diff --git a/config/crl.go b/config/crl.go new file mode 100644 index 00000000..52966840 --- /dev/null +++ b/config/crl.go @@ -0,0 +1,75 @@ +// Copyright 2016 The Prometheus Authors +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// This file is built for It provides functionalities to parse raw CRLs, +// check their validity and verify their signatures against provided +// certificates (CAs). It also allows checking the revocation status of the +// provided certificates. + +// It is built for Go versions after and include Go version 1.19 as there +// are new functionality related to CRL handling. + +//go:build go1.19 +// +build go1.19 + +package config + +import ( + "crypto/x509" + "encoding/pem" + "fmt" + "time" +) + +// Parse all CRLs and return a slice of valid CRLs. +func parseCRLs(rawCRL []byte, cAs []*x509.Certificate) ([]*x509.RevocationList, error) { + var crls []*x509.RevocationList + for p, r := pem.Decode(rawCRL); p != nil; p, r = pem.Decode(r) { + if p.Type != "X509 CRL" { + return nil, fmt.Errorf("unable to decode raw certificate revocation list") + } + crl, err := x509.ParseRevocationList(p.Bytes) + if err != nil { + return nil, err + } + + // Check CRL exipry status. + if crl.NextUpdate.Before(time.Now()) { + return nil, fmt.Errorf("certificate revocation list is outdated") + } + + // Check each CRL is signed by any CA, if not, ignore the CRL. + // Otherwise, append to the valid slice of CRL. + for _, ca := range cAs { + err = crl.CheckSignatureFrom(ca) + if err == nil { + crls = append(crls, crl) + break + } + } + } + return crls, nil +} + +func validRevocationStatus(cAs []*x509.Certificate, cRLs []*x509.RevocationList) error { + for _, cert := range cAs { + for _, crl := range cRLs { + for _, revokedCertificate := range crl.RevokedCertificates { + if revokedCertificate.SerialNumber.Cmp(cert.SerialNumber) == 0 { + return fmt.Errorf("certificate was revoked") + } + } + } + } + return nil +} diff --git a/config/crl_deprecated.go b/config/crl_deprecated.go new file mode 100644 index 00000000..ffa6e483 --- /dev/null +++ b/config/crl_deprecated.go @@ -0,0 +1,76 @@ +// Copyright 2016 The Prometheus Authors +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// This file is built for It provides functionalities to parse raw CRLs, +// check their validity and verify their signatures against provided +// certificates (CAs). It also allows checking the revocation status of the +// provided certificates. + +// It is built for Go versions before 1.19 as there are deprecated +// functionality related to CRL handling. + +//go:build !go1.19 +// +build !go1.19 + +package config + +import ( + "crypto/x509" + "crypto/x509/pkix" + "encoding/pem" + "fmt" + "time" +) + +// Parse all CRLs and return a slice of valid CRLs. +func parseCRLs(rawCRL []byte, cAs []*x509.Certificate) ([]*pkix.CertificateList, error) { + var crls []*pkix.CertificateList + for p, r := pem.Decode(rawCRL); p != nil; p, r = pem.Decode(r) { + if p.Type != "X509 CRL" { + return nil, fmt.Errorf("unable to decode raw certificate revocation list") + } + crl, err := x509.ParseCRL(p.Bytes) + if err != nil { + return nil, err + } + + // Check CRL exipry status. + if crl.TBSCertList.NextUpdate.Before(time.Now()) { + return nil, fmt.Errorf("certificate revocation list is outdated") + } + + // Check each CRL is signed by any CA, if not, ignore the CRL. + // Otherwise, append to the valid slice of CRL. + for _, ca := range cAs { + err = ca.CheckCRLSignature(crl) + if err == nil { + crls = append(crls, crl) + break + } + } + } + return crls, nil +} + +func validRevocationStatus(cAs []*x509.Certificate, cRLs []*pkix.CertificateList) error { + for _, cert := range cAs { + for _, crl := range cRLs { + for _, revokedCertificate := range crl.TBSCertList.RevokedCertificates { + if revokedCertificate.SerialNumber.Cmp(cert.SerialNumber) == 0 { + return fmt.Errorf("certificate was revoked") + } + } + } + } + return nil +} diff --git a/config/generate.go b/config/generate.go index 0033dd75..4a29457a 100644 --- a/config/generate.go +++ b/config/generate.go @@ -92,7 +92,7 @@ func GenerateCertificateAuthority(commonName string, parentCert *x509.Certificat }, NotBefore: now, NotAfter: now.Add(validityPeriod), - KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign, + KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign | x509.KeyUsageCRLSign, IsCA: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, BasicConstraintsValid: true, @@ -186,6 +186,51 @@ func writeCertificateAndKey(path string, cert *x509.Certificate, key *rsa.Privat return nil } +func GenerateCRL(cert *x509.Certificate, privateKey *rsa.PrivateKey, revokedCerts []pkix.RevokedCertificate, isExpired bool) ([]byte, error) { + now := time.Now() + + next := now.AddDate(30, 0, 0) + if isExpired { + next = now + } + + crl := &x509.RevocationList{ + SignatureAlgorithm: x509.SHA256WithRSA, + ThisUpdate: now, + NextUpdate: next, + RevokedCertificates: revokedCerts, + Number: big.NewInt(1), + Issuer: cert.Subject, + } + + crlBytes, err := x509.CreateRevocationList(rand.Reader, crl, cert, privateKey) + if err != nil { + return nil, fmt.Errorf("cannot create revocation list: %v", err) + } + + return crlBytes, nil +} + +func writeCRLs(filename string, crlData [][]byte) error { + crlPemBytes := new(bytes.Buffer) + for _, data := range crlData { + crlPem := &pem.Block{ + Type: "X509 CRL", + Bytes: data, + } + err := pem.Encode(crlPemBytes, crlPem) + if err != nil { + return err + } + } + + if crlPemBytes == nil { + return fmt.Errorf("empty CRL to write") + } + + return os.WriteFile(filename, crlPemBytes.Bytes(), 0644) +} + func main() { log.Println("Generating root CA") rootCert, rootKey, err := GenerateCertificateAuthority("Prometheus Root CA", nil, nil) @@ -199,6 +244,12 @@ func main() { log.Fatal(err) } + log.Println("Generating Irrelevant CA") + irlvtCert, irlvtKey, err := GenerateCertificateAuthority("Prometheus TLS Irrelevant CA", nil, nil) + if err != nil { + log.Fatal(err) + } + log.Println("Generating server certificate") cert, key, err := GenerateCertificate(caCert, caKey, true, "localhost", net.IPv4(127, 0, 0, 1), net.IPv4(127, 0, 0, 0)) if err != nil { @@ -209,6 +260,16 @@ func main() { log.Fatal(err) } + log.Println("Generating revoked server certificate") + revokedCert, revokedKey, err := GenerateCertificate(caCert, caKey, true, "localhost", net.IPv4(127, 0, 0, 1), net.IPv4(127, 0, 0, 0)) + if err != nil { + log.Fatal(err) + } + + if err := writeCertificateAndKey("testdata/server_revoked", revokedCert, revokedKey); err != nil { + log.Fatal(err) + } + log.Println("Generating client certificate") cert, key, err = GenerateCertificate(caCert, caKey, false, "localhost") if err != nil { @@ -235,6 +296,10 @@ func main() { log.Fatal(err) } + if err := os.WriteFile("testdata/tls-ca-no-root.pem", b.Bytes(), 0644); err != nil { + log.Fatal(err) + } + if err := EncodeCertificate(&b, rootCert); err != nil { log.Fatal(err) } @@ -242,4 +307,97 @@ func main() { if err := os.WriteFile("testdata/tls-ca-chain.pem", b.Bytes(), 0644); err != nil { log.Fatal(err) } + + if err := EncodeCertificate(&b, irlvtCert); err != nil { + log.Fatal(err) + } + + if err := os.WriteFile("testdata/tls-ca-chain-add-irlvt-ca.pem", b.Bytes(), 0644); err != nil { + log.Fatal(err) + } + + log.Println("Generating CRLs") + crlProp_revokedCert := []pkix.RevokedCertificate{ + { + SerialNumber: revokedCert.SerialNumber, + RevocationTime: time.Now(), + }, + } + + crl_RevokedCert, err := GenerateCRL(caCert, caKey, crlProp_revokedCert, false) + if err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_cert_revoked.pem", [][]byte{crl_RevokedCert}); err != nil { + log.Fatal(err) + } + + crl_RevokedCert_expired, err := GenerateCRL(caCert, caKey, crlProp_revokedCert, true) + if err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_cert_revoked_expired.pem", [][]byte{crl_RevokedCert_expired}); err != nil { + log.Fatal(err) + } + + crl_irlvtRevokedCert, err := GenerateCRL(irlvtCert, irlvtKey, crlProp_revokedCert, false) + if err != nil { + log.Fatal(err) + } + + crlProp_empty := []pkix.RevokedCertificate{ + { + SerialNumber: big.NewInt(1), + RevocationTime: time.Now(), + }, + } + + crl_InterCA_Empty, err := GenerateCRL(caCert, caKey, crlProp_empty, false) + if err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_inter_empty.pem", [][]byte{crl_InterCA_Empty}); err != nil { + log.Fatal(err) + } + + crlProp_RevokedInterCA := []pkix.RevokedCertificate{ + { + SerialNumber: caCert.SerialNumber, + RevocationTime: time.Now(), + }, + } + + crl_revokedInterCA, err := GenerateCRL(rootCert, rootKey, crlProp_RevokedInterCA, false) + if err != nil { + log.Fatal(err) + } + + crl_Root_Empty, err := GenerateCRL(rootCert, rootKey, crlProp_empty, false) + if err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_root_empty.pem", [][]byte{crl_Root_Empty}); err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_chain_all_empty.pem", [][]byte{crl_InterCA_Empty, crl_Root_Empty}); err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_chain_cert_revoked.pem", [][]byte{crl_Root_Empty, crl_RevokedCert}); err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_chain_inter_ca_cert_revoked.pem", [][]byte{crl_revokedInterCA, crl_InterCA_Empty}); err != nil { + log.Fatal(err) + } + + if err := writeCRLs("testdata/crl_chain_irlvt_cert_revoked.pem", [][]byte{crl_InterCA_Empty, crl_irlvtRevokedCert}); err != nil { + log.Fatal(err) + } + } diff --git a/config/http_config.go b/config/http_config.go index 37aa9667..65977710 100644 --- a/config/http_config.go +++ b/config/http_config.go @@ -20,6 +20,7 @@ import ( "crypto/tls" "crypto/x509" "encoding/json" + "encoding/pem" "fmt" "net" "net/http" @@ -861,6 +862,13 @@ func NewTLSConfig(cfg *TLSConfig) (*tls.Config, error) { tlsConfig.GetClientCertificate = cfg.getClientCertificate } + // If Certificate Revocation List(s) are provided + // then let's read it in so we