refresh all test certificates and fix incorrect handling of x509 inte…

…rmediary certs in sectestdatga (#424)
vanadium · Oct 8, 2024 · 382bdd5 · 382bdd5
1 parent c855371
commit 382bdd5
Show file tree

Hide file tree

Showing 53 changed files with 756 additions and 725 deletions.
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
@@ -10,7 +10,7 @@ jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.19.x, 1.22.x]
+        go-version: [1.22.x]
         os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
     steps:

diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
@@ -10,7 +10,7 @@ jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.18.x, 1.22.x]
+        go-version: [1.22.x]
         # add macos-12 when runners are available on github.
         os: [macos-11]
     runs-on: ${{ matrix.os }}

diff --git a/v23/security/x509_test.go b/v23/security/x509_test.go
@@ -312,7 +312,7 @@ func TestX509Errors(t *testing.T) {
 
 		names, rejected = security.RemoteBlessingNames(ctx, call)
 		validate("x509: certificate signed by unknown authority",
-			"x509: “(STAGING) Pretend Pear X1” certificate is not trusted")
+			"certificate is not trusted")
 
 		// No custom options.
 		client = newPrincipalWithX509Opts(ctx, t, clientKey, x509.VerifyOptions{})
@@ -325,7 +325,7 @@ func TestX509Errors(t *testing.T) {
 		names, rejected = security.RemoteBlessingNames(ctx, call)
 		validate("x509: certificate has expired or is not yet valid",
 			"x509: certificate signed by unknown authority",
-			`x509: “(STAGING) Pretend Pear X1” certificate is not trusted`,
+			`certificate is not trusted`,
 			`x509: “www.labdrive.io” certificate is not trusted`,
 		)
 

diff --git a/x/ref/cmd/principal/internal/scripting/scripting_test.go b/x/ref/cmd/principal/internal/scripting/scripting_test.go
@@ -159,8 +159,8 @@ func TestExistingKeys(t *testing.T) {
 	}{
 		{
 			sectestdata.X509PrivateKeyBytes(keys.ED25519, sectestdata.X509Private),
-			"95:ba:85:d9:7d:bc:27:36:99:d7:cb:ce:eb:d9:49:34",
-			// generated using: openssl pkey -in ../../test/sectestdata/testdata/ed25519.vanadium.io.key -pubout -outform der | openssl md5 -c
+			"f4:00:25:2d:6f:d8:4d:2a:e5:43:aa:52:cf:7c:5c:42",
+			// generated using: openssl pkey -in ../../../../test/sectestdata/testdata/ed25519.vanadium.io.key -pubout -outform der | openssl md5 -c
 		},
 		{
 			sectestdata.SSHPrivateKeyBytes(keys.ECDSA256, sectestdata.SSHKeyPrivate),

diff --git a/x/ref/lib/security/blessingroots_test.go b/x/ref/lib/security/blessingroots_test.go
@@ -247,7 +247,7 @@ func TestBlessingRootsX509(t *testing.T) {
 			"x509: certificate signed by unknown authority",
 			"x509: certificate has expired or is not yet valid",
 			"x509: “www.labdrive.io” certificate is not trusted",
-			"x509: “(STAGING) Pretend Pear X1” certificate is not trusted") {
+			"certificate is not trusted") {
 			t.Errorf("%v: %v: %v: missing or wrong error: %v", i, tc.certType, tc.pattern, err)
 		}
 	}

diff --git a/x/ref/lib/security/keys/x509keys/x509keys_test.go b/x/ref/lib/security/keys/x509keys/x509keys_test.go
@@ -131,7 +131,7 @@ func TestLetsEncryptKeys(t *testing.T) {
 
 	for _, certname := range []string{
 		"www.labdrive.io.letsencrypt",
-		"letsencrypt-stg-int-e1.pem",
+		sectestdata.LetsEncryptStagingRootECDSA,
 	} {
 		filename := filepath.Join(letsencryptDir, certname)
 		data, err := os.ReadFile(filename)

diff --git a/x/ref/test/sectestdata/letsencrypt.go b/x/ref/test/sectestdata/letsencrypt.go
@@ -13,34 +13,34 @@ import (
 )
 
 const (
-	letsEncryptStagingE1 = "letsencrypt-stg-int-e1.pem"
-	letsEncryptStagingR3 = "letsencrypt-stg-int-r3.pem"
+	LetsEncryptStagingRootRSA   = "letsencrypt-stg-root-x1.pem"
+	LetsEncryptStagingRootECDSA = "letsencrypt-stg-root-x2.pem"
 )
 
