oggR +/59kmkNMT5fWdnzy2L+8iwhQci0fTNVcegf4xW6Cn4ci8mgTp9nU7N8dSzVKwGgD +kubPZ7Jxfak2y+c3Am0jMky35OGWswYNjQp+SAmy4pZ6dBMW7MIPahVVB/gS3Aau +AHfCEmTucT2CwnFb6IzJ0bdqMVNUigdSFGNtDX6ht5E6YQX9EH7m+mQHvAo4cYC8 +q78kmRmpN5BcNjUaBCJEMJal1fuHwAFVenZlDRcg378I4EGPkqj71OFWfOqgmcZI +9QECggEAT7aZ61D5by+D1MucBTlFf8coSasPUmFEnbF79r9A4Qd1Cok0H01/2wXt +X5ZeuwRX50+9x3MwlDsAUgK6DprBls+ReB9Qdwy/IXNYGLYuOG1qcoVSJtdGNXWK +1rP/5J9nZAkZbma/j/sLfj9p+oRW5eDncHSfZCUF4IiJSvbpV4kqna1iWQ4Kwg/e +1162pOL/vS7CpoIYvmTK0PTSKW9I6sb/sVaJmaspjDNR1Wox/Un4ykN0T0FWLH6d +IZxvXyv7Tsx1aZlWXicDjFg4c+7SgoJupgUNgzRZUmFOTKXBUA4EsFmzDi+mfDcy +SkiztxLj1Lqz7t/tItLbXl2+cXX2fQ== -----END PRIVATE KEY----- diff --git a/config/testdata/crl_cert_revoked.pem b/config/testdata/crl_cert_revoked.pem new file mode 100644 index 00000000..e470bcb9 --- /dev/null +++ b/config/testdata/crl_cert_revoked.pem 
@@ -0,0 +1,19 @@ +-----BEGIN X509 CRL----- +MIIDCTCB8gIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA3MzEwNDUx +NDRaFw0yMzA4MzAwNDUxNDRaMCQwIgIRAJhzsQ9PS6cSzJuE6HX04foXDTIzMDcz +MTA0NTE0NFqgLzAtMB8GA1UdIwQYMBaAFAoAzCK5fa32Yi/QFHlVTvarRTuBMAoG +A1UdFAQDAgEBMA0GCSqGSIb3DQEBCwUAA4ICAQBBgnGL2IxYkHUtVEsHJr+/u9Gk +Lw8sCcadLDSCT3z7VbJbyxSwEP9oAofKDoH7ycSg/P2aPwtmSYbK31UJuHsGUNHI +tb14DGtWYz0Uq8DKE+biXquRW9lLTOulCU7L7jraHgnZTEMku3q/ngamYZhvfViT +zPQiVKTp9i89QgqYh8DiFhhmD2urA/kzmyo93/uAAsrhzdcOwW9bfLhAP0iQty22 +Lx839auxO//3VqBCF34/XkoSDXwNIsU1ezk7f3kTjNhlLv4XPPQfx6NdIZhgDJ6a +HQS0ef4/7Is4pOPeCSpee961EOOW134xWSnlZ8BIA53MLnlwLYBqse3iYKnxF+nu +IwBWexgakhEUm2pem8V2xw3ww6fMlaXIaH635s4ZuGRFvyYI6/2BXrsCXpNpRHrm +pb10mI/fX3kuqQeX/fZ0oUIXnTLGuLMM2ruzN6V8gUpdEIU6m3jToI6h85qVSMRa +4Ki5QOWLng3lhs/swYPZbbz1VMpdTMAL16a++hfDkV0S4or93XCfxyjT42JI6Vfh +dsc0Xqg1WrA9n3Mc/Epja3A2Epme48/W1urnmUdpwzHalaeKL054jR1KAZzj/DEW +mY/XnGmv1pwYPfz24wbbkFtIk1jF4Z2fwudfG+RMAuhI6mK5YM0ACawlF4EVuZ4g +odbYxmxO/SbHGldMxA== +-----END X509 CRL----- diff --git a/config/testdata/crl_cert_revoked_expired.pem b/config/testdata/crl_cert_revoked_expired.pem new file mode 100644 index 00000000..9248b7b0 --- /dev/null +++ b/config/testdata/crl_cert_revoked_expired.pem 
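Review bot: The nextUpdate encoded in this CRL fixture is 2023-08-30 (`Fw0yMzA4MzAwNDUxNDRa` decodes to UTCTime 230830045144Z), only 30 days after thisUpdate, while the regenerated certificates in this patch are valid until 2073. Since the patch also adds crl_cert_revoked_expired.pem, the new verifier presumably rejects a CRL that is past nextUpdate; if so, every test that loads this file as a valid CRL starts failing after that date unless the tests pin the clock. The same 30-day window is encoded in crl_chain_all_empty.pem, crl_chain_cert_revoked.pem, crl_chain_inter_ca_cert_revoked.pem, crl_chain_irlvt_cert_revoked.pem, crl_inter_empty.pem and crl_root_empty.pem. I would have config/generate.go (not visible in this part of the patch) issue the non-expired CRLs with a nextUpdate as long-lived as the certificates, and keep the short validity only for the deliberately expired fixture.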
@@ -0,0 +1,19 @@ +-----BEGIN X509 CRL----- +MIIDCTCB8gIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA3MzEwNDUx +NDRaFw0yMzA3MzEwNDUxNDRaMCQwIgIRAJhzsQ9PS6cSzJuE6HX04foXDTIzMDcz +MTA0NTE0NFqgLzAtMB8GA1UdIwQYMBaAFAoAzCK5fa32Yi/QFHlVTvarRTuBMAoG +A1UdFAQDAgEBMA0GCSqGSIb3DQEBCwUAA4ICAQClxhuga0SCqdEpMn1uj5ALxKbz +7P8wyfEBfRRJIp+sTx8H0oCRV/rc4YxUOwTinlrI77il0+rkEAw4lr++74fZBLNZ +UgkggqR//upMwq7wvLxMv1j7b5178J681/1lxtpLmZWkC6wbHZsNxzRkVTDpDylE +cWGs73orr9Z6yiZbAryVFgbDXRy6N+B/nrLehAoW8GZRXUxSdCF4iuzi5EmdAK6I +0j3NqWGZ8D33DA772AF6n90ecVXT0uFFPX4TXeuE0vPRq6StgloKoutI68A+aivU +rIBNomV8SN9GnKQy6C0Wu4A9qT756ON6BSs5EJ05gJCBCCjP57s3r5lruGguQfAH +TJCFijtdD64OsT095TmhI4zNbvdA09+uxSSjJJ9oRk2Wq7WJ0kSoQFg/IxM/dy5U +I82P6C+RnJ+3UkcgJcSpsEZYWocQbPgUr6RA5cFwRsNud4npuKAuzpGKxXeZQJZy +GKqF1LkWG5t9Ci1BAXm8a/TFevNkHxnZqurm88APcsEMepwTJO3ZPgrcGckTQA72 +/uiufF25/NXKNOVJH4nOr/7qG9THm7odbLTJJmc4UaaHOZTb/DQkt9I7eFav2tmn +2kUbMBgDOe2WxNbpq1rHJa7GcFmE5bOm5UDOs+K6kWtqLF0fMoVfFwLRVeX0Lpgy +MGDXUxdS2IRwkY9c3w== +-----END X509 CRL----- diff --git a/config/testdata/crl_chain_all_empty.pem b/config/testdata/crl_chain_all_empty.pem new file mode 100644 index 00000000..05d43f54 --- /dev/null +++ b/config/testdata/crl_chain_all_empty.pem 
@@ -0,0 +1,36 @@ +-----BEGIN X509 CRL----- +MIIC+TCB4gIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA3MzEwNDUx +NDRaFw0yMzA4MzAwNDUxNDRaMBQwEgIBARcNMjMwNzMxMDQ1MTQ0WqAvMC0wHwYD +VR0jBBgwFoAUCgDMIrl9rfZiL9AUeVVO9qtFO4EwCgYDVR0UBAMCAQEwDQYJKoZI +hvcNAQELBQADggIBAAPPar7DIQC/ouHWq4kKUlInhyc/8d5WFloaLwb6NYJRsoEz +H//oUBuh2uaY8QxR30a88ulujQYUj+5CvxGgqQxLXn3ktGJC0quiugRIP9eKl1ny +cQ2C9boPTEJUAuh+sPof/ZKKKv1jKe2nPuSBtD1e/aN80h9lHtT9S9BQUBnAbrgA +3DJTLFg1HDTggayMgxRi+nRwngRB4/yRG88RSDG3wp8izxnDnoCU6G6Iu3ekTaN7 +/Q9frQF66H29O13lHNeTZ5C/o8MHXWi9BwZymGw3V3HIfDj3mAlJvvwAATOrYkON +AAtvd6EgM3x7gEyrVNO3VMZfKA9XFdkMK8BfRuaFTU2E4oJHNeBxtyCTlcuoC0mK +KcsY0TRZQws8oynpMF8+WF+4ySlDHN0z4ZzOm4Y1MglA/6b9fKmP2de2Gid/mCLg +XuDOqoqm5Dd2DLIaT5Zcn6y75o5okrr5k185Ms+iNXojJreN9no65xg6tlHon4if +9vYbq5QPUSKr7Yh5P7nGfSeAaP8ISu/peJ0OiwN0FJWATy8lPQfwTJ3ZlEvpHaf4 +D70PVIgO9BmvyYlQuGmH6cEKKjOZ2QZ2a7DyLlHlGyowWNbnZqOQX1gAjNeZxz6R +J5UjjXVmMeSgrAlQGWp6lKzxOowSAQ5d556CaLdqWdHwa0Z742kXAeRRa9M9 +-----END X509 CRL----- +-----BEGIN X509 CRL----- +MIIC+jCB4wIBATANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGzAZBgNVBAMTElByb21ldGhldXMgUm9vdCBDQRcNMjMwNzMxMDQ1 +MTQ0WhcNMjMwODMwMDQ1MTQ0WjAUMBICAQEXDTIzMDczMTA0NTE0NFqgLzAtMB8G +A1UdIwQYMBaAFIyFWoNHt08m0ox3NtZvy80ffbtWMAoGA1UdFAQDAgEBMA0GCSqG +SIb3DQEBCwUAA4ICAQBRheDo6/ZE6kUF8/9HQPy5Is+HoHYUs2wRm0NN5avQnvI0 +PpFbqvnSOmuxfloDDED+qExlXmCEus6qYmQ6OW+Mb5Dt07olAgqRxWlRb8/MB9vr +HMkyB3dcmp1okqroUhpLctsFjK7aCmkjur0dtI4uRwHyHerGKylBmS/7wMZDZgRh +tFKlNaGKDDEwiTqlixtr04Nk35UDDqGvG0xMbCrmNcTpj0EMq7OnesXI5qMIBTxE +jGkjJ9MONuZRihUWpXyKgi1HjDWn4Qn5o/m6U2SN4601vwHmkdDuvtDCoQtwaziT +cOPzQ/0TzPdvOGbyupubyH0mkYzs9t3RYmSbDM/EWmhcHWuhzzG398sIbOYK7Ile +rQ2w86uZH/vygeZAp7dUx/NfjKlFWydukf8Lw2L82Ux3K80zTuuI3+YGW+k5hoWr 
+k/FrwxOIZIGW+1TLYpC9nStpSuAiJ/P8/XH+V1xO0uoq4iEedvhZQOR6psvuR/nP +PZ6nJSpkBKtaZOsTimKYvHJLuI86fVEn+VEIqoBClkXtjTGns1bFQ+GwWedtM5F3 +uYwlIrIcOWIttTxoTq9lz6Q0i1n29dkgQTBI+LE/u1vc7miHe4DKoDpZTc+NbrAj +eKkuKCONbFgvpuD59BBI8NJNR1AdgqIUJDRXYudlOUVGnLRHfNE+UvrxmIevMg== +-----END X509 CRL----- diff --git a/config/testdata/crl_chain_cert_revoked.pem b/config/testdata/crl_chain_cert_revoked.pem new file mode 100644 index 00000000..14d8f3eb --- /dev/null +++ b/config/testdata/crl_chain_cert_revoked.pem 
@@ -0,0 +1,37 @@ +-----BEGIN X509 CRL----- +MIIC+jCB4wIBATANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGzAZBgNVBAMTElByb21ldGhldXMgUm9vdCBDQRcNMjMwNzMxMDQ1 +MTQ0WhcNMjMwODMwMDQ1MTQ0WjAUMBICAQEXDTIzMDczMTA0NTE0NFqgLzAtMB8G +A1UdIwQYMBaAFIyFWoNHt08m0ox3NtZvy80ffbtWMAoGA1UdFAQDAgEBMA0GCSqG +SIb3DQEBCwUAA4ICAQBRheDo6/ZE6kUF8/9HQPy5Is+HoHYUs2wRm0NN5avQnvI0 +PpFbqvnSOmuxfloDDED+qExlXmCEus6qYmQ6OW+Mb5Dt07olAgqRxWlRb8/MB9vr +HMkyB3dcmp1okqroUhpLctsFjK7aCmkjur0dtI4uRwHyHerGKylBmS/7wMZDZgRh +tFKlNaGKDDEwiTqlixtr04Nk35UDDqGvG0xMbCrmNcTpj0EMq7OnesXI5qMIBTxE +jGkjJ9MONuZRihUWpXyKgi1HjDWn4Qn5o/m6U2SN4601vwHmkdDuvtDCoQtwaziT +cOPzQ/0TzPdvOGbyupubyH0mkYzs9t3RYmSbDM/EWmhcHWuhzzG398sIbOYK7Ile +rQ2w86uZH/vygeZAp7dUx/NfjKlFWydukf8Lw2L82Ux3K80zTuuI3+YGW+k5hoWr +k/FrwxOIZIGW+1TLYpC9nStpSuAiJ/P8/XH+V1xO0uoq4iEedvhZQOR6psvuR/nP +PZ6nJSpkBKtaZOsTimKYvHJLuI86fVEn+VEIqoBClkXtjTGns1bFQ+GwWedtM5F3 +uYwlIrIcOWIttTxoTq9lz6Q0i1n29dkgQTBI+LE/u1vc7miHe4DKoDpZTc+NbrAj +eKkuKCONbFgvpuD59BBI8NJNR1AdgqIUJDRXYudlOUVGnLRHfNE+UvrxmIevMg== +-----END X509 CRL----- +-----BEGIN X509 CRL----- +MIIDCTCB8gIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA3MzEwNDUx +NDRaFw0yMzA4MzAwNDUxNDRaMCQwIgIRAJhzsQ9PS6cSzJuE6HX04foXDTIzMDcz +MTA0NTE0NFqgLzAtMB8GA1UdIwQYMBaAFAoAzCK5fa32Yi/QFHlVTvarRTuBMAoG +A1UdFAQDAgEBMA0GCSqGSIb3DQEBCwUAA4ICAQBBgnGL2IxYkHUtVEsHJr+/u9Gk +Lw8sCcadLDSCT3z7VbJbyxSwEP9oAofKDoH7ycSg/P2aPwtmSYbK31UJuHsGUNHI +tb14DGtWYz0Uq8DKE+biXquRW9lLTOulCU7L7jraHgnZTEMku3q/ngamYZhvfViT +zPQiVKTp9i89QgqYh8DiFhhmD2urA/kzmyo93/uAAsrhzdcOwW9bfLhAP0iQty22 +Lx839auxO//3VqBCF34/XkoSDXwNIsU1ezk7f3kTjNhlLv4XPPQfx6NdIZhgDJ6a +HQS0ef4/7Is4pOPeCSpee961EOOW134xWSnlZ8BIA53MLnlwLYBqse3iYKnxF+nu +IwBWexgakhEUm2pem8V2xw3ww6fMlaXIaH635s4ZuGRFvyYI6/2BXrsCXpNpRHrm 
+pb10mI/fX3kuqQeX/fZ0oUIXnTLGuLMM2ruzN6V8gUpdEIU6m3jToI6h85qVSMRa +4Ki5QOWLng3lhs/swYPZbbz1VMpdTMAL16a++hfDkV0S4or93XCfxyjT42JI6Vfh +dsc0Xqg1WrA9n3Mc/Epja3A2Epme48/W1urnmUdpwzHalaeKL054jR1KAZzj/DEW +mY/XnGmv1pwYPfz24wbbkFtIk1jF4Z2fwudfG+RMAuhI6mK5YM0ACawlF4EVuZ4g +odbYxmxO/SbHGldMxA== +-----END X509 CRL----- diff --git a/config/testdata/crl_chain_inter_ca_cert_revoked.pem b/config/testdata/crl_chain_inter_ca_cert_revoked.pem new file mode 100644 index 00000000..f7c450a3 --- /dev/null +++ b/config/testdata/crl_chain_inter_ca_cert_revoked.pem 
@@ -0,0 +1,37 @@ +-----BEGIN X509 CRL----- +MIIDCjCB8wIBATANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGzAZBgNVBAMTElByb21ldGhldXMgUm9vdCBDQRcNMjMwNzMxMDQ1 +MTQ0WhcNMjMwODMwMDQ1MTQ0WjAkMCICEQCYc7EPT0unEsybhOh19OH3Fw0yMzA3 +MzEwNDUxNDRaoC8wLTAfBgNVHSMEGDAWgBSMhVqDR7dPJtKMdzbWb8vNH327VjAK +BgNVHRQEAwIBATANBgkqhkiG9w0BAQsFAAOCAgEAY1ad7uo/hqV2d81hUJc/iFVC +mPcK9xS+Q7JSd+CNtiQ/gFwaZWAkaMF2ckny2JPsDEy/20q9fOwsk7G22hppI36g +xlgOh1CWEOK5C0DWdVA3cRJJw9Rl16dAfN7iw3DXMTp99s1/nh5qHWhljTWPSRtm +BeDDNUqj7ZHzV2H/sY5WkirD5nwTEBa9/jNnHroV9iVzda1QJd8IODzAHm8yZBpm +ZzSxEpwxObMSoPjqOFSc/0pdoZ4zulyVyvNBV+lUXP2cXOxjt3TM++JZ4+OxHOaq +i2Yf0e/P71u97nVf2DWbf5a9voIFIO79TbayX5pEzYK2lEuy6nnf8+M6zV65/EbH +BMmfWRlyMYfEd8CZA2Bc5Cagu/wLI7EaoO+14efGnN5MxOj6loD+oUCLDGnj88or +V3LzAoqO+WVVt0275uzoIOzgVMeV4NvN3ZC+1IRfXsROEwjJZzx3e3iGfCboqATT +5U/j8W9j3PZQ4gVqsQIp70mNteWuNFNCHrF7FPXLCDlxD5rAiHuoMMhtt3lQ4F9W +wCmEEuFzHB5lcCqkIktZlhJ2jQWByjiKksBxv9atMM7UYFZ2VD/hdIOL6ZlKovLM +hz/5VzqMyI/mHhbpM1evg9aPtNgVhpj1qQdxwefKXdg4woMHOisGCI+02RjeSVUC +s3nE+AmagioczzM+0q8= +-----END X509 CRL----- +-----BEGIN X509 CRL----- +MIIC+TCB4gIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA3MzEwNDUx +NDRaFw0yMzA4MzAwNDUxNDRaMBQwEgIBARcNMjMwNzMxMDQ1MTQ0WqAvMC0wHwYD +VR0jBBgwFoAUCgDMIrl9rfZiL9AUeVVO9qtFO4EwCgYDVR0UBAMCAQEwDQYJKoZI +hvcNAQELBQADggIBAAPPar7DIQC/ouHWq4kKUlInhyc/8d5WFloaLwb6NYJRsoEz +H//oUBuh2uaY8QxR30a88ulujQYUj+5CvxGgqQxLXn3ktGJC0quiugRIP9eKl1ny +cQ2C9boPTEJUAuh+sPof/ZKKKv1jKe2nPuSBtD1e/aN80h9lHtT9S9BQUBnAbrgA +3DJTLFg1HDTggayMgxRi+nRwngRB4/yRG88RSDG3wp8izxnDnoCU6G6Iu3ekTaN7 +/Q9frQF66H29O13lHNeTZ5C/o8MHXWi9BwZymGw3V3HIfDj3mAlJvvwAATOrYkON +AAtvd6EgM3x7gEyrVNO3VMZfKA9XFdkMK8BfRuaFTU2E4oJHNeBxtyCTlcuoC0mK +KcsY0TRZQws8oynpMF8+WF+4ySlDHN0z4ZzOm4Y1MglA/6b9fKmP2de2Gid/mCLg 
+XuDOqoqm5Dd2DLIaT5Zcn6y75o5okrr5k185Ms+iNXojJreN9no65xg6tlHon4if +9vYbq5QPUSKr7Yh5P7nGfSeAaP8ISu/peJ0OiwN0FJWATy8lPQfwTJ3ZlEvpHaf4 +D70PVIgO9BmvyYlQuGmH6cEKKjOZ2QZ2a7DyLlHlGyowWNbnZqOQX1gAjNeZxz6R +J5UjjXVmMeSgrAlQGWp6lKzxOowSAQ5d556CaLdqWdHwa0Z742kXAeRRa9M9 +-----END X509 CRL----- diff --git a/config/testdata/crl_chain_irlvt_cert_revoked.pem b/config/testdata/crl_chain_irlvt_cert_revoked.pem new file mode 100644 index 00000000..e7f97743 --- /dev/null +++ b/config/testdata/crl_chain_irlvt_cert_revoked.pem 
@@ -0,0 +1,37 @@ +-----BEGIN X509 CRL----- +MIIC+TCB4gIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA3MzEwNDUx +NDRaFw0yMzA4MzAwNDUxNDRaMBQwEgIBARcNMjMwNzMxMDQ1MTQ0WqAvMC0wHwYD +VR0jBBgwFoAUCgDMIrl9rfZiL9AUeVVO9qtFO4EwCgYDVR0UBAMCAQEwDQYJKoZI +hvcNAQELBQADggIBAAPPar7DIQC/ouHWq4kKUlInhyc/8d5WFloaLwb6NYJRsoEz +H//oUBuh2uaY8QxR30a88ulujQYUj+5CvxGgqQxLXn3ktGJC0quiugRIP9eKl1ny +cQ2C9boPTEJUAuh+sPof/ZKKKv1jKe2nPuSBtD1e/aN80h9lHtT9S9BQUBnAbrgA +3DJTLFg1HDTggayMgxRi+nRwngRB4/yRG88RSDG3wp8izxnDnoCU6G6Iu3ekTaN7 +/Q9frQF66H29O13lHNeTZ5C/o8MHXWi9BwZymGw3V3HIfDj3mAlJvvwAATOrYkON +AAtvd6EgM3x7gEyrVNO3VMZfKA9XFdkMK8BfRuaFTU2E4oJHNeBxtyCTlcuoC0mK +KcsY0TRZQws8oynpMF8+WF+4ySlDHN0z4ZzOm4Y1MglA/6b9fKmP2de2Gid/mCLg +XuDOqoqm5Dd2DLIaT5Zcn6y75o5okrr5k185Ms+iNXojJreN9no65xg6tlHon4if +9vYbq5QPUSKr7Yh5P7nGfSeAaP8ISu/peJ0OiwN0FJWATy8lPQfwTJ3ZlEvpHaf4 +D70PVIgO9BmvyYlQuGmH6cEKKjOZ2QZ2a7DyLlHlGyowWNbnZqOQX1gAjNeZxz6R +J5UjjXVmMeSgrAlQGWp6lKzxOowSAQ5d556CaLdqWdHwa0Z742kXAeRRa9M9 +-----END X509 CRL----- +-----BEGIN X509 CRL----- +MIIDFDCB/QIBATANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxJTAjBgNVBAMTHFByb21ldGhldXMgVExTIElycmVsZXZhbnQgQ0EX +DTIzMDczMTA0NTE0NFoXDTIzMDgzMDA0NTE0NFowJDAiAhEAmHOxD09LpxLMm4To +dfTh+hcNMjMwNzMxMDQ1MTQ0WqAvMC0wHwYDVR0jBBgwFoAUWTCoYlK7Heg8oL1N +PLi3eoZDXMcwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggIBAMjkKE8vODNr +eBs/+9MssfPupEykuMSunlEEUlbQ+IQ623Qtt8YN4zUP+5vo/wMqkBHERgEqd2xK +NprdBg0NEqpoQXFBwcsR5reS/nwZDer7dFYpkB0j84bRLDUUpuU4K76r9j2cNEjW +qUTSOY7DQMOGqh7Y0rNXMRP6lY/WINIEbaXV+wSXxl3a3iEODsa7nC8W51y+beC9 +VYMMjZcyPLBLAcY2Z10s4YwUCc4nqsSnIfHyAmP7sUFfBb0sav+j/A+wnH/Ab/BK +/LxQmTv+8ycjeqpjCPSZhr1NWwTAsW2T1+pnjAOf4GxxB5BJ33tnSutJMK7/qLDG +P53Sp739d5XjN88vrzLvwaDVhKoOU9h0/2aDGQzeN4AmN+Yvrw4WVWmHBHK7a4z/ 
+ly2xCTO3w49YILCnZFIXmdQAHQpdJkBg6tAcuWS7cyK092r0tyJOFXybkAWuQkQu +lQmoC4rKKhBkkGy6sEYFIq0AJiYqkj50px9tce2uM4qtKO3orlHyYXMDZymiVZMw +29G2yikmP6yT+nPikdGcV9h+ONEJ22QJtNpHFh6ZVccDHQliG0ZqhkAwtBtYQ3SW +4+Y1XwiGu2+G++A/plcGBcUnsT0tcwTiyEdF7yF3nN/fPnBinkmzJRobnWQDqv1a +z4KBtUWLnuHQAGQ7cvdc9Uknvqpb/dCX +-----END X509 CRL----- diff --git a/config/testdata/crl_inter_empty.pem b/config/testdata/crl_inter_empty.pem new file mode 100644 index 00000000..2935397b --- /dev/null +++ b/config/testdata/crl_inter_empty.pem @@ -0,0 +1,18 @@ +-----BEGIN X509 CRL----- +MIIC+TCB4gIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA3MzEwNDUx +NDRaFw0yMzA4MzAwNDUxNDRaMBQwEgIBARcNMjMwNzMxMDQ1MTQ0WqAvMC0wHwYD +VR0jBBgwFoAUCgDMIrl9rfZiL9AUeVVO9qtFO4EwCgYDVR0UBAMCAQEwDQYJKoZI +hvcNAQELBQADggIBAAPPar7DIQC/ouHWq4kKUlInhyc/8d5WFloaLwb6NYJRsoEz +H//oUBuh2uaY8QxR30a88ulujQYUj+5CvxGgqQxLXn3ktGJC0quiugRIP9eKl1ny +cQ2C9boPTEJUAuh+sPof/ZKKKv1jKe2nPuSBtD1e/aN80h9lHtT9S9BQUBnAbrgA +3DJTLFg1HDTggayMgxRi+nRwngRB4/yRG88RSDG3wp8izxnDnoCU6G6Iu3ekTaN7 +/Q9frQF66H29O13lHNeTZ5C/o8MHXWi9BwZymGw3V3HIfDj3mAlJvvwAATOrYkON +AAtvd6EgM3x7gEyrVNO3VMZfKA9XFdkMK8BfRuaFTU2E4oJHNeBxtyCTlcuoC0mK +KcsY0TRZQws8oynpMF8+WF+4ySlDHN0z4ZzOm4Y1MglA/6b9fKmP2de2Gid/mCLg +XuDOqoqm5Dd2DLIaT5Zcn6y75o5okrr5k185Ms+iNXojJreN9no65xg6tlHon4if +9vYbq5QPUSKr7Yh5P7nGfSeAaP8ISu/peJ0OiwN0FJWATy8lPQfwTJ3ZlEvpHaf4 +D70PVIgO9BmvyYlQuGmH6cEKKjOZ2QZ2a7DyLlHlGyowWNbnZqOQX1gAjNeZxz6R +J5UjjXVmMeSgrAlQGWp6lKzxOowSAQ5d556CaLdqWdHwa0Z742kXAeRRa9M9 +-----END X509 CRL----- diff --git a/config/testdata/crl_root_empty.pem b/config/testdata/crl_root_empty.pem new file mode 100644 index 00000000..f00cc4e4 --- /dev/null +++ b/config/testdata/crl_root_empty.pem 
@@ -0,0 +1,18 @@ +-----BEGIN X509 CRL----- +MIIC+jCB4wIBATANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGzAZBgNVBAMTElByb21ldGhldXMgUm9vdCBDQRcNMjMwNzMxMDQ1 +MTQ0WhcNMjMwODMwMDQ1MTQ0WjAUMBICAQEXDTIzMDczMTA0NTE0NFqgLzAtMB8G +A1UdIwQYMBaAFIyFWoNHt08m0ox3NtZvy80ffbtWMAoGA1UdFAQDAgEBMA0GCSqG +SIb3DQEBCwUAA4ICAQBRheDo6/ZE6kUF8/9HQPy5Is+HoHYUs2wRm0NN5avQnvI0 +PpFbqvnSOmuxfloDDED+qExlXmCEus6qYmQ6OW+Mb5Dt07olAgqRxWlRb8/MB9vr +HMkyB3dcmp1okqroUhpLctsFjK7aCmkjur0dtI4uRwHyHerGKylBmS/7wMZDZgRh +tFKlNaGKDDEwiTqlixtr04Nk35UDDqGvG0xMbCrmNcTpj0EMq7OnesXI5qMIBTxE +jGkjJ9MONuZRihUWpXyKgi1HjDWn4Qn5o/m6U2SN4601vwHmkdDuvtDCoQtwaziT +cOPzQ/0TzPdvOGbyupubyH0mkYzs9t3RYmSbDM/EWmhcHWuhzzG398sIbOYK7Ile +rQ2w86uZH/vygeZAp7dUx/NfjKlFWydukf8Lw2L82Ux3K80zTuuI3+YGW+k5hoWr +k/FrwxOIZIGW+1TLYpC9nStpSuAiJ/P8/XH+V1xO0uoq4iEedvhZQOR6psvuR/nP +PZ6nJSpkBKtaZOsTimKYvHJLuI86fVEn+VEIqoBClkXtjTGns1bFQ+GwWedtM5F3 +uYwlIrIcOWIttTxoTq9lz6Q0i1n29dkgQTBI+LE/u1vc7miHe4DKoDpZTc+NbrAj +eKkuKCONbFgvpuD59BBI8NJNR1AdgqIUJDRXYudlOUVGnLRHfNE+UvrxmIevMg== +-----END X509 CRL----- diff --git a/config/testdata/self-signed-client.crt b/config/testdata/self-signed-client.crt index a0a5cdc6..ef7de8d3 100644 --- a/config/testdata/self-signed-client.crt +++ b/config/testdata/self-signed-client.crt 
@@ -1,30 +1,30 @@ -----BEGIN CERTIFICATE----- -MIIFLjCCAxagAwIBAgIRAMMSh5NoexSCjSvDRf1fpgUwDQYJKoZIhvcNAQELBQAw +MIIFLjCCAxagAwIBAgIRAJhzsQ9PS6cSzJuE6HX04fwwDQYJKoZIhvcNAQELBQAw NjELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxEjAQBgNVBAMTCWxv -Y2FsaG9zdDAgFw0yMjA3MDgwOTE1MDlaGA8yMDcyMDYyNTA5MTUwOVowNjELMAkG +Y2FsaG9zdDAgFw0yMzA3MzEwNDUxNDJaGA8yMDczMDcxODA0NTE0MlowNjELMAkG A1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxEjAQBgNVBAMTCWxvY2FsaG9z -dDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALtrXxnHr7eUM7Xh7awY -LwompmuznbTa/8+OsihSaelUN6RDsAdm7eOMA7KMqZB5NOfeDqEqMIUoaoQ1gzIm -0BJ4dCgi99SnA8b0MjAGqUpRJ3gLLSXsPa5647gxUSP5zQ0hWMMgGaw4rJ9LDOtU -z2S8dtqKTHrXl34mpdsLrZyLXwyz8UJ83Jq2Ngx4cApZrbs+g1XlMRV8Vh89Z2bk -bbKmDYmIOhTeE1wLdrZ/XecEOvkGZcj3bWiO/yTnP8mTER2hTvSxUrpyHn/55LkU -8PR6wCO7hntZ9LLWxg85XTRdWL7cIyjgJgfL9+hVQQyNEjWC2+LTq1QExqa+IxoH -iL4xX/1y+6o1W5XKLf/uplgaWuSK+mjQeqc387DwYbj61QWOjCoaJA1wl6RHuGGV -6ygpdAO1l8o+2U8nuULHW5lx+1BtMG5ytAXy9dWPercs5L8gh1IRNCVXWKsQCCWg -iG67nErFV5iRFLuAIX7ixLKJ5MGp/fVKUI9V1EViM2GUU46PVAPhhlZ1qcygjbZ5 -CelBnQ/XvGof5b4zm4eEgCc0ZkqsQDeS5jPjTtES8/y5WEKqbyijmvx2P40nuO/d -aTxNretMwaptWzu+WXHih0WG2Sq85m41070xsIMEwlqSfdiOOPdax6393NJgkdM7 -5NKC3+pzcHK1S1+x/Guawv0NAgMBAAGjNTAzMA4GA1UdDwEB/wQEAwIFIDATBgNV +dDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMQmav6J830Zg9KDziF+ +/hZVo7Vj+jqujqPrwITKvVM8FWTPsv4KyniLoApKvLpetOEEqoGNHboMXMEmtu9E +FQYB7J4xqyCwo8BIyAxpqj3FqX1J8lkpRrSYeYPB/W2vfMX4spP6jJkg3KCQmZjf +zVliCY9xg+S5vObxGBQIa6oIce8zVVLWLgwHzcGhspF2boh31OyKU0KgnxAI3TSV +mNThVi/rbP2Jus8/yAuZKy1F9U9MF7XpLLPp4JZfzUsE8FBEIN+yUIzthteg1stF +qiJGknTcWHpmq1nOmV41CBEf9fvHhyQHpMFWhfHY2ga/JE+4UuJTUjtZSiXpC/qM +mJAYHwD816fqREWl+zWX7MuYBx/NY3LQCFn9TWBkm9zqND+UWXp2oDYA+/TIPzDU +xiHt6k3UhIfEZYc/ue3I6pgGv8B3mnoG58uQ1Z8HI1X2za5cqiFahw9z13SoKaoB +tM12ZB5/0FlLQfTmFCVDM12rtDDpKCWiaPlXYEs8QPbr0t1ik70aE2tDQtlwTgnG +1NQ3Wq7sNyPui3zQfhVsrRQRTu14ZzAp5GgEtbF6pHXoNxygXkH4pSnmpHeFjrVA +6efSu5grCiinJamLmf9YNxkqebp2YJcXxi0+65h/2cv+QyQYNuFdqbQQiRv5jYUK 
+Mkcp4cSPg9d13+tTf/dqx+uVAgMBAAGjNTAzMA4GA1UdDwEB/wQEAwIFIDATBgNV HSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IC -AQBTLnU8jFCmYpPUBOqj/xzBqokiQK92axG/h/3JgB7fFSLzUCV3NtvwBVCU28rA -wHwBYPjmGhi1vyHha/hb6V2WMPt0jhMRpNxCf16dAMoyIoWNas88vU2Mef90Chfj -8e6wLtzqAquX/ruwIfsOMnbcSGuh+y54DspCXgsTZ9cnCI2lnQroXZi4WUqi3Enj -mFPpVc+mMlffGW6LISo3ehRLA7k3/01yJhqzpTQw44k9ZfJ7VXZTRJKJsaqeljzV -VfzDbDfW8ftbZ8IWQGAOQfTa23aHIYcvJfvyxpfQRyrwRxjGytLHoOH/G+1TZuOt -KBJ2Xdi9qrr+Wep4eNJm2cTBd1Fpr0hWZ9K27BwwYdZZF8Eu8eP8hSeRmA4PqzAj -HauCl8PgWJIWzMloXVZaGxiYX7sGVs79m/Yl9A6+p8RTpK7DVB9+sDIiD2bhiZqL -i9YWM8aD2cR20t2ZkuBBPlVTOouF/WotOWrLhT4J+SngkdmLkAjP/5jPFvpTfeGi -THyAmp4gigwaM0nIZskPcPCbkk+zFYPToyS49ZJwQMzqK2hkjyQ9LyzUdo9vlDjL -8lFjlUZzqaR0DF3pbf8fs5/16gPurR65SU/ebOs+uxZLYJrP2zKmeISE+q4AMudc -rQ0Z6KmGUiXnIvpB105UJ7jlXCxbsruc8gRTbjkgW7yoXg== +AQCm5wZAYYrdQzRKOpFhlCB0rY9HH5c8ugKt4N+h/vSC4mMKT3rFhSaW5Gq47auY +797o9sC7rFazwmcnnpg6EbGHPtSr0BKy9L1gtRLnL+yEOW2Rj7yCvsEU4Ha9IZj/ +Ui9932BVkZlVKSpSxC6RYf9RBRjzF1FS1rP/XWCXjagKEecnuMY04AkCuLYEhMVt +bT53vuG7MkYO+Az0sIlN5nBIczM46uI9MBGXzOTPtRVkb4owOG1vSgsyAWmJJsJz +BT+Z09JB/6EfItQ1lHPMuRevxKDA9JNGpXIss9sZdrCSGlZYDW0Qv5VnevWEJrMq +nLJ+V3B8Qk0Ug2a4A73mZElbdDNeNlntfOGY4xD9naWkwUEYP8K281o0pKcSndH9 +UBNHmoEeWBNKz8BdYDM45LaAN7Q/vLen1MyWDhPfCEghx5muBg0xmgBVLZpIhJaW +h6TOnxeoN2zCAtWiX0a+suCNxQFXpm+z0D3JuMK6uZPX+DLR7XJi+XAFXbqT5WCc +tvv+wEuzobyxXpTSo282pxjvHKVd9/5dPw6FOQU1QFhdsjCvFjkIyPu1yg3Ss1c1 +GelgihSTTUgS3k/zmJf/4r/HnZDW80cX7pIjXXFox9vBpcLDFah608WX3UedGzNl +zJdcYCbc4BBcEGXQjW6kDkEAxw/Bl2O/A/jJGAhE+kZ4+g== -----END CERTIFICATE----- diff --git a/config/testdata/self-signed-client.key b/config/testdata/self-signed-client.key index 4e4b2c2e..46538e40 100644 --- a/config/testdata/self-signed-client.key +++ b/config/testdata/self-signed-client.key 
@@ -1,52 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC7a18Zx6+3lDO1 -4e2sGC8KJqZrs5202v/PjrIoUmnpVDekQ7AHZu3jjAOyjKmQeTTn3g6hKjCFKGqE -NYMyJtASeHQoIvfUpwPG9DIwBqlKUSd4Cy0l7D2ueuO4MVEj+c0NIVjDIBmsOKyf -SwzrVM9kvHbaikx615d+JqXbC62ci18Ms/FCfNyatjYMeHAKWa27PoNV5TEVfFYf -PWdm5G2ypg2JiDoU3hNcC3a2f13nBDr5BmXI921ojv8k5z/JkxEdoU70sVK6ch5/ -+eS5FPD0esAju4Z7WfSy1sYPOV00XVi+3CMo4CYHy/foVUEMjRI1gtvi06tUBMam -viMaB4i+MV/9cvuqNVuVyi3/7qZYGlrkivpo0HqnN/Ow8GG4+tUFjowqGiQNcJek -R7hhlesoKXQDtZfKPtlPJ7lCx1uZcftQbTBucrQF8vXVj3q3LOS/IIdSETQlV1ir -EAgloIhuu5xKxVeYkRS7gCF+4sSyieTBqf31SlCPVdRFYjNhlFOOj1QD4YZWdanM -oI22eQnpQZ0P17xqH+W+M5uHhIAnNGZKrEA3kuYz407REvP8uVhCqm8oo5r8dj+N -J7jv3Wk8Ta3rTMGqbVs7vllx4odFhtkqvOZuNdO9MbCDBMJakn3Yjjj3Wset/dzS -YJHTO+TSgt/qc3BytUtfsfxrmsL9DQIDAQABAoICAAyGlIiIi/nc8cfKHbROuXYY -Ny8jhfq8WDRq+QUw3Ns3QbC8xVr5ShTXGrgoJnz9XMfSU2/5/dwoY1YKrYYAig9x -9XFpRN71eo8lauVCzLWmzth7Br1uGIE8vVNmGGIrI8Uo4WHJF24nK4JJ5cckl+fH -oLniXFIpbnqD4rnNAgFgXy3eKNWkuqmsW9hhhDts2uuUtfpbovgooyjbVbnOsnYq -GuWCMT+LyAdyzLBNutzhr39NKihQQQOn6u1wdxbluVMdoMVBxKGpVth+vwaPm7r7 -KTQ6KDa+QFhjekEyOERzqKa417C3qlMDEsJ4UCyikQD6ie+S7fRjjVM/ieEHd+AA -66CbJ8u3yfXxaicn+SPCeHVKd4GKmJgsg1KDSSg0+w5JWwmAiCJjEydX2HOdx2ys -SV2C4o+gxhA48U8ZgGTVoom0OgouQ7rnMd6n3juBDq2/Xp1FeDcE39yEffN7t4XN -vHfD7Hjp5capxVyEnpzu0tTVf8KP00NJKtS6I7d8IavUBCgFiJZFXJWdsbhgSsg9 -UdypUMd6rW81VaaKvi3JSjWwFpmUVAhr3hFNyQB9+2rxvDCWhUqFKWqjWdPfMgxx -qO6eam1S22vrZcyJVkfTzArFQd0J/41Ak0yErLJKLTDEYaBRxFPV0ujWskrmU96c -f+m4/k7p3sD8KooXfrERAoIBAQDWSmsFzSOugShur9phJV162XrtbOnV7n1Ko0Vu -U/ftohC5FNq0kHxAkY4kGMz2QHdJnqpQoJaCK8pJ+8nA1Osutt31tS3YrOotlNwk -KsFSiy+i9xf4NcOr9xKoSEstFPJeM650xPfVP1p4sq87BB2Z3uWfLtWnRxTJnpA2 -nwwtdrK5fO3pZnVlWQ4akqbndCjUWURXVOVxDHCyDdwoiz3BpGmVV6jCYanC3e3S -E7/OlRLJfRAXoCEbzFsQpsOYncaEG7cAz9pBBXA6VVyEPlVyMG0GHs30W7aG5Bfp -IcbhacGyjdV5Wwx8WGun1pOHoclLX7pJ6jOXLobpUVH4FUNTAoIBAQDf5gX9aBqK -QxBYcqhZ0aby9K9ZAXSRr03drf4s+TXSU7rUdBqV4BRj1cjQLB6pxpo2ryLoHhkf 
-tLVRnEWpRgSlfu7qSYxU8rNUacAKAPnebjQxU6NMVzFx7zDQz4TJT2StsxoSIw+l -O4MwWDvIxHcpjIrl1eZh79BSzrq5dsf3vrPCM+Xxivdkx82WJqiVX/LrY3l9R+kC -ud1b3O5vFdhpo8e0sygCdF0+sC0jwE82SCjMMGHMZWd74rmkuHFpJ1xSQf9/jRCf -yKhITI/su21FS4rn1rApWpzAvhfhV7HqnwWzFTtmLeGsI+yW4fb1j6oK7t/rVZ+p -lnwISXpOPBIfAoIBADnMttNIwsAV7F72pdOgLXeuY37Y6rWeb0MLiPW6RlxdY19Y -pakgc7NCz3EjE120g7hiyJOYzR/tSdHszT1q8MiX4ISeyu/vq/aBeWNz+NMX4dB2 -D4wOjGm86dZkMYrGZJ1OGVc7rZFiVjfKEoO7l3Rib9Mg4dYN0SiU0Vc6TSGSK6Dm -dpGG5lFg1PIL7mLtrPmh3lIj/wMgFOGh5Wk2LYEmpKf4jfdoOk7qZ3RLiWfiQ7// -MLD+qw+BbmquYIGwxNPrWdApQDhbjCrfzWWKHqf/Mdj9xBWOC0yVB3IFf0xbpzhP -E255RYPgoaESupZR6CahenDnb+TuUstp+M8OhSsCggEBANw/9gJ65yi9ohWv7MY2 -g+maI+gFk3tAnPOGFnR9TqGxdidKc2CeBtDS2/FUhXFzif5jOI5oFUToSjmW5bwH -wchfXn0gjqh9+0T9pkjw/tv9QuCHKyuM1noC1t2CVliF/j8U4X+X9+sN6RakpWLx -SVuZAoXnbfNHqoHbFToei8W9Vi2jSf7bOlRsbGPZcZtHwLonp7pDBAeHeSbF5dNn -BPWehHTQjHolqBhjzHPP2NxIDcIXkg00b6Ehvoc4XXAYpSvR+pmp1gGorUo57pbt -JSe2kVVRDwgPOAYuuWUWFFH9zuiE6WKxnb7ts+4VKRAVHCwXIjTpjN+Rxj+MsIDH -fPcCggEBAIRgZPwB6eI+rvYOPUGSeU681O+8/ZgjyAi8HSOk3dCc3J2fX31m/GsR -xM+FExbGYJ3BfdgB9YbLSI8eY7weJRodm0FoCuHePu81z4xj9yEi5hBodXhhDjQM -/xbgsSWeotQ+5lTmc5hgve1hl+3t09qNttHaELWASD+0ixBC6A6J4GB68ZKRIunW -+ZGiEvrNey6Uunf7T/Wgc+VDcA3HsniaY2yTZY/jWsmDxt/BAwUaQrNwAbHvm/1P -J04mvCreWfOITe7CURcLq4FMGzsCEXtdQ77/uJllew1Uv2Yn2WFUiqVxH+UicR1P -vOJ7/LvbOa8BlIMsprB2rz3PDSUSaIw= +MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDEJmr+ifN9GYPS +g84hfv4WVaO1Y/o6ro6j68CEyr1TPBVkz7L+Csp4i6AKSry6XrThBKqBjR26DFzB +JrbvRBUGAeyeMasgsKPASMgMaao9xal9SfJZKUa0mHmDwf1tr3zF+LKT+oyZINyg +kJmY381ZYgmPcYPkubzm8RgUCGuqCHHvM1VS1i4MB83BobKRdm6Id9TsilNCoJ8Q +CN00lZjU4VYv62z9ibrPP8gLmSstRfVPTBe16Syz6eCWX81LBPBQRCDfslCM7YbX +oNbLRaoiRpJ03Fh6ZqtZzpleNQgRH/X7x4ckB6TBVoXx2NoGvyRPuFLiU1I7WUol +6Qv6jJiQGB8A/Nen6kRFpfs1l+zLmAcfzWNy0AhZ/U1gZJvc6jQ/lFl6dqA2APv0 +yD8w1MYh7epN1ISHxGWHP7ntyOqYBr/Ad5p6BufLkNWfByNV9s2uXKohWocPc9d0 +qCmqAbTNdmQef9BZS0H05hQlQzNdq7Qw6Sglomj5V2BLPED269LdYpO9GhNrQ0LZ 
+cE4JxtTUN1qu7Dcj7ot80H4VbK0UEU7teGcwKeRoBLWxeqR16DccoF5B+KUp5qR3 +hY61QOnn0ruYKwoopyWpi5n/WDcZKnm6dmCXF8YtPuuYf9nL/kMkGDbhXam0EIkb ++Y2FCjJHKeHEj4PXdd/rU3/3asfrlQIDAQABAoICAQCBWBQV5UH6rGiQ2PmEfQlw +EOjzJApNx+2nij5ZUpel22kAITYW72a0Nt5B6yaofusntrv40eVYWe6QL8dR38M9 +QueVKYt+8vwIP/YquULZmQ464Bg/U0icri7zA2jqe1377hNUIVO1ZkYWW0Pt2ya+ +WjeTr3cZzKEUaMdH7oWQiiEXavJIvZN/u2Wi2c22vjIFK3/suwpMVT6OhEnZ8wvk +1PLQhp5IUhotsBFqFIa0Q/2PXM4F1szzlrXSczoczhTp2QMUf7E+PSM97YG2aSnX +kFHjXam6jRlRDztzM+Ut5bV/YgNrbt7l3vhUknqzGDgJmbKOLAN9v1N1zEdp4Gx4 +8KzD1e+5LPBI+C3qIWJVFmeBmRcPK4Oy2DmnpvtCePNexTOxZ6Iic6486TePX5RS +ZSWttjZssRHbfEgMnA/w1P7fdE64KayCBAxobeU1WDj442uCEDoQWLcvwQDt+AP6 +EXgw22mP5ZuqSTX+T/KeKi62KUP6PaonkBcAAYBxwQYRdSQcxxLcFZNGoGmpqGy1 +PqKeiKzIF/XG8YLjMzJlxCRL83EazLOchbPUBoSyGp4mBef5J9U/yjig+sKxMXzN +arKP/aqMBh0WeeOnaV7Y+C0ds6wiuAn5RMsTzfOmS6LqDcYlTkrPshYEvhdIMEh9 +AgShzcYkCJvB/UurCzoBwQKCAQEA14h10ualNZ6h949ui7ozJmrwJgkiGubqXkCr +9PDjoeLKscjoB9JdApWhZ1+R8X1TBcGYVGKMRVGAkfwv5RQkkakqIjk7yizLO40q +3MLFoSUK12whAfuHGLaFdIWW6rEfDLIvUxNRLNQiyNuzVbrKgTe/CgMb+J6BNhie +yuGFXy58YX7j7GXsu95cTbgmODut91XSZOMweoA/gN5Dv9TFndNRGgzMBIZo1Kma +gLVtztrk+ozf3qKsQjGrS27ErfwWzWgKjPNhtGrTdwYSpQwNdvvgj0GIPdyCM5V4 +O/Iv1tTceEKU6Rg3pN0+iTljsVPmJIaAoUf95zmDA7+SjHw3JwKCAQEA6PpR5qBz +/LflmQ4G1qsFrEyGFttzefiYfthjHIdgF/IoQJJVbCEZaNVPKfg2Zfa3oTdJwqTC +3lcmiSKhJbrjdS9MYvG1U1rrkrWpLl83uxU/7anUA6U27Hnh4lDdM7iaehQcvhGa +Xm58Hrw9MeV86WQVmo8TUjA7UMXra8c1QsMq6dPRb1y5JcXx4cEkwMs09/CYaO5v +9ztMn0aaejMNZLt95gATmKDzkcNWCc4XjV59AKD00l2fq+LbFl7+AgXNX++XkWu8 +tUIzrnCoqmlNV4TswmIfysSBukYm8O2mlYKfq8zyY2mYfmdkwoa0lwpHLbkTGtP1 +5111hu1db0dc4wKCAQEAzwZuVkPhEN3sqYQGJQSXOSGixoYjUj/Xgu0PvtjbbZYQ +KDDYXxr66A6d2FN+Nb2xT2gjT3rRTYv5uT/JKXrtnVQl+nWLLqlUFUGFmEMl3aFd +BosAMY1OuLgo/EGNMqUrM+C7gEqfwDWLq+8MFR60gOXxBEb0SRzG9BU2AZ4Zo9Fc ++7EMcPd+Kv5tHuHxJDZ+5YJz8yAeYqxpUvkrjklsACsITcNY/Ee2zf6TP2oFrZmo +M9m493q9h196L5yYIp5vsKFs8PKeONQbhso4gnxPOqi5jCDgIrt5/N5nfP0mYm5X +ztP1gOgYGq3A8cJENgJmn1LqnwAtrDob1C/hLjvqJQKCAQAa5Xs7Et8RF/Hrv5DO 
+i6P2Bkecr+0e8bI5QqX+jypq2UwIWFyARTn3vliLUdqF3vvIIufjDr5oiMssHdFY +18CWsMUyzxDN9LspjstfTSLT+FoPCAIwAYzbtB590DQZWoCLA3NmBgY6TKsLqVOv +RP0svJ853rauUF8orhDFupPNh1aW9BtDrgK596Y7F980WsFctmwCATTv5+qqoK4I +2Yf8TyDzwqKAhmRYOaLfMunJKlVoEyzwdFqQr3n3lTPh6+WP48stwLBihKgOxXbT +ZaDGL9RdhJKDCDip1pt8SRNoQ1JHtTtueqxeO3WId6C1pzwcbTdla38CHOoKj7Cv +vh9dAoIBAQC7/8tr3EntcFd9SEMU7i+WnIekDrAR3fMoYnJyMqyzWZkombc8lj7v +iilWKV3HnPvH8Muy2Iw5FUp3OUxOGGa1S1SJKSf7CdCvvdJBRLvMvjQ4BFuje0/G +rxcphxbqdmuOjieakNa24i41cNE9SESCfx3zPzMJIUFXGmdOE4sYts3FOErATZ+a +FXzM0AMrEtrnpScKZKiIcy9PqfaMRUbSfOB5e/4IM4kt+xwgbpa4jEBK684z/Kh+ +P2KEB5mwwsjXaWXyZzhA0S3BeNf78NkJ/Va/20YlBM/0rFzjgzOMHfOvFpqsfVwW +1PI3stXnaLqhAbfnoTRRyM1/QKwBhw9a -----END PRIVATE KEY----- diff --git a/config/testdata/server.crt b/config/testdata/server.crt index 1b86f58f..f1da09eb 100644 --- a/config/testdata/server.crt +++ b/config/testdata/server.crt 
@@ -1,33 +1,33 @@ -----BEGIN CERTIFICATE----- -MIIFsDCCA5igAwIBAgIRAMMSh5NoexSCjSvDRf1fpgMwDQYJKoZIhvcNAQELBQAw +MIIFsDCCA5igAwIBAgIRAJhzsQ9PS6cSzJuE6HX04fkwDQYJKoZIhvcNAQELBQAw aTELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRowGAYDVQQDExFQcm9tZXRo -ZXVzIFRMUyBDQTAgFw0yMjA3MDgwOTE1MDdaGA8yMDcyMDYyNTA5MTUwN1owNjEL +ZXVzIFRMUyBDQTAgFw0yMzA3MzEwNDUxMzRaGA8yMDczMDcxODA0NTEzNFowNjEL MAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxEjAQBgNVBAMTCWxvY2Fs -aG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANPl1Iv/z+M8jHHU -SggOhvCS/0IfNi82+OprwalmhSL1FyRrGeHDpKArIrHhal7oukizJq96wKTddUVu -hjPR7srSYX7J2oPznjb2FmLHnD8y+zxO83XNA5WCDB0yA/KhWHhDmd2pihTTZOo9 -jvGi3+LyIqXUeiwIpxuNnH2ghoUy+DTzNCknLkIKAVnDPoM1AI0Wu24rs14A8ZVW -ivzY/P8xGwlMmDndrrHwJzMSEMeH7IJi9hx4zJalpoYTVq6Z0Rv0+7SpS+iswi/e -MILDhmSvLw0R4x31xkzsPOtUsocVjgBCGGGHo70ISsAxsL6E9QFe2uwZSvbBKfou -JaM0txRIZahMeHy5egh2+J08vuZKo9PDBWwKwqQZ4Kb7WtgekiycLmFa/OYHLUX+ -Ow8QXu5HU9v9XlP9GV2FQDka2IuMTtS5JCEt5e9ddSb4KVbkRAhfL2snA+w0nmrf -CBlrlThFz5Evy5QNAo1ORwiE+8gNUc12EAu9K3TK9WSUYNrLCbkN3oBL+DVp8Y6q -quUpKEbElhsJ9V49Err3LPaXpz5aW7Th6oFq7UOB7chqKQ2SNl3/hTlNUw8wFb9Q -i8AXs+4SzHo41IEe9QZBvpeucVmdewbJKvNS8Uxs2wmtTq2G2Ae3qGzWl682J7aU -w1X6Y46OanQDNtDVQvGN1CW5kvCXAgMBAAGjgYMwgYAwDgYDVR0PAQH/BAQDAgUg +aG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANKg3RLmRpZ8XZhc +YGrU9SwG0FTzr58cb5SetDlkaEIaSuGetAAdw1GXVDGwqqkORqVhEJ8fkhxmA5so +SGfVRLeKH+SVQ6uP353C4x7PWe3SvtxoN/IIaks4rUHJHZLs3ceE0BM+muPw6CCG +rD7rmBK01HhKPiCYNklcJX9T4SlsQ7WHLx4pgQdeCDhj2f9hNRHXnl7dHxqxHu9c +YiC+3Qw0IUBYToU03qDdYqtiXnLoeKzHUWAznhsMJxbIyPI8cbmwPSBgWK5LqqoB +ZtWvn2mCUAr9nU2XpjBiPlclVSlROnEZATJyL+552icgrqhOt740NvRw3dXcrfQD +8SlLXYH9h7vZCF8lq16Nzrpalu8q25VFbta7ZQ0Cw7sjxivrm4448s8pN94eqoYp +aEG/C6iydX6uK2/7cdRG+e4R8ZQ/4F1oggMMP9GWY08ttKhv3nTLyB26NdYzoaEu +4Ef7Ja45hf3nxzK2iQCqjeCrA2ufWWi/qPwtYqUn/woY6zJ44R2qFo3YIoo5qwf+ +PdRbJIMWzUOSf9vdsdUHHxT+G7ny3KOI8NiJwdsvxTS21Fll87HkC8SATrsl9qYd 
+TdNu1P3XB3hE6qFQXl4pmZtw9dVuSi0DwwnRTKdleR/Qx+1XuJGLFqY7GER7ZYQ4 +3ethni02ZOlz1FGXgis6Qtmlr8L/AgMBAAGjgYMwgYAwDgYDVR0PAQH/BAQDAgUg MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB8G -A1UdIwQYMBaAFMaaHh5g0+YopeLd1IkizXyK9K/zMCAGA1UdEQQZMBeCCWxvY2Fs -aG9zdIcEfwAAAYcEfwAAADANBgkqhkiG9w0BAQsFAAOCAgEAUXL/lzbgbs6whVrE -3wkp0oDGVZ0Jti1hpeQk7Slt3PHsgu9OQOSGcv9QHs0ybhkDWZQjoCH6Nurx5QaY -GnpNQjylfy3zAziO0c7C1uXf7Z9AEMQwbOHFLefnvq86MtnwJ7sadQo+ViwtMgOW -He4YhkTyu2CqK8GFXRQUNm/SunffXp5zErPCNQURh4hrDUGlXPzyxgx1DyqFvF4S -X8IpsoED3d7cbEL7E9dgXNl7wuy3qoPi9P9KydFTIELBGt1oco980S1attSM9159 -t9iUIUMT4EdzmZxpIyJMCD+Lz9Y3zWVyz7DTqFWOtAtmhM4lu44K4S4d/JfAGEal -3h3SMCbBPKwpsloO4r9TeGi2f+T7hfiFMdCezEyG8sXrObCDyVudyUnXnxDkZ5TQ -NOzqJaUJHeKzb+Z9WSovce3Pb8ok3GoDugmwqyjuN/rz/0jsDTJm18I6HHtONbUp -AIV/H/4+Kewc+Ztv97J7MeQB/2VKcY3vpZpMSEkg2ummRhXUfi0haxfoSCKvRwiD -BElUVtwHTsn3OBnKMGcBt32iLVsvbb/0AtNpohznPdQT7dqDVguejmwHn/fc4u4Q -vfAay/ACARti9XKGplQi7xn+OoYcAVPLYitYBRNEc6t+4f3EKehrDIMRCnxOFBVX -9Dnm1DebturSQQEOuX5rP15lG1I= +A1UdIwQYMBaAFAoAzCK5fa32Yi/QFHlVTvarRTuBMCAGA1UdEQQZMBeCCWxvY2Fs +aG9zdIcEfwAAAYcEfwAAADANBgkqhkiG9w0BAQsFAAOCAgEAwPVi2TjlgpW/sheF +GIsJba8hcBWzyHs8Ha0UQ2PPFTAWegnPnOt/9oiP+eBLh3Ej8CTHCEzmucrbU98q +hZHAw3TbZiBsicbNUlzdDqdUPr3hbGfPhwRAiytYx1rnuSocWxhue1gPEkoWZV4R +hrpCZBHCm9eLWFOXPHRzLx/NjR3Vc6JZXrIE5lD2rwThANawMkpqzgvilGvPdJxo +ueM7eCcacWblGCePwdLPQGnrV8gYOU7xb4lFwpPRgRU60S1vuUx8B8nb4NLxU2DL +i4v5B28HntzX/+uXOtSRoxyvjhJTLyaA9j6mUJtTRJ1BKRTLFlA+7AzHvAg3R4LN +P/sqjDptbP0y8H7t3vRzVPkAUZ7fVXtIvQB15ycjyo5fNDotX4zyQI1fVztkFSxF +DgePisY2fMu6PZw8JSjHem9MEt4DSP+Kc+r3RW44N0py22r4c8/fE5fHAFXip/sH +C6J34c06q5reP3jtczc8wuHhBpQr/ctz3QJS6VqlenfJKnlUjDKvBqp3qeNkzX6t +TGdH6pIfLg9tTUqOI1qFHBxCexP6urjRI/U75/ye5ds/qiPi6e4o0XSED7QrMhFO +atPJcGQ7C0vESbjVJDvhxVpZ+uBT7Gopbwg4NeuPOCRG7XsBsba6s3rM2DJKl9ly +8xsFhNDnRqayXTMnwTfwhoPRSSo= -----END CERTIFICATE----- diff --git a/config/testdata/server.key b/config/testdata/server.key index 678da7b1..fdfd056a 100644 
--- a/config/testdata/server.key +++ b/config/testdata/server.key 
@@ -1,52 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDT5dSL/8/jPIxx -1EoIDobwkv9CHzYvNvjqa8GpZoUi9Rckaxnhw6SgKyKx4Wpe6LpIsyavesCk3XVF -boYz0e7K0mF+ydqD85429hZix5w/Mvs8TvN1zQOVggwdMgPyoVh4Q5ndqYoU02Tq -PY7xot/i8iKl1HosCKcbjZx9oIaFMvg08zQpJy5CCgFZwz6DNQCNFrtuK7NeAPGV -Vor82Pz/MRsJTJg53a6x8CczEhDHh+yCYvYceMyWpaaGE1aumdEb9Pu0qUvorMIv -3jCCw4Zkry8NEeMd9cZM7DzrVLKHFY4AQhhhh6O9CErAMbC+hPUBXtrsGUr2wSn6 -LiWjNLcUSGWoTHh8uXoIdvidPL7mSqPTwwVsCsKkGeCm+1rYHpIsnC5hWvzmBy1F -/jsPEF7uR1Pb/V5T/RldhUA5GtiLjE7UuSQhLeXvXXUm+ClW5EQIXy9rJwPsNJ5q -3wgZa5U4Rc+RL8uUDQKNTkcIhPvIDVHNdhALvSt0yvVklGDaywm5Dd6AS/g1afGO -qqrlKShGxJYbCfVePRK69yz2l6c+Wlu04eqBau1Dge3IaikNkjZd/4U5TVMPMBW/ -UIvAF7PuEsx6ONSBHvUGQb6XrnFZnXsGySrzUvFMbNsJrU6thtgHt6hs1pevNie2 -lMNV+mOOjmp0AzbQ1ULxjdQluZLwlwIDAQABAoICAQCxGs9jlBQ1YU4hdcXKphmy -yan/ogavv8qcZCQhakasyRzmm32ubM8T7/m3oyg821eXm+Uhlf+dzFtQBOi2NyjW -7LAAQMYas2vxlA1x0lSNnhbOeU6Tjx8HvwJRBJS4HpLLMfVQh3uZnHYkMf9fhzqJ -fMfowoa6dyD0ro+1kI3elpNN7lgSbWUEXUhztfRxxcMIKY/OrUflsfQ5VXQlkVck -E+78/r/c3aQ9pPOeg+LyYnETKZN6iJy27Q0Z0uAIXxefvksC3N1NQ9eqGpOBN9sE -HEe/LMwfJmTvtiPUrZ3pueJN5PBr0+rO/Dc+HEoVcxs0Yguoehtl0l07dYaPumep -TmXdrKvCkwM5cwnbXSWrCpqMS8Medb3zWvNnWO/mjRwTZyhmNdscjh3Ilvo+YCus -wM8HJFD4FuMtL3GtIfoKeszppACTkOOYiViGHmKUiQaSEwF7nhuIQqgN3ULCP7Z5 -mhL2RhLWacPfATITNkm4g2o16mFohZ9HPZSkPGm8rw7yhB1s2emoocXsms2iR1oa -mggNnUS3m87Z/HmOEyObIQZtYf1ZNuVAGGP4kmhhtNfMTmq3CPYM3oMRR1nb8Ci8 -zYwjEIvLYuDVlZFff4+IA7tCBZPichieoioaxutnYtO+nvuzDRiitL4my2EcXeE7 -tcIunkP9u5BNiXsfNcy3gQKCAQEA3X9eZ/IPF9Rrsjwtqkt7Oxn/uJ8JCotVBLnq -SCd7sCSaM06jUzMjMoj4SYyjzBYLycH/q+euT4UoPdPMKCfwx2NgR87MfuehWzwG -pmPbAbLJtLmZ+M/Bz5QzGS3J3f4qYxLptLHX971JgtTdcJhOAc+p/Elt3l43d/fr -sMVrZ8hqHlXmA6WuwqHjHnGP1ML6xFfsjDZ2jQ3VEV17XKtinucgitvkVuHYmtdQ -wm/yrM8vDkyglgk47j9CyfQdL10elBxe32WY5B0g9TmhIMypmlJk7inPPnAqJ4TF -JJBMvZOB9cJAjrtsDN3tAW/1q+wPF1HLwurqTLluZEc5MVjaOQKCAQEA9OenKlxB -5HiANjH0riaokFDtjC27iHoeBkbEt+CyegGXVHEotVcKnG+N4Tw/GXcS9m33vu/X 
-Lmeowp/Z2BKxB7xvw81jQh8gEoUHFlH6DgksTPjVVSEa4wnESrqlFjRquBexpU6e -X//xVD72b0txAqJvpvtbxZC41WIwUBTBkHDlj2hegEzUvgzdO92FPRUDrAgB0wSv -05U6fh1/4c3XTHqIHK4/gxiVRmjnpEdjEbOZsfbN8LGQK2eq4FkIS870VKigUZ/U -m2YB+8PKKyqKdXpWQHMZ9QvXoU9AwMw4Q+NEk4a/ZrnnMo59voKP1Qoqhd/rEAP7 -xa1AMOAl2DhhTwKCAQBdY4Z6bSTP91AxJg5a7thWYu/e967oMzb1dy3AnmUYL1aU -q2NRgQ4mEHofCJ1HP0RZHOKfqF9mR85fwx0hETYD23KM1DSEjUULIpPrM87zOF6z -RE4XCgG9c87XnuauIqvceezvssxMOBL2hqmW/6BkQxp4tL0ONMtOWcmWDqbqayXT -BISmpQS6K2eHPnpWSp9QiYHC3HO/pUVgvPl2aQx70xd1dKEhwLeDEaWLVYgMNI6y -iLxshhbq3OFcJQDpJ2ntKMkXh86e32k1+8Zj/ebEmljT0ez/dmtPnjtA31Z71+XD -qNNvWraD9k4nfP0oL69tNZ+j30hKcSSKQz1qAPyBAoIBAGBaI3KPCX2Ryx+HV/SM -URU2Qb883uM66EUf4pVVWeKWbatTOejebdZOLUvIICsspdE+QpJkWgxvy/2GVnak -I/IfOPmX/M0u4bdnjvpBFlgfU8aUv5nWhHV+ijO8aubpiHMVH1ciLz0lvRSgEOSI -kdWvgq33houb/Jw3HTrkb6McR7S8IzHnCGwdM40yAhGeCuvL2qvi1CoyM+kaQg3c -pi/4pURjaalyKoihDUGctGVqe7WAnFVuBoKNLrVFUfZBXe9QyIJUl5jr8SvUQ93n -xsGhd/2zSysVlahpPdicgCZ1a61+/h60VTmWxfIF/ACdF03EYv7SEmQbXX3dMgZ3 -aBECggEBALXqdEIkb9pBhwCvUHFG+c/IKBhS6j7BUj9PrZ3MATPXHo6Iy09d/dlV -psFQzWVvBmf3pcI0MEi7xdUMSN0jhZ8xp1owDlOQSM8DCQPFLaC38sfhZNThIfz0 -Q+fWYPe1lkRBtMVSokN1PtE5zETHlUKkh3fdQs0wihX4Wikc64rjCgXqXc8ng8Lk -NCUNBY/7pNfrEm0Zxz+8CvmRaBbL4OT2/hFsdcMiO3P24mCdAPgJ4v97pr8KxRHe -SmOyiSdaAyXHr/6+3KgO5pX8YUn9WiTF2hxo4SG3NQuuva0SBZT9B8iFXt1uFUtP -Rri7hsjysanKPyaPM1oofbRyWApMyRo= +MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDSoN0S5kaWfF2Y +XGBq1PUsBtBU86+fHG+UnrQ5ZGhCGkrhnrQAHcNRl1QxsKqpDkalYRCfH5IcZgOb +KEhn1US3ih/klUOrj9+dwuMez1nt0r7caDfyCGpLOK1ByR2S7N3HhNATPprj8Ogg +hqw+65gStNR4Sj4gmDZJXCV/U+EpbEO1hy8eKYEHXgg4Y9n/YTUR155e3R8asR7v +XGIgvt0MNCFAWE6FNN6g3WKrYl5y6Hisx1FgM54bDCcWyMjyPHG5sD0gYFiuS6qq +AWbVr59pglAK/Z1Nl6YwYj5XJVUpUTpxGQEyci/uedonIK6oTre+NDb0cN3V3K30 +A/EpS12B/Ye72QhfJatejc66WpbvKtuVRW7Wu2UNAsO7I8Yr65uOOPLPKTfeHqqG +KWhBvwuosnV+ritv+3HURvnuEfGUP+BdaIIDDD/RlmNPLbSob950y8gdujXWM6Gh +LuBH+yWuOYX958cytokAqo3gqwNrn1lov6j8LWKlJ/8KGOsyeOEdqhaN2CKKOasH 
+/j3UWySDFs1Dkn/b3bHVBx8U/hu58tyjiPDYicHbL8U0ttRZZfOx5AvEgE67Jfam +HU3TbtT91wd4ROqhUF5eKZmbcPXVbkotA8MJ0UynZXkf0MftV7iRixamOxhEe2WE +ON3rYZ4tNmTpc9RRl4IrOkLZpa/C/wIDAQABAoICAGYFhQ+ieo5pruwd0pXskNTC +eCat4mMvYtyaArHJ8LYUBjFCre1gfTsIEb//0qoQQCfa3DI3GI6o2xZMbMXeh2pf +fRM7OYvgJHBF9bz2sph/e/NGh9K0QMguq70xrSF9me8KZb7slBnUlpsqoEPZ2c81 +x7R8QZuIHsNp3r/N4UIvLpy+3hO+BsGKynCF7RHGA+6gghVxBZ/oKxPFq8IwsOE4 +XuLL4zyiXzOMCD77ZsRB1jHaWZA/cFWpjUV7+9lZbbyDoRgNkubZv9CY3Taj2pNA +i4THU2pCCj1lWMzdSGK69ZPSiMHmjVD1tLU/H1pmxplasUO1Z74vJhML1cQqvR9Y +tI1XueypBgUEnWHOQ1kvsEiO6J6PGJCnV1gWTlTujHsssCVz9My4rg+MvyMPUyov +WJtDIxrf3UVjbsM3urtdjrdZ6kNnkcQUe+L7MV6cjM7qh2A2evV2TzLJWe89q4nT +jwV/TGW8+LifpgzGJHWJ7jFc1HI2IDik24feNAGZjmdM4fAWzeil35FKLHe6tkbu +4ipDb4NoESS35wlXExRVDlQP5wNTjpqpOsDGE+JpNZRju0JYoN1iqXABxF2tcbvG +wQ7wb3UdGJcdaR9em0cPxT9hcCnpAexM4SNThTgaDXgxuGFexuPP3AXJaY8CWJ7g +GNaD6z7/cz99mMluO2ABAoIBAQDk2osJ1V+NGJZMimQiyqyp/1/4JhhIh2sGVooj +NcrEN2qlI5f3E6LMWlMWvtWpe3vwBOTYkEp9BwwFY/nQwuTAO8SZHCFfhyeY16GE +yuZUq+EpA4PsX+mVWcdAcHLQu7uccIFZujX7lz+k5A5bfxvMjaWSUHTcoShdoEP3 +RblGe6KiLQVImUBNg2hpqluhf6u1w8EAgZEV2qxPsl8ldtiUhl2+Zk4SbE1lzzvd +rxBmtsW/HrVXCPNwDtySHNWi3IcMqsXgJn82xAZoWjyv3JKXQWFnp3KLGmnh5uom +xgzLkoe4oBG7GcgvMF+zaxLRthV4C6IN/S2N29NnZrANEMzjAoIBAQDrnOJCPMT9 +15J95IsG+2zuNAM+b5pi7/UVZPAeMIwEioMdyFwQ5cZPQjKZQMdSi5T/UhBSAZ02 +OO71z3LpdPuwmAqMB7Wo8A3PnENov75hjpz++azrCS7NNfizftwzfPvpRUjTlXZ2 +DbV4g0UNDicw9ZtYp2ABH4/YqLxgIZqiyJIJYtkipjJHcYBGqJ4WLRYMD4Az2Zd+ +Ymko4NRQKCSoYUu9rXuKzXBvdy6E2ZqRoAngJ5dCR2i24fWVF3KObUr651xRKopB +wB2DT2Vm0btEWrzYoKkivvi/2ZAUAMBLlmhHv7do9bDCZwhZMiIDt08HMJSV04Ec +24NM/J83jMg1AoIBAEiS4YrBxqZpCKjHLlA2M6FJYfbApezCPPdqlC3sThwBculh +qzxoVrU1Y6oP5JP1m+0WsDfZMjYJ+Q7wkHVaiM5JZeQkHpU7uBvpLch9y6NISoQG +IFziYaHCMcTGpDJ7hlhq+SoqOhpJ8Z3p0H/FhFxPAxWuPBEHblSakVMmIkYuyPlj +C4zlRJYQORlhM+O4KAzhQiBV9luW2BQB/dhUowQexDWwHcwL2lOR72syrCHWjkk4 +hMtQBFsh62LOkBUwmAc1VMDrlGYaremDzED80uPykOAdIt7oBnHkF5cqMT6RfkbX +RCgwWeJVFdRA/VvRwWcrUT3cbwjQkG73CpdqH38CggEAVT9OHeke3TlCJ4qpQr11 
+jDoFcnGuyl1Hr5X1yvaFsp7rEbuMlBCOz96DsC9f7t3R6w8mGIW8/AFddFK6oP1S +k3JvXnrrn1Q7qwI+4Yd+uo1/AEIV7nREGruMYGVmBrsR6jTHRMavNceAATp9oVud +knlK26izc7SXtyxV+/IsoPkw3XSGW6MGThMi9m3LxPpLH9H78MapqXCx27h9GQNt +P/70CIzcRjxOkgXtLuQMqOPertukPrbXjFP1Jxx0tlOU7XMIU9WwcFmyU/BGIA2C +VBkAeuCmUYwHNGLjXllnOfIRiOQ02CUM70mYG62n4PBSB6fsGsmLzYUe3JwKf27Q +gQKCAQB/rMm4fzG9632stM1LfDICF7r8veYrzW4Tx0pwfR0tPJmB0AB7cjBYiPd4 +KnwifNthduhLsQh90Z3E13GcsOtRhuJanfnmZrDIw3Yh1K0IukfPlPEyqAV63Kbb +2pFoDFffC0oADTRWkEZvDIoCyiTzxzGCUrC74k4/v6VQ7E+W34DoSfMDJ7imaWQ2 +vX+ynPKDIYpW63mOSfUpyQ6/aF6LEPcUmhGGssnu1Lh+gO8NGMGjsx1VLTK7mjQ2 +pGS4Du/lFwRi+ssnZcOvHFnCvwePoma6YcuRK7mYGIrUKBq3URIes2NxAeNpuwUw +m0RIojd5xiU0ak99bluF3jB2Zte4 -----END PRIVATE KEY----- diff --git a/config/testdata/server_revoked.crt b/config/testdata/server_revoked.crt new file mode 100644 index 00000000..54651cfd --- /dev/null +++ b/config/testdata/server_revoked.crt 
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFsDCCA5igAwIBAgIRAJhzsQ9PS6cSzJuE6HX04fowDQYJKoZIhvcNAQELBQAw +aTELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy +b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRowGAYDVQQDExFQcm9tZXRo +ZXVzIFRMUyBDQTAgFw0yMzA3MzEwNDUxMzZaGA8yMDczMDcxODA0NTEzNlowNjEL +MAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxEjAQBgNVBAMTCWxvY2Fs +aG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJGAv9axdu5lGDAF +dD2C1vpgNd/HfERW66zf1ubV62cBgZUSiQGYsFeVi+tokD+RPSb7nB0SF3pczZgt +n2ktH+X7+Y1Le8ETI44ttMho7TWlti2m73he8eWUxoWV5XDjZTEVCYZYeiA6cgY+ +Vzr5fe8OuJcm5X6xfRxlH0BnhVwG1VNdj2wcxKW1H6TSBPV6hzqnXiHh7/cMUqfO +4cCnYOfBhandd3G8HRBGvnguP/n9EkrWQY6wfWSg6CMot14kofJ73ADlRrr7b203 +07s4ruWzyZv4RMLpkQfz/UOPwLM1W/f6FNWY0f/DWmbrxXG3r6sdJCw3ESLImTDD +rdSnFK/LphZSfNSi7OzSAqnhF42dS+hg0cXOLxue/TMpg+RAqJveceryIcMigYhj +MiKDX8cJHBYnrZmEkC+UpDzugxxdqhOR9RbgbbHIE6q9TAqNUunOXklQ3OxTHw7d +0xqT3fCKvHMpp5gnz05woayyuLbYfqivonlTnuTtzv7g32cxHEM3CvSPL9Y5T8w0 +FvT+qFu25iG0Cn8jJ+X0tsE1ItX5s2tRo+sZesI9kSQ75yiGlySLtRYY3d/lLwQz +ZX8XRMwGfgVsW/I21i/FNpCiLU2hoMpK4evCAZa4Rbh5dJ2qpgQaERCI1IH6Zxfp +Zlad5fGXJXH3OjRO6qukFqUJJiDhAgMBAAGjgYMwgYAwDgYDVR0PAQH/BAQDAgUg +MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB8G +A1UdIwQYMBaAFAoAzCK5fa32Yi/QFHlVTvarRTuBMCAGA1UdEQQZMBeCCWxvY2Fs +aG9zdIcEfwAAAYcEfwAAADANBgkqhkiG9w0BAQsFAAOCAgEABq5gfNmpPrYz72oC +driGu3AzX7jNjYOZ9QTRSN/MzpxR+UkHn/S2u3DCrdWYG8tXzk//UJgqxu9THvEv +NKyTkQqM7rrNelu5tUUDqz2B16f+rCtEy1ntQn3ofNhPI9zjfA4QBkVTD/eZBrk5 +iEr8NqoqunrgbFkzV+WG3lmwVVYzgmp4/o8kxB7oIrdPvns4cUEDd9lf/tFJPX9x +kcCRYeFPH/PwJUqmTd5lL904UgczPP25iLjbG/Vt27QwfFMbZ5Dfpz3oA+MHV8PE +aYsqRd+JLcCGbKqSt5Gawy8M8eCsmznQqwfW70WLPQJVlWeLmK6uwJJDmmZMlIk7 +uCXvYVTmgvOGZXfBvrAcZVDdH5W/RBKCmFvVzGBllHzeo/Xp41z771oMCc0Paz1S +m9gN1RjQlJI/SF75t7jNgJ8TYMsIudHzJmHnroqbufMMZZZY83FzGaL+Yr3CEGU+ +NOT08cFFWp4o42Tx81oOK4Qhcn43lYUIiXHrXZgwNR/oaValS9pxVrabdYMZxuBy +0Uj/RLmVSlcRfZ17SPk+BgLtldQyJrmF1Q7uR7M/Ggcv49qX0wbEkFnEI+oQDsqR 
++Xmd7UAJRyOLjZh9xYgpYKjarHMnqwCHytKbLjYmz2czfaMDnbSjVdlEbMvCSW5a +4aTZryalxu/zBs19haqwrlxQmc8= +-----END CERTIFICATE----- diff --git a/config/testdata/server_revoked.key b/config/testdata/server_revoked.key new file mode 100644 index 00000000..8aa48603 --- /dev/null +++ b/config/testdata/server_revoked.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCRgL/WsXbuZRgw +BXQ9gtb6YDXfx3xEVuus39bm1etnAYGVEokBmLBXlYvraJA/kT0m+5wdEhd6XM2Y +LZ9pLR/l+/mNS3vBEyOOLbTIaO01pbYtpu94XvHllMaFleVw42UxFQmGWHogOnIG +Plc6+X3vDriXJuV+sX0cZR9AZ4VcBtVTXY9sHMSltR+k0gT1eoc6p14h4e/3DFKn +zuHAp2DnwYWp3XdxvB0QRr54Lj/5/RJK1kGOsH1koOgjKLdeJKHye9wA5Ua6+29t +N9O7OK7ls8mb+ETC6ZEH8/1Dj8CzNVv3+hTVmNH/w1pm68Vxt6+rHSQsNxEiyJkw +w63UpxSvy6YWUnzUouzs0gKp4ReNnUvoYNHFzi8bnv0zKYPkQKib3nHq8iHDIoGI +YzIig1/HCRwWJ62ZhJAvlKQ87oMcXaoTkfUW4G2xyBOqvUwKjVLpzl5JUNzsUx8O +3dMak93wirxzKaeYJ89OcKGssri22H6or6J5U57k7c7+4N9nMRxDNwr0jy/WOU/M +NBb0/qhbtuYhtAp/Iyfl9LbBNSLV+bNrUaPrGXrCPZEkO+cohpcki7UWGN3f5S8E +M2V/F0TMBn4FbFvyNtYvxTaQoi1NoaDKSuHrwgGWuEW4eXSdqqYEGhEQiNSB+mcX +6WZWneXxlyVx9zo0TuqrpBalCSYg4QIDAQABAoICACtIycjschzpJhDjDnld+uXw +yRYRGf6afPGohR2Wdbjm0c2u/eLjsVHcwwr8yCyg4DhAkWh0gVd9VAv5RnrbWanp +E4vc8Ku3LdSV9DnKPQbAjTl3d7WvSParE4OZ2++BNhEr2PGGUI5V1KXW1cxNfBEp +p/APOiY+VqGj03AtW5bM0ZlDM+9Nf5JsF0XI1IDSOnhQYchilihAGjahbLcLE+Dd +yQ2HPIkxFNRKt065M38CsfZhVo9EIYlV9LjA3Au9ig/AmOoLSsdFFRjAitQfQKhE +m60yZgI1yVc8VhNLKGAnd3yFgL0qAQ685p/Hc60on7GfsasVlptqYWgITiX8rkJK +1pymtmCzBYIwwIIdzjJ5/JKIv/4vEaD7BibFN8Cg+UQRRy+vKmV1qPwkDVf987A4 +QaC0r4STXFlFu1OsHUPfqlTJgZAKJTMWrZ5xUuaVJM7dZuF6vuRvoUalBSHXEOYx +8dVhRyD9+5K1SLKfpUNZXI6pRq5ctCJaboMnegimBznghn/3nrZXw4pOvZ7w2rkx +iI3CQuF+IaS48Ha0NockJ3Sw3zdY6vFp7sixN5GXyYysQzOlvatCl5flIRfYVJwY +fBLxLAty45Q/EI6+ovYNy0K0OIZ5sjgpmukoOJL5UIEjagxmfitmZd7BdcRM5LdS +nEvm3BBb0v9KG4z6mC4BAoIBAQDA2FcV60kTFkNcXk+MwFgZuAeR8A4w6Tns6lNN +Ii94ptA0vMbvfUizuPhajZdM3PigK179HQh+ZfiZeNk13gsPgl9b/aZRPharAFI0 +pMRVAkyVNKE1Zc6w+nlzi3ZR3y1cxfC21l9VZ5B52sYt2Tam97S3Dhbu6cdipT6x +qt1bCuBb6TWvRtIMg4Aq89x0bfRfXR9FxujndZmZGbpmYOHZjR9RTCn6Rj2AFVE1 +7XWc8qRUCeJS2lV8ZxnbgQ++Nn8XAxnSWNbDzB/Lt7cBOzWBhnhHnC7qs4yGJN4K +9qyW6qX4/d5nbMLYHHLiuxSxH5jlYCra4lVJAlDcoARXr0bpAoIBAQDBJ1vlp5zg +VAUVYiKtNNrbGC2h/k3YGhOIK9ok4jUIy9cUZI6MwJH2a3eYv3ziHBgZ66kcsg9b 
+qULS+yeJXHrrA51CmAlastiezK/XhrX9VsJhh8sr8+ws8LaHA2A8tPNA+eFD6DKO +lwET73MsNvc64Km7KXN4vRyDECahvlvTINRPagL4TGruYBI600paMyDniC2sVqf5 +Di1VxIdt1d5YeSsDILTvRgfhTVvmWk4uTVuwlGh+q2SWwQ3/UxbhI3ZB1b27bjHW +owXAE6Atr790pgbOSUYbyVdADytG3c7OkK+zDHmpF60BgAvFYBK5Sc9oFcNx9Qgz ++rJtMMiHzD85AoIBADYrTuMIUWF8KnXCxCOsT9MBn5a90K6qhKvo8ndDOARzDx8R +O+w/y/E37wM4rJxZobkUFb2RrzYaHKe3i4QXGBJGM9UaPeKqRyHHmE/TTJb4a1yq +CPJ/43xRD1aGgTjkMNDThRdGxkauLaYc7vgoALML94ZH/eckYe5yrlanwT/2oSkQ +LBVNFmmPcqweDfnifPdgqA0on3mMzhV0ZaimZCqA+qASfeQgYNweoM4+IoBwo/o7 +QIi3bbXhHCFNcoeitTZYl6M/cyxSpUfLFivRXulARX8P/xnMT5fKuVhpC/fkd7Sm +UxfIND8SVq8bj+dlEcS0q7UKSJyWevJOPIoI4SkCggEBAJSxzBkb07UOeWtgxPk6 +O1F3Z4nRz/OQ/4BQ4fqK+fDvm3/jean5hWSCjutUXrtijVtHBEVG/nO99eed2W3x +d978RVBC4tCj5gc55BSza96/r5yNgWcwvJxMIvgFLU0OsEVRGI3Cb0k+DmJeb/eV +yPXWhlPDMVW9n/l1sYfKl74NA+Su4+JqUdd4tg/7IL4XpjkXqLGHdIBS3autQ+TW +Q/kwLmCWCTQ6YU6c0yaeVplmjDN/zIHXR/SWYkQwnuhq+FruRMXJqyxlC8Q2V5VU +Ort+JLchyYsSkMyL4PEJSG/VCq136SC3TUReYrFrqH5jx/uE5ZUQ4WPClyFf8MA6 +CGECggEAZRyF7w77w2d7u3tObGx6G4wF7FUI+HcQm1Y3voWPeSnwZSX3wU8cVUBf +NSbDGaLpjsBZRK9es0iBGpVTk0LNpTR/4CdMwU2nSG4qzkE7hlMdgTNnpV7fU7Nv +lg67f5hpQWG1H2Q8uHl3EWX793T18DTtxrPdgeZwkl6y9PUT5vFFoiU9V56E1VR8 +aoywhbuv+AgbBvM+KaUVLWONhRv/uVPXRkT+oJs3u/DBCb0EMlFerno1pEJHYdsc +k5jNG7atq/1OxUDytKWITBhCyCBOdbymy8yzB7ExCET4t64+C9gFdt9deaSEmXyV +R1B9WgmlgDHaJ2TfG6iDG2mQ2LbIrg== +-----END PRIVATE KEY----- diff --git a/config/testdata/tls-ca-chain-add-irlvt-ca.pem b/config/testdata/tls-ca-chain-add-irlvt-ca.pem new file mode 100644 index 00000000..32208b5d --- /dev/null +++ b/config/testdata/tls-ca-chain-add-irlvt-ca.pem 
@@ -0,0 +1,100 @@ +-----BEGIN CERTIFICATE----- +MIIF1DCCA7ygAwIBAgIRAJhzsQ9PS6cSzJuE6HX04fcwDQYJKoZIhvcNAQELBQAw +ajELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy +b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQDExJQcm9tZXRo +ZXVzIFJvb3QgQ0EwIBcNMjMwNzMxMDQ1MTI1WhgPMjA3MzA3MTgwNDUxMjVaMGkx +CzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpQcm9tZXRoZXVzMSkwJwYDVQQLEyBQcm9t +ZXRoZXVzIENlcnRpZmljYXRlIEF1dGhvcml0eTEaMBgGA1UEAxMRUHJvbWV0aGV1 +cyBUTFMgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDCuw6dfOUW +ogpZcsw0/6kH2AWi2STZnfPoib5gkoGlFSDyHPNugIS/aynHf60/LfmwbQuOj06A +/eIgYVN1n0skJMOVITkbVzPS6Bbo39b1AfL3jhRDu/WGlXSlRB+joUhf8pP4aaZz +lZ404lC5a8E0qTqsWVUchQMOdJtisK2cOhVAdUwNfB/2tOqAMr5iQ97J0RivD7Yq +7y/l/ylmQv82tVR5XSiwWa71GsNLMJyv3fl7KrLb+ErbgQOfkk1XuGpE8/3oTNhg +u/2fSo4lDbak9NMrBryGYpzYnNX7XBeR+cEigjUvwdQtBIX+jC+qn2IJqvZF3izL +qWJWYISfg14RJmB2A2Qdp3+363KQSmOh1kmeu7NeVWdIYRiR2+e8a/E/Ez7n6k9m +a7xkljQtQc0eNz35ob2R+uCNgTkR2Fjy8HQ8jNjl3YTd5WMTdhvx/74hgbaNV1nf +VeAsEdoZTf/KedpEwcgcwCVv6MNDsSu5NAjA1lg+iA8hyalCXRsPbiNVYSk52SEV +r+DNw63NdaOE/roQ37YEsWgTiq4zrcnhZl4tSmhag/l1gKucnGFzxP0Mg77gNgyI +XO1r0BX1XUJ4eNbKwRju7CV1FjRI/gv3lqZqvEkYX0LP1ynZw0dN33b2ERdEi5YK +k4wqk46C4oSyDK/BNH606qclLNHLoEl9bQIDAQABo3QwcjAOBgNVHQ8BAf8EBAMC +AaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQK +AMwiuX2t9mIv0BR5VU72q0U7gTAfBgNVHSMEGDAWgBSMhVqDR7dPJtKMdzbWb8vN +H327VjANBgkqhkiG9w0BAQsFAAOCAgEAGWjhP8z2LJBUo0jfGGBMxUNhiutosvvk +9XqVqRG6R+TynzR7Jsyi8Jf5ued9UUVavq2urqx4ar61etH2c1at2AQe4FACrrWe ++Bj5iMywEc3ypKKy9zLevvPM37pVBWCG8OlvI0WINxfYmZh9rR/xD2+FHbw5Dbyt +VUboFRVBMxDHgvkAPMRmJQooQjxBXY5ElB3DTHsyYrDGOQskUPrn6m1gbdSbSqNy +Mxmhaxw5i3CMBaKHUQ7ztm85K8d8ZV8eojCNcRFNTDYT3/x7zIxtPpZKux2Kjm4T +S6kY3seZSjFurs2YkMvumVV0M8PsVNvrw1F1otIMFdR8pj4gA0lAcil/QdHeg/Tu +GGv23QedsvTQYYhx7C+t+nh+M34vVV5DEBa9p0TKXzS2QJuzGcEtuTuCfJrbVHO9 +dRCLNEC2leCc1EhBnMj0LjBTRjOluC8y/08nzJJBNoQlDUrL+kZ2STvkzhJ15PmA +uddX5wleINDx+qc+e/hqf/o28o5dsUf0B4iqWo5dzKRIB4eeVu0WG91r7NMDgIe/ 
+bn42VolPjHquPgibE2zDISFUBukJsJIakOzkHbkorbupIaa5n0uzDs9D8wg/6vAR +o1VgW0XC0KUTmCiuqVYbAwsm7GiJcCOIP+588/RvbVvAqQkpN/PcQJ2uT57cXPxY +Rq4oaSeLcio= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFtDCCA5ygAwIBAgIRAJhzsQ9PS6cSzJuE6HX04fYwDQYJKoZIhvcNAQELBQAw +ajELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy +b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQDExJQcm9tZXRo +ZXVzIFJvb3QgQ0EwIBcNMjMwNzMxMDQ1MTIwWhgPMjA3MzA3MTgwNDUxMjBaMGox +CzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpQcm9tZXRoZXVzMSkwJwYDVQQLEyBQcm9t +ZXRoZXVzIENlcnRpZmljYXRlIEF1dGhvcml0eTEbMBkGA1UEAxMSUHJvbWV0aGV1 +cyBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4PctUOlH +K3x4a3EmOwP1PhBYc1D4TaSmR35Uer6cosLLhDI9YW4kBuAsdavjUyGYHBTOC3h1 +YnaREOLs7fCOntRa7DjxwgKdVvu1YGFrnXg/n9AsXMtkEPenFJYhF588h+xQD4Kp +2KISOYBe/QEyj7ql/VESrfHLsRL3PZOjZyuYV9XQH2B64OnGnwZpALKuD0aesUor +iIpGghnvY9VlJa2yuZb77HRetrBSusaOO4SFuvatA7OD7o06CM8uad8nlTqiwCX8 +49mT3AGjzZezSTZO3LvXVLIhjbzDWjceXH5zdNL0FRmLYXRRo9iQ7QrO2YP+hVQd +m13/+/S+YkyWzhi/G1Upx2aAPUErS1c862yGeqK+l55qRfAnl7JzIZmcqAZKtwL2 +ChcupLyoY2UYFBEFAFFjfqlyHt26QCiQ0RASGy7pLjWo3dDqPAM0DLXQfZO38UQl +VGeK0X3i8BsgaHI6AHhp12Bzas3i/zk9YdevlMrbQ04/OmxFXyUMPD3k2nornjcI ++fnOk6nGyGAAAtVk9HDdP5Z9zyrtQYhUOe4BT0fi5gSnvIZB8Bq5mzdKK4xiFhrA +TqcyPSp/l4HQKYgQhIuezO8eMIuBWvDNZ17MNf6LdlBDdvFGWM5myPUMk4jllEZ7 +RAItzdKd8sV/9vPd5r7knFF3W4QtYeFC1iUCAwEAAaNTMFEwDgYDVR0PAQH/BAQD +AgGmMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU +jIVag0e3TybSjHc21m/LzR99u1YwDQYJKoZIhvcNAQELBQADggIBAFs7zA9s8kd0 +hrFDAMBS/c3r48u8+AkAVVskwBMhUEohuCEKkHhObJbVTczx6Vk18sCWz/opDNAP +Op71MT1Kl797EfCJNUEynED3zJqQmqpI+Z+4+PaIjst5E/nGdoqtomgo1jMxIbJP +Bu5ZHYWOueJFIMYnGgE7OGRndhzlJSWI8uafu0NazbANfnfA/jsRL5W/YDwuMEPb +vkbrYpfZs65ICATauSnrBZ5dFEHJ1Tdl0SYujRO/e/E0w1Sc5cVMV+1jlKTmt4IJ +giojJ82+CV6AQh3EC3A7CTGWwsYGkXnovEoTBOwHthSDnswkm2DyAquHVnOegIgW +FiJXQIQnIzP3QoEIlSy7jsQHvKJ0jt4W3M76Jd8PQQ3DnC95pR0llYMjslc+stin +RI0S2HRIxHS5qQ1XowquMdwAJFBZpM805Tp4ieDPfS9sZT54ah4SE/7MzXDjPS3w 
+W4Q2kp5X6bcbhkMH4kt1jYFggm2KdFcL3huXw6qakveDWelaLRY8c47y98zYmNPP +MCREDXhLpR5J7udX1kInmFZ/JI99zWC/V1HXGJ5eND/1USrmSABJlgxU0gdvLJ9o +jFO2ULVuF14vraAItqtMT9z/ge4zNJC7rQnSiAtdjvQOeS5asbRvatE/jDlsqBdI +X1AyiJu2jRQxqARA5J6iIZ5sHTzHJ6vH +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFyDCCA7CgAwIBAgIRAJhzsQ9PS6cSzJuE6HX04fgwDQYJKoZIhvcNAQELBQAw +dDELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy +b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSUwIwYDVQQDExxQcm9tZXRo +ZXVzIFRMUyBJcnJlbGV2YW50IENBMCAXDTIzMDczMTA0NTEyOFoYDzIwNzMwNzE4 +MDQ1MTI4WjB0MQswCQYDVQQGEwJVUzETMBEGA1UEChMKUHJvbWV0aGV1czEpMCcG +A1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxJTAjBgNVBAMT +HFByb21ldGhldXMgVExTIElycmVsZXZhbnQgQ0EwggIiMA0GCSqGSIb3DQEBAQUA +A4ICDwAwggIKAoICAQDYgx/DdoBGBVxVVl7A9y0jeNqfNC34Q3LFQbwq7iISNi8o +nfQlsWXCBcygzlitCMhTv2bBH4wBtzhvI10qWWb1x9h3UW3AtYIxxHn4kfIuTfbu +yuwqnxvzFnPqiJqzKIdiZc2bqbPnZYtkcM6JwNb4orvViZdQ1CfQnOBKbp+CYcLf +V8M2qYQi1w0HW8Bdcz0rqOsdudK9hDlsGju7yZPrKOIIkEy9Qxmlaz3GJM9qyGrm +WHErKlIjXlZOFlN2lGTdTYSkXy06Cr9wsDSl/hE2tbmDurmB6C8vNRD+IKtCAqyd +egO9ot/mYq52zRnGefA6bBsI3BRERlOw1NUJirni3z9p1cyg+B5LmeOq7zPwFoZI +1vH8xcFN+diJIHmBR7j7U2yiGSM8QwtRw+jXTJsl4wpcLAuZNfW/HjjW9BBztK+7 +BxhCQ3guyHM8V+tZh7Y8H/r6CPR+IoVboNTgVIuvJ7f8Xjzq7HPF8dnYdX5PHxtJ +UwSYPoQQ2Lp9BeBGeNnGO2MXl6Y736+dj8ZWnHOsEr6KBorXa6HX8TK5BstHFsfs +nvdllNwEKVtu8neCTeWZNGD+2JhihXF1FoAROIV7N0sUjfrphoKLIkHJxA6AHY8E +ARILzHdpwXzZ0aSLgphwqwHiSp3WRV+mqZZLX0464nmJNPHAc2HuFjt7vKRE6QID +AQABo1MwUTAOBgNVHQ8BAf8EBAMCAaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMB +Af8EBTADAQH/MB0GA1UdDgQWBBRZMKhiUrsd6DygvU08uLd6hkNcxzANBgkqhkiG +9w0BAQsFAAOCAgEAC3kVo2h2dnogDcOMKyjJrDsIrM8cLVzJBJ1XhUGRdfaZpkyp +DzgtwoB06kxePLeu3qJoeFitml6zYZzlFC15E5f79hXd7BTjL5qIfWV2u0iDewte +VMMNb36iDGyNgpkWAKGpahbjh45pjB4iL0+5ZuPLBmcdd+T/wQzGS5VtyHQczvY8 +XPk1DT8wnnExiRKR7xaZibVGrsqYqUtYhMqZT6vNmiwjwpoik9zQbTGWYxr8EEu6 +3RW0F31ovonz5yC++/UavnBl5C+TwD0677CsKWC41sErqaiKylSIyd8oUrlP0lIS 
+l0G7UvmBrtmBkbNb0x/u97MYN5L87JpN+wpmOF4dhyjnL9CnwPEMl43EkHVfaOEN +9/dBl0IQalGbJZyhDAnLPgGEi6U7OolLv41ENAuFhSarFGjFyoRMOBrkRikg8+Li +n2iSPzobtrt3VTgnT2Ir7hE7elI5TyUWZoM9fGjuO2l5SYDU2PEA1u1XsZMUBjxE +RX1Oa1m9wGoU4SbTiWcm8cL/+XSkZxFF5aNma+3Oe2rskp/rNhi+XN8V3yqdyL5Z +sknP8kljATJvILBdhx6IOUFIActJmOtzxO7IUo8NtvgOHira+kcphaMuykrw6JSB +61zJplX0KPjZGdazEK6XBpo8cHJcyNAyitBv670euK61KeRKwlBqrdOv3uA= +-----END CERTIFICATE----- diff --git a/config/testdata/tls-ca-chain.pem b/config/testdata/tls-ca-chain.pem index b67023a7..246b4d80 100644 --- a/config/testdata/tls-ca-chain.pem +++ b/config/testdata/tls-ca-chain.pem 
@@ -1,67 +1,67 @@ -----BEGIN CERTIFICATE----- -MIIF1DCCA7ygAwIBAgIRAMMSh5NoexSCjSvDRf1fpgIwDQYJKoZIhvcNAQELBQAw +MIIF1DCCA7ygAwIBAgIRAJhzsQ9PS6cSzJuE6HX04fcwDQYJKoZIhvcNAQELBQAw ajELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQDExJQcm9tZXRo -ZXVzIFJvb3QgQ0EwIBcNMjIwNzA4MDkxNTA2WhgPMjA3MjA2MjUwOTE1MDZaMGkx +ZXVzIFJvb3QgQ0EwIBcNMjMwNzMxMDQ1MTI1WhgPMjA3MzA3MTgwNDUxMjVaMGkx CzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpQcm9tZXRoZXVzMSkwJwYDVQQLEyBQcm9t ZXRoZXVzIENlcnRpZmljYXRlIEF1dGhvcml0eTEaMBgGA1UEAxMRUHJvbWV0aGV1 -cyBUTFMgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDXtUbZhHR2 -xElyGJ+BwcZh4hm4dh1OhlJ6g98H2rEOK6bBxeO5YZnthfCnHI6WYN270ylusUc6 -JVkuU/1PO7NLYsl1D4ZIrRKQBWfg88BYrDO38HUkrm4aohlpT0+f7SiA7eRl1Mb5 -x6fi5BAVE5wnQJTE8VPBU+lXJB+SfZEixu+o1PlxVAdMYPAu1Yijakr1lDuZex+/ -j/700mihSAcwOvJ/+p4u2WNj0CMvQWiV5+VBZYrfpRN4/201FoyWILIv3HLq5OKp -Bpl/TvJ4J8oG1Cbzjm52qLgUOvHkAJ0I04DxWWywHF0VRumwLSqae0xo+KPPijj7 -bdnCx+vy37PbFOghzKzSIbPuccfKivVpChgy9n0kkgQhm9cgFE5SBuO6jfRwto0g -drSOMIzyXELDG0h0nB2gsPUHjD/OD1DT0VsW/9xXOPBfVgtPFn5LoZ8ninAFmk2r -ZiRJhCXhh+Rlw2F/s2STP66RnUGVdfP2syV+UlgJlE7EPE8cDbyfQqg7FTflq+t+ -HgXFCAkJ4S34+/qCbGv3DlbnC1lq+FiVwexm1TcfL/lYfhPr/J6VoeFZw4bjTPNa -jUILpsXv6IQzgPfCBxeZC6dDkK1D0cEXAqRRYKEFxdLnMjBcUZlWUV9uTuk01fDc -58bmlHt5sEqhcdUqHrR5PdoWJVOSbFwYBwIDAQABo3QwcjAOBgNVHQ8BAf8EBAMC -AqQwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTG -mh4eYNPmKKXi3dSJIs18ivSv8zAfBgNVHSMEGDAWgBRJPrEOm2ZrMgr9AFTz9LZy -0fDNNjANBgkqhkiG9w0BAQsFAAOCAgEAoc0OImcyyKSbVK63QA8VmD2o9Xr7abxX -o+f+QXWDqKAlNDAuXLYBjHMCc9YFsxXa9XkuKZeIxzop4h9iGG+fxMVPTx3T0gTm -MAuHcPka10z4Gy6ZxLzDmxJPkJ46b1n0K2fsv9XshzsHERz3VavwHXbC5mBo1CwI -6xLLtTWMuJdoyt0261D7Dat1JAFIWm2j+kxGvyIP0gNtRsUKOFA22Tlt42sEYnXa -7wmY7b15rndG69Xg9ZiVI5Mb/10gDJQcym23PXRn+JEgssE+WcYhll8f/LRmD49v -ZlBBD1dVoc9JyrgT+An+2Z8lE6wCSPqWSwhzvBW4dyB/u7Jn23dlV1SwJR8x/IaW -j/DhCELNqD6cSlRK3yjE/a2/iK0F6pNrVgKDY+/9uwFxwkjIRwqfcFtT6YpZ33mg 
-kSdTTbYpeg3XkLYZayE3ntzEhooyQdrJR6YyFVwsgcBCkeLrEbC7y/AG1MQEdKsZ -i3q730vztGQBR1ymPwgbB6qzGOXhmnhJHnQjeP2CJWnzDeOh2Vs4CxLAQZJ/dhYd -qrbYPAT8FJkp2PvoJP8zpmD7a8QC+6Gr17kl9OupPQrIIfxCXYZKDdGOlkDSUC16 -6y0E1WZnI+LVbQB1M584lB2/8jU4xqMqUPfoIcbjkjih9nvVA6t547527MeeTvXT -0ig2QvMFWMw= +cyBUTFMgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDCuw6dfOUW +ogpZcsw0/6kH2AWi2STZnfPoib5gkoGlFSDyHPNugIS/aynHf60/LfmwbQuOj06A +/eIgYVN1n0skJMOVITkbVzPS6Bbo39b1AfL3jhRDu/WGlXSlRB+joUhf8pP4aaZz +lZ404lC5a8E0qTqsWVUchQMOdJtisK2cOhVAdUwNfB/2tOqAMr5iQ97J0RivD7Yq +7y/l/ylmQv82tVR5XSiwWa71GsNLMJyv3fl7KrLb+ErbgQOfkk1XuGpE8/3oTNhg +u/2fSo4lDbak9NMrBryGYpzYnNX7XBeR+cEigjUvwdQtBIX+jC+qn2IJqvZF3izL +qWJWYISfg14RJmB2A2Qdp3+363KQSmOh1kmeu7NeVWdIYRiR2+e8a/E/Ez7n6k9m +a7xkljQtQc0eNz35ob2R+uCNgTkR2Fjy8HQ8jNjl3YTd5WMTdhvx/74hgbaNV1nf +VeAsEdoZTf/KedpEwcgcwCVv6MNDsSu5NAjA1lg+iA8hyalCXRsPbiNVYSk52SEV +r+DNw63NdaOE/roQ37YEsWgTiq4zrcnhZl4tSmhag/l1gKucnGFzxP0Mg77gNgyI +XO1r0BX1XUJ4eNbKwRju7CV1FjRI/gv3lqZqvEkYX0LP1ynZw0dN33b2ERdEi5YK +k4wqk46C4oSyDK/BNH606qclLNHLoEl9bQIDAQABo3QwcjAOBgNVHQ8BAf8EBAMC +AaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQK +AMwiuX2t9mIv0BR5VU72q0U7gTAfBgNVHSMEGDAWgBSMhVqDR7dPJtKMdzbWb8vN +H327VjANBgkqhkiG9w0BAQsFAAOCAgEAGWjhP8z2LJBUo0jfGGBMxUNhiutosvvk +9XqVqRG6R+TynzR7Jsyi8Jf5ued9UUVavq2urqx4ar61etH2c1at2AQe4FACrrWe ++Bj5iMywEc3ypKKy9zLevvPM37pVBWCG8OlvI0WINxfYmZh9rR/xD2+FHbw5Dbyt +VUboFRVBMxDHgvkAPMRmJQooQjxBXY5ElB3DTHsyYrDGOQskUPrn6m1gbdSbSqNy +Mxmhaxw5i3CMBaKHUQ7ztm85K8d8ZV8eojCNcRFNTDYT3/x7zIxtPpZKux2Kjm4T +S6kY3seZSjFurs2YkMvumVV0M8PsVNvrw1F1otIMFdR8pj4gA0lAcil/QdHeg/Tu +GGv23QedsvTQYYhx7C+t+nh+M34vVV5DEBa9p0TKXzS2QJuzGcEtuTuCfJrbVHO9 +dRCLNEC2leCc1EhBnMj0LjBTRjOluC8y/08nzJJBNoQlDUrL+kZ2STvkzhJ15PmA +uddX5wleINDx+qc+e/hqf/o28o5dsUf0B4iqWo5dzKRIB4eeVu0WG91r7NMDgIe/ +bn42VolPjHquPgibE2zDISFUBukJsJIakOzkHbkorbupIaa5n0uzDs9D8wg/6vAR +o1VgW0XC0KUTmCiuqVYbAwsm7GiJcCOIP+588/RvbVvAqQkpN/PcQJ2uT57cXPxY +Rq4oaSeLcio= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- 
-MIIFtDCCA5ygAwIBAgIRAMMSh5NoexSCjSvDRf1fpgEwDQYJKoZIhvcNAQELBQAw +MIIFtDCCA5ygAwIBAgIRAJhzsQ9PS6cSzJuE6HX04fYwDQYJKoZIhvcNAQELBQAw ajELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQDExJQcm9tZXRo -ZXVzIFJvb3QgQ0EwIBcNMjIwNzA4MDkxNTA0WhgPMjA3MjA2MjUwOTE1MDRaMGox +ZXVzIFJvb3QgQ0EwIBcNMjMwNzMxMDQ1MTIwWhgPMjA3MzA3MTgwNDUxMjBaMGox CzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpQcm9tZXRoZXVzMSkwJwYDVQQLEyBQcm9t ZXRoZXVzIENlcnRpZmljYXRlIEF1dGhvcml0eTEbMBkGA1UEAxMSUHJvbWV0aGV1 -cyBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArkzRPi21 -E299vXw4FBbMfCXI258SxvvjRVRuKdAHLOBpEEqkYH6r6ScbZaisBFtIePv4ddKl -rmv+nDwN84/KS54OOtw1cWD4AnDB0kL3B0pWXjTS1F/u57hRLxM6Ta0UubKbta/h -WqSOR/fAA5sgcl+JbbR61QWVeYYXg9bM8YGTwQMeJod26tIUeX/Reo9BHuiW4jPb -pvVf7rsOs8E2cGwfYjZu6Zj2qcCxQ/ivCpopKFLNlaKko/KlGDGz9KxK5X3ik+sE -fPK9LzLC0k2RLGc3EmcMkdyqE3VNih9nV9SalAXN5yBdYaWWjJXykty7ilU32MBF -yO4myL48vif2K68pD/CFhG8YmIOud3woMm1IYS9xlsYKf7+f5CNlxqz+eSoOGhcG -dSDNft3h5nuq9J/qb2rIgWMSc2puFNRsx+fis0kS5GvjVadR0lxtArbrNm4S+F22 -EjGxeBF5VIWiu31uppbdASIw6DTKcrSVVoWxq+Fk3OOB+7q+rornosop9a/omXGH -0cTmgarjJtMqa0TEQiUPQPPnmpC1joeC7/kh7aks93wfHtY73uAVnTjLGTOwlr50 -CgRShcRoLLN049V93l46AFHU/4HWns8dqgdcdGnvIdUCFik916pKDSvEc/DfMLGh -H6w9Xlg4+2LgCyG2/FBEMTj+bLoraydzyaECAwEAAaNTMFEwDgYDVR0PAQH/BAQD -AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU -ST6xDptmazIK/QBU8/S2ctHwzTYwDQYJKoZIhvcNAQELBQADggIBAHM79R/uQwQX -vsBDfKyBXWFlrhHAgX8XAwMKHjstpQYCcJoiGLRJaMMjxj31T1tylqPdcxz88THN -uj9kVFYMo1GU5K9E9lq0LoWQBmX2R7/RgxWqB7FNS+S0xfGyeUb3YPVPI1yhtsKa -6mCtTuCVgsgs/hTa+umjtffxj7l+IQxD8Fq0RFBae+S0v5mjVC2sUVd6usqVt7F6 -LUVuYShyAI705guIV9nkz8ZyLzUBJnQAJ8g6DU+nLmdizigUG+JoD/hBbK2hvcjX -SL7JLAhYRI4kzWcYR0GUfDf2knFEWNhU8gCPnw70FHMD9QC3NKkQsPvyQRyJh99+ -ipwUFbGJJRYWjFBbUxlqZNqBg6+ylZNFGEnG42u2KvPXjgPdivlQWkrX6nG0ayyl -rYrvi0FawP3OBpCrhYhqsqkA2m+5L2Pl+J2SsDv4qmPB6fh7K0YDVB37AZSG+nfL -oXXpUtwfc9tR71S7GmgkcqYOkHfSzl7ecxXtE2xyl3zhkUPR9YcG+rQhXRRp0lxF 
-kR0EtGOGuvXMCQ/vBVPNEDS3jdceqIrIRI1yPUdhFkF7lrLsfFULllOt6qQWnhn2 -A2ObxHToohwuyri/v8QhqNI2Bg0jJHcAJi8I8taToAstCWrtn+WXyfj/QknAik47 -aOK9l5wSyyqPfkHybKvT6z9pqWUchJsz +cyBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4PctUOlH +K3x4a3EmOwP1PhBYc1D4TaSmR35Uer6cosLLhDI9YW4kBuAsdavjUyGYHBTOC3h1 +YnaREOLs7fCOntRa7DjxwgKdVvu1YGFrnXg/n9AsXMtkEPenFJYhF588h+xQD4Kp +2KISOYBe/QEyj7ql/VESrfHLsRL3PZOjZyuYV9XQH2B64OnGnwZpALKuD0aesUor +iIpGghnvY9VlJa2yuZb77HRetrBSusaOO4SFuvatA7OD7o06CM8uad8nlTqiwCX8 +49mT3AGjzZezSTZO3LvXVLIhjbzDWjceXH5zdNL0FRmLYXRRo9iQ7QrO2YP+hVQd +m13/+/S+YkyWzhi/G1Upx2aAPUErS1c862yGeqK+l55qRfAnl7JzIZmcqAZKtwL2 +ChcupLyoY2UYFBEFAFFjfqlyHt26QCiQ0RASGy7pLjWo3dDqPAM0DLXQfZO38UQl +VGeK0X3i8BsgaHI6AHhp12Bzas3i/zk9YdevlMrbQ04/OmxFXyUMPD3k2nornjcI ++fnOk6nGyGAAAtVk9HDdP5Z9zyrtQYhUOe4BT0fi5gSnvIZB8Bq5mzdKK4xiFhrA +TqcyPSp/l4HQKYgQhIuezO8eMIuBWvDNZ17MNf6LdlBDdvFGWM5myPUMk4jllEZ7 +RAItzdKd8sV/9vPd5r7knFF3W4QtYeFC1iUCAwEAAaNTMFEwDgYDVR0PAQH/BAQD +AgGmMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU +jIVag0e3TybSjHc21m/LzR99u1YwDQYJKoZIhvcNAQELBQADggIBAFs7zA9s8kd0 +hrFDAMBS/c3r48u8+AkAVVskwBMhUEohuCEKkHhObJbVTczx6Vk18sCWz/opDNAP +Op71MT1Kl797EfCJNUEynED3zJqQmqpI+Z+4+PaIjst5E/nGdoqtomgo1jMxIbJP +Bu5ZHYWOueJFIMYnGgE7OGRndhzlJSWI8uafu0NazbANfnfA/jsRL5W/YDwuMEPb +vkbrYpfZs65ICATauSnrBZ5dFEHJ1Tdl0SYujRO/e/E0w1Sc5cVMV+1jlKTmt4IJ +giojJ82+CV6AQh3EC3A7CTGWwsYGkXnovEoTBOwHthSDnswkm2DyAquHVnOegIgW +FiJXQIQnIzP3QoEIlSy7jsQHvKJ0jt4W3M76Jd8PQQ3DnC95pR0llYMjslc+stin +RI0S2HRIxHS5qQ1XowquMdwAJFBZpM805Tp4ieDPfS9sZT54ah4SE/7MzXDjPS3w +W4Q2kp5X6bcbhkMH4kt1jYFggm2KdFcL3huXw6qakveDWelaLRY8c47y98zYmNPP +MCREDXhLpR5J7udX1kInmFZ/JI99zWC/V1HXGJ5eND/1USrmSABJlgxU0gdvLJ9o +jFO2ULVuF14vraAItqtMT9z/ge4zNJC7rQnSiAtdjvQOeS5asbRvatE/jDlsqBdI +X1AyiJu2jRQxqARA5J6iIZ5sHTzHJ6vH -----END CERTIFICATE----- diff --git a/config/testdata/tls-ca-no-root.pem b/config/testdata/tls-ca-no-root.pem new file mode 100644 index 00000000..e0338fff --- /dev/null +++ b/config/testdata/tls-ca-no-root.pem 
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF1DCCA7ygAwIBAgIRAJhzsQ9PS6cSzJuE6HX04fcwDQYJKoZIhvcNAQELBQAw +ajELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy +b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQDExJQcm9tZXRo +ZXVzIFJvb3QgQ0EwIBcNMjMwNzMxMDQ1MTI1WhgPMjA3MzA3MTgwNDUxMjVaMGkx +CzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpQcm9tZXRoZXVzMSkwJwYDVQQLEyBQcm9t +ZXRoZXVzIENlcnRpZmljYXRlIEF1dGhvcml0eTEaMBgGA1UEAxMRUHJvbWV0aGV1 +cyBUTFMgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDCuw6dfOUW +ogpZcsw0/6kH2AWi2STZnfPoib5gkoGlFSDyHPNugIS/aynHf60/LfmwbQuOj06A +/eIgYVN1n0skJMOVITkbVzPS6Bbo39b1AfL3jhRDu/WGlXSlRB+joUhf8pP4aaZz +lZ404lC5a8E0qTqsWVUchQMOdJtisK2cOhVAdUwNfB/2tOqAMr5iQ97J0RivD7Yq +7y/l/ylmQv82tVR5XSiwWa71GsNLMJyv3fl7KrLb+ErbgQOfkk1XuGpE8/3oTNhg +u/2fSo4lDbak9NMrBryGYpzYnNX7XBeR+cEigjUvwdQtBIX+jC+qn2IJqvZF3izL +qWJWYISfg14RJmB2A2Qdp3+363KQSmOh1kmeu7NeVWdIYRiR2+e8a/E/Ez7n6k9m +a7xkljQtQc0eNz35ob2R+uCNgTkR2Fjy8HQ8jNjl3YTd5WMTdhvx/74hgbaNV1nf +VeAsEdoZTf/KedpEwcgcwCVv6MNDsSu5NAjA1lg+iA8hyalCXRsPbiNVYSk52SEV +r+DNw63NdaOE/roQ37YEsWgTiq4zrcnhZl4tSmhag/l1gKucnGFzxP0Mg77gNgyI +XO1r0BX1XUJ4eNbKwRju7CV1FjRI/gv3lqZqvEkYX0LP1ynZw0dN33b2ERdEi5YK +k4wqk46C4oSyDK/BNH606qclLNHLoEl9bQIDAQABo3QwcjAOBgNVHQ8BAf8EBAMC +AaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQK +AMwiuX2t9mIv0BR5VU72q0U7gTAfBgNVHSMEGDAWgBSMhVqDR7dPJtKMdzbWb8vN +H327VjANBgkqhkiG9w0BAQsFAAOCAgEAGWjhP8z2LJBUo0jfGGBMxUNhiutosvvk +9XqVqRG6R+TynzR7Jsyi8Jf5ued9UUVavq2urqx4ar61etH2c1at2AQe4FACrrWe ++Bj5iMywEc3ypKKy9zLevvPM37pVBWCG8OlvI0WINxfYmZh9rR/xD2+FHbw5Dbyt +VUboFRVBMxDHgvkAPMRmJQooQjxBXY5ElB3DTHsyYrDGOQskUPrn6m1gbdSbSqNy +Mxmhaxw5i3CMBaKHUQ7ztm85K8d8ZV8eojCNcRFNTDYT3/x7zIxtPpZKux2Kjm4T +S6kY3seZSjFurs2YkMvumVV0M8PsVNvrw1F1otIMFdR8pj4gA0lAcil/QdHeg/Tu +GGv23QedsvTQYYhx7C+t+nh+M34vVV5DEBa9p0TKXzS2QJuzGcEtuTuCfJrbVHO9 +dRCLNEC2leCc1EhBnMj0LjBTRjOluC8y/08nzJJBNoQlDUrL+kZ2STvkzhJ15PmA +uddX5wleINDx+qc+e/hqf/o28o5dsUf0B4iqWo5dzKRIB4eeVu0WG91r7NMDgIe/ 
+bn42VolPjHquPgibE2zDISFUBukJsJIakOzkHbkorbupIaa5n0uzDs9D8wg/6vAR +o1VgW0XC0KUTmCiuqVYbAwsm7GiJcCOIP+588/RvbVvAqQkpN/PcQJ2uT57cXPxY +Rq4oaSeLcio= +-----END CERTIFICATE-----