can validate the + // scrape target's certificate properly. + if len(cfg.CRLFile) > 0 || len(cfg.CRL) > 0 { + tlsConfig.VerifyPeerCertificate = cfg.verifyPeerCertificate + } + return tlsConfig, nil } @@ -872,12 +880,16 @@ type TLSConfig struct { Cert string `yaml:"cert,omitempty" json:"cert,omitempty"` // Text of the client key file for the targets. Key Secret `yaml:"key,omitempty" json:"key,omitempty"` + // Text of the CRL to use for certificate revocation verification. + CRL string `yaml:"crl,omitempty" json:"crl,omitempty"` // The CA cert to use for the targets. CAFile string `yaml:"ca_file,omitempty" json:"ca_file,omitempty"` // The client cert file for the targets. CertFile string `yaml:"cert_file,omitempty" json:"cert_file,omitempty"` // The client key file for the targets. KeyFile string `yaml:"key_file,omitempty" json:"key_file,omitempty"` + // The CRL to use for for certificate revocation verification. + CRLFile string `yaml:"crl_file,omitempty" json:"crl_file,omitempty"` // Used to verify the hostname for the targets. ServerName string `yaml:"server_name,omitempty" json:"server_name,omitempty"` // Disable target certificate validation. @@ -896,6 +908,7 @@ func (c *TLSConfig) SetDirectory(dir string) { c.CAFile = JoinDir(dir, c.CAFile) c.CertFile = JoinDir(dir, c.CertFile) c.KeyFile = JoinDir(dir, c.KeyFile) + c.CRLFile = JoinDir(dir, c.CRLFile) } // UnmarshalYAML implements the yaml.Unmarshaler interface. @@ -920,6 +933,9 @@ func (c *TLSConfig) Validate() error { if len(c.Key) > 0 && len(c.KeyFile) > 0 { return fmt.Errorf("at most one of key and key_file must be configured") } + if len(c.CRL) > 0 && len(c.CRLFile) > 0 { + return fmt.Errorf("at most one of crl and crl_file must be configured") + } if c.usingClientCert() && !c.usingClientKey() { return fmt.Errorf("exactly one of key or key_file must be configured when a client certificate is configured") @@ -946,6 +962,8 @@ func (c *TLSConfig) roundTripperSettings() TLSRoundTripperSettings { CertFile: c.CertFile, Key: string(c.Key), KeyFile: c.KeyFile, + CRL: c.CRL, + CRLFile: c.CRLFile, } } @@ -1014,6 +1032,7 @@ type tlsRoundTripper struct { hashCAData []byte hashCertData []byte hashKeyData []byte + hashCRLData []byte tlsConfig *tls.Config } @@ -1021,6 +1040,7 @@ type TLSRoundTripperSettings struct { CA, CAFile string Cert, CertFile string Key, KeyFile string + CRL, CRLFile string } func NewTLSRoundTripper( @@ -1039,7 +1059,7 @@ func NewTLSRoundTripper( return nil, err } t.rt = rt - _, t.hashCAData, t.hashCertData, t.hashKeyData, err = t.getTLSDataWithHash() + _, t.hashCAData, t.hashCertData, t.hashKeyData, t.hashCRLData, err = t.getTLSDataWithHash() if err != nil { return nil, err } @@ -1047,9 +1067,9 @@ func NewTLSRoundTripper( return t, nil } -func (t *tlsRoundTripper) getTLSDataWithHash() ([]byte, []byte, []byte, []byte, error) { +func (t *tlsRoundTripper) getTLSDataWithHash() ([]byte, []byte, []byte, []byte, []byte, error) { var ( - caBytes, certBytes, keyBytes []byte + caBytes, certBytes, keyBytes, crlBytes []byte err error ) @@ -1057,7 +1077,7 @@ func (t *tlsRoundTripper) getTLSDataWithHash() ([]byte, []byte, []byte, []byte, if t.settings.CAFile != "" { caBytes, err = os.ReadFile(t.settings.CAFile) if err != nil { - return nil, nil, nil, nil, err + return nil, nil, nil, nil, nil, err } } else if t.settings.CA != "" { caBytes = []byte(t.settings.CA) @@ -1066,7 +1086,7 @@ func (t *tlsRoundTripper) getTLSDataWithHash() ([]byte, []byte, []byte, []byte, if t.settings.CertFile != "" { certBytes, err = os.ReadFile(t.settings.CertFile) if err != nil { - return nil, nil, nil, nil, err + return nil, nil, nil, nil, nil, err } } else if t.settings.Cert != "" { certBytes = []byte(t.settings.Cert) @@ -1075,13 +1095,22 @@ func (t *tlsRoundTripper) getTLSDataWithHash() ([]byte, []byte, []byte, []byte, if t.settings.KeyFile != "" { keyBytes, err = os.ReadFile(t.settings.KeyFile) if err != nil { - return nil, nil, nil, nil, err + return nil, nil, nil, nil, nil, err } } else if t.settings.Key != "" { keyBytes = []byte(t.settings.Key) } - var caHash, certHash, keyHash [32]byte + if t.settings.CRLFile != "" { + crlBytes, err = os.ReadFile(t.settings.CRLFile) + if err != nil { + return nil, nil, nil, nil, nil, err + } + } else if t.settings.CRL != "" { + crlBytes = []byte(t.settings.CRL) + } + + var caHash, certHash, keyHash, crlHash [32]byte if len(caBytes) > 0 { caHash = sha256.Sum256(caBytes) @@ -1092,13 +1121,16 @@ func (t *tlsRoundTripper) getTLSDataWithHash() ([]byte, []byte, []byte, []byte, if len(keyBytes) > 0 { keyHash = sha256.Sum256(keyBytes) } + if len(crlBytes) > 0 { + crlHash = sha256.Sum256(crlBytes) + } - return caBytes, caHash[:], certHash[:], keyHash[:], nil + return caBytes, caHash[:], certHash[:], keyHash[:], crlHash[:], nil } // RoundTrip implements the http.RoundTrip interface. func (t *tlsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { - caData, caHash, certHash, keyHash, err := t.getTLSDataWithHash() + caData, caHash, certHash, keyHash, crlHash, err := t.getTLSDataWithHash() if err != nil { return nil, err } @@ -1106,7 +1138,8 @@ func (t *tlsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { t.mtx.RLock() equal := bytes.Equal(caHash[:], t.hashCAData) && bytes.Equal(certHash[:], t.hashCertData) && - bytes.Equal(keyHash[:], t.hashKeyData) + bytes.Equal(keyHash[:], t.hashKeyData) && + bytes.Equal(crlHash[:], t.hashCRLData) rt := t.rt t.mtx.RUnlock() if equal { @@ -1132,6 +1165,7 @@ func (t *tlsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { t.hashCAData = caHash[:] t.hashCertData = certHash[:] t.hashKeyData = keyHash[:] + t.hashCRLData = crlHash[:] t.mtx.Unlock() return rt.RoundTrip(req) @@ -1249,3 +1283,144 @@ func (c *ProxyConfig) Proxy() (fn func(*http.Request) (*url.URL, error)) { func (c *ProxyConfig) GetProxyConnectHeader() http.Header { return c.ProxyConnectHeader.HTTPHeader() } + +// The function is invoked at the end of TLS handshake. +// It is verifying peer provided certificate chain status +// with provided Certificate Revocation List. If the +// verifiedChains is nil, skip the verifyPeerCeritificate. +func (c *TLSConfig) verifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { + // Skip the CRL verification while verifiedChains is nil. + if verifiedChains == nil { + return nil + } + + // Ensure the peer provide certificates. + if rawCerts == nil { + return fmt.Errorf("unable to get peer certificates") + } + + // Parse CA certificates to a slice of certificates if provided. + var rawCAs []byte + var err error + + if len(c.CA) > 0 { + rawCAs = []byte(c.CA) + } else if len(c.CAFile) > 0 { + rawCAs, err = readCAFile(c.CAFile) + if err != nil { + return err + } + } + + var cAs []*x509.Certificate + if rawCAs != nil { + cAs, err = parseCerts(rawCAs) + if err != nil { + return err + } + } + + // Append the peer's verified CA chain to parsed CA, + // in case there is any missing CA. + cAs = append(cAs, verifiedChains[0][1:]...) + + // Remove any irrelevant CA certificate from CA chain. + cAs, err = CreateCAChain(verifiedChains[0][0], cAs) + if err != nil { + return err + } + + // Parse CRLs raw data. + var rawCRL []byte + if len(c.CRL) > 0 { + rawCRL = []byte(c.CRL) + } else if len(c.CRLFile) > 0 { + rawCRL, err = os.ReadFile(c.CRLFile) + if err != nil { + return err + } + } + if len(rawCRL) == 0 { + return fmt.Errorf("CRL is empty") + } + + // Verify CRLs that are signed by trusted CA and not expired, + // return a slice of valid CRLs. + crlsList, err := parseCRLs(rawCRL, cAs) + if err != nil { + return err + } + + // Append the end-entity certificate that sent from peer, + // and verify the peer's certificates chain revocation status + // against valid CRLs. + cAs = append(cAs, verifiedChains[0][0]) + + err = validRevocationStatus(cAs, crlsList) + if err != nil { + return err + } + + return nil +} + +// Parse raw certificates with padding structure. +func parseCerts(rawCerts []byte) ([]*x509.Certificate, error) { + var certList []*x509.Certificate + for p, r := pem.Decode(rawCerts); p != nil; p, r = pem.Decode(r) { + if p.Type != "CERTIFICATE" { + return nil, fmt.Errorf("unable to decode raw certificates") + } + cert, err := x509.ParseCertificate(p.Bytes) + if err != nil { + return nil, err + } + certList = append(certList, cert) + } + return certList, nil +} + +// Construct the certificate chain with the provided certificate as base. +func CreateCAChain(cert *x509.Certificate, cAs []*x509.Certificate) ([]*x509.Certificate, error) { + chain := make([]*x509.Certificate, 0) + chain = append(chain, cert) + + for { + // Reach the root certificate, stop constructing the CA Chain. + if isRoot(cert) { + break + } + + // Find the issuer by current certificate, + // stop constructing the CA Chain if none of issuers found. + issuer, err := findIssuer(cert, cAs) + if err != nil { + break + } + + // Append relevant issuer + chain = append(chain, issuer) + + // Assign the found issuer as the next certificate that to find its issuer. + cert = issuer + } + + return chain, nil +} + +// Find the issuer certificate from the set of possible issuers. +func findIssuer(cert *x509.Certificate, possibleIssuers []*x509.Certificate) (*x509.Certificate, error) { + for _, issuer := range possibleIssuers { + err := cert.CheckSignatureFrom(issuer) + if err == nil { + // Found iusser certificate. + return issuer, nil + } + } + return nil, fmt.Errorf("no issuer found") +} + +// Check if the certificate is at a root. +func isRoot(cert *x509.Certificate) bool { + return bytes.Equal(cert.RawIssuer, cert.RawSubject) && cert.IsCA +} diff --git a/config/http_config_test.go b/config/http_config_test.go index ca2ed71a..efcfe6ba 100644 --- a/config/http_config_test.go +++ b/config/http_config_test.go @@ -39,18 +39,23 @@ import ( ) const ( - TLSCAChainPath = "testdata/tls-ca-chain.pem" - ServerCertificatePath = "testdata/server.crt" - ServerKeyPath = "testdata/server.key" - ClientCertificatePath = "testdata/client.crt" - ClientKeyNoPassPath = "testdata/client.key" - InvalidCA = "testdata/client.key" - WrongClientCertPath = "testdata/self-signed-client.crt" - WrongClientKeyPath = "testdata/self-signed-client.key" - EmptyFile = "testdata/empty" - MissingCA = "missing/ca.crt" - MissingCert = "missing/cert.crt" - MissingKey = "missing/secret.key" + TLSCAChainPath = "testdata/tls-ca-chain.pem" + TLSCACHainNoRootPath = "testdata/tls-ca-no-root.pem" + ServerCertificatePath = "testdata/server.crt" + ServerKeyPath = "testdata/server.key" + ServerCertificatePath_CRL = "testdata/server_revoked.crt" + ServerKeyPath_CRL = "testdata/server_revoked.key" + ClientCertificatePath = "testdata/client.crt" + ClientKeyNoPassPath = "testdata/client.key" + InvalidCA = "testdata/client.key" + WrongClientCertPath = "testdata/self-signed-client.crt" + WrongClientKeyPath = "testdata/self-signed-client.key" + EmptyFile = "testdata/empty" + MissingCA = "missing/ca.crt" + MissingCert = "missing/cert.crt" + MissingKey = "missing/secret.key" + FullCRLChainPath = "testdata/crl_chain_all_empty.pem" + FullCRLChainCertReovkedPath = "testdata/crl_chain_cert_revoked.pem" ExpectedMessage = "I'm here to serve you!!!" ExpectedError = "expected error" @@ -160,6 +165,33 @@ func newTestServer(handler func(w http.ResponseWriter, r *http.Request)) (*httpt return testServer, nil } +func newTestCRLServer(handler func(w http.ResponseWriter, r *http.Request), serverCertPath, serverKeyPath string) (*httptest.Server, error) { + testServer := httptest.NewUnstartedServer(http.HandlerFunc(handler)) + + tlsCAChain, err := os.ReadFile(TLSCAChainPath) + if err != nil { + return nil, fmt.Errorf("Can't read %s", TLSCAChainPath) + } + serverCertificate, err := tls.LoadX509KeyPair(serverCertPath, serverKeyPath) + if err != nil { + return nil, fmt.Errorf("Can't load X509 key pair %s - %s", serverCertPath, serverKeyPath) + } + + rootCAs := x509.NewCertPool() + rootCAs.AppendCertsFromPEM(tlsCAChain) + + testServer.TLS = &tls.Config{ + Certificates: make([]tls.Certificate, 1), + RootCAs: rootCAs, + ClientAuth: tls.RequireAndVerifyClientCert, + ClientCAs: rootCAs} + testServer.TLS.Certificates[0] = serverCertificate + + testServer.StartTLS() + + return testServer, nil +} + func TestNewClientFromConfig(t *testing.T) { var newClientValidConfig = []struct { clientConfig HTTPClientConfig @@ -1980,6 +2012,225 @@ no_proxy: promcon.io,cncf.io`, proxyServer.URL), } } +// Test with empty CRL and irrelevant CRL. +func TestNewClientFromEmptyCRLConfig(t *testing.T) { + var newClientValidConfig = []struct { + clientConfig HTTPClientConfig + handler func(w http.ResponseWriter, r *http.Request) + }{ + { // Full chain of CA and empty CRL. + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCAChainPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: FullCRLChainPath, + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, { // Full chain of CA and single empty intermediate CRL. + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCAChainPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: "testdata/crl_inter_empty.pem", + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, { // Full chain of CA and single empty root CRL. + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCAChainPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: "testdata/crl_root_empty.pem", + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, { // Missing root in the chain of CA and full chain of CRL. + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCACHainNoRootPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: FullCRLChainPath, + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, { // TLS Config contain a pair of irrelevant CA and CRL + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: "testdata/tls-ca-chain-add-irlvt-ca.pem", + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: "testdata/crl_chain_irlvt_cert_revoked.pem", + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, { // Full chain of CA and CRL, the Intermediate CA revoke the peer certificate, + // set true to InsecureSkipVerify should skip the verifyPeerCertificate. + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCAChainPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: FullCRLChainCertReovkedPath, + InsecureSkipVerify: true}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, + } + + for _, validConfig := range newClientValidConfig { + testServer, err := newTestCRLServer((validConfig.handler), ServerCertificatePath_CRL, ServerKeyPath_CRL) + if err != nil { + t.Fatal(err.Error()) + } + defer testServer.Close() + + client, err := NewClientFromConfig(validConfig.clientConfig, "test") + if err != nil { + t.Errorf("Can't create a client from this config: %+v", validConfig.clientConfig) + continue + } + + _, err = client.Get(testServer.URL) + if err != nil { + t.Errorf("Got Error %q", err) + } + } +} + +// Test with revoked certificate. +func TestNewClientFromRevokedCertConfig(t *testing.T) { + var newClientValidConfig = []struct { + clientConfig HTTPClientConfig + handler func(w http.ResponseWriter, r *http.Request) + }{ + { // Full chain of CA and CRL, the Intermediate CA revoke the peer certificate. + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCAChainPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: FullCRLChainCertReovkedPath, + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, { // Full chain of CA and CRL, the single root CA revoke the intermediate CA certificate. + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCAChainPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: "testdata/crl_chain_inter_ca_cert_revoked.pem", + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, { // Missing root in the CA Chain and the full chain of CRLs, + // the Intermediate CA revoke the peer certificate. + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCACHainNoRootPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: FullCRLChainCertReovkedPath, + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, + } + + for _, validConfig := range newClientValidConfig { + testServer, err := newTestCRLServer((validConfig.handler), ServerCertificatePath_CRL, ServerKeyPath_CRL) + if err != nil { + t.Fatal(err.Error()) + } + defer testServer.Close() + + client, err := NewClientFromConfig(validConfig.clientConfig, "test") + if err != nil { + t.Errorf("Can't create a client from this config: %+v", validConfig.clientConfig) + continue + } + + _, err = client.Get(testServer.URL) + if err == nil || !strings.Contains(err.Error(), "certificate was revoked") { + t.Errorf("Expected error %q but got %q", "certificate was revoked", err) + } + } +} + +// Test with expired CRL. +func TestNewClientFromExpiredCRLConfig(t *testing.T) { + var newClientValidConfig = []struct { + clientConfig HTTPClientConfig + handler func(w http.ResponseWriter, r *http.Request) + }{ + { + clientConfig: HTTPClientConfig{ + TLSConfig: TLSConfig{ + CAFile: TLSCAChainPath, + CertFile: ClientCertificatePath, + KeyFile: ClientKeyNoPassPath, + ServerName: "", + CRLFile: "testdata/crl_cert_revoked_expired.pem", + InsecureSkipVerify: false}, + }, + handler: func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, ExpectedMessage) + }, + }, + } + + for _, validConfig := range newClientValidConfig { + testServer, err := newTestCRLServer((validConfig.handler), ServerCertificatePath_CRL, ServerKeyPath_CRL) + if err != nil { + t.Fatal(err.Error()) + } + defer testServer.Close() + + client, err := NewClientFromConfig(validConfig.clientConfig, "test") + if err != nil { + t.Errorf("Can't create a client from this config: %+v", validConfig.clientConfig) + continue + } + + _, err = client.Get(testServer.URL) + if err == nil || !strings.Contains(err.Error(), "certificate revocation list is outdated") { + t.Errorf("Expected error %q but got %q", "certificate revocation list is outdated", err) + } + } +} + func readFile(t *testing.T, filename string) string { t.Helper() diff --git a/config/testdata/client.crt b/config/testdata/client.crt index 5e68bd44..f92eb39b 100644 --- a/config/testdata/client.crt +++ b/config/testdata/client.crt @@ -1,32 +1,32 @@ -----BEGIN CERTIFICATE----- -MIIFgjCCA2qgAwIBAgIRAMMSh5NoexSCjSvDRf1fpgQwDQYJKoZIhvcNAQELBQAw +MIIFgjCCA2qgAwIBAgIRAOSykfzsFL0kachzbNI8PrgwDQYJKoZIhvcNAQELBQAw aTELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRowGAYDVQQDExFQcm9tZXRo -ZXVzIFRMUyBDQTAgFw0yMjA3MDgwOTE1MDhaGA8yMDcyMDYyNTA5MTUwOFowNjEL +ZXVzIFRMUyBDQTAgFw0yMzA4MDMwOTMxNTJaGA8yMDczMDcyMTA5MzE1MlowNjEL MAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxEjAQBgNVBAMTCWxvY2Fs -aG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKE5sMf63irOiAEo -a5GMONLHDji9ATAVs1erm6NW/17UPOSjN1Q1n6JGTp2XLKb5gle7gdGdjXW9IB6n -PhXwQp4ZvTaucMxcZ+Zik19tn+azKdfj/FXU0c9R5oEv4B/1jfKG258dQF5es/Ga -A2WW3nWA6IwQkHcBcN7cBQCZZ1GcM81rxybuyU4k/FyMheehcJ5MN8iy0Y0YrMcZ -KxmRfAR/EfVYjenWXjZNncsUXotQr5I4wBUJ/pj5pYQWpSuyO6oADX1EzcxuL6bO -XoEHfGFqmr90lM/x19bHzllu1UxIwqmT8jW3Je89EhlBxb0htNWNg4hKY7658Khq -L0tx0AsdIru/JuoQGXrDs4yf+3xL51zSeMr6jewl6AyGQKCc5E+c/zwklCdsVFw7 -zapbT6Hok5HjSoMnRi/EGLtd33CQjvgGooPA4LLzWpbZhoA7QZLBXhvAG3qIkTXr -1SaDQcP6GvYItEo3Yvqle7hWqhJB5E7QJ2+0j0ztbOLZBkuQGmiT4Ebsx5IJrRaT -jDCkqYzuHjdTAtwDQR6Tuy2Sc+AuAxI4kDH6EwpX5X7E2mkE2RyYusiu6o400K6F -QhRysPf1BXxSwQgcvsQTjcl8InyY/JT+7q7TCOLaXoj5rQDwIQdao0IRgr1+M7FQ -5rsuLRD92EI/vLfSikk3MxcwZ1qzAgMBAAGjVjBUMA4GA1UdDwEB/wQEAwIFIDAT -BgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFMaa -Hh5g0+YopeLd1IkizXyK9K/zMA0GCSqGSIb3DQEBCwUAA4ICAQA1qIgzzSid9YZS -v3kfqaDmZ3ickDuoJg4DjOz4AoZF+o2SnS/kXrIs/pTABUcfhgxt6xNJUFPIi2Pa -IQXkS24Ya85RJxNUrJmqwhavONoxNoC9RBdNqwQy30DxrBcB+881Y/Ln3VQu6mfj -aLFk09LFddz3Uc26spc257GkWfvdKjki5xDiFYze8KO0s+J/OWluNOiBG1Pehj+c -CkwPzy9lwX0JCbAhsDkJGSY4rh+MO/bg9RemuqCPrmOIH8laBnJFvMTZyZRUTQlB -pAcS8Oa6Bth5DUV7XSwWD6ZOe8Jo5BzJmw5hd5/EA+0+LwZqxmB9d7lGMKgEOMJw -rIQZCN5PlYYkp31y190rw5XklHMeUJUNzcZKa/tNhjwmU5Pj01gdS5/AnFqO3zRW -w3jUI6GR7rqj8g4P/kigIUyuX1Our6K27HUWVmt/SC+DHrhF+J7xet0q3R+UwUx1 -4wTzXnA1++s19G9wzo/HenCOTvU2bprl/WQ66/lICU+xxwHfs6kltY3SItvczqOf -+iZrmDn/0jmoarkhaND0EpiG6FbsNWsCprPP1uj0ICqvcBD7VfqT4NWY8QWcoqqr -JxiOAuuh0iNj8dmax3suNmd+XKIhVHZ3lRBRxrsqqi67axk3mgQby2j9sLxNmrqD -Lc+UGxJB/WZg4NvzZSaj2MZmt4zOHQ== +aG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAM8m31zviB6E15Jm +UmTIwtSmmNh9/jZ0oxz5i9tOz+jCZc+rEJm/QbkrDVo3XlKibwcyIW/Ou++k7kjP +ha6iRKy/FPH0Wx1uYc4QrgIBl7R9YO+2d034AcKKnltWKwLhCOq5va4IDOpto58I +ZUBTkNhzPbXuo3KewNwYqS8MKvc/ARvFJLjSDbiMneshQLBbHckxDJ3LjT8/YLuG +Cgr3cF7tqU2RxiKa3QuWAqFmTdb90TsFpCXWTaHMokgMbVmCb8gsmw8nRYXWOKSA +N6nx+wHMvEecooxojTxV6J/2xWw12wk4/Z2d3J2zFHHgtKpoYrerCrAGh4xYbqKb +mgeZVurkix1CX9jALa9jTLUTJW0zhp2D74gjOBQ26xHo6IaHMCDePR4MIWq++i87 +7EWREDnG4A+NPCji9HHZ0ihAs+q8C+gibh5U7OoNZa9YTIv8pwmwRZgyssfjtWwp +5zgAHmrfkVuUJPa/ZJgu90T64DEQEM8VYbIo/w4SreEIKI+BjRDHeU0lzLJXZwCM +H0HYdWl5eTGQs0JAixrBNYiMeFI1qQK6wqWi5/MMEZ/n0JKHkc1Lx9mujYfzLqML +a8cMZssa/ftkAWUBpaYK0WU5fzQPyYu9BKX0sudzP5gVAKe7Ff6xOwrsOUJPoBJw +N4ZHbYB3kSxpdoDvbmBlXr35sJ+LAgMBAAGjVjBUMA4GA1UdDwEB/wQEAwIFIDAT +BgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFH9L +fDTzrym3/EwMAopkOky+eXMKMA0GCSqGSIb3DQEBCwUAA4ICAQA2xFQkSGW7GcLK +aS7h7Y0/yZFu8iL8ICMWP9MySPFidjz5+u2zyMwCwPq/33pt9xS0myDs9ozyrXN8 +GnNGuU36B34KXkGU1hvM9XCX8CDmSU2UrMygFzFRAERH6qUTn2iPuoL9C/0V7O/J +jcafhzAphsd/m2I15s4JuRIpFkG2bAOUlW9gPvDfWZntstYxt+QNBHhNNsCEXXz4 +F7PviVBR+nUt+PmOEMzkHQt0KEhlmu/nI1EK1NyhSKu5Ob97pbuRNqobqGtgXRVr +w2NiA39oUpHmvG2SYXl6XX2vT7JmDKy0Xvc+EegZkjOcJ4i7dCZdulqNydnnvB0d +u+Fb72SsytfbNEASkeqxF2+gTjhdOC1NwcVQhpdU+NEjEa1e0/txabFeDBZnNWh6 +1uFrAZlTyJ/fD5/y6WoYlZDRr9zZZLFEL/6Zu5fALngzpFmXx7YY+Lkt0r5Uf6+d +A1CVrhe92mpqkyZnf1BW7/1szEPZzYqJs+nKHHuoXWzK0nTaBCWsVa1LFKXJA57O +/U5qNXnleDt++qHhSD0nlfdGHCdqUdtxIMJ+cnJlaEBfzZvw3IrH/IPUFo9/y6Nv +U3lwPCd+YHs7zMZXaAv/1gacYgqnor7b5iyIPPuRKJrCYZdMf8d4L+inZUcLhzjG +gySUXksbbAdbLZK+/PlLiliq+u3vPg== -----END CERTIFICATE----- diff --git a/config/testdata/client.key b/config/testdata/client.key index 9c768235..757acf71 100644 --- a/config/testdata/client.key +++ b/config/testdata/client.key @@ -1,52 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQChObDH+t4qzogB -KGuRjDjSxw44vQEwFbNXq5ujVv9e1DzkozdUNZ+iRk6dlyym+YJXu4HRnY11vSAe -pz4V8EKeGb02rnDMXGfmYpNfbZ/msynX4/xV1NHPUeaBL+Af9Y3yhtufHUBeXrPx -mgNllt51gOiMEJB3AXDe3AUAmWdRnDPNa8cm7slOJPxcjIXnoXCeTDfIstGNGKzH -GSsZkXwEfxH1WI3p1l42TZ3LFF6LUK+SOMAVCf6Y+aWEFqUrsjuqAA19RM3Mbi+m -zl6BB3xhapq/dJTP8dfWx85ZbtVMSMKpk/I1tyXvPRIZQcW9IbTVjYOISmO+ufCo -ai9LcdALHSK7vybqEBl6w7OMn/t8S+dc0njK+o3sJegMhkCgnORPnP88JJQnbFRc -O82qW0+h6JOR40qDJ0YvxBi7Xd9wkI74BqKDwOCy81qW2YaAO0GSwV4bwBt6iJE1 -69Umg0HD+hr2CLRKN2L6pXu4VqoSQeRO0CdvtI9M7Wzi2QZLkBpok+BG7MeSCa0W -k4wwpKmM7h43UwLcA0Eek7stknPgLgMSOJAx+hMKV+V+xNppBNkcmLrIruqONNCu -hUIUcrD39QV8UsEIHL7EE43JfCJ8mPyU/u6u0wji2l6I+a0A8CEHWqNCEYK9fjOx -UOa7Li0Q/dhCP7y30opJNzMXMGdaswIDAQABAoICAHKXAmLgl09tg5TvGaVVOH33 -JNCG5XU7t0A0pGYvy0mnJ7CJoSWlB1TbC71OWVpENLQOfXJyvLxWM6IV1DbbkT21 -pZpb2agmdWJ15bEJxYC/Dpp3XD3VCVqFJ4PidzW/3afm2en5bGqmfNbXVFq8JFj3 -ylDi5QrwZzy+vH90iM6kat0yIVY2mbWE7CkLZ5D+WYDpQyzOi8nxI7xO0ydVFARO -HIF480SkLEoEWIaib6AtNNyEoWFSvTYVGeMMBVFNWMK3Tt8eK/eEyTGRs/GZVHoY -vuwc/Dff+Dybvrop4Ehb3p+Qm7I5/ihQC7EP4m9Oqayu7DHOTZ6docLR1dOVjPt4 -F0qkeMGaGTDnfGmocqaKskGmhNWEnav5+aaYtFRXEqkLW53lIaGcWv2kyaFfvCYg -L810FEn9D5OVmlLjgUrzeEctFmhO2Br33dLl90imtuVI3Kg/qzsM9fiV0KbsONzq -I7aIvZZjXrevCOFtNSTfxNT8PrkyjWYN+2sbLWCR7hRvuzSTHI/qh2TzvyhqKeWc -ZPVlIT2qvBN5OP+j42J54VXwJNIwUmbKfnETvHMp3Cht/UaEtj/vzAkYB0paEQUs -O80vWwN4zk6H/qRV0HewUoNIGYlnTFLg/uOlLwbkctYH9ubEaobtVtwx6hsZ12AM -m7N27FsiAf6KJOGN2CqhAoIBAQDBuQgDxtf3XaoUc8YJKnvGRFMmuq8VWIELF2E1 -/u+IWP8f89BoUon7J5VMHvKiuvsVa6bOJpENrp/fV9+5IA7a925U7il8LmGis+v7 -Sg5pWMJ6gUXq65jssXw0PPDyHEHL0WTwI6KlcI0+Pt8zPujq0TPeHBOadlaPHdg2 -lHEWPvuoAeZknLnYWF7Eq0y3cD2LBiFiZWNRO0wccFf7CA1O5ToUDkFB0zXB5ZOJ -RgVSUQ5Gnva2OSB+dfFc3HwOADqjnBW+nMDi/ofH2rQEysEp4iTV4N+HkWxpNUPU -9Z3KRUN645P1BK9ufwNnqsagJU8gKNR9EJKITiPU3jqKi/IvAoIBAQDVDjDi574a -btsUQcUcip2na+D5jRts+/5lugA5OT6GzIRyYP8WgH7JMbwC91cB3avV08y5SHMB -P1wo04qaBL+p1by19ewZ6f4Kfytoad7ZGb/P9tX8H30N8Q/k9kucn4igpJ6XaQXU -tJIKWoBsNuUTZkPwa0+FMBBbRFRagu+mbOwnKR6zNIXNh18K7/LCJSb9jy73xG7k -DEuRJH10Ow0Ijo4/UACm0CLdavtVtbkGfarETfZSUPuKMHs6dyAME94+IG3WgmWW -B1WbtrWXw6RNhaecYDfjeW3iFOjgo+MpaQpnfiz7nqNrUu5zbteJYM2EdHI1baJ+ -/VXsXsc4hdK9AoIBAEyWkJqdpIiBmVpYozTAfQrXvGAVcl7oDKyL47zrO1wWg1bo -l76G01JeReJAYgEAF4BSfTIHgVV9cmtkXGjeScE8DXy6Y+BanfMrWuKQVr5Dfy/b -p/7GgkEhsk8cwM2XalPgRx3BmO37X3v6c1fZSVB8wRrQ0tdAbdxLGk4JxePbpra3 -eZTReZAU7/KlHsFvOIWcONqj5u4YmXCs4bu3ZTuJ2LpRIG+bxycPUpL1AemXbiNx -eWx1jWkxy+jAqrMGWCiS7u3bH08e/iN/TaiPWGrso0+Dhhwc3FWD33t0V5u+Yn1V -OAuofIsc4AW+OKTb2zqFqex//s6wxe3EpjRcO7UCggEAXVL5APtn3yY92pKwp77k -LejoRAeWQtfi6GZgILC9fchqH7vzIMUqRDD/3QDA4PVbhq9e1q4wihRZ5xw6cxqv -ZdJU9hOB1xwTBkAMIJF3ZvuLdKn3s5eLbKbyQmXMWw/ahht1yHbdcf2iltxrsnsd -PrEmA1LOI1YZZBD7LiZ6mRjPHJw7cV4JWiz46c6PNJGXkau9dBRcSpJEK5CjT11q -aRwgnQULNAaprvlknHecU4aKXbCUvBvzAuYXpFV3+TJewDHuSu8VVnFiA3I1+wNc -ngR0ld/ju0V+Z3CnTXccUxBK2WiAhbtIdAOApZmg2fFINMPZHyQl8KBBmecuNskP -tQKCAQALxoCzLhdq6Kl/mqqdPTlvncIuAoaH2VjEc5ZpMIHShPd1YfPv5/sQkD4B -8X7QNLPITaSGvNTevyg/KtVPuWyyCxEjmIXDXOCXkylmJFY9tgaaSGPLRJ62sIbz -EJGmUUOBYD+/ybV+dQd3GgkGJ0Hytp+FM8NCWukCFRAxb1m56xfs+RTBuLdJpou7 -AV+RafQV1roAQ+Pj3dFsoR6jBJIM4w0S5Q6609W062hrR6hBrlVBGfZpo/Mgmv5K -HEnQ7X+AqPaK7BLdzBQb2Qd6hGF8DMVTSBRlc/THnhK/HlVCuWMNuEliGtmIuGYE -0FRrwC2EvZmAS7m/FHfkpry76CRU +MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDPJt9c74gehNeS +ZlJkyMLUppjYff42dKMc+YvbTs/owmXPqxCZv0G5Kw1aN15Som8HMiFvzrvvpO5I +z4WuokSsvxTx9FsdbmHOEK4CAZe0fWDvtndN+AHCip5bVisC4Qjqub2uCAzqbaOf +CGVAU5DYcz217qNynsDcGKkvDCr3PwEbxSS40g24jJ3rIUCwWx3JMQydy40/P2C7 +hgoK93Be7alNkcYimt0LlgKhZk3W/dE7BaQl1k2hzKJIDG1Zgm/ILJsPJ0WF1jik +gDep8fsBzLxHnKKMaI08Veif9sVsNdsJOP2dndydsxRx4LSqaGK3qwqwBoeMWG6i +m5oHmVbq5IsdQl/YwC2vY0y1EyVtM4adg++IIzgUNusR6OiGhzAg3j0eDCFqvvov +O+xFkRA5xuAPjTwo4vRx2dIoQLPqvAvoIm4eVOzqDWWvWEyL/KcJsEWYMrLH47Vs +Kec4AB5q35FblCT2v2SYLvdE+uAxEBDPFWGyKP8OEq3hCCiPgY0Qx3lNJcyyV2cA +jB9B2HVpeXkxkLNCQIsawTWIjHhSNakCusKloufzDBGf59CSh5HNS8fZro2H8y6j +C2vHDGbLGv37ZAFlAaWmCtFlOX80D8mLvQSl9LLncz+YFQCnuxX+sTsK7DlCT6AS +cDeGR22Ad5EsaXaA725gZV69+bCfiwIDAQABAoICAFk5YRPiiDq89S01rV+DqYd2 +incVLZ2+91LPmZHIjHyw3rFn+Sp/2osrJAErwBDPrgrnaMeDwCckXw41dFsXwYS2 +eQsOOQCgPrhHLuvmS7WOG2akrRaEMB3fHv4wSy5eRzzy6+Q9y3Jd7w/cyd+/HrBc +UsQ+GWCRSHiElrqQ/yCnno6bh4mj0A0hZBOWqwpK9LVnzwtYVWpcngmnXkQC9/+r +VjT3COR216bZ4iAqtHRZtvk5IM67U4zRW0S1NZRMPmF19QO94pAXCSaxo0gr1fWc +faxKpyjbD5phVmUwITDOsZ1zUqnFCPVT4QZ7xtVvSLXbkirnZRLqNB0N8HY9cdXL +sUxBfzv4CCKjoe0Wwr0lLZyR5sIeAjh/EKH94/uQ5tUQkz4KBlmptUCgO98TghFL +kyEIF0CO7JFJufCGvjfHlsU6Oy7QSYvolVUjcH4Ahh+neOJ9q/5/cFtHHpWtW+6L +PNnmw1i+/2SUKwQ7D5rCgo9H/QmfuBnuYY4jJxlbjaJnW+vWHmWyEZuMbQFVv52B +JKH7Liwp0m64TIgtSEjraKN8FYO3VVXEeOuUb9IB/V6Q4H2ZEZyrdOQ04l+pLNRW +UYp0wWTsg9tNMVNL0t+tOhFN8L/BxZ+tL92c2z/+9Y55GkW6OOXvENqH9s3sdNxT +9G5CIkGZfvboh4fMC2GBAoIBAQD6TOwmKEPU0Tg0yB5RuQQBr39lrnzKz6BvJ3DZ +uQ1hTzyAT5bnNIwq+F/noPJ/DqTO2Z/uigX4J/nDsgVcVsjJ3GN9aexYfFa/Sxlj +kw79uYB1z/f1ZrPLt2Zf4zzDq4RLxVmMdy8yXeGbJn2X8C17W2iUptzJW3NyXmY0 +vXPcJifDjN7D6gacwzXegxOzWbo5tHUNoIP+VWu4SCC+891aNixu54vTMD8gsn3Z +uKDoeFMhm5qnq8MQLdt/uo1giON4eSrhJPykv/jgLALbHR85gK3nf9p1qx267moV +sUiMOSMo+tvUdGnrsKfxMjPbYc4ZZa77FxKPeIzS41wiwV7xAoIBAQDT3mxutqS0 +w8qw9iBYJugpXOyRzKJkTbGxHiDWQBxYiMvG8bZT73vxbX4FbPVpRqTqWGDKQsNY +qypvVdc2y1pELr+6q2HNfss5MpW7NlZaRRGKC1HATb7i7kpbB78zJcdZ5+TUzvn9 +VehaI+t/oiYrR0lQVa5oANGGjyO4fYgWX+1ulx4DL0mZIIfERw+KDkTqymdD17pg +jJigto1Cbk7hBV21TR5EAlAI/BlWJKeQz/oXBxO8RO6YMAzaY0yl1y4XM6hxDQCY +mbdQeevO5EfXGmkGb71KF1ZWMc/RcwX/HABKwY4PHIXmJBMG+KT+Nn7P7LZce+kG +wJsYUYRE9547AoIBAQCpH3Soy6gZkkyCDX2/Bl5YrTZNhDq55tSmhmXQFyOdTqa4 +pA54pp7XIf/bSHrRsxlU0uMnkIc8B/bRbeYFYHZHPuzSftG9cDZFBv9esqz8b20H +LcCDRiPSUFeSDr6uD6RSdkRtjtKLG7gm1zkhgp2YrkjZuG2SeIJnErXIiQJSDE3t +6a9TfTt+jMBHWxXip4wXFYHJ9V16aklguQu3OpukKtqXDUkDJ6Rf+Xrjs8a1jSfO +m49CH+KrefDIO0rvoU7hxi1c91rmDvigr9w2JVVFy1a2B0ObIkXyWsm/Yox8gtbp +B6elxAsVv8WaSauUXl+d9YDoE8zsuC2fCRTmPvZhAoIBAQCmR5ucbLXptPxgVFrg +NHDi/a4hY5RT2nJKCtZEsH5OsdYUpmGtkHga7A8K3Q/idvI5hfE47Jr5/SRJyvok +ZAbNGk+ZhqY0rH18v4mqK6QsJqb0S5v2rE3TNqeet/7EerLxicEbj/G9dO3tyOEs +A6unLcSJSyWdNH889xxW0Ba9UL48nFeOsk814cUMM6UrebV2/DF9mlMJMW8cOwm0 +iHRZwGdiQkstnw8HbivIYu4sBj5GUmSXzxXe1V9RCrv+MFpZFU7uowDDw2iOvZFn +h9wmIvEofwv1mUlGTsPGo1qidGx6P1xp2b3w+IECaKS9azGtqB8biJhDl2hh9qAz +rI8/AoIBAQDpon6t8rOV8WjqYo+0UxC15muvSKW7TSpIJUqIpg6K+A2N8SxCU6IQ +4CWy4EbqZMI2k3ScGK7JmmS9S1aquhqRwx+TE0wYFfG7V5Vwadi8lzzTKVQ3GGp1 +hZoHFKzCmNsD7tJJhVGihkA8Bh6c2Ak1vU/Iv4D5RnOPyPlajFjzpriOme+GG/bd +l57irdAiCTxp549gXbaOWTikLcAfwXzYoqE5Hfr1cBjqYIOxYT8Ir7ogPJ1dlS39 +mIbqLkzMT0EVTOSCyAh+1VgFqER7+ORGdV8bN5UIQfisSL6HlJuPIh4rvFAiNsbz +vrV3bDMxUzXECSHwgLro9/i5I93N1CDX -----END PRIVATE KEY----- diff --git a/config/testdata/crl_cert_revoked.pem b/config/testdata/crl_cert_revoked.pem new file mode 100644 index 00000000..7122a6a3 --- /dev/null +++ b/config/testdata/crl_cert_revoked.pem @@ -0,0 +1,19 @@ +-----BEGIN X509 CRL----- +MIIDCzCB9AIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA4MDMwOTMx +NTVaGA8yMDUzMDgwMzA5MzE1NVowJDAiAhEA5LKR/OwUvSRpyHNs0jw+txcNMjMw +ODAzMDkzMTU1WqAvMC0wHwYDVR0jBBgwFoAUf0t8NPOvKbf8TAwCimQ6TL55cwow +CgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggIBAGdFRDMWIryk+QqDhCURClX1 +m5pSRH7AinqgzHbIx/MBiITt3+5A/RJ80WpUD1LE6sRi/RRvS3G5cbcVnKR6YlD8 +LKdY4BmYP+TnKg5Nq2S/JW0LR+25zeb4Uw3G6H4tAKJrsD6SezJ6KBEt6wfUs7Ea +gQb8lBwvT/21tF2smEwVIq/sKn2XAnMFRAYt1YnOK3B/ZKOhcz3P6oMLKE6rrJl9 +M1wockmTt+HWnikdJ4+H62jwPAv4RXqHxU56uEE4imzXPaUtQP16FbAgd8OmAASc +neflFCoxW/zQe3uMopbw/iVR05Ly6v2gb6EwWm1K01OCYUjkxr/jQIK9v4U7hD+R +WlpXYySiWe7tQ7JsCDVmKgPQOA0PafycCYt3Y/DrVAcF/vgKvsucMIVKWL5/YhAZ +WPV4P1SXLHl8FM4PbuB9Oo+BrN6IEJp3flHYLP/NTf6GSbcf3+LdRyhEy0USm6km +aeECBbAsL2giGnKGd0hJfWwq7fxQF7Nym0SE2EXbuAUhd/VOEcfHLY8IOSAqdYgk +1Ldf3ADavqB5LowwrcvIu2V2Y7ggTCfqgutBglt0t7U9Zfm6YnbnNVJbtK0FpPCY +SAceB2/Qzzbqy37MEXisrLMpmTbH3Mf4VGW+74igRV0qflFTr9YjKUebtzPsEt88 +tOmrMqUTgBIxFzxljdzE +-----END X509 CRL----- diff --git