-//go:embed testdata/letsencrypt-stg-int-e1.pem testdata/www.labdrive.io.letsencrypt testdata/www.labdrive.io.letsencrypt.key testdata/www.labdrive.io.letsencrypt.fingerprint testdata/letsencrypt-stg-int-e1.pem.fingerprint
+//go:embed testdata/letsencrypt-stg-root-x1.pem testdata/letsencrypt-stg-root-x2.pem testdata/www.labdrive.io.letsencrypt testdata/www.labdrive.io.letsencrypt.key testdata/www.labdrive.io.letsencrypt.fingerprint testdata/letsencrypt-stg-root-x1.pem.fingerprint testdata/letsencrypt-stg-root-x2.pem.fingerprint
 var letsEncryptSingleHostFS embed.FS
 
-//go:embed testdata/letsencrypt-stg-int-e1.pem testdata/abc.labdrive.io.letsencrypt testdata/abc.labdrive.io.letsencrypt.key testdata/abc.labdrive.io.letsencrypt.fingerprint testdata/letsencrypt-stg-int-e1.pem.fingerprint
+//go:embed testdata/letsencrypt-stg-root-x1.pem testdata/letsencrypt-stg-root-x2.pem testdata/abc.labdrive.io.letsencrypt testdata/abc.labdrive.io.letsencrypt.key testdata/abc.labdrive.io.letsencrypt.fingerprint testdata/letsencrypt-stg-root-x1.pem.fingerprint testdata/letsencrypt-stg-root-x2.pem.fingerprint
 var letsEncryptMultiHostFS embed.FS
 
-//go:embed testdata/letsencrypt-stg-int-r3.pem testdata/star.labdrive.io.letsencrypt testdata/star.labdrive.io.letsencrypt.key testdata/star.labdrive.io.letsencrypt.fingerprint testdata/letsencrypt-stg-int-r3.pem.fingerprint
+//go:embed testdata/letsencrypt-stg-root-x1.pem testdata/letsencrypt-stg-root-x2.pem testdata/star.labdrive.io.letsencrypt testdata/star.labdrive.io.letsencrypt.key testdata/star.labdrive.io.letsencrypt.fingerprint testdata/letsencrypt-stg-root-x1.pem.fingerprint testdata/letsencrypt-stg-root-x2.pem.fingerprint
 var letsEncryptWildcardFS embed.FS
 
-//go:embed testdata/letsencrypt-stg-int-r3.pem testdata/ab-star.labdrive.io.letsencrypt testdata/ab-star.labdrive.io.letsencrypt.key testdata/ab-star.labdrive.io.letsencrypt.fingerprint  testdata/letsencrypt-stg-int-r3.pem.fingerprint
+//go:embed testdata/letsencrypt-stg-root-x1.pem testdata/letsencrypt-stg-root-x2.pem testdata/ab-star.labdrive.io.letsencrypt testdata/ab-star.labdrive.io.letsencrypt.key testdata/ab-star.labdrive.io.letsencrypt.fingerprint testdata/letsencrypt-stg-root-x1.pem.fingerprint testdata/letsencrypt-stg-root-x2.pem.fingerprint
 var letsEncryptMultipleWildcardFS embed.FS
 
