From e87d76c5f8644e8bc8003c31bbaf6f8ca9958629 Mon Sep 17 00:00:00 2001 From: Ziqi Zhang Date: Mon, 31 Jul 2023 14:53:26 +1000 Subject: [PATCH 1/2] Add CRL support to Prometheus This commit adds support for certificate revocation status by Certificate Revocation List (CRL) in Prometheus. New fields 'CRL' and 'CRLFile' have been added to the Prometheus config ('tls_config' section). These enable certificate revocation validation with the provided CRL. The Prometheus loads the Certificate Revocation List (CRL) to validate the revocation status of the peer's certificate chain by invoking the 'verifyPeerCertificate' (https://pkg.go.dev/crypto/tls) function during a TLS handshake. Signed-off-by: Ziqi Zhang --- config/generate.go | 160 +++++++++- config/http_config.go | 230 ++++++++++++++- config/http_config_test.go | 274 +++++++++++++++++- config/testdata/client.crt | 54 ++-- config/testdata/client.key | 100 +++---- config/testdata/crl_cert_revoked.pem | 19 ++ config/testdata/crl_cert_revoked_expired.pem | 19 ++ config/testdata/crl_chain_all_empty.pem | 36 +++ config/testdata/crl_chain_cert_revoked.pem | 37 +++ .../crl_chain_inter_ca_cert_revoked.pem | 37 +++ .../testdata/crl_chain_irlvt_cert_revoked.pem | 37 +++ config/testdata/crl_inter_empty.pem | 18 ++ config/testdata/crl_root_empty.pem | 18 ++ config/testdata/self-signed-client.crt | 50 ++-- config/testdata/self-signed-client.key | 100 +++---- config/testdata/server.crt | 54 ++-- config/testdata/server.key | 100 +++---- config/testdata/server_revoked.crt | 33 +++ config/testdata/server_revoked.key | 52 ++++ config/testdata/tls-ca-chain-add-irlvt-ca.pem | 100 +++++++ config/testdata/tls-ca-chain.pem | 110 +++---- config/testdata/tls-ca-no-root.pem | 34 +++ 22 files changed, 1365 insertions(+), 307 deletions(-) create mode 100644 config/testdata/crl_cert_revoked.pem create mode 100644 config/testdata/crl_cert_revoked_expired.pem create mode 100644 config/testdata/crl_chain_all_empty.pem create mode 100644 config/testdata/crl_chain_cert_revoked.pem create mode 100644 config/testdata/crl_chain_inter_ca_cert_revoked.pem create mode 100644 config/testdata/crl_chain_irlvt_cert_revoked.pem create mode 100644 config/testdata/crl_inter_empty.pem create mode 100644 config/testdata/crl_root_empty.pem create mode 100644 config/testdata/server_revoked.crt create mode 100644 config/testdata/server_revoked.key create mode 100644 config/testdata/tls-ca-chain-add-irlvt-ca.pem create mode 100644 config/testdata/tls-ca-no-root.pem diff --git a/config/generate.go b/config/generate.go index 0033dd75..4a29457a 100644 --- a/config/generate.go +++ b/config/generate.go @@ -92,7 +92,7 @@ func GenerateCertificateAuthority(commonName string, parentCert *x509.Certificat }, NotBefore: now, NotAfter: now.Add(validityPeriod), - KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign, + KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign | x509.KeyUsageCRLSign, IsCA: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, BasicConstraintsValid: true, @@ -186,6 +186,51 @@ func writeCertificateAndKey(path string, cert *x509.Certificate, key *rsa.Privat return nil } +func GenerateCRL(cert *x509.Certificate, privateKey *rsa.PrivateKey, revokedCerts []pkix.RevokedCertificate, isExpired bool) ([]byte, error) { + now := time.Now() + + next := now.AddDate(30, 0, 0) + if isExpired { + next = now + } + + crl := &x509.RevocationList{ + SignatureAlgorithm: x509.SHA256WithRSA, + ThisUpdate: now, + NextUpdate: next, + RevokedCertificates: revokedCerts, + Number: big.NewInt(1), + Issuer: cert.Subject, + } + + crlBytes, err := x509.CreateRevocationList(rand.Reader, crl, cert, privateKey) + if err != nil { + return nil, fmt.Errorf("cannot create revocation list: %v", err) + } + + return crlBytes, nil +} + +func writeCRLs(filename string, crlData [][]byte) error { + crlPemBytes := new(bytes.Buffer) + for _, data := range crlData { + crlPem := &pem.Block{ + Type: "X509 CRL", + Bytes: data, + } + err := pem.Encode(crlPemBytes, crlPem) + if err != nil { + return err + } + } + + if crlPemBytes == nil { + return fmt.Errorf("empty CRL to write") + } + + return os.WriteFile(filename, crlPemBytes.Bytes(), 0644) +} + func main() { log.Println("Generating root CA") rootCert, rootKey, err := GenerateCertificateAuthority("Prometheus Root CA", nil, nil) @@ -199,6 +244,12 @@ func main() { log.Fatal(err) } + log.Println("Generating Irrelevant CA") + irlvtCert, irlvtKey, err := GenerateCertificateAuthority("Prometheus TLS Irrelevant CA", nil, nil) + if err != nil { + log.Fatal(err) + } + log.Println("Generating server certificate") cert, key, err := GenerateCertificate(caCert, caKey, true, "localhost", net.IPv4(127, 0, 0, 1), net.IPv4(127, 0, 0, 0)) if err != nil { @@ -209,6 +260,16 @@ func main() { log.Fatal(err) } + log.Println("Generating revoked server certificate") + revokedCert, revokedKey, err := GenerateCertificate(caCert, caKey, true, "localhost", net.IPv4(127, 0, 0, 1), net.IPv4(127, 0, 0, 0)) + if err != nil { + log.Fatal(err) + } + + if err := writeCertificateAndKey("testdata/server_revoked", revokedCert, revokedKey); err != nil { + log.Fatal(err) + } + log.Println("Generating client certificate") cert, key, err = GenerateCertificate(caCert, caKey, false, "localhost") if err != nil { @@ -235,6 +296,10 @@ func main() { log.Fatal(err) } + if err := os.WriteFile("testdata/tls-ca-no-root.pem", b.Bytes(), 0644); err != nil { + log.Fatal(err) + } + if err := EncodeCertificate(&b, rootCert); err != nil { log.Fatal(err) } @@ -242,4 +307,97 @@ func main() { if err := os.WriteFile("testdata/tls-ca-chain.pem", b.Bytes(), 0644); err != nil { log.Fatal(err) } + + if err := EncodeCertificate(&b, irlvtCert); err != nil { + log.Fatal(err) + } + + if err := os.WriteFile("testdata/tls-ca-chain-add-irlvt-ca.pem", b.Bytes(), 0644); err != nil { + log.Fatal(err) + } + + log.Println("Generating CRLs") + crlProp_revokedCert := []pkix.RevokedCertificate{ + { + SerialNumber: revokedCert.SerialNumber, + RevocationTime: time.Now(), + }, + } + + crl_RevokedCert, err := GenerateCRL(caCert, caKey, crlProp_revokedCert, false) + if err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_cert_revoked.pem", [][]byte{crl_RevokedCert}); err != nil { + log.Fatal(err) + } + + crl_RevokedCert_expired, err := GenerateCRL(caCert, caKey, crlProp_revokedCert, true) + if err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_cert_revoked_expired.pem", [][]byte{crl_RevokedCert_expired}); err != nil { + log.Fatal(err) + } + + crl_irlvtRevokedCert, err := GenerateCRL(irlvtCert, irlvtKey, crlProp_revokedCert, false) + if err != nil { + log.Fatal(err) + } + + crlProp_empty := []pkix.RevokedCertificate{ + { + SerialNumber: big.NewInt(1), + RevocationTime: time.Now(), + }, + } + + crl_InterCA_Empty, err := GenerateCRL(caCert, caKey, crlProp_empty, false) + if err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_inter_empty.pem", [][]byte{crl_InterCA_Empty}); err != nil { + log.Fatal(err) + } + + crlProp_RevokedInterCA := []pkix.RevokedCertificate{ + { + SerialNumber: caCert.SerialNumber, + RevocationTime: time.Now(), + }, + } + + crl_revokedInterCA, err := GenerateCRL(rootCert, rootKey, crlProp_RevokedInterCA, false) + if err != nil { + log.Fatal(err) + } + + crl_Root_Empty, err := GenerateCRL(rootCert, rootKey, crlProp_empty, false) + if err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_root_empty.pem", [][]byte{crl_Root_Empty}); err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_chain_all_empty.pem", [][]byte{crl_InterCA_Empty, crl_Root_Empty}); err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_chain_cert_revoked.pem", [][]byte{crl_Root_Empty, crl_RevokedCert}); err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_chain_inter_ca_cert_revoked.pem", [][]byte{crl_revokedInterCA, crl_InterCA_Empty}); err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_chain_irlvt_cert_revoked.pem", [][]byte{crl_InterCA_Empty, crl_irlvtRevokedCert}); err != nil { + log.Fatal(err) + } + } diff --git a/config/http_config.go b/config/http_config.go index 37aa9667..c632f9e3 100644 --- a/config/http_config.go +++ b/config/http_config.go @@ -20,6 +20,7 @@ import ( "crypto/tls" "crypto/x509" "encoding/json" + "encoding/pem" "fmt" "net" "net/http" @@ -861,6 +862,13 @@ func NewTLSConfig(cfg *TLSConfig) (*tls.Config, error) { tlsConfig.GetClientCertificate = cfg.getClientCertificate } + // If Certificate Revocation List(s) are provided + // then let's read it in so we can validate the + // scrape target's certificate properly. + if len(cfg.CRLFile) > 0 || len(cfg.CRL) > 0 { + tlsConfig.VerifyPeerCertificate = cfg.verifyPeerCertificate + } + return tlsConfig, nil } @@ -872,12 +880,16 @@ type TLSConfig struct { Cert string `yaml:"cert,omitempty" json:"cert,omitempty"` // Text of the client key file for the targets. Key Secret `yaml:"key,omitempty" json:"key,omitempty"` + // Text of the CRL to use for certificate revocation verification. + CRL string `yaml:"crl,omitempty" json:"crl,omitempty"` // The CA cert to use for the targets. CAFile string `yaml:"ca_file,omitempty" json:"ca_file,omitempty"` // The client cert file for the targets. CertFile string `yaml:"cert_file,omitempty" json:"cert_file,omitempty"` // The client key file for the targets. KeyFile string `yaml:"key_file,omitempty" json:"key_file,omitempty"` + // The CRL to use for for certificate revocation verification. + CRLFile string `yaml:"crl_file,omitempty" json:"crl_file,omitempty"` // Used to verify the hostname for the targets. ServerName string `yaml:"server_name,omitempty" json:"server_name,omitempty"` // Disable target certificate validation. @@ -896,6 +908,7 @@ func (c *TLSConfig) SetDirectory(dir string) { c.CAFile = JoinDir(dir, c.CAFile) c.CertFile = JoinDir(dir, c.CertFile) c.KeyFile = JoinDir(dir, c.KeyFile) + c.CRLFile = JoinDir(dir, c.CRLFile) } // UnmarshalYAML implements the yaml.Unmarshaler interface. @@ -920,6 +933,9 @@ func (c *TLSConfig) Validate() error { if len(c.Key) > 0 && len(c.KeyFile) > 0 { return fmt.Errorf("at most one of key and key_file must be configured") } + if len(c.CRL) > 0 && len(c.CRLFile) > 0 { + return fmt.Errorf("at most one of crl and crl_file must be configured") + } if c.usingClientCert() && !c.usingClientKey() { return fmt.Errorf("exactly one of key or key_file must be configured when a client certificate is configured") @@ -946,6 +962,8 @@ func (c *TLSConfig) roundTripperSettings() TLSRoundTripperSettings { CertFile: c.CertFile, Key: string(c.Key), KeyFile: c.KeyFile, + CRL: c.CRL, + CRLFile: c.CRLFile, } } @@ -1014,6 +1032,7 @@ type tlsRoundTripper struct { hashCAData []byte hashCertData []byte hashKeyData []byte + hashCRLData []byte tlsConfig *tls.Config } @@ -1021,6 +1040,7 @@ type TLSRoundTripperSettings struct { CA, CAFile string Cert, CertFile string Key, KeyFile string + CRL, CRLFile string } func NewTLSRoundTripper( @@ -1039,7 +1059,7 @@ func NewTLSRoundTripper( return nil, err } t.rt = rt - _, t.hashCAData, t.hashCertData, t.hashKeyData, err = t.getTLSDataWithHash() + _, t.hashCAData, t.hashCertData, t.hashKeyData, t.hashCRLData, err = t.getTLSDataWithHash() if err != nil { return nil, err } @@ -1047,9 +1067,9 @@ func NewTLSRoundTripper( return t, nil } -func (t *tlsRoundTripper) getTLSDataWithHash() ([]byte, []byte, []byte, []byte, error) { +func (t *tlsRoundTripper) getTLSDataWithHash() ([]byte, []byte, []byte, []byte, []byte, error) { var ( - caBytes, certBytes, keyBytes []byte + caBytes, certBytes, keyBytes, crlBytes []byte err error ) @@ -1057,7 +1077,7 @@ func (t *tlsRoundTripper) getTLSDataWithHash() ([]byte, []byte, []byte, []byte, if t.settings.CAFile != "" { caBytes, err = os.ReadFile(t.settings.CAFile) if err != nil { - return nil, nil, nil, nil, err + return nil, nil, nil, nil, nil, err } } else if t.settings.CA != "" { caBytes = []byte(t.settings.CA) @@ -1066,7 +1086,7 @@ func (t *tlsRoundTripper) getTLSDataWithHash() ([]byte, []byte, []byte, []byte, if t.settings.CertFile != "" { certBytes, err = os.ReadFile(t.settings.CertFile) if err != nil { - return nil, nil, nil, nil, err + return nil, nil, nil, nil, nil, err } } else if t.settings.Cert != "" { certBytes = []byte(t.settings.Cert) @@ -1075,13 +1095,22 @@ func (t *tlsRoundTripper) getTLSDataWithHash() ([]byte, []byte, []byte, []byte, if t.settings.KeyFile != "" { keyBytes, err = os.ReadFile(t.settings.KeyFile) if err != nil { - return nil, nil, nil, nil, err + return nil, nil, nil, nil, nil, err } } else if t.settings.Key != "" { keyBytes = []byte(t.settings.Key) } - var caHash, certHash, keyHash [32]byte + if t.settings.CRLFile != "" { + crlBytes, err = os.ReadFile(t.settings.CRLFile) + if err != nil { + return nil, nil, nil, nil, nil, err + } + } else if t.settings.CRL != "" { + crlBytes = []byte(t.settings.CRL) + } + + var caHash, certHash, keyHash, crlHash [32]byte if len(caBytes) > 0 { caHash = sha256.Sum256(caBytes) @@ -1092,13 +1121,16 @@ func (t *tlsRoundTripper) getTLSDataWithHash() ([]byte, []byte, []byte, []byte, if len(keyBytes) > 0 { keyHash = sha256.Sum256(keyBytes) } + if len(crlBytes) > 0 { + crlHash = sha256.Sum256(crlBytes) + } - return caBytes, caHash[:], certHash[:], keyHash[:], nil + return caBytes, caHash[:], certHash[:], keyHash[:], crlHash[:], nil } // RoundTrip implements the http.RoundTrip interface. func (t *tlsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { - caData, caHash, certHash, keyHash, err := t.getTLSDataWithHash() + caData, caHash, certHash, keyHash, crlHash, err := t.getTLSDataWithHash() if err != nil { return nil, err } @@ -1106,7 +1138,8 @@ func (t *tlsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { t.mtx.RLock() equal := bytes.Equal(caHash[:], t.hashCAData) && bytes.Equal(certHash[:], t.hashCertData) && - bytes.Equal(keyHash[:], t.hashKeyData) + bytes.Equal(keyHash[:], t.hashKeyData) && + bytes.Equal(crlHash[:], t.hashCRLData) rt := t.rt t.mtx.RUnlock() if equal { @@ -1132,6 +1165,7 @@ func (t *tlsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { t.hashCAData = caHash[:] t.hashCertData = certHash[:] t.hashKeyData = keyHash[:] + t.hashCRLData = crlHash[:] t.mtx.Unlock() return rt.RoundTrip(req) @@ -1249,3 +1283,179 @@ func (c *ProxyConfig) Proxy() (fn func(*http.Request) (*url.URL, error)) { func (c *ProxyConfig) GetProxyConnectHeader() http.Header { return c.ProxyConnectHeader.HTTPHeader() } + +// The function is invoked at the end of TLS handshake. +// It is verifying peer provided certificate chain status +// with provided Certificate Revocation List. If the +// verifiedChains is nil, skip the verifyPeerCeritificate. +func (c *TLSConfig) verifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { + // Skip the CRL verification while verifiedChains is nil. + if verifiedChains == nil { + return nil + } + + // Ensure the peer provide certificates. + if rawCerts == nil { + return fmt.Errorf("unable to get peer certificates") + } + + // Parse CA certificates to a slice of certificates if provided. + var rawCAs []byte + var err error + + if len(c.CA) > 0 { + rawCAs = []byte(c.CA) + } else if len(c.CAFile) > 0 { + rawCAs, err = readCAFile(c.CAFile) + if err != nil { + return err + } + } + + var cAs []*x509.Certificate + if rawCAs != nil { + cAs, err = parseCerts(rawCAs) + if err != nil { + return err + } + } + + // Append the peer's verified CA chain to parsed CA, + // in case there is any missing CA. + cAs = append(cAs, verifiedChains[0][1:]...) + + // Remove any irrelevant CA certificate from CA chain. + cAs, err = CreateCAChain(verifiedChains[0][0], cAs) + if err != nil { + return err + } + + // Parse CRLs raw data. + var rawCRL []byte + if len(c.CRL) > 0 { + rawCRL = []byte(c.CRL) + } else if len(c.CRLFile) > 0 { + rawCRL, err = os.ReadFile(c.CRLFile) + if err != nil { + return err + } + } + if len(rawCRL) == 0 { + return fmt.Errorf("CRL is empty") + } + + // Verify CRLs that are signed by trusted CA and not expired, + // return a slice of valid CRLs. + crlsList, err := parseCRLs(rawCRL, cAs) + if err != nil { + return err + } + + // Append the end-entity certificate that sent from peer, + // and verify the peer's certificates chain revocation status + // against valid CRLs. + cAs = append(cAs, verifiedChains[0][0]) + + for _, cert := range cAs { + for _, crl := range crlsList { + for _, revokedCertificate := range crl.RevokedCertificates { + if revokedCertificate.SerialNumber.Cmp(cert.SerialNumber) == 0 { + return fmt.Errorf("certificate was revoked") + } + } + } + } + + return nil +} + +// Parse all CRLs and return a slice of valid CRLs. +func parseCRLs(rawCRL []byte, cAs []*x509.Certificate) ([]*x509.RevocationList, error) { + var crls []*x509.RevocationList + for p, r := pem.Decode(rawCRL); p != nil; p, r = pem.Decode(r) { + if p.Type != "X509 CRL" { + return nil, fmt.Errorf("unable to decode raw certificate revocation list") + } + crl, err := x509.ParseRevocationList(p.Bytes) + if err != nil { + return nil, err + } + + // Check CRL exipry status. + if crl.NextUpdate.Before(time.Now()) { + return nil, fmt.Errorf("certificate revocation list is outdated") + } + + // Check each CRL is signed by any CA, if not, ignore the CRL. + // Otherwise, append to the valid slice of CRL. + for _, ca := range cAs { + err = crl.CheckSignatureFrom(ca) + if err == nil { + crls = append(crls, crl) + break + } + } + } + return crls, nil +} + +// Parse raw certificates with padding structure. +func parseCerts(rawCerts []byte) ([]*x509.Certificate, error) { + var certList []*x509.Certificate + for p, r := pem.Decode(rawCerts); p != nil; p, r = pem.Decode(r) { + if p.Type != "CERTIFICATE" { + return nil, fmt.Errorf("unable to decode raw certificates") + } + cert, err := x509.ParseCertificate(p.Bytes) + if err != nil { + return nil, err + } + certList = append(certList, cert) + } + return certList, nil +} + +// Construct the certificate chain with the provided certificate as base. +func CreateCAChain(cert *x509.Certificate, cAs []*x509.Certificate) ([]*x509.Certificate, error) { + chain := make([]*x509.Certificate, 0) + chain = append(chain, cert) + + for { + // Reach the root certificate, stop constructing the CA Chain. + if isRoot(cert) { + break + } + + // Find the issuer by current certificate, + // stop constructing the CA Chain if none of issuers found. + issuer, err := findIssuer(cert, cAs) + if err != nil { + break + } + + // Append relevant issuer + chain = append(chain, issuer) + + // Assign the found issuer as the next certificate that to find its issuer. + cert = issuer + } + + return chain, nil +} + +// Find the issuer certificate from the set of possible issuers. +func findIssuer(cert *x509.Certificate, possibleIssuers []*x509.Certificate) (*x509.Certificate, error) { + for _, issuer := range possibleIssuers { + err := cert.CheckSignatureFrom(issuer) + if err == nil { + // Found iusser certificate. + return issuer, nil + } + } + return nil, fmt.Errorf("no issuer found") +} + +// Check if the certificate is at a root. +func isRoot(cert *x509.Certificate) bool { + return bytes.Equal(cert.RawIssuer, cert.RawSubject) && cert.IsCA +} diff --git a/config/http_config_test.go b/config/http_config_test.go index ca2ed71a..5ee94f3d 100644 --- a/config/http_config_test.go +++ b/config/http_config_test.go @@ -39,18 +39,23 @@ import ( ) const ( - TLSCAChainPath = "testdata/tls-ca-chain.pem" - ServerCertificatePath = "testdata/server.crt" - ServerKeyPath = "testdata/server.key" - ClientCertificatePath = "testdata/client.crt" - ClientKeyNoPassPath = "testdata/client.key" - InvalidCA = "testdata/client.key" - WrongClientCertPath = "testdata/self-signed-client.crt" - WrongClientKeyPath = "testdata/self-signed-client.key" - EmptyFile = "testdata/empty" - MissingCA = "missing/ca.crt" - MissingCert = "missing/cert.crt" - MissingKey = "missing/secret.key" + TLSCAChainPath = "testdata/tls-ca-chain.pem" + TLSCACHainNoRootPath = "testdata/tls-ca-no-root.pem" + ServerCertificatePath = "testdata/server.crt" + ServerKeyPath = "testdata/server.key" + ServerCertificatePath_CRL = "testdata/server_revoked.crt" + ServerKeyPath_CRL = "testdata/server_revoked.key" + ClientCertificatePath = "testdata/client.crt" + ClientKeyNoPassPath = "testdata/client.key" + InvalidCA = "testdata/client.key" + WrongClientCertPath = "testdata/self-signed-client.crt" + WrongClientKeyPath = "testdata/self-signed-client.key" + EmptyFile = "testdata/empty" + MissingCA = "missing/ca.crt" + MissingCert = "missing/cert.crt" + MissingKey = "missing/secret.key" + FullCRLChainPath = "testdata/crl_chain_all_empty.pem" + FullCRLChainCertReovkedPath = "testdata/crl_chain_cert_revoked.pem" ExpectedMessage = "I'm here to serve you!!!" ExpectedError = "expected error" @@ -160,6 +165,33 @@ func newTestServer(handler func(w http.ResponseWriter, r *http.Request)) (*httpt return testServer, nil } +func newTestCRLServer(handler func(w http.ResponseWriter, r *http.Request), serverCertPath, serverKeyPath string) (*httptest.Server, error) { + testServer := httptest.NewUnstartedServer(http.HandlerFunc(handler)) + + tlsCAChain, err := os.ReadFile(TLSCAChainPath) + if err != nil { + return nil, fmt.Errorf("Can't read %s", TLSCAChainPath) + } + serverCertificate, err := tls.LoadX509KeyPair(serverCertPath, serverKeyPath) + if err != nil { + return nil, fmt.Errorf("Can't load X509 key pair %s - %s", serverCertPath, serverKeyPath) + } + + rootCAs := x509.NewCertPool() + rootCAs.AppendCertsFromPEM(tlsCAChain) + + testServer.TLS = &tls.Config{ + Certificates: make([]tls.Certificate, 1), + RootCAs: rootCAs, + ClientAuth: tls.RequireAndVerifyClientCert, + ClientCAs: rootCAs} + testServer.TLS.Certificates[0] = serverCertificate + + testServer.StartTLS() + + return testServer, nil +} + func TestNewClientFromConfig(t *testing.T) { var newClientValidConfig = []struct { clientConfig HTTPClientConfig @@ -1980,6 +2012,224 @@ no_proxy: promcon.io,cncf.io`, proxyServer.URL), } } +// Test with empty CRL and irrelevant CRL. +func TestNewClientFromEmptyCRLConfig(t *testing.T) { + var newClientValidConfig = []struct { + clientConfig HTTPClientConfig + handler func(w http.ResponseWriter, r *http.Request) + }{ + { // Full chain of CA and empty CRL. + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCAChainPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: FullCRLChainPath, + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, { // Full chain of CA and single empty intermediate CRL. + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCAChainPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: "testdata/crl_inter_empty.pem", + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, { // Full chain of CA and single empty root CRL. + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCAChainPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: "testdata/crl_root_empty.pem", + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, { // Missing root in the chain of CA and full chain of CRL. + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCACHainNoRootPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: FullCRLChainPath, + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, { // TLS Config contain a pair of irrelevant CA and CRL + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: "testdata/tls-ca-chain-add-irlvt-ca.pem", + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: "testdata/crl_chain_irlvt_cert_revoked.pem", + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, { // Full chain of CA and CRL, the Intermediate CA revoke the peer certificate, + // set true to InsecureSkipVerify should skip the verifyPeerCertificate. + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCAChainPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: FullCRLChainCertReovkedPath, + InsecureSkipVerify: true}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, + } + + for _, validConfig := range newClientValidConfig { + testServer, err := newTestCRLServer((validConfig.handler), ServerCertificatePath_CRL, ServerKeyPath_CRL) + if err != nil { + t.Fatal(err.Error()) + } + defer testServer.Close() + + client, err := NewClientFromConfig(validConfig.clientConfig, "test") + if err != nil { + t.Errorf("Can't create a client from this config: %+v", validConfig.clientConfig) + continue + } + + _, err = client.Get(testServer.URL) + if err != nil { + t.Errorf("Got Error %q", err) + } + } +} + +// Test with revoked certificate. +func TestNewClientFromRevokedCertConfig(t *testing.T) { + var newClientValidConfig = []struct { + clientConfig HTTPClientConfig + handler func(w http.ResponseWriter, r *http.Request) + }{ + { // Full chain of CA and CRL, the Intermediate CA revoke the peer certificate. + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCAChainPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: FullCRLChainCertReovkedPath, + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, { // Full chain of CA and the single root CA revoke the intermediate CA certificate. + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCAChainPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: "testdata/crl_chain_inter_ca_cert_revoked.pem", + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, { // Missing root in the CA Chain and the full chain of CRLs, the Intermediate CA revoke the peer certificate. + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCACHainNoRootPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: FullCRLChainCertReovkedPath, + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, + } + + for _, validConfig := range newClientValidConfig { + testServer, err := newTestCRLServer((validConfig.handler), ServerCertificatePath_CRL, ServerKeyPath_CRL) + if err != nil { + t.Fatal(err.Error()) + } + defer testServer.Close() + + client, err := NewClientFromConfig(validConfig.clientConfig, "test") + if err != nil { + t.Errorf("Can't create a client from this config: %+v", validConfig.clientConfig) + continue + } + + _, err = client.Get(testServer.URL) + if err == nil || !strings.Contains(err.Error(), "certificate was revoked") { + t.Errorf("Expected error %q but got %q", "certificate was revoked", err) + } + } +} + +// Test with expired CRL. +func TestNewClientFromExpiredCRLConfig(t *testing.T) { + var newClientValidConfig = []struct { + clientConfig HTTPClientConfig + handler func(w http.ResponseWriter, r *http.Request) + }{ + { + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCAChainPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: "testdata/crl_cert_revoked_expired.pem", + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, + } + + for _, validConfig := range newClientValidConfig { + testServer, err := newTestCRLServer((validConfig.handler), ServerCertificatePath_CRL, ServerKeyPath_CRL) + if err != nil { + t.Fatal(err.Error()) + } + defer testServer.Close() + + client, err := NewClientFromConfig(validConfig.clientConfig, "test") + if err != nil { + t.Errorf("Can't create a client from this config: %+v", validConfig.clientConfig) + continue + } + + _, err = client.Get(testServer.URL) + if err == nil || !strings.Contains(err.Error(), "certificate revocation list is outdated") { + t.Errorf("Expected error %q but got %q", "certificate revocation list is outdated", err) + } + } +} + func readFile(t *testing.T, filename string) string { t.Helper() diff --git a/config/testdata/client.crt b/config/testdata/client.crt index 5e68bd44..f92eb39b 100644 --- a/config/testdata/client.crt +++ b/config/testdata/client.crt @@ -1,32 +1,32 @@ -----BEGIN CERTIFICATE----- -MIIFgjCCA2qgAwIBAgIRAMMSh5NoexSCjSvDRf1fpgQwDQYJKoZIhvcNAQELBQAw +MIIFgjCCA2qgAwIBAgIRAOSykfzsFL0kachzbNI8PrgwDQYJKoZIhvcNAQELBQAw aTELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRowGAYDVQQDExFQcm9tZXRo -ZXVzIFRMUyBDQTAgFw0yMjA3MDgwOTE1MDhaGA8yMDcyMDYyNTA5MTUwOFowNjEL +ZXVzIFRMUyBDQTAgFw0yMzA4MDMwOTMxNTJaGA8yMDczMDcyMTA5MzE1MlowNjEL MAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxEjAQBgNVBAMTCWxvY2Fs -aG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKE5sMf63irOiAEo -a5GMONLHDji9ATAVs1erm6NW/17UPOSjN1Q1n6JGTp2XLKb5gle7gdGdjXW9IB6n -PhXwQp4ZvTaucMxcZ+Zik19tn+azKdfj/FXU0c9R5oEv4B/1jfKG258dQF5es/Ga -A2WW3nWA6IwQkHcBcN7cBQCZZ1GcM81rxybuyU4k/FyMheehcJ5MN8iy0Y0YrMcZ -KxmRfAR/EfVYjenWXjZNncsUXotQr5I4wBUJ/pj5pYQWpSuyO6oADX1EzcxuL6bO -XoEHfGFqmr90lM/x19bHzllu1UxIwqmT8jW3Je89EhlBxb0htNWNg4hKY7658Khq -L0tx0AsdIru/JuoQGXrDs4yf+3xL51zSeMr6jewl6AyGQKCc5E+c/zwklCdsVFw7 -zapbT6Hok5HjSoMnRi/EGLtd33CQjvgGooPA4LLzWpbZhoA7QZLBXhvAG3qIkTXr -1SaDQcP6GvYItEo3Yvqle7hWqhJB5E7QJ2+0j0ztbOLZBkuQGmiT4Ebsx5IJrRaT -jDCkqYzuHjdTAtwDQR6Tuy2Sc+AuAxI4kDH6EwpX5X7E2mkE2RyYusiu6o400K6F -QhRysPf1BXxSwQgcvsQTjcl8InyY/JT+7q7TCOLaXoj5rQDwIQdao0IRgr1+M7FQ -5rsuLRD92EI/vLfSikk3MxcwZ1qzAgMBAAGjVjBUMA4GA1UdDwEB/wQEAwIFIDAT -BgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFMaa -Hh5g0+YopeLd1IkizXyK9K/zMA0GCSqGSIb3DQEBCwUAA4ICAQA1qIgzzSid9YZS -v3kfqaDmZ3ickDuoJg4DjOz4AoZF+o2SnS/kXrIs/pTABUcfhgxt6xNJUFPIi2Pa -IQXkS24Ya85RJxNUrJmqwhavONoxNoC9RBdNqwQy30DxrBcB+881Y/Ln3VQu6mfj -aLFk09LFddz3Uc26spc257GkWfvdKjki5xDiFYze8KO0s+J/OWluNOiBG1Pehj+c -CkwPzy9lwX0JCbAhsDkJGSY4rh+MO/bg9RemuqCPrmOIH8laBnJFvMTZyZRUTQlB -pAcS8Oa6Bth5DUV7XSwWD6ZOe8Jo5BzJmw5hd5/EA+0+LwZqxmB9d7lGMKgEOMJw -rIQZCN5PlYYkp31y190rw5XklHMeUJUNzcZKa/tNhjwmU5Pj01gdS5/AnFqO3zRW -w3jUI6GR7rqj8g4P/kigIUyuX1Our6K27HUWVmt/SC+DHrhF+J7xet0q3R+UwUx1 -4wTzXnA1++s19G9wzo/HenCOTvU2bprl/WQ66/lICU+xxwHfs6kltY3SItvczqOf -+iZrmDn/0jmoarkhaND0EpiG6FbsNWsCprPP1uj0ICqvcBD7VfqT4NWY8QWcoqqr -JxiOAuuh0iNj8dmax3suNmd+XKIhVHZ3lRBRxrsqqi67axk3mgQby2j9sLxNmrqD -Lc+UGxJB/WZg4NvzZSaj2MZmt4zOHQ== +aG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAM8m31zviB6E15Jm +UmTIwtSmmNh9/jZ0oxz5i9tOz+jCZc+rEJm/QbkrDVo3XlKibwcyIW/Ou++k7kjP +ha6iRKy/FPH0Wx1uYc4QrgIBl7R9YO+2d034AcKKnltWKwLhCOq5va4IDOpto58I +ZUBTkNhzPbXuo3KewNwYqS8MKvc/ARvFJLjSDbiMneshQLBbHckxDJ3LjT8/YLuG +Cgr3cF7tqU2RxiKa3QuWAqFmTdb90TsFpCXWTaHMokgMbVmCb8gsmw8nRYXWOKSA +N6nx+wHMvEecooxojTxV6J/2xWw12wk4/Z2d3J2zFHHgtKpoYrerCrAGh4xYbqKb +mgeZVurkix1CX9jALa9jTLUTJW0zhp2D74gjOBQ26xHo6IaHMCDePR4MIWq++i87 +7EWREDnG4A+NPCji9HHZ0ihAs+q8C+gibh5U7OoNZa9YTIv8pwmwRZgyssfjtWwp +5zgAHmrfkVuUJPa/ZJgu90T64DEQEM8VYbIo/w4SreEIKI+BjRDHeU0lzLJXZwCM +H0HYdWl5eTGQs0JAixrBNYiMeFI1qQK6wqWi5/MMEZ/n0JKHkc1Lx9mujYfzLqML +a8cMZssa/ftkAWUBpaYK0WU5fzQPyYu9BKX0sudzP5gVAKe7Ff6xOwrsOUJPoBJw +N4ZHbYB3kSxpdoDvbmBlXr35sJ+LAgMBAAGjVjBUMA4GA1UdDwEB/wQEAwIFIDAT +BgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFH9L +fDTzrym3/EwMAopkOky+eXMKMA0GCSqGSIb3DQEBCwUAA4ICAQA2xFQkSGW7GcLK +aS7h7Y0/yZFu8iL8ICMWP9MySPFidjz5+u2zyMwCwPq/33pt9xS0myDs9ozyrXN8 +GnNGuU36B34KXkGU1hvM9XCX8CDmSU2UrMygFzFRAERH6qUTn2iPuoL9C/0V7O/J +jcafhzAphsd/m2I15s4JuRIpFkG2bAOUlW9gPvDfWZntstYxt+QNBHhNNsCEXXz4 +F7PviVBR+nUt+PmOEMzkHQt0KEhlmu/nI1EK1NyhSKu5Ob97pbuRNqobqGtgXRVr +w2NiA39oUpHmvG2SYXl6XX2vT7JmDKy0Xvc+EegZkjOcJ4i7dCZdulqNydnnvB0d +u+Fb72SsytfbNEASkeqxF2+gTjhdOC1NwcVQhpdU+NEjEa1e0/txabFeDBZnNWh6 +1uFrAZlTyJ/fD5/y6WoYlZDRr9zZZLFEL/6Zu5fALngzpFmXx7YY+Lkt0r5Uf6+d +A1CVrhe92mpqkyZnf1BW7/1szEPZzYqJs+nKHHuoXWzK0nTaBCWsVa1LFKXJA57O +/U5qNXnleDt++qHhSD0nlfdGHCdqUdtxIMJ+cnJlaEBfzZvw3IrH/IPUFo9/y6Nv +U3lwPCd+YHs7zMZXaAv/1gacYgqnor7b5iyIPPuRKJrCYZdMf8d4L+inZUcLhzjG +gySUXksbbAdbLZK+/PlLiliq+u3vPg== -----END CERTIFICATE----- diff --git a/config/testdata/client.key b/config/testdata/client.key index 9c768235..757acf71 100644 --- a/config/testdata/client.key +++ b/config/testdata/client.key @@ -1,52 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQChObDH+t4qzogB -KGuRjDjSxw44vQEwFbNXq5ujVv9e1DzkozdUNZ+iRk6dlyym+YJXu4HRnY11vSAe -pz4V8EKeGb02rnDMXGfmYpNfbZ/msynX4/xV1NHPUeaBL+Af9Y3yhtufHUBeXrPx -mgNllt51gOiMEJB3AXDe3AUAmWdRnDPNa8cm7slOJPxcjIXnoXCeTDfIstGNGKzH -GSsZkXwEfxH1WI3p1l42TZ3LFF6LUK+SOMAVCf6Y+aWEFqUrsjuqAA19RM3Mbi+m -zl6BB3xhapq/dJTP8dfWx85ZbtVMSMKpk/I1tyXvPRIZQcW9IbTVjYOISmO+ufCo -ai9LcdALHSK7vybqEBl6w7OMn/t8S+dc0njK+o3sJegMhkCgnORPnP88JJQnbFRc -O82qW0+h6JOR40qDJ0YvxBi7Xd9wkI74BqKDwOCy81qW2YaAO0GSwV4bwBt6iJE1 -69Umg0HD+hr2CLRKN2L6pXu4VqoSQeRO0CdvtI9M7Wzi2QZLkBpok+BG7MeSCa0W -k4wwpKmM7h43UwLcA0Eek7stknPgLgMSOJAx+hMKV+V+xNppBNkcmLrIruqONNCu -hUIUcrD39QV8UsEIHL7EE43JfCJ8mPyU/u6u0wji2l6I+a0A8CEHWqNCEYK9fjOx -UOa7Li0Q/dhCP7y30opJNzMXMGdaswIDAQABAoICAHKXAmLgl09tg5TvGaVVOH33 -JNCG5XU7t0A0pGYvy0mnJ7CJoSWlB1TbC71OWVpENLQOfXJyvLxWM6IV1DbbkT21 -pZpb2agmdWJ15bEJxYC/Dpp3XD3VCVqFJ4PidzW/3afm2en5bGqmfNbXVFq8JFj3 -ylDi5QrwZzy+vH90iM6kat0yIVY2mbWE7CkLZ5D+WYDpQyzOi8nxI7xO0ydVFARO -HIF480SkLEoEWIaib6AtNNyEoWFSvTYVGeMMBVFNWMK3Tt8eK/eEyTGRs/GZVHoY -vuwc/Dff+Dybvrop4Ehb3p+Qm7I5/ihQC7EP4m9Oqayu7DHOTZ6docLR1dOVjPt4 -F0qkeMGaGTDnfGmocqaKskGmhNWEnav5+aaYtFRXEqkLW53lIaGcWv2kyaFfvCYg -L810FEn9D5OVmlLjgUrzeEctFmhO2Br33dLl90imtuVI3Kg/qzsM9fiV0KbsONzq -I7aIvZZjXrevCOFtNSTfxNT8PrkyjWYN+2sbLWCR7hRvuzSTHI/qh2TzvyhqKeWc -ZPVlIT2qvBN5OP+j42J54VXwJNIwUmbKfnETvHMp3Cht/UaEtj/vzAkYB0paEQUs -O80vWwN4zk6H/qRV0HewUoNIGYlnTFLg/uOlLwbkctYH9ubEaobtVtwx6hsZ12AM -m7N27FsiAf6KJOGN2CqhAoIBAQDBuQgDxtf3XaoUc8YJKnvGRFMmuq8VWIELF2E1 -/u+IWP8f89BoUon7J5VMHvKiuvsVa6bOJpENrp/fV9+5IA7a925U7il8LmGis+v7 -Sg5pWMJ6gUXq65jssXw0PPDyHEHL0WTwI6KlcI0+Pt8zPujq0TPeHBOadlaPHdg2 -lHEWPvuoAeZknLnYWF7Eq0y3cD2LBiFiZWNRO0wccFf7CA1O5ToUDkFB0zXB5ZOJ -RgVSUQ5Gnva2OSB+dfFc3HwOADqjnBW+nMDi/ofH2rQEysEp4iTV4N+HkWxpNUPU -9Z3KRUN645P1BK9ufwNnqsagJU8gKNR9EJKITiPU3jqKi/IvAoIBAQDVDjDi574a -btsUQcUcip2na+D5jRts+/5lugA5OT6GzIRyYP8WgH7JMbwC91cB3avV08y5SHMB -P1wo04qaBL+p1by19ewZ6f4Kfytoad7ZGb/P9tX8H30N8Q/k9kucn4igpJ6XaQXU -tJIKWoBsNuUTZkPwa0+FMBBbRFRagu+mbOwnKR6zNIXNh18K7/LCJSb9jy73xG7k -DEuRJH10Ow0Ijo4/UACm0CLdavtVtbkGfarETfZSUPuKMHs6dyAME94+IG3WgmWW -B1WbtrWXw6RNhaecYDfjeW3iFOjgo+MpaQpnfiz7nqNrUu5zbteJYM2EdHI1baJ+ -/VXsXsc4hdK9AoIBAEyWkJqdpIiBmVpYozTAfQrXvGAVcl7oDKyL47zrO1wWg1bo -l76G01JeReJAYgEAF4BSfTIHgVV9cmtkXGjeScE8DXy6Y+BanfMrWuKQVr5Dfy/b -p/7GgkEhsk8cwM2XalPgRx3BmO37X3v6c1fZSVB8wRrQ0tdAbdxLGk4JxePbpra3 -eZTReZAU7/KlHsFvOIWcONqj5u4YmXCs4bu3ZTuJ2LpRIG+bxycPUpL1AemXbiNx -eWx1jWkxy+jAqrMGWCiS7u3bH08e/iN/TaiPWGrso0+Dhhwc3FWD33t0V5u+Yn1V -OAuofIsc4AW+OKTb2zqFqex//s6wxe3EpjRcO7UCggEAXVL5APtn3yY92pKwp77k -LejoRAeWQtfi6GZgILC9fchqH7vzIMUqRDD/3QDA4PVbhq9e1q4wihRZ5xw6cxqv -ZdJU9hOB1xwTBkAMIJF3ZvuLdKn3s5eLbKbyQmXMWw/ahht1yHbdcf2iltxrsnsd -PrEmA1LOI1YZZBD7LiZ6mRjPHJw7cV4JWiz46c6PNJGXkau9dBRcSpJEK5CjT11q -aRwgnQULNAaprvlknHecU4aKXbCUvBvzAuYXpFV3+TJewDHuSu8VVnFiA3I1+wNc -ngR0ld/ju0V+Z3CnTXccUxBK2WiAhbtIdAOApZmg2fFINMPZHyQl8KBBmecuNskP -tQKCAQALxoCzLhdq6Kl/mqqdPTlvncIuAoaH2VjEc5ZpMIHShPd1YfPv5/sQkD4B -8X7QNLPITaSGvNTevyg/KtVPuWyyCxEjmIXDXOCXkylmJFY9tgaaSGPLRJ62sIbz -EJGmUUOBYD+/ybV+dQd3GgkGJ0Hytp+FM8NCWukCFRAxb1m56xfs+RTBuLdJpou7 -AV+RafQV1roAQ+Pj3dFsoR6jBJIM4w0S5Q6609W062hrR6hBrlVBGfZpo/Mgmv5K -HEnQ7X+AqPaK7BLdzBQb2Qd6hGF8DMVTSBRlc/THnhK/HlVCuWMNuEliGtmIuGYE -0FRrwC2EvZmAS7m/FHfkpry76CRU +MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDPJt9c74gehNeS +ZlJkyMLUppjYff42dKMc+YvbTs/owmXPqxCZv0G5Kw1aN15Som8HMiFvzrvvpO5I +z4WuokSsvxTx9FsdbmHOEK4CAZe0fWDvtndN+AHCip5bVisC4Qjqub2uCAzqbaOf +CGVAU5DYcz217qNynsDcGKkvDCr3PwEbxSS40g24jJ3rIUCwWx3JMQydy40/P2C7 +hgoK93Be7alNkcYimt0LlgKhZk3W/dE7BaQl1k2hzKJIDG1Zgm/ILJsPJ0WF1jik +gDep8fsBzLxHnKKMaI08Veif9sVsNdsJOP2dndydsxRx4LSqaGK3qwqwBoeMWG6i +m5oHmVbq5IsdQl/YwC2vY0y1EyVtM4adg++IIzgUNusR6OiGhzAg3j0eDCFqvvov +O+xFkRA5xuAPjTwo4vRx2dIoQLPqvAvoIm4eVOzqDWWvWEyL/KcJsEWYMrLH47Vs +Kec4AB5q35FblCT2v2SYLvdE+uAxEBDPFWGyKP8OEq3hCCiPgY0Qx3lNJcyyV2cA +jB9B2HVpeXkxkLNCQIsawTWIjHhSNakCusKloufzDBGf59CSh5HNS8fZro2H8y6j +C2vHDGbLGv37ZAFlAaWmCtFlOX80D8mLvQSl9LLncz+YFQCnuxX+sTsK7DlCT6AS +cDeGR22Ad5EsaXaA725gZV69+bCfiwIDAQABAoICAFk5YRPiiDq89S01rV+DqYd2 +incVLZ2+91LPmZHIjHyw3rFn+Sp/2osrJAErwBDPrgrnaMeDwCckXw41dFsXwYS2 +eQsOOQCgPrhHLuvmS7WOG2akrRaEMB3fHv4wSy5eRzzy6+Q9y3Jd7w/cyd+/HrBc +UsQ+GWCRSHiElrqQ/yCnno6bh4mj0A0hZBOWqwpK9LVnzwtYVWpcngmnXkQC9/+r +VjT3COR216bZ4iAqtHRZtvk5IM67U4zRW0S1NZRMPmF19QO94pAXCSaxo0gr1fWc +faxKpyjbD5phVmUwITDOsZ1zUqnFCPVT4QZ7xtVvSLXbkirnZRLqNB0N8HY9cdXL +sUxBfzv4CCKjoe0Wwr0lLZyR5sIeAjh/EKH94/uQ5tUQkz4KBlmptUCgO98TghFL +kyEIF0CO7JFJufCGvjfHlsU6Oy7QSYvolVUjcH4Ahh+neOJ9q/5/cFtHHpWtW+6L +PNnmw1i+/2SUKwQ7D5rCgo9H/QmfuBnuYY4jJxlbjaJnW+vWHmWyEZuMbQFVv52B +JKH7Liwp0m64TIgtSEjraKN8FYO3VVXEeOuUb9IB/V6Q4H2ZEZyrdOQ04l+pLNRW +UYp0wWTsg9tNMVNL0t+tOhFN8L/BxZ+tL92c2z/+9Y55GkW6OOXvENqH9s3sdNxT +9G5CIkGZfvboh4fMC2GBAoIBAQD6TOwmKEPU0Tg0yB5RuQQBr39lrnzKz6BvJ3DZ +uQ1hTzyAT5bnNIwq+F/noPJ/DqTO2Z/uigX4J/nDsgVcVsjJ3GN9aexYfFa/Sxlj +kw79uYB1z/f1ZrPLt2Zf4zzDq4RLxVmMdy8yXeGbJn2X8C17W2iUptzJW3NyXmY0 +vXPcJifDjN7D6gacwzXegxOzWbo5tHUNoIP+VWu4SCC+891aNixu54vTMD8gsn3Z +uKDoeFMhm5qnq8MQLdt/uo1giON4eSrhJPykv/jgLALbHR85gK3nf9p1qx267moV +sUiMOSMo+tvUdGnrsKfxMjPbYc4ZZa77FxKPeIzS41wiwV7xAoIBAQDT3mxutqS0 +w8qw9iBYJugpXOyRzKJkTbGxHiDWQBxYiMvG8bZT73vxbX4FbPVpRqTqWGDKQsNY +qypvVdc2y1pELr+6q2HNfss5MpW7NlZaRRGKC1HATb7i7kpbB78zJcdZ5+TUzvn9 +VehaI+t/oiYrR0lQVa5oANGGjyO4fYgWX+1ulx4DL0mZIIfERw+KDkTqymdD17pg +jJigto1Cbk7hBV21TR5EAlAI/BlWJKeQz/oXBxO8RO6YMAzaY0yl1y4XM6hxDQCY +mbdQeevO5EfXGmkGb71KF1ZWMc/RcwX/HABKwY4PHIXmJBMG+KT+Nn7P7LZce+kG +wJsYUYRE9547AoIBAQCpH3Soy6gZkkyCDX2/Bl5YrTZNhDq55tSmhmXQFyOdTqa4 +pA54pp7XIf/bSHrRsxlU0uMnkIc8B/bRbeYFYHZHPuzSftG9cDZFBv9esqz8b20H +LcCDRiPSUFeSDr6uD6RSdkRtjtKLG7gm1zkhgp2YrkjZuG2SeIJnErXIiQJSDE3t +6a9TfTt+jMBHWxXip4wXFYHJ9V16aklguQu3OpukKtqXDUkDJ6Rf+Xrjs8a1jSfO +m49CH+KrefDIO0rvoU7hxi1c91rmDvigr9w2JVVFy1a2B0ObIkXyWsm/Yox8gtbp +B6elxAsVv8WaSauUXl+d9YDoE8zsuC2fCRTmPvZhAoIBAQCmR5ucbLXptPxgVFrg +NHDi/a4hY5RT2nJKCtZEsH5OsdYUpmGtkHga7A8K3Q/idvI5hfE47Jr5/SRJyvok +ZAbNGk+ZhqY0rH18v4mqK6QsJqb0S5v2rE3TNqeet/7EerLxicEbj/G9dO3tyOEs +A6unLcSJSyWdNH889xxW0Ba9UL48nFeOsk814cUMM6UrebV2/DF9mlMJMW8cOwm0 +iHRZwGdiQkstnw8HbivIYu4sBj5GUmSXzxXe1V9RCrv+MFpZFU7uowDDw2iOvZFn +h9wmIvEofwv1mUlGTsPGo1qidGx6P1xp2b3w+IECaKS9azGtqB8biJhDl2hh9qAz +rI8/AoIBAQDpon6t8rOV8WjqYo+0UxC15muvSKW7TSpIJUqIpg6K+A2N8SxCU6IQ +4CWy4EbqZMI2k3ScGK7JmmS9S1aquhqRwx+TE0wYFfG7V5Vwadi8lzzTKVQ3GGp1 +hZoHFKzCmNsD7tJJhVGihkA8Bh6c2Ak1vU/Iv4D5RnOPyPlajFjzpriOme+GG/bd +l57irdAiCTxp549gXbaOWTikLcAfwXzYoqE5Hfr1cBjqYIOxYT8Ir7ogPJ1dlS39 +mIbqLkzMT0EVTOSCyAh+1VgFqER7+ORGdV8bN5UIQfisSL6HlJuPIh4rvFAiNsbz +vrV3bDMxUzXECSHwgLro9/i5I93N1CDX -----END PRIVATE KEY----- diff --git a/config/testdata/crl_cert_revoked.pem b/config/testdata/crl_cert_revoked.pem new file mode 100644 index 00000000..7122a6a3 --- /dev/null +++ b/config/testdata/crl_cert_revoked.pem @@ -0,0 +1,19 @@ +-----BEGIN X509 CRL----- +MIIDCzCB9AIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA4MDMwOTMx +NTVaGA8yMDUzMDgwMzA5MzE1NVowJDAiAhEA5LKR/OwUvSRpyHNs0jw+txcNMjMw +ODAzMDkzMTU1WqAvMC0wHwYDVR0jBBgwFoAUf0t8NPOvKbf8TAwCimQ6TL55cwow +CgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggIBAGdFRDMWIryk+QqDhCURClX1 +m5pSRH7AinqgzHbIx/MBiITt3+5A/RJ80WpUD1LE6sRi/RRvS3G5cbcVnKR6YlD8 +LKdY4BmYP+TnKg5Nq2S/JW0LR+25zeb4Uw3G6H4tAKJrsD6SezJ6KBEt6wfUs7Ea +gQb8lBwvT/21tF2smEwVIq/sKn2XAnMFRAYt1YnOK3B/ZKOhcz3P6oMLKE6rrJl9 +M1wockmTt+HWnikdJ4+H62jwPAv4RXqHxU56uEE4imzXPaUtQP16FbAgd8OmAASc +neflFCoxW/zQe3uMopbw/iVR05Ly6v2gb6EwWm1K01OCYUjkxr/jQIK9v4U7hD+R +WlpXYySiWe7tQ7JsCDVmKgPQOA0PafycCYt3Y/DrVAcF/vgKvsucMIVKWL5/YhAZ +WPV4P1SXLHl8FM4PbuB9Oo+BrN6IEJp3flHYLP/NTf6GSbcf3+LdRyhEy0USm6km +aeECBbAsL2giGnKGd0hJfWwq7fxQF7Nym0SE2EXbuAUhd/VOEcfHLY8IOSAqdYgk +1Ldf3ADavqB5LowwrcvIu2V2Y7ggTCfqgutBglt0t7U9Zfm6YnbnNVJbtK0FpPCY +SAceB2/Qzzbqy37MEXisrLMpmTbH3Mf4VGW+74igRV0qflFTr9YjKUebtzPsEt88 +tOmrMqUTgBIxFzxljdzE +-----END X509 CRL----- diff --git a/config/testdata/crl_cert_revoked_expired.pem b/config/testdata/crl_cert_revoked_expired.pem new file mode 100644 index 00000000..89e67418 --- /dev/null +++ b/config/testdata/crl_cert_revoked_expired.pem @@ -0,0 +1,19 @@ +-----BEGIN X509 CRL----- +MIIDCTCB8gIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA4MDMwOTMx +NTVaFw0yMzA4MDMwOTMxNTVaMCQwIgIRAOSykfzsFL0kachzbNI8PrcXDTIzMDgw +MzA5MzE1NVqgLzAtMB8GA1UdIwQYMBaAFH9LfDTzrym3/EwMAopkOky+eXMKMAoG +A1UdFAQDAgEBMA0GCSqGSIb3DQEBCwUAA4ICAQA1vQu0oyITvC1qL2HEsZNjTT0O +mVsyS8xPx4tcGQv5sEUOkEOgC5vVXkkYB0ZBhLbGRR1oJAZFkur1G55hNqZ14WX7 +efyvRd5jn+tYGGw/Gwp8t7kh30UmZjpS89Ko0JjWSVrR1+ljhcgOiJ0lRQKvyf9J +JwI3+mcJp9xBr+PkDLJBH0fDtv411W+ERrH+C5wk6RztJhFvFNPYmVbYm7mW9t23 +scC2wyM/q2zIwNhe79ndgM9UuuXZvkdhmsTnA3mNYvWH7qUdybOOfxosoYUrv4v+ +PS2SBAqf+0NlrWDTy3PTWDWEwrUL3AyFNZSS+Xe2aWBiPohuxQIOFG2PtCaPnOJ0 +orSpuGbKlpw1lDisuFjHoSD0gS6C8Tmtkm8QcZnozoqmYXpMgC0DTO6dEQIwt+6R +qW/lr58PCdR1UaZwRnBlX7NtP3AQOG8Ke+2jJSda+o2Uqwkx8lm9MDbCLX3hjskv +QdfoRuLOMIV35hXQMcXjPo+k3CQaTzP4tcDBujmMJ6w7UgHbOOk/Z8iggittLtNp +Q9k1l7YfGqHY1FgNifn6uct3Ik1ctA44fa3Lid8csORo/eptKI0VUtEZnE03yAbe +BSo6aaosrAg2MJzoZsL6floYr72csr/74+AguWpjT1RsDTLInmjXgnYKVklJIze0 +/6r+Dy3sW8Dl5FpqwA== +-----END X509 CRL----- diff --git a/config/testdata/crl_chain_all_empty.pem b/config/testdata/crl_chain_all_empty.pem new file mode 100644 index 00000000..50ca213c --- /dev/null +++ b/config/testdata/crl_chain_all_empty.pem @@ -0,0 +1,36 @@ +-----BEGIN X509 CRL----- +MIIC+zCB5AIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA4MDMwOTMx +NTVaGA8yMDUzMDgwMzA5MzE1NVowFDASAgEBFw0yMzA4MDMwOTMxNTVaoC8wLTAf +BgNVHSMEGDAWgBR/S3w0868pt/xMDAKKZDpMvnlzCjAKBgNVHRQEAwIBATANBgkq +hkiG9w0BAQsFAAOCAgEAORjQ7fYyUgmcMjbASqVjOC9oq1ZCqNODw86RGQ7WKJ3e +JjAKfs9Vq36xiiFKDx1yECdZMFpINf5dU+mjoR7kaRMLW9JbrW168+7ax0As7nsP +cLdD8Tg/NYeR9IvDPdFriSNDbJsTXoAfVkDjm+8a15o/DVcSPyla9EHkLeJd9PhA +/Dz4Cw8Ec6WlDQVsSNxNecKRE1wOT/o+wG1izuAqJsCNLiiQdcRzTQzZFapXisR7 +vxdi1/CozgJFFkGjNYsBaStgvn7bxJclf5lGv0M7IecfB7qcRLNkPzKTGOp9/MFy +7Prmy2/M+kjr92Su27SvIuu85k6MEUlmLnFtOWLucUsjo9rNZLC58hCjgWyVE/A6 +PwrYrmJkacyMAAuJX83dKAV5fJBtFwa3XjY0SWHGlhLhx25cpStYW9Ci1PsgQTwD +VYs3lS2CVrzJZBzvypdIVpEz7XtE1pV2qLcAHiCy8R0NxtXlIa+Sufv7KkO0WFnQ +dvcu/Otgc6UimtYSZF5kyMFffI6q9uqhsZqSK1MddO+2cPHc8//iJy44WYtUx/DU +C+bQCA6v6ARh44cCXH3BnU36s+g66cRBHI7d5/jPU4DuY5qo0A7RqcJtUaWpt1sa +W/33KveDg245Sg4l77su8T2FHb1y0eNVaqAyS5COq/K5dMc0EwbsdS/3KbbpSTo= +-----END X509 CRL----- +-----BEGIN X509 CRL----- +MIIC/DCB5QIBATANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGzAZBgNVBAMTElByb21ldGhldXMgUm9vdCBDQRcNMjMwODAzMDkz +MTU1WhgPMjA1MzA4MDMwOTMxNTVaMBQwEgIBARcNMjMwODAzMDkzMTU1WqAvMC0w +HwYDVR0jBBgwFoAUgvliDT1KWEmaDmYqZXzu86XI0EswCgYDVR0UBAMCAQEwDQYJ +KoZIhvcNAQELBQADggIBAJC84PCNIihidIWxw/M1hknbHfdUGGW6dSe1qEdvoU4V +Ik8IchISjL7FO1CF3gotvv+Whcc1ojodC8VVceWaDAL3cb8+VvfCIfi9HFseLeCC +SV/SQQhlowee7FsXa7le747hNp549GV5AYIduZ5E87w1hibb++TylReDrbNrh4NM +Y5X5BRzE8W1exlvD+DzlRtQTrBm3kSWxGjABHOkKielL8IOzh60Yq17DLwzKHXse +JLtkPO0khHERYy5R7UY8ItuzynHA9XOJP4u3ssH5yWUg+FjJhpUXeHyZjR7vQGqe +CTz22JVVzWXBPBigUBe4ILnOZ4q85qCMQ8bAmZJJEzdTRTlnCg9+LCgeV7P6FUy6 +jRBLJ24At8CGXjC0BvpZUlXmSLuUVeAeUitfUzakh0CrVtS0knN+kycNa6Sqo6q4 +UPU5m3qJ/QYJ7/hzWXyYkkN2ZQ9UkQuwBRQKNb19WsOYsyzhsRHdFdrn9qbk1ln1 +Iz+xqaqSaQbOLDZ7D8kmyYx8iIMUNOi2jOI71iXXdfH2+juolJNoEM5LKkVSsk3Y +I0TIEzs1dqMDCkgOhXx2H9lb9vAyFQE1iMn6TesJGKCBtOb6N/hFSC5NvQzcET1C +0IwRRdw/gpq6CQesp+9WYJW1y9FenZ9xn05iRRfDFDdxKKuMeLsCMNFw7WashsLb +-----END X509 CRL----- diff --git a/config/testdata/crl_chain_cert_revoked.pem b/config/testdata/crl_chain_cert_revoked.pem new file mode 100644 index 00000000..2bd815dd --- /dev/null +++ b/config/testdata/crl_chain_cert_revoked.pem @@ -0,0 +1,37 @@ +-----BEGIN X509 CRL----- +MIIC/DCB5QIBATANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGzAZBgNVBAMTElByb21ldGhldXMgUm9vdCBDQRcNMjMwODAzMDkz +MTU1WhgPMjA1MzA4MDMwOTMxNTVaMBQwEgIBARcNMjMwODAzMDkzMTU1WqAvMC0w +HwYDVR0jBBgwFoAUgvliDT1KWEmaDmYqZXzu86XI0EswCgYDVR0UBAMCAQEwDQYJ +KoZIhvcNAQELBQADggIBAJC84PCNIihidIWxw/M1hknbHfdUGGW6dSe1qEdvoU4V +Ik8IchISjL7FO1CF3gotvv+Whcc1ojodC8VVceWaDAL3cb8+VvfCIfi9HFseLeCC +SV/SQQhlowee7FsXa7le747hNp549GV5AYIduZ5E87w1hibb++TylReDrbNrh4NM +Y5X5BRzE8W1exlvD+DzlRtQTrBm3kSWxGjABHOkKielL8IOzh60Yq17DLwzKHXse +JLtkPO0khHERYy5R7UY8ItuzynHA9XOJP4u3ssH5yWUg+FjJhpUXeHyZjR7vQGqe +CTz22JVVzWXBPBigUBe4ILnOZ4q85qCMQ8bAmZJJEzdTRTlnCg9+LCgeV7P6FUy6 +jRBLJ24At8CGXjC0BvpZUlXmSLuUVeAeUitfUzakh0CrVtS0knN+kycNa6Sqo6q4 +UPU5m3qJ/QYJ7/hzWXyYkkN2ZQ9UkQuwBRQKNb19WsOYsyzhsRHdFdrn9qbk1ln1 +Iz+xqaqSaQbOLDZ7D8kmyYx8iIMUNOi2jOI71iXXdfH2+juolJNoEM5LKkVSsk3Y +I0TIEzs1dqMDCkgOhXx2H9lb9vAyFQE1iMn6TesJGKCBtOb6N/hFSC5NvQzcET1C +0IwRRdw/gpq6CQesp+9WYJW1y9FenZ9xn05iRRfDFDdxKKuMeLsCMNFw7WashsLb +-----END X509 CRL----- +-----BEGIN X509 CRL----- +MIIDCzCB9AIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA4MDMwOTMx +NTVaGA8yMDUzMDgwMzA5MzE1NVowJDAiAhEA5LKR/OwUvSRpyHNs0jw+txcNMjMw +ODAzMDkzMTU1WqAvMC0wHwYDVR0jBBgwFoAUf0t8NPOvKbf8TAwCimQ6TL55cwow +CgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggIBAGdFRDMWIryk+QqDhCURClX1 +m5pSRH7AinqgzHbIx/MBiITt3+5A/RJ80WpUD1LE6sRi/RRvS3G5cbcVnKR6YlD8 +LKdY4BmYP+TnKg5Nq2S/JW0LR+25zeb4Uw3G6H4tAKJrsD6SezJ6KBEt6wfUs7Ea +gQb8lBwvT/21tF2smEwVIq/sKn2XAnMFRAYt1YnOK3B/ZKOhcz3P6oMLKE6rrJl9 +M1wockmTt+HWnikdJ4+H62jwPAv4RXqHxU56uEE4imzXPaUtQP16FbAgd8OmAASc +neflFCoxW/zQe3uMopbw/iVR05Ly6v2gb6EwWm1K01OCYUjkxr/jQIK9v4U7hD+R +WlpXYySiWe7tQ7JsCDVmKgPQOA0PafycCYt3Y/DrVAcF/vgKvsucMIVKWL5/YhAZ +WPV4P1SXLHl8FM4PbuB9Oo+BrN6IEJp3flHYLP/NTf6GSbcf3+LdRyhEy0USm6km +aeECBbAsL2giGnKGd0hJfWwq7fxQF7Nym0SE2EXbuAUhd/VOEcfHLY8IOSAqdYgk +1Ldf3ADavqB5LowwrcvIu2V2Y7ggTCfqgutBglt0t7U9Zfm6YnbnNVJbtK0FpPCY +SAceB2/Qzzbqy37MEXisrLMpmTbH3Mf4VGW+74igRV0qflFTr9YjKUebtzPsEt88 +tOmrMqUTgBIxFzxljdzE +-----END X509 CRL----- diff --git a/config/testdata/crl_chain_inter_ca_cert_revoked.pem b/config/testdata/crl_chain_inter_ca_cert_revoked.pem new file mode 100644 index 00000000..4d26fcfe --- /dev/null +++ b/config/testdata/crl_chain_inter_ca_cert_revoked.pem @@ -0,0 +1,37 @@ +-----BEGIN X509 CRL----- +MIIDDDCB9QIBATANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGzAZBgNVBAMTElByb21ldGhldXMgUm9vdCBDQRcNMjMwODAzMDkz +MTU1WhgPMjA1MzA4MDMwOTMxNTVaMCQwIgIRAOSykfzsFL0kachzbNI8PrQXDTIz +MDgwMzA5MzE1NVqgLzAtMB8GA1UdIwQYMBaAFIL5Yg09SlhJmg5mKmV87vOlyNBL +MAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBCwUAA4ICAQCoVVRs4VL1QTdjPzdzgLp+ +4jsACI2ymRPzyo/c6GzR/59IVLAEL/a4X3TNGfyCBnblYpOc6XkGyuNuXYHvqfGy +CLog78eQxbjgTKQkFm6LxHsP/ap3wrMsi2w0UsVLDNrl0bpdM3GP5daLdGR+8qPt +9TY7mflHmFmVs1nsMFWv31zexlu0LxdU2e0WXidSzUkSg20gBRRnQtPeYSWTS473 +Uns/Qv0ahbmfaHlmW7cssiLeYkBIZf7DdI8uBPvX5j6TorDcCu7iyB/hOSHug4wm +81zhwJJaGgjV/A1HMVVzvVjmmCX0KjRRCijBE1y67ZXusaRFCV0jzM/rCtKq9YZ+ +s9JuX9v936pJqUlddbOiW21boGjuCckIeczYjZ2og1PBGbWBbUZZb01aPgcIkunu +1G9e3f/z2tZvY4o/X9KTYxYf3HYaoDKSZO8GfL6uqwPrqcRmWX2JjJOBRLkI0Igo +mD1+Yakoe3SloaZym7BHajghsG8d+PKgSsFlS9MDY+/2UtI1mPrlKcPjuzcRzmXk +KLNpph3JZ2ByrdXhuw1mCLFD9YHGPevPPHEu7v0/BpIWUu2ZKv3QXAPc7o7JDSSf +Wad0pka9zi+XdiOGNYE/TSDudKjMfTGv6jViwcUlzGQyKXv0RYdF+yB3jakAf1Ra +PATq1Ob9kFIdCSU2jtTjoQ== +-----END X509 CRL----- +-----BEGIN X509 CRL----- +MIIC+zCB5AIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA4MDMwOTMx +NTVaGA8yMDUzMDgwMzA5MzE1NVowFDASAgEBFw0yMzA4MDMwOTMxNTVaoC8wLTAf +BgNVHSMEGDAWgBR/S3w0868pt/xMDAKKZDpMvnlzCjAKBgNVHRQEAwIBATANBgkq +hkiG9w0BAQsFAAOCAgEAORjQ7fYyUgmcMjbASqVjOC9oq1ZCqNODw86RGQ7WKJ3e +JjAKfs9Vq36xiiFKDx1yECdZMFpINf5dU+mjoR7kaRMLW9JbrW168+7ax0As7nsP +cLdD8Tg/NYeR9IvDPdFriSNDbJsTXoAfVkDjm+8a15o/DVcSPyla9EHkLeJd9PhA +/Dz4Cw8Ec6WlDQVsSNxNecKRE1wOT/o+wG1izuAqJsCNLiiQdcRzTQzZFapXisR7 +vxdi1/CozgJFFkGjNYsBaStgvn7bxJclf5lGv0M7IecfB7qcRLNkPzKTGOp9/MFy +7Prmy2/M+kjr92Su27SvIuu85k6MEUlmLnFtOWLucUsjo9rNZLC58hCjgWyVE/A6 +PwrYrmJkacyMAAuJX83dKAV5fJBtFwa3XjY0SWHGlhLhx25cpStYW9Ci1PsgQTwD +VYs3lS2CVrzJZBzvypdIVpEz7XtE1pV2qLcAHiCy8R0NxtXlIa+Sufv7KkO0WFnQ +dvcu/Otgc6UimtYSZF5kyMFffI6q9uqhsZqSK1MddO+2cPHc8//iJy44WYtUx/DU +C+bQCA6v6ARh44cCXH3BnU36s+g66cRBHI7d5/jPU4DuY5qo0A7RqcJtUaWpt1sa +W/33KveDg245Sg4l77su8T2FHb1y0eNVaqAyS5COq/K5dMc0EwbsdS/3KbbpSTo= +-----END X509 CRL----- diff --git a/config/testdata/crl_chain_irlvt_cert_revoked.pem b/config/testdata/crl_chain_irlvt_cert_revoked.pem new file mode 100644 index 00000000..968a56a3 --- /dev/null +++ b/config/testdata/crl_chain_irlvt_cert_revoked.pem @@ -0,0 +1,37 @@ +-----BEGIN X509 CRL----- +MIIC+zCB5AIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA4MDMwOTMx +NTVaGA8yMDUzMDgwMzA5MzE1NVowFDASAgEBFw0yMzA4MDMwOTMxNTVaoC8wLTAf +BgNVHSMEGDAWgBR/S3w0868pt/xMDAKKZDpMvnlzCjAKBgNVHRQEAwIBATANBgkq +hkiG9w0BAQsFAAOCAgEAORjQ7fYyUgmcMjbASqVjOC9oq1ZCqNODw86RGQ7WKJ3e +JjAKfs9Vq36xiiFKDx1yECdZMFpINf5dU+mjoR7kaRMLW9JbrW168+7ax0As7nsP +cLdD8Tg/NYeR9IvDPdFriSNDbJsTXoAfVkDjm+8a15o/DVcSPyla9EHkLeJd9PhA +/Dz4Cw8Ec6WlDQVsSNxNecKRE1wOT/o+wG1izuAqJsCNLiiQdcRzTQzZFapXisR7 +vxdi1/CozgJFFkGjNYsBaStgvn7bxJclf5lGv0M7IecfB7qcRLNkPzKTGOp9/MFy +7Prmy2/M+kjr92Su27SvIuu85k6MEUlmLnFtOWLucUsjo9rNZLC58hCjgWyVE/A6 +PwrYrmJkacyMAAuJX83dKAV5fJBtFwa3XjY0SWHGlhLhx25cpStYW9Ci1PsgQTwD +VYs3lS2CVrzJZBzvypdIVpEz7XtE1pV2qLcAHiCy8R0NxtXlIa+Sufv7KkO0WFnQ +dvcu/Otgc6UimtYSZF5kyMFffI6q9uqhsZqSK1MddO+2cPHc8//iJy44WYtUx/DU +C+bQCA6v6ARh44cCXH3BnU36s+g66cRBHI7d5/jPU4DuY5qo0A7RqcJtUaWpt1sa +W/33KveDg245Sg4l77su8T2FHb1y0eNVaqAyS5COq/K5dMc0EwbsdS/3KbbpSTo= +-----END X509 CRL----- +-----BEGIN X509 CRL----- +MIIDFjCB/wIBATANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxJTAjBgNVBAMTHFByb21ldGhldXMgVExTIElycmVsZXZhbnQgQ0EX +DTIzMDgwMzA5MzE1NVoYDzIwNTMwODAzMDkzMTU1WjAkMCICEQDkspH87BS9JGnI +c2zSPD63Fw0yMzA4MDMwOTMxNTVaoC8wLTAfBgNVHSMEGDAWgBTvFWDJkxY3FJ3E +GMTHcRIc74bhdzAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQsFAAOCAgEAuFIMJe7d +mOIPMri2NtfJ1YBzM1hXI0bt1Cq16jnY4yuhpuH4Gkux5nomvbPzqGBVmWxg/Q1a +AzIoLVXhYzq6xOl92sRSQ9gVFOVO/jRlTbaG+COanRe+naDsJQ2uoKCD9ZNyK15K +Iqx3Kb5qsvN1ryh9aiyna2LWfSrinkqdQj+92EKpaxiVSdxFfC56r5INB+3mPfxa +Zdj9WEy52ecWigAJWvsEzEUbwbHcdMN75CFE0kMgSIaQa3gcSTqf3HTQCAPR9/Mw +JyNox+4bigVVqpF/ppk8sNvbAh3Tgl3NsX0zNZP9B7Woc8rzST0MtyfBLf5lw/I4 +AB39RTZcY/Xt4EquswbmUSESvNtQySNxRdLlmbGWE5FaCdM7FmYVNAPyqQI7LfR7 +3VjMeEB9eNcN3Nr8vIDrBWZ6AUMyRrKV2u9nFy72jkKuICj1OcSw5ACv5AEd35aI +JY9Wq8pptnZI6/XM1kuu2ueax1zYd7n0u9GEP+lxgkDthJCxHAzLxQjuvR7feg+7 +IaB8PEAs5p8WZ8v0DyilC7C9cs02qjh14YJ3LB8h8keeZij+aRp7yewYyMfFu5Uo +WHNEV9KQQBP8+GCDcnd2n7yLR/EmjDRR6/Zm2BWpMTJOzQLrHCWiU5VB2CRz57Wm +xcbXU87c+iOUWrHBWf3MwdCRmKAZudRimaE= +-----END X509 CRL----- diff --git a/config/testdata/crl_inter_empty.pem b/config/testdata/crl_inter_empty.pem new file mode 100644 index 00000000..335241d5 --- /dev/null +++ b/config/testdata/crl_inter_empty.pem @@ -0,0 +1,18 @@ +-----BEGIN X509 CRL----- +MIIC+zCB5AIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA4MDMwOTMx +NTVaGA8yMDUzMDgwMzA5MzE1NVowFDASAgEBFw0yMzA4MDMwOTMxNTVaoC8wLTAf +BgNVHSMEGDAWgBR/S3w0868pt/xMDAKKZDpMvnlzCjAKBgNVHRQEAwIBATANBgkq +hkiG9w0BAQsFAAOCAgEAORjQ7fYyUgmcMjbASqVjOC9oq1ZCqNODw86RGQ7WKJ3e +JjAKfs9Vq36xiiFKDx1yECdZMFpINf5dU+mjoR7kaRMLW9JbrW168+7ax0As7nsP +cLdD8Tg/NYeR9IvDPdFriSNDbJsTXoAfVkDjm+8a15o/DVcSPyla9EHkLeJd9PhA +/Dz4Cw8Ec6WlDQVsSNxNecKRE1wOT/o+wG1izuAqJsCNLiiQdcRzTQzZFapXisR7 +vxdi1/CozgJFFkGjNYsBaStgvn7bxJclf5lGv0M7IecfB7qcRLNkPzKTGOp9/MFy +7Prmy2/M+kjr92Su27SvIuu85k6MEUlmLnFtOWLucUsjo9rNZLC58hCjgWyVE/A6 +PwrYrmJkacyMAAuJX83dKAV5fJBtFwa3XjY0SWHGlhLhx25cpStYW9Ci1PsgQTwD +VYs3lS2CVrzJZBzvypdIVpEz7XtE1pV2qLcAHiCy8R0NxtXlIa+Sufv7KkO0WFnQ +dvcu/Otgc6UimtYSZF5kyMFffI6q9uqhsZqSK1MddO+2cPHc8//iJy44WYtUx/DU +C+bQCA6v6ARh44cCXH3BnU36s+g66cRBHI7d5/jPU4DuY5qo0A7RqcJtUaWpt1sa +W/33KveDg245Sg4l77su8T2FHb1y0eNVaqAyS5COq/K5dMc0EwbsdS/3KbbpSTo= +-----END X509 CRL----- diff --git a/config/testdata/crl_root_empty.pem b/config/testdata/crl_root_empty.pem new file mode 100644 index 00000000..9dc7e87b --- /dev/null +++ b/config/testdata/crl_root_empty.pem @@ -0,0 +1,18 @@ +-----BEGIN X509 CRL----- +MIIC/DCB5QIBATANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGzAZBgNVBAMTElByb21ldGhldXMgUm9vdCBDQRcNMjMwODAzMDkz +MTU1WhgPMjA1MzA4MDMwOTMxNTVaMBQwEgIBARcNMjMwODAzMDkzMTU1WqAvMC0w +HwYDVR0jBBgwFoAUgvliDT1KWEmaDmYqZXzu86XI0EswCgYDVR0UBAMCAQEwDQYJ +KoZIhvcNAQELBQADggIBAJC84PCNIihidIWxw/M1hknbHfdUGGW6dSe1qEdvoU4V +Ik8IchISjL7FO1CF3gotvv+Whcc1ojodC8VVceWaDAL3cb8+VvfCIfi9HFseLeCC +SV/SQQhlowee7FsXa7le747hNp549GV5AYIduZ5E87w1hibb++TylReDrbNrh4NM +Y5X5BRzE8W1exlvD+DzlRtQTrBm3kSWxGjABHOkKielL8IOzh60Yq17DLwzKHXse +JLtkPO0khHERYy5R7UY8ItuzynHA9XOJP4u3ssH5yWUg+FjJhpUXeHyZjR7vQGqe +CTz22JVVzWXBPBigUBe4ILnOZ4q85qCMQ8bAmZJJEzdTRTlnCg9+LCgeV7P6FUy6 +jRBLJ24At8CGXjC0BvpZUlXmSLuUVeAeUitfUzakh0CrVtS0knN+kycNa6Sqo6q4 +UPU5m3qJ/QYJ7/hzWXyYkkN2ZQ9UkQuwBRQKNb19WsOYsyzhsRHdFdrn9qbk1ln1 +Iz+xqaqSaQbOLDZ7D8kmyYx8iIMUNOi2jOI71iXXdfH2+juolJNoEM5LKkVSsk3Y +I0TIEzs1dqMDCkgOhXx2H9lb9vAyFQE1iMn6TesJGKCBtOb6N/hFSC5NvQzcET1C +0IwRRdw/gpq6CQesp+9WYJW1y9FenZ9xn05iRRfDFDdxKKuMeLsCMNFw7WashsLb +-----END X509 CRL----- diff --git a/config/testdata/self-signed-client.crt b/config/testdata/self-signed-client.crt index a0a5cdc6..45f28c89 100644 --- a/config/testdata/self-signed-client.crt +++ b/config/testdata/self-signed-client.crt @@ -1,30 +1,30 @@ -----BEGIN CERTIFICATE----- -MIIFLjCCAxagAwIBAgIRAMMSh5NoexSCjSvDRf1fpgUwDQYJKoZIhvcNAQELBQAw +MIIFLjCCAxagAwIBAgIRAOSykfzsFL0kachzbNI8PrkwDQYJKoZIhvcNAQELBQAw NjELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxEjAQBgNVBAMTCWxv -Y2FsaG9zdDAgFw0yMjA3MDgwOTE1MDlaGA8yMDcyMDYyNTA5MTUwOVowNjELMAkG +Y2FsaG9zdDAgFw0yMzA4MDMwOTMxNTRaGA8yMDczMDcyMTA5MzE1NFowNjELMAkG A1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxEjAQBgNVBAMTCWxvY2FsaG9z -dDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALtrXxnHr7eUM7Xh7awY -LwompmuznbTa/8+OsihSaelUN6RDsAdm7eOMA7KMqZB5NOfeDqEqMIUoaoQ1gzIm -0BJ4dCgi99SnA8b0MjAGqUpRJ3gLLSXsPa5647gxUSP5zQ0hWMMgGaw4rJ9LDOtU -z2S8dtqKTHrXl34mpdsLrZyLXwyz8UJ83Jq2Ngx4cApZrbs+g1XlMRV8Vh89Z2bk -bbKmDYmIOhTeE1wLdrZ/XecEOvkGZcj3bWiO/yTnP8mTER2hTvSxUrpyHn/55LkU -8PR6wCO7hntZ9LLWxg85XTRdWL7cIyjgJgfL9+hVQQyNEjWC2+LTq1QExqa+IxoH -iL4xX/1y+6o1W5XKLf/uplgaWuSK+mjQeqc387DwYbj61QWOjCoaJA1wl6RHuGGV -6ygpdAO1l8o+2U8nuULHW5lx+1BtMG5ytAXy9dWPercs5L8gh1IRNCVXWKsQCCWg -iG67nErFV5iRFLuAIX7ixLKJ5MGp/fVKUI9V1EViM2GUU46PVAPhhlZ1qcygjbZ5 -CelBnQ/XvGof5b4zm4eEgCc0ZkqsQDeS5jPjTtES8/y5WEKqbyijmvx2P40nuO/d -aTxNretMwaptWzu+WXHih0WG2Sq85m41070xsIMEwlqSfdiOOPdax6393NJgkdM7 -5NKC3+pzcHK1S1+x/Guawv0NAgMBAAGjNTAzMA4GA1UdDwEB/wQEAwIFIDATBgNV +dDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOuj5H8NBXbdfP62rBfK +WlaZYq7uHkh04KKSkiOgUd4hXFPNdkGIT6+E5MsvtH2QmMv9qnwTlR5XLLoF2sCV +22EoZQMLRqbWRJ2zt8sgYMBVZ0SSZJnfotrZDOEymlfLK+TT+dM6OeGHHHGsWmXV +u6PuVd56XDFuVF0p/caHGL981lCaGUgtVtZNuPyEYA8pAb6VZunugIYsHfEjL7si +eoZx0BGtWKsFN6E8Cw3qXSDN4TyzVU9pFuPv40AOYu4d2hg+iOZRx/B2V76s5sAC +4N5ZMYPkT4LzvIeSTKGwq7538PO+BOny4JH4aW51u+Q8GkuLCkjo1uBIvDW5PblJ +ouVeHwYbBNJyr/WyTpmTfewgNzNV8GMh/6AlG0WlMYu7NNegSJqWGp7wN/MrAi4F +xcbX31NQv56yFmyQlZrIw1gjphJ2oDqEyBLmii4IY2A4kyeaOyAiYRASJ7MIVU+s +J6/bM6F06CW/SDtcWnt+JHqCZeoD5NdN/5FaAvEmaMALPuOiMlWUxNkacvJ8ZwOR +csr96zgLpYO3yTR1VtWWRmK+Ll2nW2Cz4Gd7fY9oHwL71guYGSfliQTIKZAPEc1B +O0NPuCmU4Fh7m/AaBc3A7QY1QXHTUDhGJJ7bcO+pwNQe84zoufhFXKL8gTr4yxHd +mcpBGi7dZLdBkczMl1HiNMl1AgMBAAGjNTAzMA4GA1UdDwEB/wQEAwIFIDATBgNV HSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IC -AQBTLnU8jFCmYpPUBOqj/xzBqokiQK92axG/h/3JgB7fFSLzUCV3NtvwBVCU28rA -wHwBYPjmGhi1vyHha/hb6V2WMPt0jhMRpNxCf16dAMoyIoWNas88vU2Mef90Chfj -8e6wLtzqAquX/ruwIfsOMnbcSGuh+y54DspCXgsTZ9cnCI2lnQroXZi4WUqi3Enj -mFPpVc+mMlffGW6LISo3ehRLA7k3/01yJhqzpTQw44k9ZfJ7VXZTRJKJsaqeljzV -VfzDbDfW8ftbZ8IWQGAOQfTa23aHIYcvJfvyxpfQRyrwRxjGytLHoOH/G+1TZuOt -KBJ2Xdi9qrr+Wep4eNJm2cTBd1Fpr0hWZ9K27BwwYdZZF8Eu8eP8hSeRmA4PqzAj -HauCl8PgWJIWzMloXVZaGxiYX7sGVs79m/Yl9A6+p8RTpK7DVB9+sDIiD2bhiZqL -i9YWM8aD2cR20t2ZkuBBPlVTOouF/WotOWrLhT4J+SngkdmLkAjP/5jPFvpTfeGi -THyAmp4gigwaM0nIZskPcPCbkk+zFYPToyS49ZJwQMzqK2hkjyQ9LyzUdo9vlDjL -8lFjlUZzqaR0DF3pbf8fs5/16gPurR65SU/ebOs+uxZLYJrP2zKmeISE+q4AMudc -rQ0Z6KmGUiXnIvpB105UJ7jlXCxbsruc8gRTbjkgW7yoXg== +AQA5qKiFgmYjOsaCMueLV4H+wMlJPzaP7A7GH18SGf+yAnI3ZFSA+D5KiheqFZB9 +Q9hMpCwk9R2AspPad4fENzFJSzQBcZP0+rLJ2DinYmCxNL8xZmIAGQL9DNb4XQX1 +4DVI2SqM7UWeWOIBA6Y2TWFbkc5TIQEXc5M6LLZWWFzLAkAFH3/ezudwEd79/w8d +V97nMrq8n4QlP0JeR6OCbRghGhssElH3osxjHmOys5y++9S9rhV4RlOzXk861tDU +HKInBKdpmo4j4jJu/gsHb0UzyENK/lMcN7pxz0ef8iZIWkqaT6KrL0Y0HH+BCkQ7 +4V0q7/OmUy0wC5g+IKRjFvWLVm0Wp7WkxjP0IxE00+eV41BmsMNJHel9cHNXGzOa +eVGbfChNYq8ixo4YXuiBtDwGqqnfyWEQ4lnDtGlAZgqZKIHXPWVBUq7wSwHzRUcn +LQfuD0rnwMFDCXLazyMuSydVZNzP74Xd1BR7ZrTgNiSq0ZFxPQnImYq1WW054Rmq +OXy3uBy8aYScZ9RcyvASIQu8gcfJq4eJLL0yXPN0Pwsma90M7nZibiJZoI3mxqTN +rV1TxrYsEMcjju1ExYC1mypNKRQw83dxvKrfH69DA3qw0bUnyacgIjPHacdqfMYT +RrWXNpb0GBtNMpMp1B5iv6ew0Mopmnsm4Xd6JmLk6aYR3A== -----END CERTIFICATE----- diff --git a/config/testdata/self-signed-client.key b/config/testdata/self-signed-client.key index 4e4b2c2e..8221fb28 100644 --- a/config/testdata/self-signed-client.key +++ b/config/testdata/self-signed-client.key @@ -1,52 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC7a18Zx6+3lDO1 -4e2sGC8KJqZrs5202v/PjrIoUmnpVDekQ7AHZu3jjAOyjKmQeTTn3g6hKjCFKGqE -NYMyJtASeHQoIvfUpwPG9DIwBqlKUSd4Cy0l7D2ueuO4MVEj+c0NIVjDIBmsOKyf -SwzrVM9kvHbaikx615d+JqXbC62ci18Ms/FCfNyatjYMeHAKWa27PoNV5TEVfFYf -PWdm5G2ypg2JiDoU3hNcC3a2f13nBDr5BmXI921ojv8k5z/JkxEdoU70sVK6ch5/ -+eS5FPD0esAju4Z7WfSy1sYPOV00XVi+3CMo4CYHy/foVUEMjRI1gtvi06tUBMam -viMaB4i+MV/9cvuqNVuVyi3/7qZYGlrkivpo0HqnN/Ow8GG4+tUFjowqGiQNcJek -R7hhlesoKXQDtZfKPtlPJ7lCx1uZcftQbTBucrQF8vXVj3q3LOS/IIdSETQlV1ir -EAgloIhuu5xKxVeYkRS7gCF+4sSyieTBqf31SlCPVdRFYjNhlFOOj1QD4YZWdanM -oI22eQnpQZ0P17xqH+W+M5uHhIAnNGZKrEA3kuYz407REvP8uVhCqm8oo5r8dj+N -J7jv3Wk8Ta3rTMGqbVs7vllx4odFhtkqvOZuNdO9MbCDBMJakn3Yjjj3Wset/dzS -YJHTO+TSgt/qc3BytUtfsfxrmsL9DQIDAQABAoICAAyGlIiIi/nc8cfKHbROuXYY -Ny8jhfq8WDRq+QUw3Ns3QbC8xVr5ShTXGrgoJnz9XMfSU2/5/dwoY1YKrYYAig9x -9XFpRN71eo8lauVCzLWmzth7Br1uGIE8vVNmGGIrI8Uo4WHJF24nK4JJ5cckl+fH -oLniXFIpbnqD4rnNAgFgXy3eKNWkuqmsW9hhhDts2uuUtfpbovgooyjbVbnOsnYq -GuWCMT+LyAdyzLBNutzhr39NKihQQQOn6u1wdxbluVMdoMVBxKGpVth+vwaPm7r7 -KTQ6KDa+QFhjekEyOERzqKa417C3qlMDEsJ4UCyikQD6ie+S7fRjjVM/ieEHd+AA -66CbJ8u3yfXxaicn+SPCeHVKd4GKmJgsg1KDSSg0+w5JWwmAiCJjEydX2HOdx2ys -SV2C4o+gxhA48U8ZgGTVoom0OgouQ7rnMd6n3juBDq2/Xp1FeDcE39yEffN7t4XN -vHfD7Hjp5capxVyEnpzu0tTVf8KP00NJKtS6I7d8IavUBCgFiJZFXJWdsbhgSsg9 -UdypUMd6rW81VaaKvi3JSjWwFpmUVAhr3hFNyQB9+2rxvDCWhUqFKWqjWdPfMgxx -qO6eam1S22vrZcyJVkfTzArFQd0J/41Ak0yErLJKLTDEYaBRxFPV0ujWskrmU96c -f+m4/k7p3sD8KooXfrERAoIBAQDWSmsFzSOugShur9phJV162XrtbOnV7n1Ko0Vu -U/ftohC5FNq0kHxAkY4kGMz2QHdJnqpQoJaCK8pJ+8nA1Osutt31tS3YrOotlNwk -KsFSiy+i9xf4NcOr9xKoSEstFPJeM650xPfVP1p4sq87BB2Z3uWfLtWnRxTJnpA2 -nwwtdrK5fO3pZnVlWQ4akqbndCjUWURXVOVxDHCyDdwoiz3BpGmVV6jCYanC3e3S -E7/OlRLJfRAXoCEbzFsQpsOYncaEG7cAz9pBBXA6VVyEPlVyMG0GHs30W7aG5Bfp -IcbhacGyjdV5Wwx8WGun1pOHoclLX7pJ6jOXLobpUVH4FUNTAoIBAQDf5gX9aBqK -QxBYcqhZ0aby9K9ZAXSRr03drf4s+TXSU7rUdBqV4BRj1cjQLB6pxpo2ryLoHhkf -tLVRnEWpRgSlfu7qSYxU8rNUacAKAPnebjQxU6NMVzFx7zDQz4TJT2StsxoSIw+l -O4MwWDvIxHcpjIrl1eZh79BSzrq5dsf3vrPCM+Xxivdkx82WJqiVX/LrY3l9R+kC -ud1b3O5vFdhpo8e0sygCdF0+sC0jwE82SCjMMGHMZWd74rmkuHFpJ1xSQf9/jRCf -yKhITI/su21FS4rn1rApWpzAvhfhV7HqnwWzFTtmLeGsI+yW4fb1j6oK7t/rVZ+p -lnwISXpOPBIfAoIBADnMttNIwsAV7F72pdOgLXeuY37Y6rWeb0MLiPW6RlxdY19Y -pakgc7NCz3EjE120g7hiyJOYzR/tSdHszT1q8MiX4ISeyu/vq/aBeWNz+NMX4dB2 -D4wOjGm86dZkMYrGZJ1OGVc7rZFiVjfKEoO7l3Rib9Mg4dYN0SiU0Vc6TSGSK6Dm -dpGG5lFg1PIL7mLtrPmh3lIj/wMgFOGh5Wk2LYEmpKf4jfdoOk7qZ3RLiWfiQ7// -MLD+qw+BbmquYIGwxNPrWdApQDhbjCrfzWWKHqf/Mdj9xBWOC0yVB3IFf0xbpzhP -E255RYPgoaESupZR6CahenDnb+TuUstp+M8OhSsCggEBANw/9gJ65yi9ohWv7MY2 -g+maI+gFk3tAnPOGFnR9TqGxdidKc2CeBtDS2/FUhXFzif5jOI5oFUToSjmW5bwH -wchfXn0gjqh9+0T9pkjw/tv9QuCHKyuM1noC1t2CVliF/j8U4X+X9+sN6RakpWLx -SVuZAoXnbfNHqoHbFToei8W9Vi2jSf7bOlRsbGPZcZtHwLonp7pDBAeHeSbF5dNn -BPWehHTQjHolqBhjzHPP2NxIDcIXkg00b6Ehvoc4XXAYpSvR+pmp1gGorUo57pbt -JSe2kVVRDwgPOAYuuWUWFFH9zuiE6WKxnb7ts+4VKRAVHCwXIjTpjN+Rxj+MsIDH -fPcCggEBAIRgZPwB6eI+rvYOPUGSeU681O+8/ZgjyAi8HSOk3dCc3J2fX31m/GsR -xM+FExbGYJ3BfdgB9YbLSI8eY7weJRodm0FoCuHePu81z4xj9yEi5hBodXhhDjQM -/xbgsSWeotQ+5lTmc5hgve1hl+3t09qNttHaELWASD+0ixBC6A6J4GB68ZKRIunW -+ZGiEvrNey6Uunf7T/Wgc+VDcA3HsniaY2yTZY/jWsmDxt/BAwUaQrNwAbHvm/1P -J04mvCreWfOITe7CURcLq4FMGzsCEXtdQ77/uJllew1Uv2Yn2WFUiqVxH+UicR1P -vOJ7/LvbOa8BlIMsprB2rz3PDSUSaIw= +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDro+R/DQV23Xz+ +tqwXylpWmWKu7h5IdOCikpIjoFHeIVxTzXZBiE+vhOTLL7R9kJjL/ap8E5UeVyy6 +BdrAldthKGUDC0am1kSds7fLIGDAVWdEkmSZ36La2QzhMppXyyvk0/nTOjnhhxxx +rFpl1buj7lXeelwxblRdKf3Ghxi/fNZQmhlILVbWTbj8hGAPKQG+lWbp7oCGLB3x +Iy+7InqGcdARrVirBTehPAsN6l0gzeE8s1VPaRbj7+NADmLuHdoYPojmUcfwdle+ +rObAAuDeWTGD5E+C87yHkkyhsKu+d/DzvgTp8uCR+GludbvkPBpLiwpI6NbgSLw1 +uT25SaLlXh8GGwTScq/1sk6Zk33sIDczVfBjIf+gJRtFpTGLuzTXoEialhqe8Dfz +KwIuBcXG199TUL+eshZskJWayMNYI6YSdqA6hMgS5oouCGNgOJMnmjsgImEQEiez +CFVPrCev2zOhdOglv0g7XFp7fiR6gmXqA+TXTf+RWgLxJmjACz7jojJVlMTZGnLy +fGcDkXLK/es4C6WDt8k0dVbVlkZivi5dp1tgs+Bne32PaB8C+9YLmBkn5YkEyCmQ +DxHNQTtDT7gplOBYe5vwGgXNwO0GNUFx01A4RiSe23DvqcDUHvOM6Ln4RVyi/IE6 ++MsR3ZnKQRou3WS3QZHMzJdR4jTJdQIDAQABAoICAGD6hqOzXDhbV4IM9C6mXR+e +6PpNjbEMSRcfc32uEYN1/2WN/clirEj0TKVC8OlshTYPJAcEmC5wejvlBO6Vvj/y +PABQt7caIAs3V8EFhkwh2epixXx+iavAAIj+Jn9TYrE+fGbuY7vpu08dO+cFW8BP +6o8xlJfTbG0bRxJZr1m/qwRpJ1aJMl/ohOWIJXCX09v36O8F9WdC6N/BN3ew7PRA +Cv37da6M6yQ0behAOCu0D6rHs6iG+6C7ra9DPHv7VTL9KaKAreTND7etuRn1FU7t +Lm+1mvOuFD1HfLpe15AAFO57mdIe30W0EtAfLED2a2wDwSvYh/aueKczoa+MGrm5 +H0yedLhqW/IQSl9rlKNYmJTVVfTUja7Qxg9QszxXVUbtFwF4YE+jfP3PNwkJUS6y +LuKWc+ylCCZDH0oRgg2vrGvcvPv7KZNKYJ2eLp6fy+jiUKpYhKIZDndCQLETatkS +Xh+iWwNS0dxRyFdhOlgglPkGm76XaUKlSfU+uSk4iFIjAcKz1uy+vnCjZgEJC4ij +1FG0LcDF5QKUImsh6QI9mF/KFLnGtqYzvsk62LEcDu+aaORH0X4Dsxo+h2nO20l1 +faGkNvYbaenNLg4LKQxhFJP4yMy89DcEOwe3E40jWqngOBz1+cxDMHH6WbEdiSH0 +CbXGSlELyQ9ng1dCN6rRAoIBAQD5ESYF1ximzBCm0t6W/VG3zxjVYq/91gy1MXRf +1evB6jnEWkIdAPSID+gRrfi1cyoPVTllGbiIyEKSCGWUE0cl5LRW81HEsnkeqMAr +RWph79pw50S/eIOCpU3nihZSNXq6/fQOtBVDmlv/8z8h3PRgMZwXOmEzJC3+wjzF +mp/PtTjVTXHboyuju/w2tpIER6/SBAtefbcolcdGMrywSbD5VQsehd2ayMyV2+Md +4DKrWHV/is1cXMjYQBa+l/iA2loCt7O+Z1dHPICCo5cfrHW3jSBG7Z9Ciz8LiEu1 +vU4BbEK1oLKgTnZSbyFnbAPd/KqjJKxl3F4wIGL0zfVf1XRfAoIBAQDyMxCV8bad +uJKBjR8LWKLJVS7ox50/2mydAgAhwp1n3nhTsXaCbD1yx91suw3J3dTADuWEBFPL +yg0vgxkHKozRUOGCuAa0HEwarwybqaCB6cvoDO54v4WPFh1xW08HS+B9WJ/XUJkt +w1543veg3ccaOJ3/TKz5CAQKE8SBxjEStd8VwB93IeZbnX4/GJ3Ah7AAYrysjZzq +kQGn0r6dIV4RlwWX8HgEeRdcy5PTKv8K5lX1swCqTLcMHBAsR3xieuBo1shbWHJH +2UsAW+skslnNATnryNydFXH0kFVrw2YB0NEjjVIdkao+gh/X87Gi4ZRs1cqZ2jUY +VSzKDhcYCrKrAoIBAQC8/ng9wkRgfUS9chGZvUt/ENUlRqeJFB28eHR4LFmjYdrH +1j2IyKrFfFx63ep1tZfa3q6YuvW+RUfOjDSYMjCw3mTB/gy0F0G1NBPuQdRB0MGP +Hs6aBBa20jzVT4E0jIQ+1GmXpqrkC4N4KtpjFckSHVL2hUQwjGmigT2gLH7MHBWu +NgAJzD1XF1SBJ/SQ7tzJnmwKHZcYYt89s05e7uwtpoyzcpz/0RL9PEeQ6glI3+z5 +BRhj17xH7AnWQnc9P3NB0KfB+aTO12gkuYH5dOI2kA5IBBPvaL5EP/5DQAyrI71T +GUeyQRej4dQVKG+eyRWqii+Pc7K9DjZI0Og6+jw9AoIBADO/63ROYDmU/WDG+XIg +LzAbjllYhWXmUry9d6+++IkABO/FBFBbtkl3IP2hfhG630FmLW4myozJkEWtmkRo +uAvlXznh/jSvsyckbeo4tT3s6Y+ca7vLGEt5azMUUm95q+68Z/LGmuQnUWE8Kubp +XChjHoc1J+RR7SMGFD+yTDv2NkNceJyo1qKOpTHwHYzMsTNz5WJtI7EO6K6mHepO +/d1+Skirrcku4moGaYB+OF5o1scXxzWcDKR+vonngFE+dgKQmeDCpjBp4leiTDzc +Csn90BVsJo89zMp3qHjNGFec+YLCKGB/BkQy44Dt5e+qiV8z0wVKlXusf1Rw7EhL +yN8CggEAd2LCoDA+jqI+t9i+2iIJZi4/HD4KBJhv/xxOfX68IPeA2/7cviC/+iBw +vYi3DgJ6G136e3ZDb86pXItu6cRwkx0pK8NzZ7pJ0bdsGY8LQ112Or6bgEq5q35A +CF5luP633LmOW9n0l/dNWKCt6ePRAdxYTE926/mNFHYjv0sHU8FpHEAts1pp8cZ0 +Bo6vICibJWGI0VQx/AYDiT5a2Q8u8JqxVYBklFECmqW15+JYlbKhoj5o+xpSfdgF +Hc/vx5UyA/dwxhiiVGVY//bHfk6WCROYtqBMBjOgerclAhyJv40M7RzzDNRCOBbl +3Y+cBLZchfsopoZIrUO9ItpzMk1DMw== -----END PRIVATE KEY----- diff --git a/config/testdata/server.crt b/config/testdata/server.crt index 1b86f58f..a90f5e04 100644 --- a/config/testdata/server.crt +++ b/config/testdata/server.crt @@ -1,33 +1,33 @@ -----BEGIN CERTIFICATE----- -MIIFsDCCA5igAwIBAgIRAMMSh5NoexSCjSvDRf1fpgMwDQYJKoZIhvcNAQELBQAw +MIIFsDCCA5igAwIBAgIRAOSykfzsFL0kachzbNI8PrYwDQYJKoZIhvcNAQELBQAw aTELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRowGAYDVQQDExFQcm9tZXRo -ZXVzIFRMUyBDQTAgFw0yMjA3MDgwOTE1MDdaGA8yMDcyMDYyNTA5MTUwN1owNjEL +ZXVzIFRMUyBDQTAgFw0yMzA4MDMwOTMxNDhaGA8yMDczMDcyMTA5MzE0OFowNjEL MAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxEjAQBgNVBAMTCWxvY2Fs -aG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANPl1Iv/z+M8jHHU -SggOhvCS/0IfNi82+OprwalmhSL1FyRrGeHDpKArIrHhal7oukizJq96wKTddUVu -hjPR7srSYX7J2oPznjb2FmLHnD8y+zxO83XNA5WCDB0yA/KhWHhDmd2pihTTZOo9 -jvGi3+LyIqXUeiwIpxuNnH2ghoUy+DTzNCknLkIKAVnDPoM1AI0Wu24rs14A8ZVW -ivzY/P8xGwlMmDndrrHwJzMSEMeH7IJi9hx4zJalpoYTVq6Z0Rv0+7SpS+iswi/e -MILDhmSvLw0R4x31xkzsPOtUsocVjgBCGGGHo70ISsAxsL6E9QFe2uwZSvbBKfou -JaM0txRIZahMeHy5egh2+J08vuZKo9PDBWwKwqQZ4Kb7WtgekiycLmFa/OYHLUX+ -Ow8QXu5HU9v9XlP9GV2FQDka2IuMTtS5JCEt5e9ddSb4KVbkRAhfL2snA+w0nmrf -CBlrlThFz5Evy5QNAo1ORwiE+8gNUc12EAu9K3TK9WSUYNrLCbkN3oBL+DVp8Y6q -quUpKEbElhsJ9V49Err3LPaXpz5aW7Th6oFq7UOB7chqKQ2SNl3/hTlNUw8wFb9Q -i8AXs+4SzHo41IEe9QZBvpeucVmdewbJKvNS8Uxs2wmtTq2G2Ae3qGzWl682J7aU -w1X6Y46OanQDNtDVQvGN1CW5kvCXAgMBAAGjgYMwgYAwDgYDVR0PAQH/BAQDAgUg +aG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANLceYfZ+R+KrdrO +kmxzGlc7vfXQVr3RTIYNNfKUSLLshUdIqjnbhpYyf/f9xuiA5B3Tx6kseBgc94g7 +426cLbjH12oOXH2uINZPnEj4k7vaRPoUnWh+eHNqD6mYiHWDuHzrCAltfXjOPJVS +L/IeDGYh47XYtWhm0+x2Im2tPL1sN9WqaNuWMfZqD5u042CjIv1hHoF3I3EXiAu5 +p+OmXL7u5BKs9AusLsFL1neDvVeDXn83vkd91reCYuxg1ySJW81g8cGXKeBL71v0 +CMaeaJ6epdbhpveemmNXEIHo6898jh3oDuawfVY7CTBfcOFjBPpfiLP1Pv9eAHlo +SMC2NGgQRbtkhTIP3Uut9JkHuwOTsvcbhl580a+Pn42MysBCxSgS91q9OFukzYpE +yS8oHOu4nxIXvuKJExRsAK4kMmlH433G3Wvedd1quRuYl+A4NCy5ytmJwZTJuIAU +e7cIk4yH7HCnRSfvxjT3a9InNCZCPwyt+oDIHgOS7y9zMcSSr8Q7tKmXCT3Ga6rp +Jcg6kQKsZ/av3oT1ahTHrZI0FiKpFUdEeykjiOmslvJXWMGBtAmNt3wetLg/kYhO +B67Ds+mMXxlER4vuGoPsqaA9nLsxTbP79GAjo6W2F7jgXQiQhXvBGcOQZJH1lhz4 +Q5Y0vCFnmfmmmB3IWFlB6qdxo7VtAgMBAAGjgYMwgYAwDgYDVR0PAQH/BAQDAgUg MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB8G -A1UdIwQYMBaAFMaaHh5g0+YopeLd1IkizXyK9K/zMCAGA1UdEQQZMBeCCWxvY2Fs -aG9zdIcEfwAAAYcEfwAAADANBgkqhkiG9w0BAQsFAAOCAgEAUXL/lzbgbs6whVrE -3wkp0oDGVZ0Jti1hpeQk7Slt3PHsgu9OQOSGcv9QHs0ybhkDWZQjoCH6Nurx5QaY -GnpNQjylfy3zAziO0c7C1uXf7Z9AEMQwbOHFLefnvq86MtnwJ7sadQo+ViwtMgOW -He4YhkTyu2CqK8GFXRQUNm/SunffXp5zErPCNQURh4hrDUGlXPzyxgx1DyqFvF4S -X8IpsoED3d7cbEL7E9dgXNl7wuy3qoPi9P9KydFTIELBGt1oco980S1attSM9159 -t9iUIUMT4EdzmZxpIyJMCD+Lz9Y3zWVyz7DTqFWOtAtmhM4lu44K4S4d/JfAGEal -3h3SMCbBPKwpsloO4r9TeGi2f+T7hfiFMdCezEyG8sXrObCDyVudyUnXnxDkZ5TQ -NOzqJaUJHeKzb+Z9WSovce3Pb8ok3GoDugmwqyjuN/rz/0jsDTJm18I6HHtONbUp -AIV/H/4+Kewc+Ztv97J7MeQB/2VKcY3vpZpMSEkg2ummRhXUfi0haxfoSCKvRwiD -BElUVtwHTsn3OBnKMGcBt32iLVsvbb/0AtNpohznPdQT7dqDVguejmwHn/fc4u4Q -vfAay/ACARti9XKGplQi7xn+OoYcAVPLYitYBRNEc6t+4f3EKehrDIMRCnxOFBVX -9Dnm1DebturSQQEOuX5rP15lG1I= +A1UdIwQYMBaAFH9LfDTzrym3/EwMAopkOky+eXMKMCAGA1UdEQQZMBeCCWxvY2Fs +aG9zdIcEfwAAAYcEfwAAADANBgkqhkiG9w0BAQsFAAOCAgEAJKNu1UBKtIPJKkld +TXMQQukRMDkckqkyUcMWJkSPxfyPGYjSdcUScUnoMjqdxvcUoTWNKguHfrmaz0mF +L2219vsKfmPKv5efxNy1z/YiYG6qAw6mlKmEvnCXsrDWM9097p0gvDFkzzJQTNi2 +8dDTSPdZHNAfzhLeYEuGNdYi/vzp1OBqlWEy1lmLixzPsGwpP0bhcJlyFzuL+nFk +/aD/IiJ0TBtLMx1YH9VI9R/hbJl1qyqP0id8SiN47MWaC0UxktETN0kjwKgL5c9N +v571ZbNQgPDo23slA8Geh8q93tmVtwIlNDWxgXY9Qfj9DpOLl3HokCyTT9P2KGfc +9OwuKmjw30p1XT5Mnbthq90tsRDwe8w8s4kTucPQXEIPYikdIFFoSzwRVxW+aZL4 +4lSiqZrxqDjfa1njkofWD/hrVWTkV/D2do8Yv1ixrasvL0nwxx7NjK7ZS2vtTO96 +n+ocTBsE1NcuHpf9Wy/bsojqV3iyS0on9d/PhmthyMlS3pfs8ZwhVoVkxyTUP2/I +zVzjEM80HLKkycvb1b1Mk+/JL7aL+CBudp1LIp+fqi1dfSx3ygrGqTvYp/MZa9Gi +EbnmK3l8iZf3872LKd/Ku13t2Fe6kIHuXSN0ktuM+ZP17HCPBhsKAAn6bsAEY+xo +4fJX0u1uURY6ZU1hDvEiSw1IlhM= -----END CERTIFICATE----- diff --git a/config/testdata/server.key b/config/testdata/server.key index 678da7b1..b4c2b779 100644 --- a/config/testdata/server.key +++ b/config/testdata/server.key @@ -1,52 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDT5dSL/8/jPIxx -1EoIDobwkv9CHzYvNvjqa8GpZoUi9Rckaxnhw6SgKyKx4Wpe6LpIsyavesCk3XVF -boYz0e7K0mF+ydqD85429hZix5w/Mvs8TvN1zQOVggwdMgPyoVh4Q5ndqYoU02Tq -PY7xot/i8iKl1HosCKcbjZx9oIaFMvg08zQpJy5CCgFZwz6DNQCNFrtuK7NeAPGV -Vor82Pz/MRsJTJg53a6x8CczEhDHh+yCYvYceMyWpaaGE1aumdEb9Pu0qUvorMIv -3jCCw4Zkry8NEeMd9cZM7DzrVLKHFY4AQhhhh6O9CErAMbC+hPUBXtrsGUr2wSn6 -LiWjNLcUSGWoTHh8uXoIdvidPL7mSqPTwwVsCsKkGeCm+1rYHpIsnC5hWvzmBy1F -/jsPEF7uR1Pb/V5T/RldhUA5GtiLjE7UuSQhLeXvXXUm+ClW5EQIXy9rJwPsNJ5q -3wgZa5U4Rc+RL8uUDQKNTkcIhPvIDVHNdhALvSt0yvVklGDaywm5Dd6AS/g1afGO -qqrlKShGxJYbCfVePRK69yz2l6c+Wlu04eqBau1Dge3IaikNkjZd/4U5TVMPMBW/ -UIvAF7PuEsx6ONSBHvUGQb6XrnFZnXsGySrzUvFMbNsJrU6thtgHt6hs1pevNie2 -lMNV+mOOjmp0AzbQ1ULxjdQluZLwlwIDAQABAoICAQCxGs9jlBQ1YU4hdcXKphmy -yan/ogavv8qcZCQhakasyRzmm32ubM8T7/m3oyg821eXm+Uhlf+dzFtQBOi2NyjW -7LAAQMYas2vxlA1x0lSNnhbOeU6Tjx8HvwJRBJS4HpLLMfVQh3uZnHYkMf9fhzqJ -fMfowoa6dyD0ro+1kI3elpNN7lgSbWUEXUhztfRxxcMIKY/OrUflsfQ5VXQlkVck -E+78/r/c3aQ9pPOeg+LyYnETKZN6iJy27Q0Z0uAIXxefvksC3N1NQ9eqGpOBN9sE -HEe/LMwfJmTvtiPUrZ3pueJN5PBr0+rO/Dc+HEoVcxs0Yguoehtl0l07dYaPumep -TmXdrKvCkwM5cwnbXSWrCpqMS8Medb3zWvNnWO/mjRwTZyhmNdscjh3Ilvo+YCus -wM8HJFD4FuMtL3GtIfoKeszppACTkOOYiViGHmKUiQaSEwF7nhuIQqgN3ULCP7Z5 -mhL2RhLWacPfATITNkm4g2o16mFohZ9HPZSkPGm8rw7yhB1s2emoocXsms2iR1oa -mggNnUS3m87Z/HmOEyObIQZtYf1ZNuVAGGP4kmhhtNfMTmq3CPYM3oMRR1nb8Ci8 -zYwjEIvLYuDVlZFff4+IA7tCBZPichieoioaxutnYtO+nvuzDRiitL4my2EcXeE7 -tcIunkP9u5BNiXsfNcy3gQKCAQEA3X9eZ/IPF9Rrsjwtqkt7Oxn/uJ8JCotVBLnq -SCd7sCSaM06jUzMjMoj4SYyjzBYLycH/q+euT4UoPdPMKCfwx2NgR87MfuehWzwG -pmPbAbLJtLmZ+M/Bz5QzGS3J3f4qYxLptLHX971JgtTdcJhOAc+p/Elt3l43d/fr -sMVrZ8hqHlXmA6WuwqHjHnGP1ML6xFfsjDZ2jQ3VEV17XKtinucgitvkVuHYmtdQ -wm/yrM8vDkyglgk47j9CyfQdL10elBxe32WY5B0g9TmhIMypmlJk7inPPnAqJ4TF -JJBMvZOB9cJAjrtsDN3tAW/1q+wPF1HLwurqTLluZEc5MVjaOQKCAQEA9OenKlxB -5HiANjH0riaokFDtjC27iHoeBkbEt+CyegGXVHEotVcKnG+N4Tw/GXcS9m33vu/X -Lmeowp/Z2BKxB7xvw81jQh8gEoUHFlH6DgksTPjVVSEa4wnESrqlFjRquBexpU6e -X//xVD72b0txAqJvpvtbxZC41WIwUBTBkHDlj2hegEzUvgzdO92FPRUDrAgB0wSv -05U6fh1/4c3XTHqIHK4/gxiVRmjnpEdjEbOZsfbN8LGQK2eq4FkIS870VKigUZ/U -m2YB+8PKKyqKdXpWQHMZ9QvXoU9AwMw4Q+NEk4a/ZrnnMo59voKP1Qoqhd/rEAP7 -xa1AMOAl2DhhTwKCAQBdY4Z6bSTP91AxJg5a7thWYu/e967oMzb1dy3AnmUYL1aU -q2NRgQ4mEHofCJ1HP0RZHOKfqF9mR85fwx0hETYD23KM1DSEjUULIpPrM87zOF6z -RE4XCgG9c87XnuauIqvceezvssxMOBL2hqmW/6BkQxp4tL0ONMtOWcmWDqbqayXT -BISmpQS6K2eHPnpWSp9QiYHC3HO/pUVgvPl2aQx70xd1dKEhwLeDEaWLVYgMNI6y -iLxshhbq3OFcJQDpJ2ntKMkXh86e32k1+8Zj/ebEmljT0ez/dmtPnjtA31Z71+XD -qNNvWraD9k4nfP0oL69tNZ+j30hKcSSKQz1qAPyBAoIBAGBaI3KPCX2Ryx+HV/SM -URU2Qb883uM66EUf4pVVWeKWbatTOejebdZOLUvIICsspdE+QpJkWgxvy/2GVnak -I/IfOPmX/M0u4bdnjvpBFlgfU8aUv5nWhHV+ijO8aubpiHMVH1ciLz0lvRSgEOSI -kdWvgq33houb/Jw3HTrkb6McR7S8IzHnCGwdM40yAhGeCuvL2qvi1CoyM+kaQg3c -pi/4pURjaalyKoihDUGctGVqe7WAnFVuBoKNLrVFUfZBXe9QyIJUl5jr8SvUQ93n -xsGhd/2zSysVlahpPdicgCZ1a61+/h60VTmWxfIF/ACdF03EYv7SEmQbXX3dMgZ3 -aBECggEBALXqdEIkb9pBhwCvUHFG+c/IKBhS6j7BUj9PrZ3MATPXHo6Iy09d/dlV -psFQzWVvBmf3pcI0MEi7xdUMSN0jhZ8xp1owDlOQSM8DCQPFLaC38sfhZNThIfz0 -Q+fWYPe1lkRBtMVSokN1PtE5zETHlUKkh3fdQs0wihX4Wikc64rjCgXqXc8ng8Lk -NCUNBY/7pNfrEm0Zxz+8CvmRaBbL4OT2/hFsdcMiO3P24mCdAPgJ4v97pr8KxRHe -SmOyiSdaAyXHr/6+3KgO5pX8YUn9WiTF2hxo4SG3NQuuva0SBZT9B8iFXt1uFUtP -Rri7hsjysanKPyaPM1oofbRyWApMyRo= +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDS3HmH2fkfiq3a +zpJscxpXO7310Fa90UyGDTXylEiy7IVHSKo524aWMn/3/cbogOQd08epLHgYHPeI +O+NunC24x9dqDlx9riDWT5xI+JO72kT6FJ1ofnhzag+pmIh1g7h86wgJbX14zjyV +Ui/yHgxmIeO12LVoZtPsdiJtrTy9bDfVqmjbljH2ag+btONgoyL9YR6BdyNxF4gL +uafjply+7uQSrPQLrC7BS9Z3g71Xg15/N75Hfda3gmLsYNckiVvNYPHBlyngS+9b +9AjGnmienqXW4ab3nppjVxCB6OvPfI4d6A7msH1WOwkwX3DhYwT6X4iz9T7/XgB5 +aEjAtjRoEEW7ZIUyD91LrfSZB7sDk7L3G4ZefNGvj5+NjMrAQsUoEvdavThbpM2K +RMkvKBzruJ8SF77iiRMUbACuJDJpR+N9xt1r3nXdarkbmJfgODQsucrZicGUybiA +FHu3CJOMh+xwp0Un78Y092vSJzQmQj8MrfqAyB4Dku8vczHEkq/EO7Splwk9xmuq +6SXIOpECrGf2r96E9WoUx62SNBYiqRVHRHspI4jprJbyV1jBgbQJjbd8HrS4P5GI +Tgeuw7PpjF8ZREeL7hqD7KmgPZy7MU2z+/RgI6Olthe44F0IkIV7wRnDkGSR9ZYc ++EOWNLwhZ5n5ppgdyFhZQeqncaO1bQIDAQABAoICAGXDrA+JfjbfygoYuggHAQZq +ucIBu2s+sMzdYVTihbd8eNIvWqAzt1+TnbkEzFN3qSBQDkMyR/9zM2+XX6sJSvOr +1uXDapXpTMXBhC6fcUUvES0Ud+dvahhhbo+uIuV8HbSEBcvvAKgl+I0kLimOoPNF +lc00elCZl9u+I92ExxSwPr4q0RJxCUngZAoEodwIv6FDluJqqjsxXSIzhrhSmN45 +Eu+Ecv+TKLl3LVleximPKDMDpxx/ufm0vqNQFWT3ucuD5wlEOByc6TcaroWU++7Z +qDXtj5RgAijBYyEfVXc8qKX8Ufy53rOYKFYlKahNDqD7LFGVocLDDj2Ju9rt1Jon +hT1D1X/uX8XCXl3/wCaAX1dpSf1owR/J7sgtm5qysOnBkT4JWwJo6OaZkHmL73vR +APjxlawJVosR6bmHeqE+8kyysYywbZ3u+bstQhugcAF9dxHdWfwwOmwcLmBDOvFN +hakShySQevv3rBcUTBCmC+zLmsVVLpGUwyjYAtVwS9KAEyYT+C4Wjb/dRZXffan0 +u7VNjSS8BTFy+1Kf2HkFtoNV1otMDbO7KENW3bG3BXKsYACX429hBhKYA3/Vi8iI +vqNbmJMdPc4NWrmJnSP5RrMAlDOqgMEYPOqw4oMrqPKh6LzEVR8gtIdm/f3aq4dW +x/hMkS4ZB2dGyCkWaRINAoIBAQDWFe9exGgvjaGmi/Qt0ceXeT34ZlUyjOxI7Mgd +B59ZUPcyJJFQEzh9xilfEth2W5Anvu6xVYqcaVFSUBfQx2YMUuzIoi714WUlkMWN +EHTRLAgDCw7vqEx1aBPkF6V1GSyjGnKoImiT6iI2Tfuz3TUUfiw/xYLW/xap0r9m +a4JU5Zbh8GNAmerO1lRWXOmWic4kJnbPQY95CB1BS0jRnnBICorVJGGWcJ+H0K61 +cfTCiDzeUl4hmXjOjr139RwYTD+gbyxWO0juntzOb5X1c2kuy2pcOo4tc0iHJjP6 +E0+2/rUBTJlCHpizxOc052TTjIwPJ6t/2w3NpNwlsDW7u5HXAoIBAQD8JO29paCn +ww6T2h3YVOFcxzSJ8i3V+ukEa95KIr8m9DlGllQ9Khe3bbBHJTDifPFGEN8oCQ/u +AIRDoju2tC7i3CQ0MOYki3NJotwBmHU/jZQ6GXwSdqP9hu6PR3QOl3vasffYAiUP +mmmUafAe/hizNURxF4fo6hlPimuCBCxIH5v4T8dmqTHPDw7ajI+zbzk9WaCAZeb/ +H38aeHuvvRgse/wS7K0gxmoCnldjcO7AU8LknVZSnAjo2DjKUc2f7EGg1UWMIyU0 +v8zwdTcP9dzx++UvbBW//Tr6l6dhg9ftvF8Tj8KKzMn7fh4oQ0gDQwp4CtdSQ2ga +cv6aIevAwFJbAoIBAD4HuwS9aealZfoowQZpqygzhAYuOG9eL7RtjwoCRGSPtiA8 +QjJub0baHPCkOD4LB7jMdMLDI1dwmJR+Cnh+3g2iFWOIwoyR00nQKb1W0FIvLN8c +3CYKoKTAFEtZoqJMOgfESQZ4ec6p32HWtKCH7rJSYKXVp7R90uY/3x9g9TF+GHq8 +uTVlo4hsx6ECaNgqc6U70973gwexlzBtDNtXyfbFvzZExVXeqgqjJ4wBScb3zJMq +UIXxvvQynaldRteveBwXOkR+BwLE2vuhj1TALPDXFalFeh6nMZOfOR4zbDx8jpui +wyFKVjp4SfmlNiypo4dcmi+Am/5Cz1rINLmBfp8CggEAVQq/hK9QOET5rbRrTIOU +Xw5xEfW0r+8omG0pVCfUAPduOfiKAPcpeJxuUBCjJECvv8oA+ifUT5mtAoK9USoE +hk9phpDXjovaHoPnYEJjiUPfMplV14RcWy4fWAPpiOJey6wqw5g1l8WkxoHUkx9w +hUD6DIq7NDuAvesZx4hQxyKiIGYIAwAd5JBXmi6+aO6ih6arE6NK/dFJtUvdq7BD +bv2CT3+0BNHm/2sYXlnArO2TVjga3VHzT1VeEh71E3NDz1MfWdygt+HY5WEjaSar +lpI3An+Z9l8afVqZAbLOKUjXaGmcW+QmW8R1t2654x/BcCt35C8H9aPDa4j1UtWK +8QKCAQEApgvfp5JiER/CzjBt6YwCdo9kTDJM/mh8FDvavnIin4alNuPQbr+YesYl +0M5Tq3jUKpJZ7OBwOZO2E5/UY0gnRvfj5lizPog/sqA/UfWZVgsu+kpTluF+qrMh +qEDhKseogolm4KDb4gxdoxz9AH6lIcVdX1zOtMorGnmT3L/6G/PKxxUdoMgD6RW5 +efITBF4bm0FCjyrNiHc/f/B6lSyz9t54O5AXTPCw8cHMmTGTLbl5MFJZuPfp0DIm +J6tNt0zClxQ5/FV1Y7UWh1l6i4j60cHrzhOOsxkNLPVAu70phEnBg9nevilSADWL +BikBgOlpgA+bZNjb2zDsmwDkNKl0pQ== -----END PRIVATE KEY----- diff --git a/config/testdata/server_revoked.crt b/config/testdata/server_revoked.crt new file mode 100644 index 00000000..e708bab4 --- /dev/null +++ b/config/testdata/server_revoked.crt @@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFsDCCA5igAwIBAgIRAOSykfzsFL0kachzbNI8PrcwDQYJKoZIhvcNAQELBQAw +aTELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy +b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRowGAYDVQQDExFQcm9tZXRo +ZXVzIFRMUyBDQTAgFw0yMzA4MDMwOTMxNTBaGA8yMDczMDcyMTA5MzE1MFowNjEL +MAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxEjAQBgNVBAMTCWxvY2Fs +aG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMU3dOu3uEJVu5Ie +2WpKjTaGGQ67TYhsHyqP2zlgus6kDj1rcag2gK0RlmmPJGk4ehyUhjhc6Myq5Ihb +p5zQtCwRSe9raROyiwjZuxwIf9FIigMxqHz3RIwyorkBLodVC7MhkM7nlg9TZldE +j9+pwdJ76vBznpxxigeTSsFLQ31fw5oDrNfrqvJEe5zHtEPdDDdAgumPpdt7TWTf +veB+M5Um1fjdhRDwCU9E203bRN9PgK0w6iXTbIV7eHzG68oyKVaKmY5iiHcLLk2z +yY60h1AugA050m3j2ojytgtpTo7R76/XA0A4ZSfFD7mSOkDhDGBz5Fb7TApFTy7+ +BMg8DEgn8BiSq7VdZ1etwgaehXtPkSuGavF+MctiS0TF2UzVucZ0zlHoPAss+6Ao +jKdFUdZVhX2wJ9/EdYvfrZgEkFYRhSEoyombZ0GlNQG5z0CcCIqNd4PALfN4xuEk +kSbApG6pyi5zU/2bv0kZy9G9RmbwhWsGHwu+b+X54JEKWZE/xIyXQKj1AMO1bep6 +lIqfDmtBeE5oReDXhdKcVwTHrs7RCM0hwM5rGWwhiokgmIHnl6R/MqCXaPfRxap4 +EdK1qy+4W9xAPShMgDTuoN03D5YiHfRvAutP38ne1zTox4lzSY+EayA/wkoB4wGN +apc6ouVL5PP9RnTk8ATH3eUAQX8jAgMBAAGjgYMwgYAwDgYDVR0PAQH/BAQDAgUg +MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB8G +A1UdIwQYMBaAFH9LfDTzrym3/EwMAopkOky+eXMKMCAGA1UdEQQZMBeCCWxvY2Fs +aG9zdIcEfwAAAYcEfwAAADANBgkqhkiG9w0BAQsFAAOCAgEANyJvkB250c7GPE2f +SqP2XOp8Ql+ecmHDUDWGDprRLlXRukK9kJZLBoXysH1aZq+JdjbfaHc5Ym2TYGX2 +Tz6G156fMWgso1iAnnDyo+U2uJJV1bBRCXxjJgvJoQv2jAwq7mwgkmDpMyDJX2+T +tBe2etktR/UBKqmQF3uOq7FtLh6eBbAGwTiFwU/5iaZuYzSngCLSTMLsLFaTFtyL +RYXZ7pKCU6Lq2gsyAmIL2LboDdXQDftO4sH6BJnwKlwblkIVJrju6SmDYHRii/ft +SNw7wJtvSCHp7FcLt9lxyBuSP61ylfY+SlqR75Oypeo5naX93wCIZFDG8Xc9waz3 +LmQ6HmIr3U8Qyejaqex+8J+AJk8cKF0/4Y2yGlWs4JIvcT6WpBJ9z9oqQY0boDdk +qXTja83NKNdRaDF4Kn2h4m2oMjEV1/+KYgR1GUL4icJ0ahWcCHehwagjMrtzD1nt +8iLrMwaW68c90iJXjoyu0+n/NoTJ8iUdbgi3ZWe5Em2L7uZMqxzOR333uD+rV0Ff +e2aQ+lc0OY3lF4VB4IklUjNzqALeCc86lyqNnV1hq2g2H5adF6pqvIptEzP5hPl6 +DmaEv6HnAAqB2akG5Aliwn3+ZRfdvtb23y3RQzVMJ8OC3uvyvGHUgwK5EGuatueA +IShL3EHWNTQl/gYsoutsQ94ado0= +-----END CERTIFICATE----- diff --git a/config/testdata/server_revoked.key b/config/testdata/server_revoked.key new file mode 100644 index 00000000..d1030861 --- /dev/null +++ b/config/testdata/server_revoked.key @@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDFN3Trt7hCVbuS +HtlqSo02hhkOu02IbB8qj9s5YLrOpA49a3GoNoCtEZZpjyRpOHoclIY4XOjMquSI +W6ec0LQsEUnva2kTsosI2bscCH/RSIoDMah890SMMqK5AS6HVQuzIZDO55YPU2ZX +RI/fqcHSe+rwc56ccYoHk0rBS0N9X8OaA6zX66ryRHucx7RD3Qw3QILpj6Xbe01k +373gfjOVJtX43YUQ8AlPRNtN20TfT4CtMOol02yFe3h8xuvKMilWipmOYoh3Cy5N +s8mOtIdQLoANOdJt49qI8rYLaU6O0e+v1wNAOGUnxQ+5kjpA4Qxgc+RW+0wKRU8u +/gTIPAxIJ/AYkqu1XWdXrcIGnoV7T5ErhmrxfjHLYktExdlM1bnGdM5R6DwLLPug +KIynRVHWVYV9sCffxHWL362YBJBWEYUhKMqJm2dBpTUBuc9AnAiKjXeDwC3zeMbh +JJEmwKRuqcouc1P9m79JGcvRvUZm8IVrBh8Lvm/l+eCRClmRP8SMl0Co9QDDtW3q +epSKnw5rQXhOaEXg14XSnFcEx67O0QjNIcDOaxlsIYqJIJiB55ekfzKgl2j30cWq +eBHStasvuFvcQD0oTIA07qDdNw+WIh30bwLrT9/J3tc06MeJc0mPhGsgP8JKAeMB +jWqXOqLlS+Tz/UZ05PAEx93lAEF/IwIDAQABAoICACLfxKAuM7ofOPUE2YNvPXtn +ySSOwI4gOH6pQ6Xo0f/aiN4ZktahFK4GDygJdPHaV9WX+ggbfds7WQA33PLhAQtN +31okD0e5adad0fWKFzgl8KnR7S5z9z4nchju+ZBa3J/HjrjXwPRi1hUWfa6acTjM +SuZMO78EYNkoFa8KpRuVhJxGjBj+hpMiww0dT2Y0v4VBtiShDz45lp0A5628A1kb +rfi9C1vMZokK7xDcdlha0bFOlgksUuNjyxGdh3KQ3jh8d9zy1ZjfdEevRDQk/kyS +fHhaQjjGcw2GheSMsaSVwSHCDsQbdN/MfBRfpEd2xF6F/9nVxEOIsBDqQGQ8IhuM +wV92kIUgggWGUKXSGTBEqzXH5u/vi/sRVEQTJnDPsKiOnbewdum3EjVangszB6Mg +BqiOZurCSSerOXtkzMxepIdIg0WLZdA4lxEjePVyo4/eKhPFPPg0wMjUyCepDzOw +lLfdLfI3x5Dq28gvGsdfdn482W5BZ+cyWePY8JBY9MV5ddCML8wJTeBg+ot+84pq +06WZYgEZg0WrpNIw9n6voLu6c+0K3xVw8kQs+skQcOt7d/HTz+zCNYcjew2+6Y7O +uvPf0ikk2qXcvJ1wA0ocmUSwUA4TeXgdEeujYEs2ibZ3oe3XBWk8rJFwMC6KWfMN +jtjJXNeS/30z+CT9jnD5AoIBAQDT0LH9ZBRGXIwpD5w2ceHOaj+aSm6it8fvC9jl +mKVZRSf96rs3iQzS7DlCKeulaWrGSncoAaLEMREFZf5r021L8iKBJzXDfMFeofvq +ZxZ1R0FqgoFqQB+lSyLvskGC3XVhs5k4CaKZbqii1rsFnUy8/B5FbH3ToRKIPsSB +DtrKTLx1vVn/fJnPVqow9B7kv4VJPIt3g2v/+RwSyN6TcWrPUXlq5NYUod6oefNN +8PbVry14v8YkCWgaxTnFBryL+fN9No/dcuz0VEU9FhsZjOMp1bO9qGpKHmhraBud +Exx+fuByMFLfZacbogBncoRuihVL1Gpm797We46/6CfyuwNFAoIBAQDuWyvTSVvt +Bhx4bufnqu31F2eOoGpTq2/nodKyAcmGGTSafeySYOdKT86HDxUb9+yBeSx1eRJo +PyKYVoTkZEI55uTUsGzx4scs5kNzgr2Wnj1psK+8CMoXMGzyg00JflNY0sd3YRPG +bxhynMAPquc2Y44FVpHUq5nwLueqnc8C6DgUt2saAE3WO3D/wnkUyaTRgicSyW0Z +XpArQ8EJew0lfhWMljilXo/hSpzdNtyTpHlQX8h/OA1QrMcuY54xe71cv+++7RzQ +2nmXpGDzMTqPabwS/yGrtHHwrttTs+02xqQsWnJYUMpZokOOVIaUr0IKDSwTdrTP +JNKOPKA7aytHAoIBAEwd4Ah98WdDlL6gtHNAQ3QI7GhGvTFON9Pofv4q96h32KI/ +ux1+65PUfdMP+3WKx2sQkXdX9yTnuQUmnOIkrU8waUPeUky4xUh7j2qxtvlYLOLY +mScUegrNUHWwqigb6zW786CWnc7jXEiAP98Jouz68OnjzefCJ0W8wKLcMrWmE8d/ +zxqnrSI8M5a582wigwRJdJjzKllnLLZ3Zry3cjmkPqyyJVhuvvPuNwfYQuuRMxcE +W3DRzI5qN5NdE1596QkjFVnwFcTLj8Ie8ogg//UlrZzHK8MM4FtQozO0DXZLo96F +DRLolb+xXNHP7lVG29ZPNBlfs8WBy0+dXtW0bL0CggEBAIGi3Ich0vlq5Xkq+L4r +XRh8DjqoTKwNBeP5Q1rFVhG1C8Mq0cwbIDBuj2ktbtGzWdJhUSjjHHvOOsaX59dA +IDTVu4diHR7BtIpbAjyE0xBkKAqfqjSeoytRjy+m8fND3Zjlqs7m4ZZ/PdC4KE1d +KjuOkeOdXdtJKYRUPnOxOLHgEwBRcdLGb48g7ShtYOVJdnbsTswM+WVe5RJi206I +unG1zYqU+WIXuDFUH1TBTd6PCdwI/EcU+Ujzb7FvRM6s+iTDz2UMGSwOZytun7wk +/jCZ1UyProRws7evomI37cBo8UmeN6qI5kUx14RFvJyJZWWKHHrJiTVQVaQ+nPc0 +JmkCggEBAKjZxaBFDlqmUehO+y349VAXILdi9AT731PhS0ajnWXJ/HvsCdxJ36X0 +39gvhItT83b07OJLiTAL3jQTOpMuwqczYpNfZrzM2VAthprqAv9GIqFc4s4UC6gi +FmRHWX9qjvc0NXozuJ/kvAwTTo9d5c5pGoWqHGW2zhGE74PFiQufEXlMef0+iIP5 +w6lpMkoXRgHu2HadGr6BXmqlD2gyZazBhEaGIBModq2EyaCiACl/XcNY02Rk7wKe +cGzdEM+0DBMlmgGkxrNqEsYTFe+KHuGdDp4QlGlL1zECh1vVDxyGrKp4aejzEbjE +SnVnrKSxwacqlVEmrtBcR1zboYd1SFw= +-----END PRIVATE KEY----- diff --git a/config/testdata/tls-ca-chain-add-irlvt-ca.pem b/config/testdata/tls-ca-chain-add-irlvt-ca.pem new file mode 100644 index 00000000..98a89606 --- /dev/null +++ b/config/testdata/tls-ca-chain-add-irlvt-ca.pem @@ -0,0 +1,100 @@ +-----BEGIN CERTIFICATE----- +MIIF1DCCA7ygAwIBAgIRAOSykfzsFL0kachzbNI8PrQwDQYJKoZIhvcNAQELBQAw +ajELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy +b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQDExJQcm9tZXRo +ZXVzIFJvb3QgQ0EwIBcNMjMwODAzMDkzMTQ0WhgPMjA3MzA3MjEwOTMxNDRaMGkx +CzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpQcm9tZXRoZXVzMSkwJwYDVQQLEyBQcm9t +ZXRoZXVzIENlcnRpZmljYXRlIEF1dGhvcml0eTEaMBgGA1UEAxMRUHJvbWV0aGV1 +cyBUTFMgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQChEDFJ3zUp +9XB6Ln+TYjNjcRmKn8+h4pM+RLTlP1CtwAMn7LYeZNwhu/aRW/QEr7DIDVkZiWzY +S0J0JjjdfGZG+e89o7k+HHWHiBtf210q55FiKKGUwoDfTVHHgImZ7AOOZxG2brwa +KRV7qSocs/Qea05OjuqGeOrKA7jJpuH5u4ZRo82YtiwWUXSqXiVihZfQYTSVUDK4 +1w5iAsAFBi17XbIPvmGHKDNminixyWO0XTKeU9zQAcv+/0kmRpTJoM2oVKLhFX6u +LZdspxHCmCbMmbsbV6phKQpdK67CsbivuqLLBCBr/RPI3riWehaEF5WMj8Ji0DoO +PAVkE7+zHmIsDMpiYh5BEEO1ZwiqqnfOSpP6omLI70jIyoAuWpq6luQKX+CWm5sK +JAbne4iu9xoILGrB0bP2wF/6qCIbmQU92k5whVAUJmWA8P8hLv+huL5BzBZjbuTU +cRVf5fxr3J9po2XqBii3VekHR+PEGHkD1pp+Wog7QeIdiQOv745f0rTP0+iy1eWY +Qj8gceld68tLLw6vBzPDhNlBbdXIIktzW1W9pDhO+VBxUJqUHwtgytjseokHud/e +pNmd6+8l51vf0RGs52yuxLAr9CHJeVLWeZ26pg6XvpolyuFwtqrPU5W7CLO/Rvs2 +sCxyT/iXlCd4BEZFzeOT+rn0IY5ANYWPLQIDAQABo3QwcjAOBgNVHQ8BAf8EBAMC +AaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR/ +S3w0868pt/xMDAKKZDpMvnlzCjAfBgNVHSMEGDAWgBSC+WINPUpYSZoOZiplfO7z +pcjQSzANBgkqhkiG9w0BAQsFAAOCAgEAbqPq2gWPeV+dVYuKyqMyG2Y2jbCpPaib +gWNmrQQUxh8G8sqDkI94dq4w691CtycVwpKr0KAqi/dA/6TS5rNOmkpDBsJ9pCOc +7KUZAXJ/5W8Mr8VxaxH8YCDhIuQa1lvydRcGoMwEf08gLxEAZ96MSO0FVEiTLu6N +vAb69ZEmItY+7xW3wxAS6qbMlN2NtEO9knQtRdnjFy02aiyXotxXPuCrL2jFS2bb +lkHJ8J3ib3FmOOilBcXZX9PKk39JU7+56D5gZU2vtEqBJC6wXJHR3m02RMCS2kLm +Xjv2ArllddNL8J6f06tqwHBnX9f8+eXOxSy8zglIf31j2hB7DXxRjejPEvTrnCnz +f74lQKZiQDm6x+16q9UEgJhxHmPinwbGAqMjQ+JeLN3ono7m5UsqwSvuoTfkEdM/ +XORhnZ4oA9jRsCsq2R9/Izh+cMb9VfdRNNyZFLzYkfiol0Q/FpGOeeDdY8PddgUE +b0Bd/gMmllMKqGUTbVLbg2Bbcc6pxnD/70GIzhsO2nF7QD+B4ToU6tlbQE5y3lkv +Ai++jLF55nMnJrHAuwkL8dFBJf6nI+UqYhHY7727rTOVNuf3DYZJpvtjcyQubvBg +yzjMipCOeyoeV7WVbdAIrVkUe7uywTd1SQylQ+MRnoRoEPTuwYhAeh9WBV44elex +TODbpyk7l+8= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFtDCCA5ygAwIBAgIRAOSykfzsFL0kachzbNI8PrMwDQYJKoZIhvcNAQELBQAw +ajELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy +b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQDExJQcm9tZXRo +ZXVzIFJvb3QgQ0EwIBcNMjMwODAzMDkzMTQyWhgPMjA3MzA3MjEwOTMxNDJaMGox +CzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpQcm9tZXRoZXVzMSkwJwYDVQQLEyBQcm9t +ZXRoZXVzIENlcnRpZmljYXRlIEF1dGhvcml0eTEbMBkGA1UEAxMSUHJvbWV0aGV1 +cyBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvSVaPYcW +cJ1n0ugR6Ns2ITqbSiUTl2xkLAvyVOwVGaoEjYM+2NtJjg0Dr1hlT8I9rHeWcB4G +pC1Jj5wMbEP1hoUyxCxz6dbEplrdXu0GEd/leyGsAe+4qnIvvG+Ic4N5ndkNxEQo +xYBqD9kVtQi1iKlQDvCwvApu9LFp7PmFAzDjP/Kcz9U9PTtTCuuNy/GxiU6Ez9Z2 +JaaTi0ogoGumkTikgu3udFdny1n8XH9GSOysy8ndueE9AvGirpKP5UscSNsA+x7N +s2QZizVH6/w8K/wkPG3xxAMCp9nUZm9H6/dnQ6dpx7JENB/BQCJhr2J+3TEUaeZm +gtu9gSDzcvQtnjgtEUbkQBPGgnE/tJ+urFFBq5GhJo50+YkOt2e3B1kiD2+wCfqo +cN21UuxJuA3If5UrTB8R0Salnh6V/A3qWAqSYvm8eAKihmtOTg15X2DaeprnsK1P +lHzxegBf24B7u0390Am82h8EJTq6HQ/hSPK9kLfF3DRlaaoVWM2xW0/01zyTLNIw +u6oU8WEDpVDCMpv1gpR7j8gmKdHK5mceuNkjmVo/XL/PIMYQN0RbBcJtvdfsKD3d +EVIqV9T5PP7NpnCCNzTesfzjSOfmr6eIL/8pDb0CUQL3YU2jLjgcwiIAK5P9bEYW +Kn6WdM2Lih8iWU7UAKtIk447ddo6+h4mBpUCAwEAAaNTMFEwDgYDVR0PAQH/BAQD +AgGmMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU +gvliDT1KWEmaDmYqZXzu86XI0EswDQYJKoZIhvcNAQELBQADggIBACiHJUxeNiUJ +t2L9cfLLbWK3wqOpZ+totPhEilM0kqG3sP+Oh8mM9o83OrBFt7DLzxXXrvuGwsH7 +DIVXhctCL8gqO0AL67fJIJHL6Kl5NubMf3A//KlwPI4Qij5loQbYWyiXtnUvLScC +jWliTjhJZBZ9ztJ/FnJ/DMF+YlrET3ak3lQKHEQba5t9mXkT507ru8Wuyp1hb9GA +BU2ZbCkzXlkv8Jern+yffBOPcXUMSU4Qoi3eJDcYqSflB83vr3M3AM35+HzZPdBD +2HnTvCCZQwQqAKMpXeB16gVlOGi4HKx7fVPBmRmM4SAB+PgTa4LiAA/BRJq1yEAq +jTbzLYXBfAhciJyzH7UX7LoSmrHr2pDodI51HopFANfhvHu+YrxUhXgI6Kr59xaJ +uBDlCSlCjeNd4NiswbdlRZM6eO6ke1iwX7VHfNIJGGwRuALyaksFpxclrdAsi3/k +RCM2l7OL1FnXrgdD5laYgDCo5IxYh+0jDroJO2W0ppR99+rdWSqXeGzTZA6YDUJC +unypdNY7q3za05LAgvy0RDkB1MBRNCjpJuvBRhMW0snZU64Byv15wFkhtDzhaoaZ +aZRAOXZK6VgcVNkZ7HEPuVDGFVytKZpjiR9G45JXgSTWfLspT/LfWl7X4hbrpMpd +0KwX3b1IVRfk+mGGgiYNIIAJIqWTyC04 +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFyDCCA7CgAwIBAgIRAOSykfzsFL0kachzbNI8PrUwDQYJKoZIhvcNAQELBQAw +dDELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy +b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSUwIwYDVQQDExxQcm9tZXRo +ZXVzIFRMUyBJcnJlbGV2YW50IENBMCAXDTIzMDgwMzA5MzE0NloYDzIwNzMwNzIx +MDkzMTQ2WjB0MQswCQYDVQQGEwJVUzETMBEGA1UEChMKUHJvbWV0aGV1czEpMCcG +A1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxJTAjBgNVBAMT +HFByb21ldGhldXMgVExTIElycmVsZXZhbnQgQ0EwggIiMA0GCSqGSIb3DQEBAQUA +A4ICDwAwggIKAoICAQDDc+J7JkJEXRQ/2tJBS+1/2+iQZ3FOePQA1cZZ/sSURyNT ++gA3Xfrh7zyXL9lsrXNwu0VJUqPl4Y8nLmFxY5AiqGAONAiUTbQfwchS9nn4zWxm +Up1cTss7g+6RO5kppeDyXMDQt2UwzeD5C0Lf4Wp8L6U+M7mrIsU6WUwUHOI7z+TH +Uy8mQUrdM5fe+TBwP+3MQN8Hdvy7ZcmR7pBZAlbJmp7EJpcuE7i3tZ2U6yrmsJ4X +fAtg6RQykHKEETGMKErh69w/n5bBliIGFbUVPFrYefu9FKqbP+TYggd0bKJMQLfe +ZLSxP+rwI2qFl8hBnhfdA51X551FkvnSSoAjWFOnA9xU49ZBv0m9CKVj6xEyM21J +ckLfGc61tSsi1vIsCbra7dJ+eDC2kk00aOtweptGeMnT7wp66x0po+TmFZf0wN8R +ujZpo7adwzIUDVrf0OSq+c79dQayKLoHyRk/ywqVL/EKDvhbzKE1pTDc/bXyF2Zs +gbb4hcSnKKIGjWqU5EURxnMTOJiWofYV0JYzrKFjZY2yAddRduWJdl3gnlAyYWem +hsTAqUta7HT8GyoP2etwXuFzbv1MC3X5flIlpJ5lvYUmS9ootMGgDotpeYrGLBav +m8QEaRP+vNQTz1iTogm6OhOsqISNWShuXT2Au09Rr54VKQaBBfLbcH8sv/tMyQID +AQABo1MwUTAOBgNVHQ8BAf8EBAMCAaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMB +Af8EBTADAQH/MB0GA1UdDgQWBBTvFWDJkxY3FJ3EGMTHcRIc74bhdzANBgkqhkiG +9w0BAQsFAAOCAgEAR7H4YRVGUaT9gVSFN6GPs99GKxMyxjtqt5abIv5PZMNyukhn +fc3naoAY7XAiCL3kYKQSDBPp/ABHSA8qjOuj0IcoL13PoEGDJFL3xY3+URL8gYbK +2MpFm3rXjqzKyp2VGbLk8IfivfanwFlSuQS0yqm7H3aqK71xP8oUhWMLjW/cbUxp +vDFu/ejuk6RVu9rWi6wuBGKxWEXueQZJyz/sszJpbqXkf2uJk/UAGKq130wH98WK +/QM9kKoPcxUJhY0iXIAJur4oIOrAyFAlr397vd1cy71BwP0abZtRmCiJiMdNbcN/ +KRsg+o68MXQrKFM7seZMKDMIwvqONlHk6TVjHTaA0FRNCru6/eH3pHqS4ik3LTQD +FJ7v4HbsUoISoJjbQThBEgS5iGnKr1pL0R98OKeU02sCzAY9YbxON0kMgpV9ypJP +CFNmxQMn5QOHOzSwwnfl5Jgg23Mo5QieQS+Jb83sNwBM4JKvaIVNWxkqgB2rR8AK +Cn7S03hRGENmuRezPlRLzPtyTmHVwPPeJlqmxG0/vnTXB9Te+KtSbFG1PORi9Z2t +bzmLhOMHrWkOb0hDQtiuCmfrG+PEq6APbnIGT4EPnp9fGlQYMMl5U7kLOUbJNz57 +MuvcexVkn1bpAamBUq3CqxV5ZpSLAklpcDReeL3RXMKEfknDnJ5UOP6u1Lk= +-----END CERTIFICATE----- diff --git a/config/testdata/tls-ca-chain.pem b/config/testdata/tls-ca-chain.pem index b67023a7..2827ff0b 100644 --- a/config/testdata/tls-ca-chain.pem +++ b/config/testdata/tls-ca-chain.pem @@ -1,67 +1,67 @@ -----BEGIN CERTIFICATE----- -MIIF1DCCA7ygAwIBAgIRAMMSh5NoexSCjSvDRf1fpgIwDQYJKoZIhvcNAQELBQAw +MIIF1DCCA7ygAwIBAgIRAOSykfzsFL0kachzbNI8PrQwDQYJKoZIhvcNAQELBQAw ajELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQDExJQcm9tZXRo -ZXVzIFJvb3QgQ0EwIBcNMjIwNzA4MDkxNTA2WhgPMjA3MjA2MjUwOTE1MDZaMGkx +ZXVzIFJvb3QgQ0EwIBcNMjMwODAzMDkzMTQ0WhgPMjA3MzA3MjEwOTMxNDRaMGkx CzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpQcm9tZXRoZXVzMSkwJwYDVQQLEyBQcm9t ZXRoZXVzIENlcnRpZmljYXRlIEF1dGhvcml0eTEaMBgGA1UEAxMRUHJvbWV0aGV1 -cyBUTFMgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDXtUbZhHR2 -xElyGJ+BwcZh4hm4dh1OhlJ6g98H2rEOK6bBxeO5YZnthfCnHI6WYN270ylusUc6 -JVkuU/1PO7NLYsl1D4ZIrRKQBWfg88BYrDO38HUkrm4aohlpT0+f7SiA7eRl1Mb5 -x6fi5BAVE5wnQJTE8VPBU+lXJB+SfZEixu+o1PlxVAdMYPAu1Yijakr1lDuZex+/ -j/700mihSAcwOvJ/+p4u2WNj0CMvQWiV5+VBZYrfpRN4/201FoyWILIv3HLq5OKp -Bpl/TvJ4J8oG1Cbzjm52qLgUOvHkAJ0I04DxWWywHF0VRumwLSqae0xo+KPPijj7 -bdnCx+vy37PbFOghzKzSIbPuccfKivVpChgy9n0kkgQhm9cgFE5SBuO6jfRwto0g -drSOMIzyXELDG0h0nB2gsPUHjD/OD1DT0VsW/9xXOPBfVgtPFn5LoZ8ninAFmk2r -ZiRJhCXhh+Rlw2F/s2STP66RnUGVdfP2syV+UlgJlE7EPE8cDbyfQqg7FTflq+t+ -HgXFCAkJ4S34+/qCbGv3DlbnC1lq+FiVwexm1TcfL/lYfhPr/J6VoeFZw4bjTPNa -jUILpsXv6IQzgPfCBxeZC6dDkK1D0cEXAqRRYKEFxdLnMjBcUZlWUV9uTuk01fDc -58bmlHt5sEqhcdUqHrR5PdoWJVOSbFwYBwIDAQABo3QwcjAOBgNVHQ8BAf8EBAMC -AqQwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTG -mh4eYNPmKKXi3dSJIs18ivSv8zAfBgNVHSMEGDAWgBRJPrEOm2ZrMgr9AFTz9LZy -0fDNNjANBgkqhkiG9w0BAQsFAAOCAgEAoc0OImcyyKSbVK63QA8VmD2o9Xr7abxX -o+f+QXWDqKAlNDAuXLYBjHMCc9YFsxXa9XkuKZeIxzop4h9iGG+fxMVPTx3T0gTm -MAuHcPka10z4Gy6ZxLzDmxJPkJ46b1n0K2fsv9XshzsHERz3VavwHXbC5mBo1CwI -6xLLtTWMuJdoyt0261D7Dat1JAFIWm2j+kxGvyIP0gNtRsUKOFA22Tlt42sEYnXa -7wmY7b15rndG69Xg9ZiVI5Mb/10gDJQcym23PXRn+JEgssE+WcYhll8f/LRmD49v -ZlBBD1dVoc9JyrgT+An+2Z8lE6wCSPqWSwhzvBW4dyB/u7Jn23dlV1SwJR8x/IaW -j/DhCELNqD6cSlRK3yjE/a2/iK0F6pNrVgKDY+/9uwFxwkjIRwqfcFtT6YpZ33mg -kSdTTbYpeg3XkLYZayE3ntzEhooyQdrJR6YyFVwsgcBCkeLrEbC7y/AG1MQEdKsZ -i3q730vztGQBR1ymPwgbB6qzGOXhmnhJHnQjeP2CJWnzDeOh2Vs4CxLAQZJ/dhYd -qrbYPAT8FJkp2PvoJP8zpmD7a8QC+6Gr17kl9OupPQrIIfxCXYZKDdGOlkDSUC16 -6y0E1WZnI+LVbQB1M584lB2/8jU4xqMqUPfoIcbjkjih9nvVA6t547527MeeTvXT -0ig2QvMFWMw= +cyBUTFMgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQChEDFJ3zUp +9XB6Ln+TYjNjcRmKn8+h4pM+RLTlP1CtwAMn7LYeZNwhu/aRW/QEr7DIDVkZiWzY +S0J0JjjdfGZG+e89o7k+HHWHiBtf210q55FiKKGUwoDfTVHHgImZ7AOOZxG2brwa +KRV7qSocs/Qea05OjuqGeOrKA7jJpuH5u4ZRo82YtiwWUXSqXiVihZfQYTSVUDK4 +1w5iAsAFBi17XbIPvmGHKDNminixyWO0XTKeU9zQAcv+/0kmRpTJoM2oVKLhFX6u +LZdspxHCmCbMmbsbV6phKQpdK67CsbivuqLLBCBr/RPI3riWehaEF5WMj8Ji0DoO +PAVkE7+zHmIsDMpiYh5BEEO1ZwiqqnfOSpP6omLI70jIyoAuWpq6luQKX+CWm5sK +JAbne4iu9xoILGrB0bP2wF/6qCIbmQU92k5whVAUJmWA8P8hLv+huL5BzBZjbuTU +cRVf5fxr3J9po2XqBii3VekHR+PEGHkD1pp+Wog7QeIdiQOv745f0rTP0+iy1eWY +Qj8gceld68tLLw6vBzPDhNlBbdXIIktzW1W9pDhO+VBxUJqUHwtgytjseokHud/e +pNmd6+8l51vf0RGs52yuxLAr9CHJeVLWeZ26pg6XvpolyuFwtqrPU5W7CLO/Rvs2 +sCxyT/iXlCd4BEZFzeOT+rn0IY5ANYWPLQIDAQABo3QwcjAOBgNVHQ8BAf8EBAMC +AaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR/ +S3w0868pt/xMDAKKZDpMvnlzCjAfBgNVHSMEGDAWgBSC+WINPUpYSZoOZiplfO7z +pcjQSzANBgkqhkiG9w0BAQsFAAOCAgEAbqPq2gWPeV+dVYuKyqMyG2Y2jbCpPaib +gWNmrQQUxh8G8sqDkI94dq4w691CtycVwpKr0KAqi/dA/6TS5rNOmkpDBsJ9pCOc +7KUZAXJ/5W8Mr8VxaxH8YCDhIuQa1lvydRcGoMwEf08gLxEAZ96MSO0FVEiTLu6N +vAb69ZEmItY+7xW3wxAS6qbMlN2NtEO9knQtRdnjFy02aiyXotxXPuCrL2jFS2bb +lkHJ8J3ib3FmOOilBcXZX9PKk39JU7+56D5gZU2vtEqBJC6wXJHR3m02RMCS2kLm +Xjv2ArllddNL8J6f06tqwHBnX9f8+eXOxSy8zglIf31j2hB7DXxRjejPEvTrnCnz +f74lQKZiQDm6x+16q9UEgJhxHmPinwbGAqMjQ+JeLN3ono7m5UsqwSvuoTfkEdM/ +XORhnZ4oA9jRsCsq2R9/Izh+cMb9VfdRNNyZFLzYkfiol0Q/FpGOeeDdY8PddgUE +b0Bd/gMmllMKqGUTbVLbg2Bbcc6pxnD/70GIzhsO2nF7QD+B4ToU6tlbQE5y3lkv +Ai++jLF55nMnJrHAuwkL8dFBJf6nI+UqYhHY7727rTOVNuf3DYZJpvtjcyQubvBg +yzjMipCOeyoeV7WVbdAIrVkUe7uywTd1SQylQ+MRnoRoEPTuwYhAeh9WBV44elex +TODbpyk7l+8= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIFtDCCA5ygAwIBAgIRAMMSh5NoexSCjSvDRf1fpgEwDQYJKoZIhvcNAQELBQAw +MIIFtDCCA5ygAwIBAgIRAOSykfzsFL0kachzbNI8PrMwDQYJKoZIhvcNAQELBQAw ajELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQDExJQcm9tZXRo -ZXVzIFJvb3QgQ0EwIBcNMjIwNzA4MDkxNTA0WhgPMjA3MjA2MjUwOTE1MDRaMGox +ZXVzIFJvb3QgQ0EwIBcNMjMwODAzMDkzMTQyWhgPMjA3MzA3MjEwOTMxNDJaMGox CzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpQcm9tZXRoZXVzMSkwJwYDVQQLEyBQcm9t ZXRoZXVzIENlcnRpZmljYXRlIEF1dGhvcml0eTEbMBkGA1UEAxMSUHJvbWV0aGV1 -cyBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArkzRPi21 -E299vXw4FBbMfCXI258SxvvjRVRuKdAHLOBpEEqkYH6r6ScbZaisBFtIePv4ddKl -rmv+nDwN84/KS54OOtw1cWD4AnDB0kL3B0pWXjTS1F/u57hRLxM6Ta0UubKbta/h -WqSOR/fAA5sgcl+JbbR61QWVeYYXg9bM8YGTwQMeJod26tIUeX/Reo9BHuiW4jPb -pvVf7rsOs8E2cGwfYjZu6Zj2qcCxQ/ivCpopKFLNlaKko/KlGDGz9KxK5X3ik+sE -fPK9LzLC0k2RLGc3EmcMkdyqE3VNih9nV9SalAXN5yBdYaWWjJXykty7ilU32MBF -yO4myL48vif2K68pD/CFhG8YmIOud3woMm1IYS9xlsYKf7+f5CNlxqz+eSoOGhcG -dSDNft3h5nuq9J/qb2rIgWMSc2puFNRsx+fis0kS5GvjVadR0lxtArbrNm4S+F22 -EjGxeBF5VIWiu31uppbdASIw6DTKcrSVVoWxq+Fk3OOB+7q+rornosop9a/omXGH -0cTmgarjJtMqa0TEQiUPQPPnmpC1joeC7/kh7aks93wfHtY73uAVnTjLGTOwlr50 -CgRShcRoLLN049V93l46AFHU/4HWns8dqgdcdGnvIdUCFik916pKDSvEc/DfMLGh -H6w9Xlg4+2LgCyG2/FBEMTj+bLoraydzyaECAwEAAaNTMFEwDgYDVR0PAQH/BAQD -AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU -ST6xDptmazIK/QBU8/S2ctHwzTYwDQYJKoZIhvcNAQELBQADggIBAHM79R/uQwQX -vsBDfKyBXWFlrhHAgX8XAwMKHjstpQYCcJoiGLRJaMMjxj31T1tylqPdcxz88THN -uj9kVFYMo1GU5K9E9lq0LoWQBmX2R7/RgxWqB7FNS+S0xfGyeUb3YPVPI1yhtsKa -6mCtTuCVgsgs/hTa+umjtffxj7l+IQxD8Fq0RFBae+S0v5mjVC2sUVd6usqVt7F6 -LUVuYShyAI705guIV9nkz8ZyLzUBJnQAJ8g6DU+nLmdizigUG+JoD/hBbK2hvcjX -SL7JLAhYRI4kzWcYR0GUfDf2knFEWNhU8gCPnw70FHMD9QC3NKkQsPvyQRyJh99+ -ipwUFbGJJRYWjFBbUxlqZNqBg6+ylZNFGEnG42u2KvPXjgPdivlQWkrX6nG0ayyl -rYrvi0FawP3OBpCrhYhqsqkA2m+5L2Pl+J2SsDv4qmPB6fh7K0YDVB37AZSG+nfL -oXXpUtwfc9tR71S7GmgkcqYOkHfSzl7ecxXtE2xyl3zhkUPR9YcG+rQhXRRp0lxF -kR0EtGOGuvXMCQ/vBVPNEDS3jdceqIrIRI1yPUdhFkF7lrLsfFULllOt6qQWnhn2 -A2ObxHToohwuyri/v8QhqNI2Bg0jJHcAJi8I8taToAstCWrtn+WXyfj/QknAik47 -aOK9l5wSyyqPfkHybKvT6z9pqWUchJsz +cyBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvSVaPYcW +cJ1n0ugR6Ns2ITqbSiUTl2xkLAvyVOwVGaoEjYM+2NtJjg0Dr1hlT8I9rHeWcB4G +pC1Jj5wMbEP1hoUyxCxz6dbEplrdXu0GEd/leyGsAe+4qnIvvG+Ic4N5ndkNxEQo +xYBqD9kVtQi1iKlQDvCwvApu9LFp7PmFAzDjP/Kcz9U9PTtTCuuNy/GxiU6Ez9Z2 +JaaTi0ogoGumkTikgu3udFdny1n8XH9GSOysy8ndueE9AvGirpKP5UscSNsA+x7N +s2QZizVH6/w8K/wkPG3xxAMCp9nUZm9H6/dnQ6dpx7JENB/BQCJhr2J+3TEUaeZm +gtu9gSDzcvQtnjgtEUbkQBPGgnE/tJ+urFFBq5GhJo50+YkOt2e3B1kiD2+wCfqo +cN21UuxJuA3If5UrTB8R0Salnh6V/A3qWAqSYvm8eAKihmtOTg15X2DaeprnsK1P +lHzxegBf24B7u0390Am82h8EJTq6HQ/hSPK9kLfF3DRlaaoVWM2xW0/01zyTLNIw +u6oU8WEDpVDCMpv1gpR7j8gmKdHK5mceuNkjmVo/XL/PIMYQN0RbBcJtvdfsKD3d +EVIqV9T5PP7NpnCCNzTesfzjSOfmr6eIL/8pDb0CUQL3YU2jLjgcwiIAK5P9bEYW +Kn6WdM2Lih8iWU7UAKtIk447ddo6+h4mBpUCAwEAAaNTMFEwDgYDVR0PAQH/BAQD +AgGmMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU +gvliDT1KWEmaDmYqZXzu86XI0EswDQYJKoZIhvcNAQELBQADggIBACiHJUxeNiUJ +t2L9cfLLbWK3wqOpZ+totPhEilM0kqG3sP+Oh8mM9o83OrBFt7DLzxXXrvuGwsH7 +DIVXhctCL8gqO0AL67fJIJHL6Kl5NubMf3A//KlwPI4Qij5loQbYWyiXtnUvLScC +jWliTjhJZBZ9ztJ/FnJ/DMF+YlrET3ak3lQKHEQba5t9mXkT507ru8Wuyp1hb9GA +BU2ZbCkzXlkv8Jern+yffBOPcXUMSU4Qoi3eJDcYqSflB83vr3M3AM35+HzZPdBD +2HnTvCCZQwQqAKMpXeB16gVlOGi4HKx7fVPBmRmM4SAB+PgTa4LiAA/BRJq1yEAq +jTbzLYXBfAhciJyzH7UX7LoSmrHr2pDodI51HopFANfhvHu+YrxUhXgI6Kr59xaJ +uBDlCSlCjeNd4NiswbdlRZM6eO6ke1iwX7VHfNIJGGwRuALyaksFpxclrdAsi3/k +RCM2l7OL1FnXrgdD5laYgDCo5IxYh+0jDroJO2W0ppR99+rdWSqXeGzTZA6YDUJC +unypdNY7q3za05LAgvy0RDkB1MBRNCjpJuvBRhMW0snZU64Byv15wFkhtDzhaoaZ +aZRAOXZK6VgcVNkZ7HEPuVDGFVytKZpjiR9G45JXgSTWfLspT/LfWl7X4hbrpMpd +0KwX3b1IVRfk+mGGgiYNIIAJIqWTyC04 -----END CERTIFICATE----- diff --git a/config/testdata/tls-ca-no-root.pem b/config/testdata/tls-ca-no-root.pem new file mode 100644 index 00000000..f6dcdb02 --- /dev/null +++ b/config/testdata/tls-ca-no-root.pem @@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF1DCCA7ygAwIBAgIRAOSykfzsFL0kachzbNI8PrQwDQYJKoZIhvcNAQELBQAw +ajELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy +b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQDExJQcm9tZXRo +ZXVzIFJvb3QgQ0EwIBcNMjMwODAzMDkzMTQ0WhgPMjA3MzA3MjEwOTMxNDRaMGkx +CzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpQcm9tZXRoZXVzMSkwJwYDVQQLEyBQcm9t +ZXRoZXVzIENlcnRpZmljYXRlIEF1dGhvcml0eTEaMBgGA1UEAxMRUHJvbWV0aGV1 +cyBUTFMgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQChEDFJ3zUp +9XB6Ln+TYjNjcRmKn8+h4pM+RLTlP1CtwAMn7LYeZNwhu/aRW/QEr7DIDVkZiWzY +S0J0JjjdfGZG+e89o7k+HHWHiBtf210q55FiKKGUwoDfTVHHgImZ7AOOZxG2brwa +KRV7qSocs/Qea05OjuqGeOrKA7jJpuH5u4ZRo82YtiwWUXSqXiVihZfQYTSVUDK4 +1w5iAsAFBi17XbIPvmGHKDNminixyWO0XTKeU9zQAcv+/0kmRpTJoM2oVKLhFX6u +LZdspxHCmCbMmbsbV6phKQpdK67CsbivuqLLBCBr/RPI3riWehaEF5WMj8Ji0DoO +PAVkE7+zHmIsDMpiYh5BEEO1ZwiqqnfOSpP6omLI70jIyoAuWpq6luQKX+CWm5sK +JAbne4iu9xoILGrB0bP2wF/6qCIbmQU92k5whVAUJmWA8P8hLv+huL5BzBZjbuTU +cRVf5fxr3J9po2XqBii3VekHR+PEGHkD1pp+Wog7QeIdiQOv745f0rTP0+iy1eWY +Qj8gceld68tLLw6vBzPDhNlBbdXIIktzW1W9pDhO+VBxUJqUHwtgytjseokHud/e +pNmd6+8l51vf0RGs52yuxLAr9CHJeVLWeZ26pg6XvpolyuFwtqrPU5W7CLO/Rvs2 +sCxyT/iXlCd4BEZFzeOT+rn0IY5ANYWPLQIDAQABo3QwcjAOBgNVHQ8BAf8EBAMC +AaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR/ +S3w0868pt/xMDAKKZDpMvnlzCjAfBgNVHSMEGDAWgBSC+WINPUpYSZoOZiplfO7z +pcjQSzANBgkqhkiG9w0BAQsFAAOCAgEAbqPq2gWPeV+dVYuKyqMyG2Y2jbCpPaib +gWNmrQQUxh8G8sqDkI94dq4w691CtycVwpKr0KAqi/dA/6TS5rNOmkpDBsJ9pCOc +7KUZAXJ/5W8Mr8VxaxH8YCDhIuQa1lvydRcGoMwEf08gLxEAZ96MSO0FVEiTLu6N +vAb69ZEmItY+7xW3wxAS6qbMlN2NtEO9knQtRdnjFy02aiyXotxXPuCrL2jFS2bb +lkHJ8J3ib3FmOOilBcXZX9PKk39JU7+56D5gZU2vtEqBJC6wXJHR3m02RMCS2kLm +Xjv2ArllddNL8J6f06tqwHBnX9f8+eXOxSy8zglIf31j2hB7DXxRjejPEvTrnCnz +f74lQKZiQDm6x+16q9UEgJhxHmPinwbGAqMjQ+JeLN3ono7m5UsqwSvuoTfkEdM/ +XORhnZ4oA9jRsCsq2R9/Izh+cMb9VfdRNNyZFLzYkfiol0Q/FpGOeeDdY8PddgUE +b0Bd/gMmllMKqGUTbVLbg2Bbcc6pxnD/70GIzhsO2nF7QD+B4ToU6tlbQE5y3lkv +Ai++jLF55nMnJrHAuwkL8dFBJf6nI+UqYhHY7727rTOVNuf3DYZJpvtjcyQubvBg +yzjMipCOeyoeV7WVbdAIrVkUe7uywTd1SQylQ+MRnoRoEPTuwYhAeh9WBV44elex +TODbpyk7l+8= +-----END CERTIFICATE----- From 679b65a7e4ecd142676041b797542afc9f5e3e00 Mon Sep 17 00:00:00 2001 From: Ziqi Zhang Date: Thu, 3 Aug 2023 19:40:12 +1000 Subject: [PATCH 2/2] Add support to deprecated CRL functions for go1.18 Move and separate version-sensitive functionalities related to CRL into two go files within the config package so that it can build with the corresponding go version. Signed-off-by: Ziqi Zhang --- config/crl.go | 75 +++++++++++++++++++++++++++++++++++++ config/crl_deprecated.go | 76 ++++++++++++++++++++++++++++++++++++++ config/http_config.go | 41 ++------------------ config/http_config_test.go | 5 ++- 4 files changed, 157 insertions(+), 40 deletions(-) create mode 100644 config/crl.go create mode 100644 config/crl_deprecated.go diff --git a/config/crl.go b/config/crl.go new file mode 100644 index 00000000..52966840 --- /dev/null +++ b/config/crl.go @@ -0,0 +1,75 @@ +// Copyright 2016 The Prometheus Authors +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// This file is built for It provides functionalities to parse raw CRLs, +// check their validity and verify their signatures against provided +// certificates (CAs). It also allows checking the revocation status of the +// provided certificates. + +// It is built for Go versions after and include Go version 1.19 as there +// are new functionality related to CRL handling. + +//go:build go1.19 +// +build go1.19 + +package config + +import ( + "crypto/x509" + "encoding/pem" + "fmt" + "time" +) + +// Parse all CRLs and return a slice of valid CRLs. +func parseCRLs(rawCRL []byte, cAs []*x509.Certificate) ([]*x509.RevocationList, error) { + var crls []*x509.RevocationList + for p, r := pem.Decode(rawCRL); p != nil; p, r = pem.Decode(r) { + if p.Type != "X509 CRL" { + return nil, fmt.Errorf("unable to decode raw certificate revocation list") + } + crl, err := x509.ParseRevocationList(p.Bytes) + if err != nil { + return nil, err + } + + // Check CRL exipry status. + if crl.NextUpdate.Before(time.Now()) { + return nil, fmt.Errorf("certificate revocation list is outdated") + } + + // Check each CRL is signed by any CA, if not, ignore the CRL. + // Otherwise, append to the valid slice of CRL. + for _, ca := range cAs { + err = crl.CheckSignatureFrom(ca) + if err == nil { + crls = append(crls, crl) + break + } + } + } + return crls, nil +} + +func validRevocationStatus(cAs []*x509.Certificate, cRLs []*x509.RevocationList) error { + for _, cert := range cAs { + for _, crl := range cRLs { + for _, revokedCertificate := range crl.RevokedCertificates { + if revokedCertificate.SerialNumber.Cmp(cert.SerialNumber) == 0 { + return fmt.Errorf("certificate was revoked") + } + } + } + } + return nil +} diff --git a/config/crl_deprecated.go b/config/crl_deprecated.go new file mode 100644 index 00000000..ffa6e483 --- /dev/null +++ b/config/crl_deprecated.go @@ -0,0 +1,76 @@ +// Copyright 2016 The Prometheus Authors +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// This file is built for It provides functionalities to parse raw CRLs, +// check their validity and verify their signatures against provided +// certificates (CAs). It also allows checking the revocation status of the +// provided certificates. + +// It is built for Go versions before 1.19 as there are deprecated +// functionality related to CRL handling. + +//go:build !go1.19 +// +build !go1.19 + +package config + +import ( + "crypto/x509" + "crypto/x509/pkix" + "encoding/pem" + "fmt" + "time" +) + +// Parse all CRLs and return a slice of valid CRLs. +func parseCRLs(rawCRL []byte, cAs []*x509.Certificate) ([]*pkix.CertificateList, error) { + var crls []*pkix.CertificateList + for p, r := pem.Decode(rawCRL); p != nil; p, r = pem.Decode(r) { + if p.Type != "X509 CRL" { + return nil, fmt.Errorf("unable to decode raw certificate revocation list") + } + crl, err := x509.ParseCRL(p.Bytes) + if err != nil { + return nil, err + } + + // Check CRL exipry status. + if crl.TBSCertList.NextUpdate.Before(time.Now()) { + return nil, fmt.Errorf("certificate revocation list is outdated") + } + + // Check each CRL is signed by any CA, if not, ignore the CRL. + // Otherwise, append to the valid slice of CRL. + for _, ca := range cAs { + err = ca.CheckCRLSignature(crl) + if err == nil { + crls = append(crls, crl) + break + } + } + } + return crls, nil +} + +func validRevocationStatus(cAs []*x509.Certificate, cRLs []*pkix.CertificateList) error { + for _, cert := range cAs { + for _, crl := range cRLs { + for _, revokedCertificate := range crl.TBSCertList.RevokedCertificates { + if revokedCertificate.SerialNumber.Cmp(cert.SerialNumber) == 0 { + return fmt.Errorf("certificate was revoked") + } + } + } + } + return nil +} diff --git a/config/http_config.go b/config/http_config.go index c632f9e3..65977710 100644 --- a/config/http_config.go +++ b/config/http_config.go @@ -1356,49 +1356,14 @@ func (c *TLSConfig) verifyPeerCertificate(rawCerts [][]byte, verifiedChains [][] // against valid CRLs. cAs = append(cAs, verifiedChains[0][0]) - for _, cert := range cAs { - for _, crl := range crlsList { - for _, revokedCertificate := range crl.RevokedCertificates { - if revokedCertificate.SerialNumber.Cmp(cert.SerialNumber) == 0 { - return fmt.Errorf("certificate was revoked") - } - } - } + err = validRevocationStatus(cAs, crlsList) + if err != nil { + return err } return nil } -// Parse all CRLs and return a slice of valid CRLs. -func parseCRLs(rawCRL []byte, cAs []*x509.Certificate) ([]*x509.RevocationList, error) { - var crls []*x509.RevocationList - for p, r := pem.Decode(rawCRL); p != nil; p, r = pem.Decode(r) { - if p.Type != "X509 CRL" { - return nil, fmt.Errorf("unable to decode raw certificate revocation list") - } - crl, err := x509.ParseRevocationList(p.Bytes) - if err != nil { - return nil, err - } - - // Check CRL exipry status. - if crl.NextUpdate.Before(time.Now()) { - return nil, fmt.Errorf("certificate revocation list is outdated") - } - - // Check each CRL is signed by any CA, if not, ignore the CRL. - // Otherwise, append to the valid slice of CRL. - for _, ca := range cAs { - err = crl.CheckSignatureFrom(ca) - if err == nil { - crls = append(crls, crl) - break - } - } - } - return crls, nil -} - // Parse raw certificates with padding structure. func parseCerts(rawCerts []byte) ([]*x509.Certificate, error) { var certList []*x509.Certificate diff --git a/config/http_config_test.go b/config/http_config_test.go index 5ee94f3d..efcfe6ba 100644 --- a/config/http_config_test.go +++ b/config/http_config_test.go @@ -2139,7 +2139,7 @@ func TestNewClientFromRevokedCertConfig(t *testing.T) { handler: func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, ExpectedMessage) }, - }, { // Full chain of CA and the single root CA revoke the intermediate CA certificate. + }, { // Full chain of CA and CRL, the single root CA revoke the intermediate CA certificate. clientConfig: HTTPClientConfig{ TLSConfig: TLSConfig{ CAFile: TLSCAChainPath, @@ -2152,7 +2152,8 @@ func TestNewClientFromRevokedCertConfig(t *testing.T) { handler: func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, ExpectedMessage) }, - }, { // Missing root in the CA Chain and the full chain of CRLs, the Intermediate CA revoke the peer certificate. + }, { // Missing root in the CA Chain and the full chain of CRLs, + // the Intermediate CA revoke the peer certificate. clientConfig: HTTPClientConfig{ TLSConfig: TLSConfig{ CAFile: TLSCACHainNoRootPath,