 // CertType specifies the type of cert to be used.
 type CertType int
 
 // Supported cert types are below.
 const (
-	// SingleHostCert refers to a cert and key for www.labdrive.io
+	// SingleHostCert refers to a cert and key for www.labdrive.io (ECDSA)
 	SingleHostCert CertType = iota
-	// MultipleHostsCert refers to a cert and key for {a,b,c}.labdrive.io
+	// MultipleHostsCert refers to a cert and key for {a,b,c}.labdrive.io (ECDSA)
 	MultipleHostsCert
-	// WildcardCert refers to a cert and key for *.labdrive.io
+	// WildcardCert refers to a cert and key for *.labdrive.io (RSA)
 	WildcardCert
-	// Cert with multiple wildcard domains for *.labdrive.io and *.labdr.io
+	// Cert with multiple wildcard domains for *.labdrive.io and *.labdr.io (RSA)
 	MultipleWildcardCert
 )
 
@@ -64,39 +64,43 @@ func (c CertType) String() string {
 func LetsEncryptData(certType CertType) (crypto.PrivateKey, []*x509.Certificate, x509.VerifyOptions) {
 	switch certType {
 	case SingleHostCert:
-		return letsEncryptData(letsEncryptSingleHostFS, "www.labdrive.io.letsencrypt.key", "www.labdrive.io.letsencrypt", letsEncryptStagingE1)
+		return letsEncryptData(letsEncryptSingleHostFS, "www.labdrive.io.letsencrypt.key", "www.labdrive.io.letsencrypt")
 	case MultipleHostsCert:
-		return letsEncryptData(letsEncryptMultiHostFS, "abc.labdrive.io.letsencrypt.key", "abc.labdrive.io.letsencrypt", letsEncryptStagingE1)
+		return letsEncryptData(letsEncryptMultiHostFS, "abc.labdrive.io.letsencrypt.key", "abc.labdrive.io.letsencrypt")
 	case WildcardCert:
-		return letsEncryptData(letsEncryptWildcardFS, "star.labdrive.io.letsencrypt.key", "star.labdrive.io.letsencrypt", letsEncryptStagingR3)
+		return letsEncryptData(letsEncryptWildcardFS, "star.labdrive.io.letsencrypt.key", "star.labdrive.io.letsencrypt")
 	case MultipleWildcardCert:
-		return letsEncryptData(letsEncryptMultipleWildcardFS, "ab-star.labdrive.io.letsencrypt.key", "ab-star.labdrive.io.letsencrypt", letsEncryptStagingR3)
+		return letsEncryptData(letsEncryptMultipleWildcardFS, "ab-star.labdrive.io.letsencrypt.key", "ab-star.labdrive.io.letsencrypt")
 	default:
 		panic(fmt.Sprintf("unsupported cert type: %v", certType))
 	}
 }
 
-func loadCertSet(keyBytes, certByes, caBytes []byte) (crypto.PrivateKey, []*x509.Certificate, x509.VerifyOptions) {
+func loadCertSet(keyBytes, certByes []byte, roots [][]byte) (crypto.PrivateKey, []*x509.Certificate, x509.VerifyOptions) {
 	key, err := loadPrivateKey(keyBytes)
 	if err != nil {
 		panic(err)
 	}
-	certs, err := loadCerts(certByes)
+	certs, pemBytes, err := loadCerts(certByes)
 	if err != nil {
 		panic(err)
 	}
-	opts, err := loadCA(certs[0], caBytes)
+	opts, err := loadCA(certs[0], pemBytes, roots)
 	if err != nil {
 		panic(err)
 	}
 	return key, certs, opts
 }
 
-func letsEncryptData(fs embed.FS, key, cert, ca string) (crypto.PrivateKey, []*x509.Certificate, x509.VerifyOptions) {
+func letsEncryptData(fs embed.FS, key, cert string) (crypto.PrivateKey, []*x509.Certificate, x509.VerifyOptions) {
+	roots := [][]byte{
+		mustBytesFromFS(fs, "testdata", LetsEncryptStagingRootRSA),
+		mustBytesFromFS(fs, "testdata", LetsEncryptStagingRootECDSA),
+	}
 	return loadCertSet(
 		mustBytesFromFS(fs, "testdata", key),
 		mustBytesFromFS(fs, "testdata", cert),
-		mustBytesFromFS(fs, "testdata", ca),
+		roots,
 	)
 }
 

diff --git a/x/ref/test/sectestdata/ssl.go b/x/ref/test/sectestdata/ssl.go
@@ -36,25 +36,27 @@ const (
 func VanadiumSSLData() (map[string]crypto.PrivateKey, map[string]*x509.Certificate, x509.VerifyOptions) {
 	keys := map[string]crypto.PrivateKey{}
 	certs := map[string]*x509.Certificate{}
+	var intermediates [][]byte
 	for _, typ := range SupportedKeyAlgos {
 		host := typ.String()
 		k, err := loadPrivateKey(fileContents(vanadiumSSLKeys, host+".vanadium.io.key"))
 		if err != nil {
 			panic(err)
 		}
-		c, err := loadCerts(fileContents(vanadiumSSLCerts, host+".vanadium.io.crt"))
+		c, intermediate, err := loadCerts(fileContents(vanadiumSSLCerts, host+".vanadium.io.crt"))
 		if err != nil {
 			panic(err)
 		}
 		keys[host] = k
 		certs[host] = c[0]
+		intermediates = append(intermediates, intermediate...)
 	}
 	var cert *x509.Certificate
 	for _, c := range certs {
 		cert = c
 		break
 	}
-	opts, err := loadCA(cert, vanadiumSSLCA)
+	opts, err := loadCA(cert, intermediates, [][]byte{vanadiumSSLCA})
 	if err != nil {
 		panic(err)
 	}
@@ -63,27 +65,27 @@ func VanadiumSSLData() (map[string]crypto.PrivateKey, map[string]*x509.Certifica
 
 func X509VerifyOptions(typ keys.CryptoAlgo) x509.VerifyOptions {
 	host := typ.String()
-	cert, err := loadCerts(fileContents(vanadiumSSLCerts, host+".vanadium.io.crt"))
+	cert, intermediates, err := loadCerts(fileContents(vanadiumSSLCerts, host+".vanadium.io.crt"))
 	if err != nil {
 		panic(err)
 	}
-	opts, err := loadCA(cert[0], vanadiumSSLCA)
+	opts, err := loadCA(cert[0], intermediates, [][]byte{vanadiumSSLCA})
 	if err != nil {
 		panic(err)
 	}
 	return opts
 }
 
 func X509Certificate(typ keys.CryptoAlgo) *x509.Certificate {
-	cert, err := loadCerts(fileContents(vanadiumSSLCerts, typ.String()+".vanadium.io.crt"))
+	cert, _, err := loadCerts(fileContents(vanadiumSSLCerts, typ.String()+".vanadium.io.crt"))
 	if err != nil {
 		panic(err)
 	}
 	return cert[0]
 }
 
 func X509PublicKey(typ keys.CryptoAlgo) crypto.PublicKey {
-	cert, err := loadCerts(fileContents(vanadiumSSLCerts, typ.String()+".vanadium.io.crt"))
+	cert, _, err := loadCerts(fileContents(vanadiumSSLCerts, typ.String()+".vanadium.io.crt"))
 	if err != nil {
 		panic(err)
 	}

diff --git a/x/ref/test/sectestdata/testdata/ab-star.labdrive.io.letsencrypt b/x/ref/test/sectestdata/testdata/ab-star.labdrive.io.letsencrypt
@@ -1,61 +1,61 @@
 -----BEGIN CERTIFICATE-----
-MIIFJzCCBA+gAwIBAgISK4tDCLyGrmZDyx7pFsm1m0ctMA0GCSqGSIb3DQEBCwUA
-MFkxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExcoU1RBR0lORykgTGV0J3MgRW5jcnlw
-dDEoMCYGA1UEAxMfKFNUQUdJTkcpIEFydGlmaWNpYWwgQXByaWNvdCBSMzAeFw0y
-NDAzMjEwMDM0MzhaFw0yNDA2MTkwMDM0MzdaMBUxEzARBgNVBAMMCioubGFiZHIu
-aW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJscS18UNeVsZGP/OE
-kNN0q/6LVVFs3EiG2SHPm6UTJmvHwR/KW1T6KTrMOd8VilMZ5mwJEx81MuBIrjyE
-ecfIOW3FU6t02embguXdZkBqokfXtH5OukKmCNXFIZr/alrEy9HSAr2A6KJnJARy
-jkFMtqzD+DVTiGUVDalo2UjQNeCxiNxHxw2B9f2kr/q2W8yyrE1mBRLJHW59SEeJ
-58XESX+hhE/pK/b/LCoesCOyfGlLt38jj/endta3pkx2RhKvFD9TQsL+f1f2D2NM
-JumsNlmU1nrti2JklTYrlpZrjDXWuQLQO1v7T7w8rJQkl9EOs5UURea+P5ghjbAy
-BEp7AgMBAAGjggIrMIICJzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYB
-BQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFJ+MxSFfnYlB
-ekZ6mUzIRvCGHqe6MB8GA1UdIwQYMBaAFN5yekjfMcOmUN+fhSPfVzdLXS5lMF0G
-CCsGAQUFBwEBBFEwTzAlBggrBgEFBQcwAYYZaHR0cDovL3N0Zy1yMy5vLmxlbmNy
-Lm9yZzAmBggrBgEFBQcwAoYaaHR0cDovL3N0Zy1yMy5pLmxlbmNyLm9yZy8wJAYD
-VR0RBB0wG4IKKi5sYWJkci5pb4INKi5sYWJkcml2ZS5pbzATBgNVHSAEDDAKMAgG
-BmeBDAECATCCAQwGCisGAQQB1nkCBAIEgf0EgfoA+AB3AIUbro7uM8G5hz/EnHp8
-J2VmO2uAYwMECuymwRGlq+nXAAABjl6lWcIAAAQDAEgwRgIhANEyOdY8DnWEh59w
-MNSK4H1bsd/SwLjWi2zjykXVo7qzAiEAlxztvbFBbrh6MpsW6+pda6G+2+Iv3iFK
-QqNB2r1ikcAAfQDtMMiT+i92YhDL3PIHGM9+RFadSi3Z64i16N7awTUDmQAAAY5e
-pVyFAAgAAAUAEQnkKAQDAEYwRAIgafbzyVxjmCAj4lZStYT713aZHi/GzdKlepJO
-kEY9gDYCICoaQht0wvk3BBMujqHoDlh2L1I3TA0FICUTsQCbKLgDMA0GCSqGSIb3
-DQEBCwUAA4IBAQCcCjoOigX9As4Y0+pQcNYSCibB07422HmWWKwsN2qH73QLOSYU
-A1ZIgfQow9L2YIaTQoVS754VQHNERLCO6gIaGw0RxlwqwjTFZTlhJeIWf3/3yQNg
-Hbev5afoyocaXkEvv4Dfe8jepHkgbWNceNgVeWyAeJq5pztqtnWoiNz/K52q96cg
-LclIdLeijy+/r6F00LdlJuJN/3tGIIJVGQxbNyCPu1+IpYJskYQ9qkDx9ol4Icno
-pxG+NYXUwavYIV4Iop9vji2vitREPlLsI913T8i1M1uNdMIx7V0Rhmmkp7kqK6br
-9zQkCOS0aa1P93xzY/Ib1p1X4o+SQL+YA4q8
+MIIFKTCCBBGgAwIBAgISK42EMd4uHQzLN+397r4qFhsfMA0GCSqGSIb3DQEBCwUA
+MFoxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExcoU1RBR0lORykgTGV0J3MgRW5jcnlw
+dDEpMCcGA1UEAxMgKFNUQUdJTkcpIFdhbm5hYmUgV2F0ZXJjcmVzcyBSMTEwHhcN
+MjQxMDA3MjAyMzM2WhcNMjUwMTA1MjAyMzM1WjAVMRMwEQYDVQQDDAoqLmxhYmRy
+LmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA12pq5BaOL3sORhDc
+1AbC64f6v1uhRw7j1qH0NvLc2iYgXzgolj2Kg+6oXQzLGlNt2xxidwGC59dbi7uX
+jcknrUwIH5HvWdFiEiwUbi7Y7R1SECez1OlN7Lw3m/aD9CCFeMQUq78BHVvRZtsD
+4UCbHUgXZw7Ru1yva7K/clpSk4IzESDnxLUv75EcdFvuRRlRu4RDv8DhfFPSR8Gy
+Uf2lnsoGEm/DtI2vyBCeJMJMu5t2TUaJcEqfkMeM9xkVJp302lWy/+vmcjs/hERe
+CpGUzV+Yaj4AHCl3+Rci93Br5S6ClwwW3PQrEEbDh/y68g4DE8qGL7qHHua+iQPP
+4lq+9wIDAQABo4ICLDCCAigwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsG
+AQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQcxFXxmHK2
+L8uqgOE+FzqKoOXpejAfBgNVHSMEGDAWgBQTy9f2rp38aUJk1lx8I8yF+UfHtjBf
+BggrBgEFBQcBAQRTMFEwJgYIKwYBBQUHMAGGGmh0dHA6Ly9zdGctcjExLm8ubGVu
+Y3Iub3JnMCcGCCsGAQUFBzAChhtodHRwOi8vc3RnLXIxMS5pLmxlbmNyLm9yZy8w
+JAYDVR0RBB0wG4IKKi5sYWJkci5pb4INKi5sYWJkcml2ZS5pbzATBgNVHSAEDDAK
+MAgGBmeBDAECATCCAQsGCisGAQQB1nkCBAIEgfwEgfkA9wB1ALDMg+Wl+X1rr3wJ
+zChJBIcqx+iLEyxjULfG/SbhbGx3AAABkmjcYskAAAQDAEYwRAIgHsJpiVvA8qvT
+26dxetby1OgahuZwJ+lQ8OB+UYnO3nQCIBc4X4D5PT+HwZv0XY7vgqpwl4R5TWGE
+M5U1Yn61w6upAH4ACcqE9Qr4S0I/k8n/aw7Zb50vFLK8N6VTDklIYnKaIrUAAAGS
+aNxsywAIAAAFAAL5B5kEAwBHMEUCIQDaZx+liOWYqse1jQDzo3Wnn0ebT2C4gtbF
+Rug8xhZ9kAIgZgPaWBpnbzhgTK0jbJcH4fpriA5NpPQHHvQcufApezMwDQYJKoZI
+hvcNAQELBQADggEBAHOelhuoGzbzSs3HP5liyPxzRp6LGF7ylDaLRr1oGi2SYgFo
+S/GwR9LE3ArYyaz2/6YEcoG7Hq4gECdHwrNwyTmnyCdIwRBJfrdMG7cZS+BfxHLt
+HlJwJ3c3z/sFRAe7qux4HaLs8lfpl7FKyReyjFxNfkB5E7YBW7bPExkUs1Rp88jl
+anTby7QGaOo+F6gE18KBtFTru3GQIQSwznKjVk7osuDryGuj5DmM9PrtRi9K3HvO
+tZPqvXAHeX83RjlrVAO0mLc1tUugHFhB4fbAcIHGLfZGQe88KoYi256GEhTymRxy
+iqIaoA1nsKcvyte7Otp6Mv3+j9ioUtIbBSMy5Tw=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIFWzCCA0OgAwIBAgIQTfQrldHumzpMLrM7jRBd1jANBgkqhkiG9w0BAQsFADBm
-MQswCQYDVQQGEwJVUzEzMDEGA1UEChMqKFNUQUdJTkcpIEludGVybmV0IFNlY3Vy
-aXR5IFJlc2VhcmNoIEdyb3VwMSIwIAYDVQQDExkoU1RBR0lORykgUHJldGVuZCBQ
-ZWFyIFgxMB4XDTIwMDkwNDAwMDAwMFoXDTI1MDkxNTE2MDAwMFowWTELMAkGA1UE
-BhMCVVMxIDAeBgNVBAoTFyhTVEFHSU5HKSBMZXQncyBFbmNyeXB0MSgwJgYDVQQD
-Ex8oU1RBR0lORykgQXJ0aWZpY2lhbCBBcHJpY290IFIzMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEAu6TR8+74b46mOE1FUwBrvxzEYLck3iasmKrcQkb+
-gy/z9Jy7QNIAl0B9pVKp4YU76JwxF5DOZZhi7vK7SbCkK6FbHlyU5BiDYIxbbfvO
-L/jVGqdsSjNaJQTg3C3XrJja/HA4WCFEMVoT2wDZm8ABC1N+IQe7Q6FEqc8NwmTS
-nmmRQm4TQvr06DP+zgFK/MNubxWWDSbSKKTH5im5j2fZfg+j/tM1bGaczFWw8/lS
-nukyn5J2L+NJYnclzkXoh9nMFnyPmVbfyDPOc4Y25aTzVoeBKXa/cZ5MM+WddjdL
-biWvm19f1sYn1aRaAIrkppv7kkn83vcth8XCG39qC2ZvaQIDAQABo4IBEDCCAQww
-DgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAS
-BgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBTecnpI3zHDplDfn4Uj31c3S10u
-ZTAfBgNVHSMEGDAWgBS182Xy/rAKkh/7PH3zRKCsYyXDFDA2BggrBgEFBQcBAQQq
-MCgwJgYIKwYBBQUHMAKGGmh0dHA6Ly9zdGcteDEuaS5sZW5jci5vcmcvMCsGA1Ud
-HwQkMCIwIKAeoByGGmh0dHA6Ly9zdGcteDEuYy5sZW5jci5vcmcvMCIGA1UdIAQb
-MBkwCAYGZ4EMAQIBMA0GCysGAQQBgt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCN
-DLam9yN0EFxxn/3p+ruWO6n/9goCAM5PT6cC6fkjMs4uas6UGXJjr5j7PoTQf3C1
-vuxiIGRJC6qxV7yc6U0X+w0Mj85sHI5DnQVWN5+D1er7mp13JJA0xbAbHa3Rlczn
-y2Q82XKui8WHuWra0gb2KLpfboYj1Ghgkhr3gau83pC/WQ8HfkwcvSwhIYqTqxoZ
-Uq8HIf3M82qS9aKOZE0CEmSyR1zZqQxJUT7emOUapkUN9poJ9zGc+FgRZvdro0XB
-yphWXDaqMYph0DxW/10ig5j4xmmNDjCRmqIKsKoWA52wBTKKXK1na2ty/lW5dhtA
-xkz5rVZFd4sgS4J0O+zm6d5GRkWsNJ4knotGXl8vtS3X40KXeb3A5+/3p0qaD215
-Xq8oSNORfB2oI1kQuyEAJ5xvPTdfwRlyRG3lFYodrRg6poUBD/8fNTXMtzydpRgy
-zUQZh/18F6B/iW6cbiRN9r2Hkh05Om+q0/6w0DdZe+8YrNpfhSObr/1eVZbKGMIY
-qKmyZbBNu5ysENIK5MPc14mUeKmFjpN840VR5zunoU52lqpLDua/qIM8idk86xGW
-xx2ml43DO/Ya/tVZVok0mO0TUjzJIfPqyvr455IsIut4RlCR9Iq0EDTve2/ZwCuG
-hSjpTUFGSiQrR2JK2Evp+o6AETUkBCO1aw0PpQBPDQ==
+MIIFTTCCAzWgAwIBAgIRAOOuDiVgQFyATegPOxfOa5IwDQYJKoZIhvcNAQELBQAw
+ZjELMAkGA1UEBhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1
+cml0eSBSZXNlYXJjaCBHcm91cDEiMCAGA1UEAxMZKFNUQUdJTkcpIFByZXRlbmQg
+UGVhciBYMTAeFw0yNDAzMTMwMDAwMDBaFw0yNzAzMTIyMzU5NTlaMFoxCzAJBgNV
+BAYTAlVTMSAwHgYDVQQKExcoU1RBR0lORykgTGV0J3MgRW5jcnlwdDEpMCcGA1UE
+AxMgKFNUQUdJTkcpIFdhbm5hYmUgV2F0ZXJjcmVzcyBSMTEwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCVYHwe2gxMv9Jh/d1BgocW3am5E/iBOrLkyENg
+RqLmVl6vNRXgoKpPjtP40Mv17Z2LlYhRsneaK9gdSNmNTxJlY8viqs9dk4XwKJxD
+Pfl/vJBW4M/nJzFwS30qu7VF8jSfyF82Q7KkLl5NxJ39Y5yvQFzHjL3YCO8coMG5
+v72DDgWzc+9wk2ncoXiB3/3mVg4RtD1w1xPpdjtSh5keB7jqgnD2/I75OLBzamy6
+NL9nguaEc8cX8CdnpoCCQI8/Fz9qhPtJjP+O/RHCugWVkSptuCRra8tcnJTGHRiN
+r/GyYsHZZ4jZ76hbJjxapwf24E8RAVzuMRsw/nS6/hUJ8lqPAgMBAAGjggEAMIH9
+MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEw
+EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUE8vX9q6d/GlCZNZcfCPMhflH
+x7YwHwYDVR0jBBgwFoAUtfNl8v6wCpIf+zx980SgrGMlwxQwNgYIKwYBBQUHAQEE
+KjAoMCYGCCsGAQUFBzAChhpodHRwOi8vc3RnLXgxLmkubGVuY3Iub3JnLzATBgNV
+HSAEDDAKMAgGBmeBDAECATArBgNVHR8EJDAiMCCgHqAchhpodHRwOi8vc3RnLXgx
+LmMubGVuY3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAeD9pt5sWtXEQyF94RMzo
+lF+uip+ODYaNxPEJG/93xtxPc6QC0bsC9QIgv6dBk+s1LUf5ulIlJZQ1UlkLgTH4
+HzHi37O4ivcbSHpILcgD0hKnftv0E8o9SNAaIcO7DKNmbeWQ6cPlfOlRtpcIXYoc
+95wY9AipN0/ken5KxDxdxTSKuWS7Ae+ZWh7hmLdfDc5C85o2omLvM/6Ovmp0xUSP
+U/xFR1fk0kRmM975smehEOXSHOJ24zFaY6BnMUWa67yLawbxUj0AqzGmohdqz7Lu
+DhtKd9oXJgRzacFzuMSQluN0ivwKIzirpLR/AJoz4nHXIaDQRyfaA3jr1VYpK+bA
+poIXAjgxR/vEFtbEHw7fNO3FKRCddvyJ0vh+OKIrY0nrbGUoyRlPlKF/9XrQ3UJo
+Zc708mBBjzqijXdUQ0TB1/irAAQ7O/6i+ThQxElt77gYWzv2/8sSoagzqRKXOqLJ
+ckNJQIA39t4HMIFgqxDLRuRNtooFUeoOvocDWTQr80bUp6357cBtAl7ypcOzrPK6
+m5cuuyZfQ7zdh5ufcfMdFbgjwfeN8d442EzBnLxoMA9T2Igfn7KOhFl3znZ+WJhS
+h+oyBS8PrKUKB2Xo9pnXma6123xyFPDapnuK3iiNpGJfI0sULCqjEodYG+aGyfCz
+ZFLWftbU683YxZCOddgYxHI=
 -----END CERTIFICATE-----
diff --git a/x/ref/test/sectestdata/testdata/ab-star.labdrive.io.letsencrypt.fingerprint b/x/ref/test/sectestdata/testdata/ab-star.labdrive.io.letsencrypt.fingerprint
@@ -1 +1 @@
-d6:95:f8:44:4f:80:ce:80:a1:30:1f:05:6b:b0:96:24
+c2:dc:f8:ee:dd:8b:08:75:41:c5:82:26:06:ab:ac:95