a/config/testdata/crl_cert_revoked_expired.pem b/config/testdata/crl_cert_revoked_expired.pem new file mode 100644 index 00000000..89e67418 --- /dev/null +++ b/config/testdata/crl_cert_revoked_expired.pem @@ -0,0 +1,19 @@ +-----BEGIN X509 CRL----- +MIIDCTCB8gIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA4MDMwOTMx +NTVaFw0yMzA4MDMwOTMxNTVaMCQwIgIRAOSykfzsFL0kachzbNI8PrcXDTIzMDgw +MzA5MzE1NVqgLzAtMB8GA1UdIwQYMBaAFH9LfDTzrym3/EwMAopkOky+eXMKMAoG +A1UdFAQDAgEBMA0GCSqGSIb3DQEBCwUAA4ICAQA1vQu0oyITvC1qL2HEsZNjTT0O +mVsyS8xPx4tcGQv5sEUOkEOgC5vVXkkYB0ZBhLbGRR1oJAZFkur1G55hNqZ14WX7 +efyvRd5jn+tYGGw/Gwp8t7kh30UmZjpS89Ko0JjWSVrR1+ljhcgOiJ0lRQKvyf9J +JwI3+mcJp9xBr+PkDLJBH0fDtv411W+ERrH+C5wk6RztJhFvFNPYmVbYm7mW9t23 +scC2wyM/q2zIwNhe79ndgM9UuuXZvkdhmsTnA3mNYvWH7qUdybOOfxosoYUrv4v+ +PS2SBAqf+0NlrWDTy3PTWDWEwrUL3AyFNZSS+Xe2aWBiPohuxQIOFG2PtCaPnOJ0 +orSpuGbKlpw1lDisuFjHoSD0gS6C8Tmtkm8QcZnozoqmYXpMgC0DTO6dEQIwt+6R +qW/lr58PCdR1UaZwRnBlX7NtP3AQOG8Ke+2jJSda+o2Uqwkx8lm9MDbCLX3hjskv +QdfoRuLOMIV35hXQMcXjPo+k3CQaTzP4tcDBujmMJ6w7UgHbOOk/Z8iggittLtNp +Q9k1l7YfGqHY1FgNifn6uct3Ik1ctA44fa3Lid8csORo/eptKI0VUtEZnE03yAbe +BSo6aaosrAg2MJzoZsL6floYr72csr/74+AguWpjT1RsDTLInmjXgnYKVklJIze0 +/6r+Dy3sW8Dl5FpqwA== +-----END X509 CRL----- diff --git a/config/testdata/crl_chain_all_empty.pem b/config/testdata/crl_chain_all_empty.pem new file mode 100644 index 00000000..50ca213c --- /dev/null +++ b/config/testdata/crl_chain_all_empty.pem @@ -0,0 +1,36 @@ +-----BEGIN X509 CRL----- +MIIC+zCB5AIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA4MDMwOTMx +NTVaGA8yMDUzMDgwMzA5MzE1NVowFDASAgEBFw0yMzA4MDMwOTMxNTVaoC8wLTAf +BgNVHSMEGDAWgBR/S3w0868pt/xMDAKKZDpMvnlzCjAKBgNVHRQEAwIBATANBgkq +hkiG9w0BAQsFAAOCAgEAORjQ7fYyUgmcMjbASqVjOC9oq1ZCqNODw86RGQ7WKJ3e +JjAKfs9Vq36xiiFKDx1yECdZMFpINf5dU+mjoR7kaRMLW9JbrW168+7ax0As7nsP +cLdD8Tg/NYeR9IvDPdFriSNDbJsTXoAfVkDjm+8a15o/DVcSPyla9EHkLeJd9PhA +/Dz4Cw8Ec6WlDQVsSNxNecKRE1wOT/o+wG1izuAqJsCNLiiQdcRzTQzZFapXisR7 +vxdi1/CozgJFFkGjNYsBaStgvn7bxJclf5lGv0M7IecfB7qcRLNkPzKTGOp9/MFy +7Prmy2/M+kjr92Su27SvIuu85k6MEUlmLnFtOWLucUsjo9rNZLC58hCjgWyVE/A6 +PwrYrmJkacyMAAuJX83dKAV5fJBtFwa3XjY0SWHGlhLhx25cpStYW9Ci1PsgQTwD +VYs3lS2CVrzJZBzvypdIVpEz7XtE1pV2qLcAHiCy8R0NxtXlIa+Sufv7KkO0WFnQ +dvcu/Otgc6UimtYSZF5kyMFffI6q9uqhsZqSK1MddO+2cPHc8//iJy44WYtUx/DU +C+bQCA6v6ARh44cCXH3BnU36s+g66cRBHI7d5/jPU4DuY5qo0A7RqcJtUaWpt1sa +W/33KveDg245Sg4l77su8T2FHb1y0eNVaqAyS5COq/K5dMc0EwbsdS/3KbbpSTo= +-----END X509 CRL----- +-----BEGIN X509 CRL----- +MIIC/DCB5QIBATANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGzAZBgNVBAMTElByb21ldGhldXMgUm9vdCBDQRcNMjMwODAzMDkz +MTU1WhgPMjA1MzA4MDMwOTMxNTVaMBQwEgIBARcNMjMwODAzMDkzMTU1WqAvMC0w +HwYDVR0jBBgwFoAUgvliDT1KWEmaDmYqZXzu86XI0EswCgYDVR0UBAMCAQEwDQYJ +KoZIhvcNAQELBQADggIBAJC84PCNIihidIWxw/M1hknbHfdUGGW6dSe1qEdvoU4V +Ik8IchISjL7FO1CF3gotvv+Whcc1ojodC8VVceWaDAL3cb8+VvfCIfi9HFseLeCC +SV/SQQhlowee7FsXa7le747hNp549GV5AYIduZ5E87w1hibb++TylReDrbNrh4NM +Y5X5BRzE8W1exlvD+DzlRtQTrBm3kSWxGjABHOkKielL8IOzh60Yq17DLwzKHXse +JLtkPO0khHERYy5R7UY8ItuzynHA9XOJP4u3ssH5yWUg+FjJhpUXeHyZjR7vQGqe +CTz22JVVzWXBPBigUBe4ILnOZ4q85qCMQ8bAmZJJEzdTRTlnCg9+LCgeV7P6FUy6 +jRBLJ24At8CGXjC0BvpZUlXmSLuUVeAeUitfUzakh0CrVtS0knN+kycNa6Sqo6q4 +UPU5m3qJ/QYJ7/hzWXyYkkN2ZQ9UkQuwBRQKNb19WsOYsyzhsRHdFdrn9qbk1ln1 +Iz+xqaqSaQbOLDZ7D8kmyYx8iIMUNOi2jOI71iXXdfH2+juolJNoEM5LKkVSsk3Y +I0TIEzs1dqMDCkgOhXx2H9lb9vAyFQE1iMn6TesJGKCBtOb6N/hFSC5NvQzcET1C +0IwRRdw/gpq6CQesp+9WYJW1y9FenZ9xn05iRRfDFDdxKKuMeLsCMNFw7WashsLb +-----END X509 CRL----- diff --git a/config/testdata/crl_chain_cert_revoked.pem b/config/testdata/crl_chain_cert_revoked.pem new file mode 100644 index 00000000..2bd815dd --- /dev/null +++ b/config/testdata/crl_chain_cert_revoked.pem @@ -0,0 +1,37 @@ +-----BEGIN X509 CRL----- +MIIC/DCB5QIBATANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGzAZBgNVBAMTElByb21ldGhldXMgUm9vdCBDQRcNMjMwODAzMDkz +MTU1WhgPMjA1MzA4MDMwOTMxNTVaMBQwEgIBARcNMjMwODAzMDkzMTU1WqAvMC0w +HwYDVR0jBBgwFoAUgvliDT1KWEmaDmYqZXzu86XI0EswCgYDVR0UBAMCAQEwDQYJ +KoZIhvcNAQELBQADggIBAJC84PCNIihidIWxw/M1hknbHfdUGGW6dSe1qEdvoU4V +Ik8IchISjL7FO1CF3gotvv+Whcc1ojodC8VVceWaDAL3cb8+VvfCIfi9HFseLeCC +SV/SQQhlowee7FsXa7le747hNp549GV5AYIduZ5E87w1hibb++TylReDrbNrh4NM +Y5X5BRzE8W1exlvD+DzlRtQTrBm3kSWxGjABHOkKielL8IOzh60Yq17DLwzKHXse +JLtkPO0khHERYy5R7UY8ItuzynHA9XOJP4u3ssH5yWUg+FjJhpUXeHyZjR7vQGqe +CTz22JVVzWXBPBigUBe4ILnOZ4q85qCMQ8bAmZJJEzdTRTlnCg9+LCgeV7P6FUy6 +jRBLJ24At8CGXjC0BvpZUlXmSLuUVeAeUitfUzakh0CrVtS0knN+kycNa6Sqo6q4 +UPU5m3qJ/QYJ7/hzWXyYkkN2ZQ9UkQuwBRQKNb19WsOYsyzhsRHdFdrn9qbk1ln1 +Iz+xqaqSaQbOLDZ7D8kmyYx8iIMUNOi2jOI71iXXdfH2+juolJNoEM5LKkVSsk3Y +I0TIEzs1dqMDCkgOhXx2H9lb9vAyFQE1iMn6TesJGKCBtOb6N/hFSC5NvQzcET1C +0IwRRdw/gpq6CQesp+9WYJW1y9FenZ9xn05iRRfDFDdxKKuMeLsCMNFw7WashsLb +-----END X509 CRL----- +-----BEGIN X509 CRL----- +MIIDCzCB9AIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA4MDMwOTMx +NTVaGA8yMDUzMDgwMzA5MzE1NVowJDAiAhEA5LKR/OwUvSRpyHNs0jw+txcNMjMw +ODAzMDkzMTU1WqAvMC0wHwYDVR0jBBgwFoAUf0t8NPOvKbf8TAwCimQ6TL55cwow +CgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggIBAGdFRDMWIryk+QqDhCURClX1 +m5pSRH7AinqgzHbIx/MBiITt3+5A/RJ80WpUD1LE6sRi/RRvS3G5cbcVnKR6YlD8 +LKdY4BmYP+TnKg5Nq2S/JW0LR+25zeb4Uw3G6H4tAKJrsD6SezJ6KBEt6wfUs7Ea +gQb8lBwvT/21tF2smEwVIq/sKn2XAnMFRAYt1YnOK3B/ZKOhcz3P6oMLKE6rrJl9 +M1wockmTt+HWnikdJ4+H62jwPAv4RXqHxU56uEE4imzXPaUtQP16FbAgd8OmAASc +neflFCoxW/zQe3uMopbw/iVR05Ly6v2gb6EwWm1K01OCYUjkxr/jQIK9v4U7hD+R +WlpXYySiWe7tQ7JsCDVmKgPQOA0PafycCYt3Y/DrVAcF/vgKvsucMIVKWL5/YhAZ +WPV4P1SXLHl8FM4PbuB9Oo+BrN6IEJp3flHYLP/NTf6GSbcf3+LdRyhEy0USm6km +aeECBbAsL2giGnKGd0hJfWwq7fxQF7Nym0SE2EXbuAUhd/VOEcfHLY8IOSAqdYgk +1Ldf3ADavqB5LowwrcvIu2V2Y7ggTCfqgutBglt0t7U9Zfm6YnbnNVJbtK0FpPCY +SAceB2/Qzzbqy37MEXisrLMpmTbH3Mf4VGW+74igRV0qflFTr9YjKUebtzPsEt88 +tOmrMqUTgBIxFzxljdzE +-----END X509 CRL----- diff --git a/config/testdata/crl_chain_inter_ca_cert_revoked.pem b/config/testdata/crl_chain_inter_ca_cert_revoked.pem new file mode 100644 index 00000000..4d26fcfe --- /dev/null +++ b/config/testdata/crl_chain_inter_ca_cert_revoked.pem @@ -0,0 +1,37 @@ +-----BEGIN X509 CRL----- +MIIDDDCB9QIBATANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGzAZBgNVBAMTElByb21ldGhldXMgUm9vdCBDQRcNMjMwODAzMDkz +MTU1WhgPMjA1MzA4MDMwOTMxNTVaMCQwIgIRAOSykfzsFL0kachzbNI8PrQXDTIz +MDgwMzA5MzE1NVqgLzAtMB8GA1UdIwQYMBaAFIL5Yg09SlhJmg5mKmV87vOlyNBL +MAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBCwUAA4ICAQCoVVRs4VL1QTdjPzdzgLp+ +4jsACI2ymRPzyo/c6GzR/59IVLAEL/a4X3TNGfyCBnblYpOc6XkGyuNuXYHvqfGy +CLog78eQxbjgTKQkFm6LxHsP/ap3wrMsi2w0UsVLDNrl0bpdM3GP5daLdGR+8qPt +9TY7mflHmFmVs1nsMFWv31zexlu0LxdU2e0WXidSzUkSg20gBRRnQtPeYSWTS473 +Uns/Qv0ahbmfaHlmW7cssiLeYkBIZf7DdI8uBPvX5j6TorDcCu7iyB/hOSHug4wm +81zhwJJaGgjV/A1HMVVzvVjmmCX0KjRRCijBE1y67ZXusaRFCV0jzM/rCtKq9YZ+ +s9JuX9v936pJqUlddbOiW21boGjuCckIeczYjZ2og1PBGbWBbUZZb01aPgcIkunu +1G9e3f/z2tZvY4o/X9KTYxYf3HYaoDKSZO8GfL6uqwPrqcRmWX2JjJOBRLkI0Igo +mD1+Yakoe3SloaZym7BHajghsG8d+PKgSsFlS9MDY+/2UtI1mPrlKcPjuzcRzmXk +KLNpph3JZ2ByrdXhuw1mCLFD9YHGPevPPHEu7v0/BpIWUu2ZKv3QXAPc7o7JDSSf +Wad0pka9zi+XdiOGNYE/TSDudKjMfTGv6jViwcUlzGQyKXv0RYdF+yB3jakAf1Ra +PATq1Ob9kFIdCSU2jtTjoQ== +-----END X509 CRL----- +-----BEGIN X509 CRL----- +MIIC+zCB5AIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA4MDMwOTMx +NTVaGA8yMDUzMDgwMzA5MzE1NVowFDASAgEBFw0yMzA4MDMwOTMxNTVaoC8wLTAf +BgNVHSMEGDAWgBR/S3w0868pt/xMDAKKZDpMvnlzCjAKBgNVHRQEAwIBATANBgkq +hkiG9w0BAQsFAAOCAgEAORjQ7fYyUgmcMjbASqVjOC9oq1ZCqNODw86RGQ7WKJ3e +JjAKfs9Vq36xiiFKDx1yECdZMFpINf5dU+mjoR7kaRMLW9JbrW168+7ax0As7nsP +cLdD8Tg/NYeR9IvDPdFriSNDbJsTXoAfVkDjm+8a15o/DVcSPyla9EHkLeJd9PhA +/Dz4Cw8Ec6WlDQVsSNxNecKRE1wOT/o+wG1izuAqJsCNLiiQdcRzTQzZFapXisR7 +vxdi1/CozgJFFkGjNYsBaStgvn7bxJclf5lGv0M7IecfB7qcRLNkPzKTGOp9/MFy +7Prmy2/M+kjr92Su27SvIuu85k6MEUlmLnFtOWLucUsjo9rNZLC58hCjgWyVE/A6 +PwrYrmJkacyMAAuJX83dKAV5fJBtFwa3XjY0SWHGlhLhx25cpStYW9Ci1PsgQTwD +VYs3lS2CVrzJZBzvypdIVpEz7XtE1pV2qLcAHiCy8R0NxtXlIa+Sufv7KkO0WFnQ +dvcu/Otgc6UimtYSZF5kyMFffI6q9uqhsZqSK1MddO+2cPHc8//iJy44WYtUx/DU +C+bQCA6v6ARh44cCXH3BnU36s+g66cRBHI7d5/jPU4DuY5qo0A7RqcJtUaWpt1sa +W/33KveDg245Sg4l77su8T2FHb1y0eNVaqAyS5COq/K5dMc0EwbsdS/3KbbpSTo= +-----END X509 CRL----- diff --git a/config/testdata/crl_chain_irlvt_cert_revoked.pem b/config/testdata/crl_chain_irlvt_cert_revoked.pem new file mode 100644 index 00000000..968a56a3 --- /dev/null +++ b/config/testdata/crl_chain_irlvt_cert_revoked.pem @@ -0,0 +1,37 @@ +-----BEGIN X509 CRL----- +MIIC+zCB5AIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA4MDMwOTMx +NTVaGA8yMDUzMDgwMzA5MzE1NVowFDASAgEBFw0yMzA4MDMwOTMxNTVaoC8wLTAf +BgNVHSMEGDAWgBR/S3w0868pt/xMDAKKZDpMvnlzCjAKBgNVHRQEAwIBATANBgkq +hkiG9w0BAQsFAAOCAgEAORjQ7fYyUgmcMjbASqVjOC9oq1ZCqNODw86RGQ7WKJ3e +JjAKfs9Vq36xiiFKDx1yECdZMFpINf5dU+mjoR7kaRMLW9JbrW168+7ax0As7nsP +cLdD8Tg/NYeR9IvDPdFriSNDbJsTXoAfVkDjm+8a15o/DVcSPyla9EHkLeJd9PhA +/Dz4Cw8Ec6WlDQVsSNxNecKRE1wOT/o+wG1izuAqJsCNLiiQdcRzTQzZFapXisR7 +vxdi1/CozgJFFkGjNYsBaStgvn7bxJclf5lGv0M7IecfB7qcRLNkPzKTGOp9/MFy +7Prmy2/M+kjr92Su27SvIuu85k6MEUlmLnFtOWLucUsjo9rNZLC58hCjgWyVE/A6 +PwrYrmJkacyMAAuJX83dKAV5fJBtFwa3XjY0SWHGlhLhx25cpStYW9Ci1PsgQTwD +VYs3lS2CVrzJZBzvypdIVpEz7XtE1pV2qLcAHiCy8R0NxtXlIa+Sufv7KkO0WFnQ +dvcu/Otgc6UimtYSZF5kyMFffI6q9uqhsZqSK1MddO+2cPHc8//iJy44WYtUx/DU +C+bQCA6v6ARh44cCXH3BnU36s+g66cRBHI7d5/jPU4DuY5qo0A7RqcJtUaWpt1sa +W/33KveDg245Sg4l77su8T2FHb1y0eNVaqAyS5COq/K5dMc0EwbsdS/3KbbpSTo= +-----END X509 CRL----- +-----BEGIN X509 CRL----- +MIIDFjCB/wIBATANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxJTAjBgNVBAMTHFByb21ldGhldXMgVExTIElycmVsZXZhbnQgQ0EX +DTIzMDgwMzA5MzE1NVoYDzIwNTMwODAzMDkzMTU1WjAkMCICEQDkspH87BS9JGnI +c2zSPD63Fw0yMzA4MDMwOTMxNTVaoC8wLTAfBgNVHSMEGDAWgBTvFWDJkxY3FJ3E +GMTHcRIc74bhdzAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQsFAAOCAgEAuFIMJe7d +mOIPMri2NtfJ1YBzM1hXI0bt1Cq16jnY4yuhpuH4Gkux5nomvbPzqGBVmWxg/Q1a +AzIoLVXhYzq6xOl92sRSQ9gVFOVO/jRlTbaG+COanRe+naDsJQ2uoKCD9ZNyK15K +Iqx3Kb5qsvN1ryh9aiyna2LWfSrinkqdQj+92EKpaxiVSdxFfC56r5INB+3mPfxa +Zdj9WEy52ecWigAJWvsEzEUbwbHcdMN75CFE0kMgSIaQa3gcSTqf3HTQCAPR9/Mw +JyNox+4bigVVqpF/ppk8sNvbAh3Tgl3NsX0zNZP9B7Woc8rzST0MtyfBLf5lw/I4 +AB39RTZcY/Xt4EquswbmUSESvNtQySNxRdLlmbGWE5FaCdM7FmYVNAPyqQI7LfR7 +3VjMeEB9eNcN3Nr8vIDrBWZ6AUMyRrKV2u9nFy72jkKuICj1OcSw5ACv5AEd35aI +JY9Wq8pptnZI6/XM1kuu2ueax1zYd7n0u9GEP+lxgkDthJCxHAzLxQjuvR7feg+7 +IaB8PEAs5p8WZ8v0DyilC7C9cs02qjh14YJ3LB8h8keeZij+aRp7yewYyMfFu5Uo +WHNEV9KQQBP8+GCDcnd2n7yLR/EmjDRR6/Zm2BWpMTJOzQLrHCWiU5VB2CRz57Wm +xcbXU87c+iOUWrHBWf3MwdCRmKAZudRimaE= +-----END X509 CRL----- diff --git a/config/testdata/crl_inter_empty.pem b/config/testdata/crl_inter_empty.pem new file mode 100644 index 00000000..335241d5 --- /dev/null +++ b/config/testdata/crl_inter_empty.pem @@ -0,0 +1,18 @@ +-----BEGIN X509 CRL----- +MIIC+zCB5AIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGjAYBgNVBAMTEVByb21ldGhldXMgVExTIENBFw0yMzA4MDMwOTMx +NTVaGA8yMDUzMDgwMzA5MzE1NVowFDASAgEBFw0yMzA4MDMwOTMxNTVaoC8wLTAf +BgNVHSMEGDAWgBR/S3w0868pt/xMDAKKZDpMvnlzCjAKBgNVHRQEAwIBATANBgkq +hkiG9w0BAQsFAAOCAgEAORjQ7fYyUgmcMjbASqVjOC9oq1ZCqNODw86RGQ7WKJ3e +JjAKfs9Vq36xiiFKDx1yECdZMFpINf5dU+mjoR7kaRMLW9JbrW168+7ax0As7nsP +cLdD8Tg/NYeR9IvDPdFriSNDbJsTXoAfVkDjm+8a15o/DVcSPyla9EHkLeJd9PhA +/Dz4Cw8Ec6WlDQVsSNxNecKRE1wOT/o+wG1izuAqJsCNLiiQdcRzTQzZFapXisR7 +vxdi1/CozgJFFkGjNYsBaStgvn7bxJclf5lGv0M7IecfB7qcRLNkPzKTGOp9/MFy +7Prmy2/M+kjr92Su27SvIuu85k6MEUlmLnFtOWLucUsjo9rNZLC58hCjgWyVE/A6 +PwrYrmJkacyMAAuJX83dKAV5fJBtFwa3XjY0SWHGlhLhx25cpStYW9Ci1PsgQTwD +VYs3lS2CVrzJZBzvypdIVpEz7XtE1pV2qLcAHiCy8R0NxtXlIa+Sufv7KkO0WFnQ +dvcu/Otgc6UimtYSZF5kyMFffI6q9uqhsZqSK1MddO+2cPHc8//iJy44WYtUx/DU +C+bQCA6v6ARh44cCXH3BnU36s+g66cRBHI7d5/jPU4DuY5qo0A7RqcJtUaWpt1sa +W/33KveDg245Sg4l77su8T2FHb1y0eNVaqAyS5COq/K5dMc0EwbsdS/3KbbpSTo= +-----END X509 CRL----- diff --git a/config/testdata/crl_root_empty.pem b/config/testdata/crl_root_empty.pem new file mode 100644 index 00000000..9dc7e87b --- /dev/null +++ b/config/testdata/crl_root_empty.pem @@ -0,0 +1,18 @@ +-----BEGIN X509 CRL----- +MIIC/DCB5QIBATANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJVUzETMBEGA1UE +ChMKUHJvbWV0aGV1czEpMCcGA1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkxGzAZBgNVBAMTElByb21ldGhldXMgUm9vdCBDQRcNMjMwODAzMDkz +MTU1WhgPMjA1MzA4MDMwOTMxNTVaMBQwEgIBARcNMjMwODAzMDkzMTU1WqAvMC0w +HwYDVR0jBBgwFoAUgvliDT1KWEmaDmYqZXzu86XI0EswCgYDVR0UBAMCAQEwDQYJ +KoZIhvcNAQELBQADggIBAJC84PCNIihidIWxw/M1hknbHfdUGGW6dSe1qEdvoU4V +Ik8IchISjL7FO1CF3gotvv+Whcc1ojodC8VVceWaDAL3cb8+VvfCIfi9HFseLeCC +SV/SQQhlowee7FsXa7le747hNp549GV5AYIduZ5E87w1hibb++TylReDrbNrh4NM +Y5X5BRzE8W1exlvD+DzlRtQTrBm3kSWxGjABHOkKielL8IOzh60Yq17DLwzKHXse +JLtkPO0khHERYy5R7UY8ItuzynHA9XOJP4u3ssH5yWUg+FjJhpUXeHyZjR7vQGqe +CTz22JVVzWXBPBigUBe4ILnOZ4q85qCMQ8bAmZJJEzdTRTlnCg9+LCgeV7P6FUy6 +jRBLJ24At8CGXjC0BvpZUlXmSLuUVeAeUitfUzakh0CrVtS0knN+kycNa6Sqo6q4 +UPU5m3qJ/QYJ7/hzWXyYkkN2ZQ9UkQuwBRQKNb19WsOYsyzhsRHdFdrn9qbk1ln1 +Iz+xqaqSaQbOLDZ7D8kmyYx8iIMUNOi2jOI71iXXdfH2+juolJNoEM5LKkVSsk3Y +I0TIEzs1dqMDCkgOhXx2H9lb9vAyFQE1iMn6TesJGKCBtOb6N/hFSC5NvQzcET1C +0IwRRdw/gpq6CQesp+9WYJW1y9FenZ9xn05iRRfDFDdxKKuMeLsCMNFw7WashsLb +-----END X509 CRL----- diff --git a/config/testdata/self-signed-client.crt b/config/testdata/self-signed-client.crt index a0a5cdc6..45f28c89 100644 --- a/config/testdata/self-signed-client.crt +++ b/config/testdata/self-signed-client.crt @@ -1,30 +1,30 @@ -----BEGIN CERTIFICATE----- -MIIFLjCCAxagAwIBAgIRAMMSh5NoexSCjSvDRf1fpgUwDQYJKoZIhvcNAQELBQAw +MIIFLjCCAxagAwIBAgIRAOSykfzsFL0kachzbNI8PrkwDQYJKoZIhvcNAQELBQAw NjELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxEjAQBgNVBAMTCWxv -Y2FsaG9zdDAgFw0yMjA3MDgwOTE1MDlaGA8yMDcyMDYyNTA5MTUwOVowNjELMAkG +Y2FsaG9zdDAgFw0yMzA4MDMwOTMxNTRaGA8yMDczMDcyMTA5MzE1NFowNjELMAkG A1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxEjAQBgNVBAMTCWxvY2FsaG9z -dDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALtrXxnHr7eUM7Xh7awY -LwompmuznbTa/8+OsihSaelUN6RDsAdm7eOMA7KMqZB5NOfeDqEqMIUoaoQ1gzIm -0BJ4dCgi99SnA8b0MjAGqUpRJ3gLLSXsPa5647gxUSP5zQ0hWMMgGaw4rJ9LDOtU -z2S8dtqKTHrXl34mpdsLrZyLXwyz8UJ83Jq2Ngx4cApZrbs+g1XlMRV8Vh89Z2bk -bbKmDYmIOhTeE1wLdrZ/XecEOvkGZcj3bWiO/yTnP8mTER2hTvSxUrpyHn/55LkU -8PR6wCO7hntZ9LLWxg85XTRdWL7cIyjgJgfL9+hVQQyNEjWC2+LTq1QExqa+IxoH -iL4xX/1y+6o1W5XKLf/uplgaWuSK+mjQeqc387DwYbj61QWOjCoaJA1wl6RHuGGV -6ygpdAO1l8o+2U8nuULHW5lx+1BtMG5ytAXy9dWPercs5L8gh1IRNCVXWKsQCCWg -iG67nErFV5iRFLuAIX7ixLKJ5MGp/fVKUI9V1EViM2GUU46PVAPhhlZ1qcygjbZ5 -CelBnQ/XvGof5b4zm4eEgCc0ZkqsQDeS5jPjTtES8/y5WEKqbyijmvx2P40nuO/d -aTxNretMwaptWzu+WXHih0WG2Sq85m41070xsIMEwlqSfdiOOPdax6393NJgkdM7 -5NKC3+pzcHK1S1+x/Guawv0NAgMBAAGjNTAzMA4GA1UdDwEB/wQEAwIFIDATBgNV +dDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOuj5H8NBXbdfP62rBfK +WlaZYq7uHkh04KKSkiOgUd4hXFPNdkGIT6+E5MsvtH2QmMv9qnwTlR5XLLoF2sCV +22EoZQMLRqbWRJ2zt8sgYMBVZ0SSZJnfotrZDOEymlfLK+TT+dM6OeGHHHGsWmXV +u6PuVd56XDFuVF0p/caHGL981lCaGUgtVtZNuPyEYA8pAb6VZunugIYsHfEjL7si +eoZx0BGtWKsFN6E8Cw3qXSDN4TyzVU9pFuPv40AOYu4d2hg+iOZRx/B2V76s5sAC +4N5ZMYPkT4LzvIeSTKGwq7538PO+BOny4JH4aW51u+Q8GkuLCkjo1uBIvDW5PblJ +ouVeHwYbBNJyr/WyTpmTfewgNzNV8GMh/6AlG0WlMYu7NNegSJqWGp7wN/MrAi4F +xcbX31NQv56yFmyQlZrIw1gjphJ2oDqEyBLmii4IY2A4kyeaOyAiYRASJ7MIVU+s +J6/bM6F06CW/SDtcWnt+JHqCZeoD5NdN/5FaAvEmaMALPuOiMlWUxNkacvJ8ZwOR +csr96zgLpYO3yTR1VtWWRmK+Ll2nW2Cz4Gd7fY9oHwL71guYGSfliQTIKZAPEc1B +O0NPuCmU4Fh7m/AaBc3A7QY1QXHTUDhGJJ7bcO+pwNQe84zoufhFXKL8gTr4yxHd +mcpBGi7dZLdBkczMl1HiNMl1AgMBAAGjNTAzMA4GA1UdDwEB/wQEAwIFIDATBgNV HSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IC -AQBTLnU8jFCmYpPUBOqj/xzBqokiQK92axG/h/3JgB7fFSLzUCV3NtvwBVCU28rA -wHwBYPjmGhi1vyHha/hb6V2WMPt0jhMRpNxCf16dAMoyIoWNas88vU2Mef90Chfj -8e6wLtzqAquX/ruwIfsOMnbcSGuh+y54DspCXgsTZ9cnCI2lnQroXZi4WUqi3Enj -mFPpVc+mMlffGW6LISo3ehRLA7k3/01yJhqzpTQw44k9ZfJ7VXZTRJKJsaqeljzV -VfzDbDfW8ftbZ8IWQGAOQfTa23aHIYcvJfvyxpfQRyrwRxjGytLHoOH/G+1TZuOt -KBJ2Xdi9qrr+Wep4eNJm2cTBd1Fpr0hWZ9K27BwwYdZZF8Eu8eP8hSeRmA4PqzAj -HauCl8PgWJIWzMloXVZaGxiYX7sGVs79m/Yl9A6+p8RTpK7DVB9+sDIiD2bhiZqL -i9YWM8aD2cR20t2ZkuBBPlVTOouF/WotOWrLhT4J+SngkdmLkAjP/5jPFvpTfeGi -THyAmp4gigwaM0nIZskPcPCbkk+zFYPToyS49ZJwQMzqK2hkjyQ9LyzUdo9vlDjL -8lFjlUZzqaR0DF3pbf8fs5/16gPurR65SU/ebOs+uxZLYJrP2zKmeISE+q4AMudc -rQ0Z6KmGUiXnIvpB105UJ7jlXCxbsruc8gRTbjkgW7yoXg== +AQA5qKiFgmYjOsaCMueLV4H+wMlJPzaP7A7GH18SGf+yAnI3ZFSA+D5KiheqFZB9 +Q9hMpCwk9R2AspPad4fENzFJSzQBcZP0+rLJ2DinYmCxNL8xZmIAGQL9DNb4XQX1 +4DVI2SqM7UWeWOIBA6Y2TWFbkc5TIQEXc5M6LLZWWFzLAkAFH3/ezudwEd79/w8d +V97nMrq8n4QlP0JeR6OCbRghGhssElH3osxjHmOys5y++9S9rhV4RlOzXk861tDU +HKInBKdpmo4j4jJu/gsHb0UzyENK/lMcN7pxz0ef8iZIWkqaT6KrL0Y0HH+BCkQ7 +4V0q7/OmUy0wC5g+IKRjFvWLVm0Wp7WkxjP0IxE00+eV41BmsMNJHel9cHNXGzOa +eVGbfChNYq8ixo4YXuiBtDwGqqnfyWEQ4lnDtGlAZgqZKIHXPWVBUq7wSwHzRUcn +LQfuD0rnwMFDCXLazyMuSydVZNzP74Xd1BR7ZrTgNiSq0ZFxPQnImYq1WW054Rmq +OXy3uBy8aYScZ9RcyvASIQu8gcfJq4eJLL0yXPN0Pwsma90M7nZibiJZoI3mxqTN +rV1TxrYsEMcjju1ExYC1mypNKRQw83dxvKrfH69DA3qw0bUnyacgIjPHacdqfMYT +RrWXNpb0GBtNMpMp1B5iv6ew0Mopmnsm4Xd6JmLk6aYR3A== -----END CERTIFICATE----- diff --git a/config/testdata/self-signed-client.key b/config/testdata/self-signed-client.key index 4e4b2c2e..8221fb28 100644 --- a/config/testdata/self-signed-client.key +++ b/config/testdata/self-signed-client.key @@ -1,52 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC7a18Zx6+3lDO1 -4e2sGC8KJqZrs5202v/PjrIoUmnpVDekQ7AHZu3jjAOyjKmQeTTn3g6hKjCFKGqE -NYMyJtASeHQoIvfUpwPG9DIwBqlKUSd4Cy0l7D2ueuO4MVEj+c0NIVjDIBmsOKyf -SwzrVM9kvHbaikx615d+JqXbC62ci18Ms/FCfNyatjYMeHAKWa27PoNV5TEVfFYf -PWdm5G2ypg2JiDoU3hNcC3a2f13nBDr5BmXI921ojv8k5z/JkxEdoU70sVK6ch5/ -+eS5FPD0esAju4Z7WfSy1sYPOV00XVi+3CMo4CYHy/foVUEMjRI1gtvi06tUBMam -viMaB4i+MV/9cvuqNVuVyi3/7qZYGlrkivpo0HqnN/Ow8GG4+tUFjowqGiQNcJek -R7hhlesoKXQDtZfKPtlPJ7lCx1uZcftQbTBucrQF8vXVj3q3LOS/IIdSETQlV1ir -EAgloIhuu5xKxVeYkRS7gCF+4sSyieTBqf31SlCPVdRFYjNhlFOOj1QD4YZWdanM -oI22eQnpQZ0P17xqH+W+M5uHhIAnNGZKrEA3kuYz407REvP8uVhCqm8oo5r8dj+N -J7jv3Wk8Ta3rTMGqbVs7vllx4odFhtkqvOZuNdO9MbCDBMJakn3Yjjj3Wset/dzS -YJHTO+TSgt/qc3BytUtfsfxrmsL9DQIDAQABAoICAAyGlIiIi/nc8cfKHbROuXYY -Ny8jhfq8WDRq+QUw3Ns3QbC8xVr5ShTXGrgoJnz9XMfSU2/5/dwoY1YKrYYAig9x -9XFpRN71eo8lauVCzLWmzth7Br1uGIE8vVNmGGIrI8Uo4WHJF24nK4JJ5cckl+fH -oLniXFIpbnqD4rnNAgFgXy3eKNWkuqmsW9hhhDts2uuUtfpbovgooyjbVbnOsnYq -GuWCMT+LyAdyzLBNutzhr39NKihQQQOn6u1wdxbluVMdoMVBxKGpVth+vwaPm7r7 -KTQ6KDa+QFhjekEyOERzqKa417C3qlMDEsJ4UCyikQD6ie+S7fRjjVM/ieEHd+AA -66CbJ8u3yfXxaicn+SPCeHVKd4GKmJgsg1KDSSg0+w5JWwmAiCJjEydX2HOdx2ys -SV2C4o+gxhA48U8ZgGTVoom0OgouQ7rnMd6n3juBDq2/Xp1FeDcE39yEffN7t4XN -vHfD7Hjp5capxVyEnpzu0tTVf8KP00NJKtS6I7d8IavUBCgFiJZFXJWdsbhgSsg9 -UdypUMd6rW81VaaKvi3JSjWwFpmUVAhr3hFNyQB9+2rxvDCWhUqFKWqjWdPfMgxx -qO6eam1S22vrZcyJVkfTzArFQd0J/41Ak0yErLJKLTDEYaBRxFPV0ujWskrmU96c -f+m4/k7p3sD8KooXfrERAoIBAQDWSmsFzSOugShur9phJV162XrtbOnV7n1Ko0Vu -U/ftohC5FNq0kHxAkY4kGMz2QHdJnqpQoJaCK8pJ+8nA1Osutt31tS3YrOotlNwk -KsFSiy+i9xf4NcOr9xKoSEstFPJeM650xPfVP1p4sq87BB2Z3uWfLtWnRxTJnpA2 -nwwtdrK5fO3pZnVlWQ4akqbndCjUWURXVOVxDHCyDdwoiz3BpGmVV6jCYanC3e3S -E7/OlRLJfRAXoCEbzFsQpsOYncaEG7cAz9pBBXA6VVyEPlVyMG0GHs30W7aG5Bfp -IcbhacGyjdV5Wwx8WGun1pOHoclLX7pJ6jOXLobpUVH4FUNTAoIBAQDf5gX9aBqK -QxBYcqhZ0aby9K9ZAXSRr03drf4s+TXSU7rUdBqV4BRj1cjQLB6pxpo2ryLoHhkf -tLVRnEWpRgSlfu7qSYxU8rNUacAKAPnebjQxU6NMVzFx7zDQz4TJT2StsxoSIw+l -O4MwWDvIxHcpjIrl1eZh79BSzrq5dsf3vrPCM+Xxivdkx82WJqiVX/LrY3l9R+kC -ud1b3O5vFdhpo8e0sygCdF0+sC0jwE82SCjMMGHMZWd74rmkuHFpJ1xSQf9/jRCf -yKhITI/su21FS4rn1rApWpzAvhfhV7HqnwWzFTtmLeGsI+yW4fb1j6oK7t/rVZ+p -lnwISXpOPBIfAoIBADnMttNIwsAV7F72pdOgLXeuY37Y6rWeb0MLiPW6RlxdY19Y -pakgc7NCz3EjE120g7hiyJOYzR/tSdHszT1q8MiX4ISeyu/vq/aBeWNz+NMX4dB2 -D4wOjGm86dZkMYrGZJ1OGVc7rZFiVjfKEoO7l3Rib9Mg4dYN0SiU0Vc6TSGSK6Dm -dpGG5lFg1PIL7mLtrPmh3lIj/wMgFOGh5Wk2LYEmpKf4jfdoOk7qZ3RLiWfiQ7// -MLD+qw+BbmquYIGwxNPrWdApQDhbjCrfzWWKHqf/Mdj9xBWOC0yVB3IFf0xbpzhP -E255RYPgoaESupZR6CahenDnb+TuUstp+M8OhSsCggEBANw/9gJ65yi9ohWv7MY2 -g+maI+gFk3tAnPOGFnR9TqGxdidKc2CeBtDS2/FUhXFzif5jOI5oFUToSjmW5bwH -wchfXn0gjqh9+0T9pkjw/tv9QuCHKyuM1noC1t2CVliF/j8U4X+X9+sN6RakpWLx -SVuZAoXnbfNHqoHbFToei8W9Vi2jSf7bOlRsbGPZcZtHwLonp7pDBAeHeSbF5dNn -BPWehHTQjHolqBhjzHPP2NxIDcIXkg00b6Ehvoc4XXAYpSvR+pmp1gGorUo57pbt -JSe2kVVRDwgPOAYuuWUWFFH9zuiE6WKxnb7ts+4VKRAVHCwXIjTpjN+Rxj+MsIDH -fPcCggEBAIRgZPwB6eI+rvYOPUGSeU681O+8/ZgjyAi8HSOk3dCc3J2fX31m/GsR -xM+FExbGYJ3BfdgB9YbLSI8eY7weJRodm0FoCuHePu81z4xj9yEi5hBodXhhDjQM -/xbgsSWeotQ+5lTmc5hgve1hl+3t09qNttHaELWASD+0ixBC6A6J4GB68ZKRIunW -+ZGiEvrNey6Uunf7T/Wgc+VDcA3HsniaY2yTZY/jWsmDxt/BAwUaQrNwAbHvm/1P -J04mvCreWfOITe7CURcLq4FMGzsCEXtdQ77/uJllew1Uv2Yn2WFUiqVxH+UicR1P -vOJ7/LvbOa8BlIMsprB2rz3PDSUSaIw= +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDro+R/DQV23Xz+ +tqwXylpWmWKu7h5IdOCikpIjoFHeIVxTzXZBiE+vhOTLL7R9kJjL/ap8E5UeVyy6 +BdrAldthKGUDC0am1kSds7fLIGDAVWdEkmSZ36La2QzhMppXyyvk0/nTOjnhhxxx +rFpl1buj7lXeelwxblRdKf3Ghxi/fNZQmhlILVbWTbj8hGAPKQG+lWbp7oCGLB3x +Iy+7InqGcdARrVirBTehPAsN6l0gzeE8s1VPaRbj7+NADmLuHdoYPojmUcfwdle+ +rObAAuDeWTGD5E+C87yHkkyhsKu+d/DzvgTp8uCR+GludbvkPBpLiwpI6NbgSLw1 +uT25SaLlXh8GGwTScq/1sk6Zk33sIDczVfBjIf+gJRtFpTGLuzTXoEialhqe8Dfz +KwIuBcXG199TUL+eshZskJWayMNYI6YSdqA6hMgS5oouCGNgOJMnmjsgImEQEiez +CFVPrCev2zOhdOglv0g7XFp7fiR6gmXqA+TXTf+RWgLxJmjACz7jojJVlMTZGnLy +fGcDkXLK/es4C6WDt8k0dVbVlkZivi5dp1tgs+Bne32PaB8C+9YLmBkn5YkEyCmQ +DxHNQTtDT7gplOBYe5vwGgXNwO0GNUFx01A4RiSe23DvqcDUHvOM6Ln4RVyi/IE6 ++MsR3ZnKQRou3WS3QZHMzJdR4jTJdQIDAQABAoICAGD6hqOzXDhbV4IM9C6mXR+e +6PpNjbEMSRcfc32uEYN1/2WN/clirEj0TKVC8OlshTYPJAcEmC5wejvlBO6Vvj/y +PABQt7caIAs3V8EFhkwh2epixXx+iavAAIj+Jn9TYrE+fGbuY7vpu08dO+cFW8BP +6o8xlJfTbG0bRxJZr1m/qwRpJ1aJMl/ohOWIJXCX09v36O8F9WdC6N/BN3ew7PRA +Cv37da6M6yQ0behAOCu0D6rHs6iG+6C7ra9DPHv7VTL9KaKAreTND7etuRn1FU7t +Lm+1mvOuFD1HfLpe15AAFO57mdIe30W0EtAfLED2a2wDwSvYh/aueKczoa+MGrm5 +H0yedLhqW/IQSl9rlKNYmJTVVfTUja7Qxg9QszxXVUbtFwF4YE+jfP3PNwkJUS6y +LuKWc+ylCCZDH0oRgg2vrGvcvPv7KZNKYJ2eLp6fy+jiUKpYhKIZDndCQLETatkS +Xh+iWwNS0dxRyFdhOlgglPkGm76XaUKlSfU+uSk4iFIjAcKz1uy+vnCjZgEJC4ij +1FG0LcDF5QKUImsh6QI9mF/KFLnGtqYzvsk62LEcDu+aaORH0X4Dsxo+h2nO20l1 +faGkNvYbaenNLg4LKQxhFJP4yMy89DcEOwe3E40jWqngOBz1+cxDMHH6WbEdiSH0 +CbXGSlELyQ9ng1dCN6rRAoIBAQD5ESYF1ximzBCm0t6W/VG3zxjVYq/91gy1MXRf +1evB6jnEWkIdAPSID+gRrfi1cyoPVTllGbiIyEKSCGWUE0cl5LRW81HEsnkeqMAr +RWph79pw50S/eIOCpU3nihZSNXq6/fQOtBVDmlv/8z8h3PRgMZwXOmEzJC3+wjzF +mp/PtTjVTXHboyuju/w2tpIER6/SBAtefbcolcdGMrywSbD5VQsehd2ayMyV2+Md +4DKrWHV/is1cXMjYQBa+l/iA2loCt7O+Z1dHPICCo5cfrHW3jSBG7Z9Ciz8LiEu1 +vU4BbEK1oLKgTnZSbyFnbAPd/KqjJKxl3F4wIGL0zfVf1XRfAoIBAQDyMxCV8bad +uJKBjR8LWKLJVS7ox50/2mydAgAhwp1n3nhTsXaCbD1yx91suw3J3dTADuWEBFPL +yg0vgxkHKozRUOGCuAa0HEwarwybqaCB6cvoDO54v4WPFh1xW08HS+B9WJ/XUJkt +w1543veg3ccaOJ3/TKz5CAQKE8SBxjEStd8VwB93IeZbnX4/GJ3Ah7AAYrysjZzq +kQGn0r6dIV4RlwWX8HgEeRdcy5PTKv8K5lX1swCqTLcMHBAsR3xieuBo1shbWHJH +2UsAW+skslnNATnryNydFXH0kFVrw2YB0NEjjVIdkao+gh/X87Gi4ZRs1cqZ2jUY +VSzKDhcYCrKrAoIBAQC8/ng9wkRgfUS9chGZvUt/ENUlRqeJFB28eHR4LFmjYdrH +1j2IyKrFfFx63ep1tZfa3q6YuvW+RUfOjDSYMjCw3mTB/gy0F0G1NBPuQdRB0MGP +Hs6aBBa20jzVT4E0jIQ+1GmXpqrkC4N4KtpjFckSHVL2hUQwjGmigT2gLH7MHBWu +NgAJzD1XF1SBJ/SQ7tzJnmwKHZcYYt89s05e7uwtpoyzcpz/0RL9PEeQ6glI3+z5 +BRhj17xH7AnWQnc9P3NB0KfB+aTO12gkuYH5dOI2kA5IBBPvaL5EP/5DQAyrI71T +GUeyQRej4dQVKG+eyRWqii+Pc7K9DjZI0Og6+jw9AoIBADO/63ROYDmU/WDG+XIg +LzAbjllYhWXmUry9d6+++IkABO/FBFBbtkl3IP2hfhG630FmLW4myozJkEWtmkRo +uAvlXznh/jSvsyckbeo4tT3s6Y+ca7vLGEt5azMUUm95q+68Z/LGmuQnUWE8Kubp +XChjHoc1J+RR7SMGFD+yTDv2NkNceJyo1qKOpTHwHYzMsTNz5WJtI7EO6K6mHepO +/d1+Skirrcku4moGaYB+OF5o1scXxzWcDKR+vonngFE+dgKQmeDCpjBp4leiTDzc +Csn90BVsJo89zMp3qHjNGFec+YLCKGB/BkQy44Dt5e+qiV8z0wVKlXusf1Rw7EhL +yN8CggEAd2LCoDA+jqI+t9i+2iIJZi4/HD4KBJhv/xxOfX68IPeA2/7cviC/+iBw +vYi3DgJ6G136e3ZDb86pXItu6cRwkx0pK8NzZ7pJ0bdsGY8LQ112Or6bgEq5q35A +CF5luP633LmOW9n0l/dNWKCt6ePRAdxYTE926/mNFHYjv0sHU8FpHEAts1pp8cZ0 +Bo6vICibJWGI0VQx/AYDiT5a2Q8u8JqxVYBklFECmqW15+JYlbKhoj5o+xpSfdgF +Hc/vx5UyA/dwxhiiVGVY//bHfk6WCROYtqBMBjOgerclAhyJv40M7RzzDNRCOBbl +3Y+cBLZchfsopoZIrUO9ItpzMk1DMw== -----END PRIVATE KEY----- diff --git a/config/testdata/server.crt b/config/testdata/server.crt index 1b86f58f..a90f5e04 100644 --- a/config/testdata/server.crt +++ b/config/testdata/server.crt @@ -1,33 +1,33 @@ -----BEGIN CERTIFICATE----- -MIIFsDCCA5igAwIBAgIRAMMSh5NoexSCjSvDRf1fpgMwDQYJKoZIhvcNAQELBQAw +MIIFsDCCA5igAwIBAgIRAOSykfzsFL0kachzbNI8PrYwDQYJKoZIhvcNAQELBQAw aTELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRowGAYDVQQDExFQcm9tZXRo -ZXVzIFRMUyBDQTAgFw0yMjA3MDgwOTE1MDdaGA8yMDcyMDYyNTA5MTUwN1owNjEL +ZXVzIFRMUyBDQTAgFw0yMzA4MDMwOTMxNDhaGA8yMDczMDcyMTA5MzE0OFowNjEL MAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxEjAQBgNVBAMTCWxvY2Fs -aG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANPl1Iv/z+M8jHHU -SggOhvCS/0IfNi82+OprwalmhSL1FyRrGeHDpKArIrHhal7oukizJq96wKTddUVu -hjPR7srSYX7J2oPznjb2FmLHnD8y+zxO83XNA5WCDB0yA/KhWHhDmd2pihTTZOo9 -jvGi3+LyIqXUeiwIpxuNnH2ghoUy+DTzNCknLkIKAVnDPoM1AI0Wu24rs14A8ZVW -ivzY/P8xGwlMmDndrrHwJzMSEMeH7IJi9hx4zJalpoYTVq6Z0Rv0+7SpS+iswi/e -MILDhmSvLw0R4x31xkzsPOtUsocVjgBCGGGHo70ISsAxsL6E9QFe2uwZSvbBKfou -JaM0txRIZahMeHy5egh2+J08vuZKo9PDBWwKwqQZ4Kb7WtgekiycLmFa/OYHLUX+ -Ow8QXu5HU9v9XlP9GV2FQDka2IuMTtS5JCEt5e9ddSb4KVbkRAhfL2snA+w0nmrf -CBlrlThFz5Evy5QNAo1ORwiE+8gNUc12EAu9K3TK9WSUYNrLCbkN3oBL+DVp8Y6q -quUpKEbElhsJ9V49Err3LPaXpz5aW7Th6oFq7UOB7chqKQ2SNl3/hTlNUw8wFb9Q -i8AXs+4SzHo41IEe9QZBvpeucVmdewbJKvNS8Uxs2wmtTq2G2Ae3qGzWl682J7aU -w1X6Y46OanQDNtDVQvGN1CW5kvCXAgMBAAGjgYMwgYAwDgYDVR0PAQH/BAQDAgUg +aG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANLceYfZ+R+KrdrO +kmxzGlc7vfXQVr3RTIYNNfKUSLLshUdIqjnbhpYyf/f9xuiA5B3Tx6kseBgc94g7 +426cLbjH12oOXH2uINZPnEj4k7vaRPoUnWh+eHNqD6mYiHWDuHzrCAltfXjOPJVS +L/IeDGYh47XYtWhm0+x2Im2tPL1sN9WqaNuWMfZqD5u042CjIv1hHoF3I3EXiAu5 +p+OmXL7u5BKs9AusLsFL1neDvVeDXn83vkd91reCYuxg1ySJW81g8cGXKeBL71v0 +CMaeaJ6epdbhpveemmNXEIHo6898jh3oDuawfVY7CTBfcOFjBPpfiLP1Pv9eAHlo +SMC2NGgQRbtkhTIP3Uut9JkHuwOTsvcbhl580a+Pn42MysBCxSgS91q9OFukzYpE +yS8oHOu4nxIXvuKJExRsAK4kMmlH433G3Wvedd1quRuYl+A4NCy5ytmJwZTJuIAU +e7cIk4yH7HCnRSfvxjT3a9InNCZCPwyt+oDIHgOS7y9zMcSSr8Q7tKmXCT3Ga6rp +Jcg6kQKsZ/av3oT1ahTHrZI0FiKpFUdEeykjiOmslvJXWMGBtAmNt3wetLg/kYhO +B67Ds+mMXxlER4vuGoPsqaA9nLsxTbP79GAjo6W2F7jgXQiQhXvBGcOQZJH1lhz4 +Q5Y0vCFnmfmmmB3IWFlB6qdxo7VtAgMBAAGjgYMwgYAwDgYDVR0PAQH/BAQDAgUg MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB8G -A1UdIwQYMBaAFMaaHh5g0+YopeLd1IkizXyK9K/zMCAGA1UdEQQZMBeCCWxvY2Fs -aG9zdIcEfwAAAYcEfwAAADANBgkqhkiG9w0BAQsFAAOCAgEAUXL/lzbgbs6whVrE -3wkp0oDGVZ0Jti1hpeQk7Slt3PHsgu9OQOSGcv9QHs0ybhkDWZQjoCH6Nurx5QaY -GnpNQjylfy3zAziO0c7C1uXf7Z9AEMQwbOHFLefnvq86MtnwJ7sadQo+ViwtMgOW -He4YhkTyu2CqK8GFXRQUNm/SunffXp5zErPCNQURh4hrDUGlXPzyxgx1DyqFvF4S -X8IpsoED3d7cbEL7E9dgXNl7wuy3qoPi9P9KydFTIELBGt1oco980S1attSM9159 -t9iUIUMT4EdzmZxpIyJMCD+Lz9Y3zWVyz7DTqFWOtAtmhM4lu44K4S4d/JfAGEal -3h3SMCbBPKwpsloO4r9TeGi2f+T7hfiFMdCezEyG8sXrObCDyVudyUnXnxDkZ5TQ -NOzqJaUJHeKzb+Z9WSovce3Pb8ok3GoDugmwqyjuN/rz/0jsDTJm18I6HHtONbUp -AIV/H/4+Kewc+Ztv97J7MeQB/2VKcY3vpZpMSEkg2ummRhXUfi0haxfoSCKvRwiD -BElUVtwHTsn3OBnKMGcBt32iLVsvbb/0AtNpohznPdQT7dqDVguejmwHn/fc4u4Q -vfAay/ACARti9XKGplQi7xn+OoYcAVPLYitYBRNEc6t+4f3EKehrDIMRCnxOFBVX -9Dnm1DebturSQQEOuX5rP15lG1I= +A1UdIwQYMBaAFH9LfDTzrym3/EwMAopkOky+eXMKMCAGA1UdEQQZMBeCCWxvY2Fs +aG9zdIcEfwAAAYcEfwAAADANBgkqhkiG9w0BAQsFAAOCAgEAJKNu1UBKtIPJKkld +TXMQQukRMDkckqkyUcMWJkSPxfyPGYjSdcUScUnoMjqdxvcUoTWNKguHfrmaz0mF +L2219vsKfmPKv5efxNy1z/YiYG6qAw6mlKmEvnCXsrDWM9097p0gvDFkzzJQTNi2 +8dDTSPdZHNAfzhLeYEuGNdYi/vzp1OBqlWEy1lmLixzPsGwpP0bhcJlyFzuL+nFk +/aD/IiJ0TBtLMx1YH9VI9R/hbJl1qyqP0id8SiN47MWaC0UxktETN0kjwKgL5c9N +v571ZbNQgPDo23slA8Geh8q93tmVtwIlNDWxgXY9Qfj9DpOLl3HokCyTT9P2KGfc +9OwuKmjw30p1XT5Mnbthq90tsRDwe8w8s4kTucPQXEIPYikdIFFoSzwRVxW+aZL4 +4lSiqZrxqDjfa1njkofWD/hrVWTkV/D2do8Yv1ixrasvL0nwxx7NjK7ZS2vtTO96 +n+ocTBsE1NcuHpf9Wy/bsojqV3iyS0on9d/PhmthyMlS3pfs8ZwhVoVkxyTUP2/I +zVzjEM80HLKkycvb1b1Mk+/JL7aL+CBudp1LIp+fqi1dfSx3ygrGqTvYp/MZa9Gi +EbnmK3l8iZf3872LKd/Ku13t2Fe6kIHuXSN0ktuM+ZP17HCPBhsKAAn6bsAEY+xo +4fJX0u1uURY6ZU1hDvEiSw1IlhM= -----END CERTIFICATE----- diff --git a/config/testdata/server.key b/config/testdata/server.key index 678da7b1..b4c2b779 100644 --- a/config/testdata/server.key +++ b/config/testdata/server.key @@ -1,52 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDT5dSL/8/jPIxx -1EoIDobwkv9CHzYvNvjqa8GpZoUi9Rckaxnhw6SgKyKx4Wpe6LpIsyavesCk3XVF -boYz0e7K0mF+ydqD85429hZix5w/Mvs8TvN1zQOVggwdMgPyoVh4Q5ndqYoU02Tq -PY7xot/i8iKl1HosCKcbjZx9oIaFMvg08zQpJy5CCgFZwz6DNQCNFrtuK7NeAPGV -Vor82Pz/MRsJTJg53a6x8CczEhDHh+yCYvYceMyWpaaGE1aumdEb9Pu0qUvorMIv -3jCCw4Zkry8NEeMd9cZM7DzrVLKHFY4AQhhhh6O9CErAMbC+hPUBXtrsGUr2wSn6 -LiWjNLcUSGWoTHh8uXoIdvidPL7mSqPTwwVsCsKkGeCm+1rYHpIsnC5hWvzmBy1F -/jsPEF7uR1Pb/V5T/RldhUA5GtiLjE7UuSQhLeXvXXUm+ClW5EQIXy9rJwPsNJ5q -3wgZa5U4Rc+RL8uUDQKNTkcIhPvIDVHNdhALvSt0yvVklGDaywm5Dd6AS/g1afGO -qqrlKShGxJYbCfVePRK69yz2l6c+Wlu04eqBau1Dge3IaikNkjZd/4U5TVMPMBW/ -UIvAF7PuEsx6ONSBHvUGQb6XrnFZnXsGySrzUvFMbNsJrU6thtgHt6hs1pevNie2 -lMNV+mOOjmp0AzbQ1ULxjdQluZLwlwIDAQABAoICAQCxGs9jlBQ1YU4hdcXKphmy -yan/ogavv8qcZCQhakasyRzmm32ubM8T7/m3oyg821eXm+Uhlf+dzFtQBOi2NyjW -7LAAQMYas2vxlA1x0lSNnhbOeU6Tjx8HvwJRBJS4HpLLMfVQh3uZnHYkMf9fhzqJ -fMfowoa6dyD0ro+1kI3elpNN7lgSbWUEXUhztfRxxcMIKY/OrUflsfQ5VXQlkVck -E+78/r/c3aQ9pPOeg+LyYnETKZN6iJy27Q0Z0uAIXxefvksC3N1NQ9eqGpOBN9sE -HEe/LMwfJmTvtiPUrZ3pueJN5PBr0+rO/Dc+HEoVcxs0Yguoehtl0l07dYaPumep -TmXdrKvCkwM5cwnbXSWrCpqMS8Medb3zWvNnWO/mjRwTZyhmNdscjh3Ilvo+YCus -wM8HJFD4FuMtL3GtIfoKeszppACTkOOYiViGHmKUiQaSEwF7nhuIQqgN3ULCP7Z5 -mhL2RhLWacPfATITNkm4g2o16mFohZ9HPZSkPGm8rw7yhB1s2emoocXsms2iR1oa -mggNnUS3m87Z/HmOEyObIQZtYf1ZNuVAGGP4kmhhtNfMTmq3CPYM3oMRR1nb8Ci8 -zYwjEIvLYuDVlZFff4+IA7tCBZPichieoioaxutnYtO+nvuzDRiitL4my2EcXeE7 -tcIunkP9u5BNiXsfNcy3gQKCAQEA3X9eZ/IPF9Rrsjwtqkt7Oxn/uJ8JCotVBLnq -SCd7sCSaM06jUzMjMoj4SYyjzBYLycH/q+euT4UoPdPMKCfwx2NgR87MfuehWzwG -pmPbAbLJtLmZ+M/Bz5QzGS3J3f4qYxLptLHX971JgtTdcJhOAc+p/Elt3l43d/fr -sMVrZ8hqHlXmA6WuwqHjHnGP1ML6xFfsjDZ2jQ3VEV17XKtinucgitvkVuHYmtdQ -wm/yrM8vDkyglgk47j9CyfQdL10elBxe32WY5B0g9TmhIMypmlJk7inPPnAqJ4TF -JJBMvZOB9cJAjrtsDN3tAW/1q+wPF1HLwurqTLluZEc5MVjaOQKCAQEA9OenKlxB -5HiANjH0riaokFDtjC27iHoeBkbEt+CyegGXVHEotVcKnG+N4Tw/GXcS9m33vu/X -Lmeowp/Z2BKxB7xvw81jQh8gEoUHFlH6DgksTPjVVSEa4wnESrqlFjRquBexpU6e -X//xVD72b0txAqJvpvtbxZC41WIwUBTBkHDlj2hegEzUvgzdO92FPRUDrAgB0wSv -05U6fh1/4c3XTHqIHK4/gxiVRmjnpEdjEbOZsfbN8LGQK2eq4FkIS870VKigUZ/U -m2YB+8PKKyqKdXpWQHMZ9QvXoU9AwMw4Q+NEk4a/ZrnnMo59voKP1Qoqhd/rEAP7 -xa1AMOAl2DhhTwKCAQBdY4Z6bSTP91AxJg5a7thWYu/e967oMzb1dy3AnmUYL1aU -q2NRgQ4mEHofCJ1HP0RZHOKfqF9mR85fwx0hETYD23KM1DSEjUULIpPrM87zOF6z -RE4XCgG9c87XnuauIqvceezvssxMOBL2hqmW/6BkQxp4tL0ONMtOWcmWDqbqayXT -BISmpQS6K2eHPnpWSp9QiYHC3HO/pUVgvPl2aQx70xd1dKEhwLeDEaWLVYgMNI6y -iLxshhbq3OFcJQDpJ2ntKMkXh86e32k1+8Zj/ebEmljT0ez/dmtPnjtA31Z71+XD -qNNvWraD9k4nfP0oL69tNZ+j30hKcSSKQz1qAPyBAoIBAGBaI3KPCX2Ryx+HV/SM -URU2Qb883uM66EUf4pVVWeKWbatTOejebdZOLUvIICsspdE+QpJkWgxvy/2GVnak -I/IfOPmX/M0u4bdnjvpBFlgfU8aUv5nWhHV+ijO8aubpiHMVH1ciLz0lvRSgEOSI -kdWvgq33houb/Jw3HTrkb6McR7S8IzHnCGwdM40yAhGeCuvL2qvi1CoyM+kaQg3c -pi/4pURjaalyKoihDUGctGVqe7WAnFVuBoKNLrVFUfZBXe9QyIJUl5jr8SvUQ93n -xsGhd/2zSysVlahpPdicgCZ1a61+/h60VTmWxfIF/ACdF03EYv7SEmQbXX3dMgZ3 -aBECggEBALXqdEIkb9pBhwCvUHFG+c/IKBhS6j7BUj9PrZ3MATPXHo6Iy09d/dlV -psFQzWVvBmf3pcI0MEi7xdUMSN0jhZ8xp1owDlOQSM8DCQPFLaC38sfhZNThIfz0 -Q+fWYPe1lkRBtMVSokN1PtE5zETHlUKkh3fdQs0wihX4Wikc64rjCgXqXc8ng8Lk -NCUNBY/7pNfrEm0Zxz+8CvmRaBbL4OT2/hFsdcMiO3P24mCdAPgJ4v97pr8KxRHe -SmOyiSdaAyXHr/6+3KgO5pX8YUn9WiTF2hxo4SG3NQuuva0SBZT9B8iFXt1uFUtP -Rri7hsjysanKPyaPM1oofbRyWApMyRo= +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDS3HmH2fkfiq3a +zpJscxpXO7310Fa90UyGDTXylEiy7IVHSKo524aWMn/3/cbogOQd08epLHgYHPeI +O+NunC24x9dqDlx9riDWT5xI+JO72kT6FJ1ofnhzag+pmIh1g7h86wgJbX14zjyV +Ui/yHgxmIeO12LVoZtPsdiJtrTy9bDfVqmjbljH2ag+btONgoyL9YR6BdyNxF4gL +uafjply+7uQSrPQLrC7BS9Z3g71Xg15/N75Hfda3gmLsYNckiVvNYPHBlyngS+9b +9AjGnmienqXW4ab3nppjVxCB6OvPfI4d6A7msH1WOwkwX3DhYwT6X4iz9T7/XgB5 +aEjAtjRoEEW7ZIUyD91LrfSZB7sDk7L3G4ZefNGvj5+NjMrAQsUoEvdavThbpM2K +RMkvKBzruJ8SF77iiRMUbACuJDJpR+N9xt1r3nXdarkbmJfgODQsucrZicGUybiA +FHu3CJOMh+xwp0Un78Y092vSJzQmQj8MrfqAyB4Dku8vczHEkq/EO7Splwk9xmuq +6SXIOpECrGf2r96E9WoUx62SNBYiqRVHRHspI4jprJbyV1jBgbQJjbd8HrS4P5GI +Tgeuw7PpjF8ZREeL7hqD7KmgPZy7MU2z+/RgI6Olthe44F0IkIV7wRnDkGSR9ZYc ++EOWNLwhZ5n5ppgdyFhZQeqncaO1bQIDAQABAoICAGXDrA+JfjbfygoYuggHAQZq +ucIBu2s+sMzdYVTihbd8eNIvWqAzt1+TnbkEzFN3qSBQDkMyR/9zM2+XX6sJSvOr +1uXDapXpTMXBhC6fcUUvES0Ud+dvahhhbo+uIuV8HbSEBcvvAKgl+I0kLimOoPNF +lc00elCZl9u+I92ExxSwPr4q0RJxCUngZAoEodwIv6FDluJqqjsxXSIzhrhSmN45 +Eu+Ecv+TKLl3LVleximPKDMDpxx/ufm0vqNQFWT3ucuD5wlEOByc6TcaroWU++7Z +qDXtj5RgAijBYyEfVXc8qKX8Ufy53rOYKFYlKahNDqD7LFGVocLDDj2Ju9rt1Jon +hT1D1X/uX8XCXl3/wCaAX1dpSf1owR/J7sgtm5qysOnBkT4JWwJo6OaZkHmL73vR +APjxlawJVosR6bmHeqE+8kyysYywbZ3u+bstQhugcAF9dxHdWfwwOmwcLmBDOvFN +hakShySQevv3rBcUTBCmC+zLmsVVLpGUwyjYAtVwS9KAEyYT+C4Wjb/dRZXffan0 +u7VNjSS8BTFy+1Kf2HkFtoNV1otMDbO7KENW3bG3BXKsYACX429hBhKYA3/Vi8iI +vqNbmJMdPc4NWrmJnSP5RrMAlDOqgMEYPOqw4oMrqPKh6LzEVR8gtIdm/f3aq4dW +x/hMkS4ZB2dGyCkWaRINAoIBAQDWFe9exGgvjaGmi/Qt0ceXeT34ZlUyjOxI7Mgd +B59ZUPcyJJFQEzh9xilfEth2W5Anvu6xVYqcaVFSUBfQx2YMUuzIoi714WUlkMWN +EHTRLAgDCw7vqEx1aBPkF6V1GSyjGnKoImiT6iI2Tfuz3TUUfiw/xYLW/xap0r9m +a4JU5Zbh8GNAmerO1lRWXOmWic4kJnbPQY95CB1BS0jRnnBICorVJGGWcJ+H0K61 +cfTCiDzeUl4hmXjOjr139RwYTD+gbyxWO0juntzOb5X1c2kuy2pcOo4tc0iHJjP6 +E0+2/rUBTJlCHpizxOc052TTjIwPJ6t/2w3NpNwlsDW7u5HXAoIBAQD8JO29paCn +ww6T2h3YVOFcxzSJ8i3V+ukEa95KIr8m9DlGllQ9Khe3bbBHJTDifPFGEN8oCQ/u +AIRDoju2tC7i3CQ0MOYki3NJotwBmHU/jZQ6GXwSdqP9hu6PR3QOl3vasffYAiUP +mmmUafAe/hizNURxF4fo6hlPimuCBCxIH5v4T8dmqTHPDw7ajI+zbzk9WaCAZeb/ +H38aeHuvvRgse/wS7K0gxmoCnldjcO7AU8LknVZSnAjo2DjKUc2f7EGg1UWMIyU0 +v8zwdTcP9dzx++UvbBW//Tr6l6dhg9ftvF8Tj8KKzMn7fh4oQ0gDQwp4CtdSQ2ga +cv6aIevAwFJbAoIBAD4HuwS9aealZfoowQZpqygzhAYuOG9eL7RtjwoCRGSPtiA8 +QjJub0baHPCkOD4LB7jMdMLDI1dwmJR+Cnh+3g2iFWOIwoyR00nQKb1W0FIvLN8c +3CYKoKTAFEtZoqJMOgfESQZ4ec6p32HWtKCH7rJSYKXVp7R90uY/3x9g9TF+GHq8 +uTVlo4hsx6ECaNgqc6U70973gwexlzBtDNtXyfbFvzZExVXeqgqjJ4wBScb3zJMq +UIXxvvQynaldRteveBwXOkR+BwLE2vuhj1TALPDXFalFeh6nMZOfOR4zbDx8jpui +wyFKVjp4SfmlNiypo4dcmi+Am/5Cz1rINLmBfp8CggEAVQq/hK9QOET5rbRrTIOU +Xw5xEfW0r+8omG0pVCfUAPduOfiKAPcpeJxuUBCjJECvv8oA+ifUT5mtAoK9USoE +hk9phpDXjovaHoPnYEJjiUPfMplV14RcWy4fWAPpiOJey6wqw5g1l8WkxoHUkx9w +hUD6DIq7NDuAvesZx4hQxyKiIGYIAwAd5JBXmi6+aO6ih6arE6NK/dFJtUvdq7BD +bv2CT3+0BNHm/2sYXlnArO2TVjga3VHzT1VeEh71E3NDz1MfWdygt+HY5WEjaSar +lpI3An+Z9l8afVqZAbLOKUjXaGmcW+QmW8R1t2654x/BcCt35C8H9aPDa4j1UtWK +8QKCAQEApgvfp5JiER/CzjBt6YwCdo9kTDJM/mh8FDvavnIin4alNuPQbr+YesYl +0M5Tq3jUKpJZ7OBwOZO2E5/UY0gnRvfj5lizPog/sqA/UfWZVgsu+kpTluF+qrMh +qEDhKseogolm4KDb4gxdoxz9AH6lIcVdX1zOtMorGnmT3L/6G/PKxxUdoMgD6RW5 +efITBF4bm0FCjyrNiHc/f/B6lSyz9t54O5AXTPCw8cHMmTGTLbl5MFJZuPfp0DIm +J6tNt0zClxQ5/FV1Y7UWh1l6i4j60cHrzhOOsxkNLPVAu70phEnBg9nevilSADWL +BikBgOlpgA+bZNjb2zDsmwDkNKl0pQ== -----END PRIVATE KEY----- diff --git a/config/testdata/server_revoked.crt b/config/testdata/server_revoked.crt new file mode 100644 index 00000000..e708bab4 --- /dev/null +++ b/config/testdata/server_revoked.crt @@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFsDCCA5igAwIBAgIRAOSykfzsFL0kachzbNI8PrcwDQYJKoZIhvcNAQELBQAw +aTELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy +b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRowGAYDVQQDExFQcm9tZXRo +ZXVzIFRMUyBDQTAgFw0yMzA4MDMwOTMxNTBaGA8yMDczMDcyMTA5MzE1MFowNjEL +MAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxEjAQBgNVBAMTCWxvY2Fs +aG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMU3dOu3uEJVu5Ie +2WpKjTaGGQ67TYhsHyqP2zlgus6kDj1rcag2gK0RlmmPJGk4ehyUhjhc6Myq5Ihb +p5zQtCwRSe9raROyiwjZuxwIf9FIigMxqHz3RIwyorkBLodVC7MhkM7nlg9TZldE +j9+pwdJ76vBznpxxigeTSsFLQ31fw5oDrNfrqvJEe5zHtEPdDDdAgumPpdt7TWTf +veB+M5Um1fjdhRDwCU9E203bRN9PgK0w6iXTbIV7eHzG68oyKVaKmY5iiHcLLk2z +yY60h1AugA050m3j2ojytgtpTo7R76/XA0A4ZSfFD7mSOkDhDGBz5Fb7TApFTy7+ +BMg8DEgn8BiSq7VdZ1etwgaehXtPkSuGavF+MctiS0TF2UzVucZ0zlHoPAss+6Ao +jKdFUdZVhX2wJ9/EdYvfrZgEkFYRhSEoyombZ0GlNQG5z0CcCIqNd4PALfN4xuEk +kSbApG6pyi5zU/2bv0kZy9G9RmbwhWsGHwu+b+X54JEKWZE/xIyXQKj1AMO1bep6 +lIqfDmtBeE5oReDXhdKcVwTHrs7RCM0hwM5rGWwhiokgmIHnl6R/MqCXaPfRxap4 +EdK1qy+4W9xAPShMgDTuoN03D5YiHfRvAutP38ne1zTox4lzSY+EayA/wkoB4wGN +apc6ouVL5PP9RnTk8ATH3eUAQX8jAgMBAAGjgYMwgYAwDgYDVR0PAQH/BAQDAgUg +MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB8G +A1UdIwQYMBaAFH9LfDTzrym3/EwMAopkOky+eXMKMCAGA1UdEQQZMBeCCWxvY2Fs +aG9zdIcEfwAAAYcEfwAAADANBgkqhkiG9w0BAQsFAAOCAgEANyJvkB250c7GPE2f +SqP2XOp8Ql+ecmHDUDWGDprRLlXRukK9kJZLBoXysH1aZq+JdjbfaHc5Ym2TYGX2 +Tz6G156fMWgso1iAnnDyo+U2uJJV1bBRCXxjJgvJoQv2jAwq7mwgkmDpMyDJX2+T +tBe2etktR/UBKqmQF3uOq7FtLh6eBbAGwTiFwU/5iaZuYzSngCLSTMLsLFaTFtyL +RYXZ7pKCU6Lq2gsyAmIL2LboDdXQDftO4sH6BJnwKlwblkIVJrju6SmDYHRii/ft +SNw7wJtvSCHp7FcLt9lxyBuSP61ylfY+SlqR75Oypeo5naX93wCIZFDG8Xc9waz3 +LmQ6HmIr3U8Qyejaqex+8J+AJk8cKF0/4Y2yGlWs4JIvcT6WpBJ9z9oqQY0boDdk +qXTja83NKNdRaDF4Kn2h4m2oMjEV1/+KYgR1GUL4icJ0ahWcCHehwagjMrtzD1nt +8iLrMwaW68c90iJXjoyu0+n/NoTJ8iUdbgi3ZWe5Em2L7uZMqxzOR333uD+rV0Ff +e2aQ+lc0OY3lF4VB4IklUjNzqALeCc86lyqNnV1hq2g2H5adF6pqvIptEzP5hPl6 +DmaEv6HnAAqB2akG5Aliwn3+ZRfdvtb23y3RQzVMJ8OC3uvyvGHUgwK5EGuatueA +IShL3EHWNTQl/gYsoutsQ94ado0= +-----END CERTIFICATE----- diff --git a/config/testdata/server_revoked.key b/config/testdata/server_revoked.key new file mode 100644 index 00000000..d1030861 --- /dev/null +++ b/config/testdata/server_revoked.key @@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDFN3Trt7hCVbuS +HtlqSo02hhkOu02IbB8qj9s5YLrOpA49a3GoNoCtEZZpjyRpOHoclIY4XOjMquSI +W6ec0LQsEUnva2kTsosI2bscCH/RSIoDMah890SMMqK5AS6HVQuzIZDO55YPU2ZX +RI/fqcHSe+rwc56ccYoHk0rBS0N9X8OaA6zX66ryRHucx7RD3Qw3QILpj6Xbe01k +373gfjOVJtX43YUQ8AlPRNtN20TfT4CtMOol02yFe3h8xuvKMilWipmOYoh3Cy5N +s8mOtIdQLoANOdJt49qI8rYLaU6O0e+v1wNAOGUnxQ+5kjpA4Qxgc+RW+0wKRU8u +/gTIPAxIJ/AYkqu1XWdXrcIGnoV7T5ErhmrxfjHLYktExdlM1bnGdM5R6DwLLPug +KIynRVHWVYV9sCffxHWL362YBJBWEYUhKMqJm2dBpTUBuc9AnAiKjXeDwC3zeMbh +JJEmwKRuqcouc1P9m79JGcvRvUZm8IVrBh8Lvm/l+eCRClmRP8SMl0Co9QDDtW3q +epSKnw5rQXhOaEXg14XSnFcEx67O0QjNIcDOaxlsIYqJIJiB55ekfzKgl2j30cWq +eBHStasvuFvcQD0oTIA07qDdNw+WIh30bwLrT9/J3tc06MeJc0mPhGsgP8JKAeMB +jWqXOqLlS+Tz/UZ05PAEx93lAEF/IwIDAQABAoICACLfxKAuM7ofOPUE2YNvPXtn +ySSOwI4gOH6pQ6Xo0f/aiN4ZktahFK4GDygJdPHaV9WX+ggbfds7WQA33PLhAQtN +31okD0e5adad0fWKFzgl8KnR7S5z9z4nchju+ZBa3J/HjrjXwPRi1hUWfa6acTjM +SuZMO78EYNkoFa8KpRuVhJxGjBj+hpMiww0dT2Y0v4VBtiShDz45lp0A5628A1kb +rfi9C1vMZokK7xDcdlha0bFOlgksUuNjyxGdh3KQ3jh8d9zy1ZjfdEevRDQk/kyS +fHhaQjjGcw2GheSMsaSVwSHCDsQbdN/MfBRfpEd2xF6F/9nVxEOIsBDqQGQ8IhuM +wV92kIUgggWGUKXSGTBEqzXH5u/vi/sRVEQTJnDPsKiOnbewdum3EjVangszB6Mg +BqiOZurCSSerOXtkzMxepIdIg0WLZdA4lxEjePVyo4/eKhPFPPg0wMjUyCepDzOw +lLfdLfI3x5Dq28gvGsdfdn482W5BZ+cyWePY8JBY9MV5ddCML8wJTeBg+ot+84pq +06WZYgEZg0WrpNIw9n6voLu6c+0K3xVw8kQs+skQcOt7d/HTz+zCNYcjew2+6Y7O +uvPf0ikk2qXcvJ1wA0ocmUSwUA4TeXgdEeujYEs2ibZ3oe3XBWk8rJFwMC6KWfMN +jtjJXNeS/30z+CT9jnD5AoIBAQDT0LH9ZBRGXIwpD5w2ceHOaj+aSm6it8fvC9jl +mKVZRSf96rs3iQzS7DlCKeulaWrGSncoAaLEMREFZf5r021L8iKBJzXDfMFeofvq +ZxZ1R0FqgoFqQB+lSyLvskGC3XVhs5k4CaKZbqii1rsFnUy8/B5FbH3ToRKIPsSB +DtrKTLx1vVn/fJnPVqow9B7kv4VJPIt3g2v/+RwSyN6TcWrPUXlq5NYUod6oefNN +8PbVry14v8YkCWgaxTnFBryL+fN9No/dcuz0VEU9FhsZjOMp1bO9qGpKHmhraBud +Exx+fuByMFLfZacbogBncoRuihVL1Gpm797We46/6CfyuwNFAoIBAQDuWyvTSVvt +Bhx4bufnqu31F2eOoGpTq2/nodKyAcmGGTSafeySYOdKT86HDxUb9+yBeSx1eRJo +PyKYVoTkZEI55uTUsGzx4scs5kNzgr2Wnj1psK+8CMoXMGzyg00JflNY0sd3YRPG +bxhynMAPquc2Y44FVpHUq5nwLueqnc8C6DgUt2saAE3WO3D/wnkUyaTRgicSyW0Z +XpArQ8EJew0lfhWMljilXo/hSpzdNtyTpHlQX8h/OA1QrMcuY54xe71cv+++7RzQ +2nmXpGDzMTqPabwS/yGrtHHwrttTs+02xqQsWnJYUMpZokOOVIaUr0IKDSwTdrTP +JNKOPKA7aytHAoIBAEwd4Ah98WdDlL6gtHNAQ3QI7GhGvTFON9Pofv4q96h32KI/ +ux1+65PUfdMP+3WKx2sQkXdX9yTnuQUmnOIkrU8waUPeUky4xUh7j2qxtvlYLOLY +mScUegrNUHWwqigb6zW786CWnc7jXEiAP98Jouz68OnjzefCJ0W8wKLcMrWmE8d/ +zxqnrSI8M5a582wigwRJdJjzKllnLLZ3Zry3cjmkPqyyJVhuvvPuNwfYQuuRMxcE +W3DRzI5qN5NdE1596QkjFVnwFcTLj8Ie8ogg//UlrZzHK8MM4FtQozO0DXZLo96F +DRLolb+xXNHP7lVG29ZPNBlfs8WBy0+dXtW0bL0CggEBAIGi3Ich0vlq5Xkq+L4r +XRh8DjqoTKwNBeP5Q1rFVhG1C8Mq0cwbIDBuj2ktbtGzWdJhUSjjHHvOOsaX59dA +IDTVu4diHR7BtIpbAjyE0xBkKAqfqjSeoytRjy+m8fND3Zjlqs7m4ZZ/PdC4KE1d +KjuOkeOdXdtJKYRUPnOxOLHgEwBRcdLGb48g7ShtYOVJdnbsTswM+WVe5RJi206I +unG1zYqU+WIXuDFUH1TBTd6PCdwI/EcU+Ujzb7FvRM6s+iTDz2UMGSwOZytun7wk +/jCZ1UyProRws7evomI37cBo8UmeN6qI5kUx14RFvJyJZWWKHHrJiTVQVaQ+nPc0 +JmkCggEBAKjZxaBFDlqmUehO+y349VAXILdi9AT731PhS0ajnWXJ/HvsCdxJ36X0 +39gvhItT83b07OJLiTAL3jQTOpMuwqczYpNfZrzM2VAthprqAv9GIqFc4s4UC6gi +FmRHWX9qjvc0NXozuJ/kvAwTTo9d5c5pGoWqHGW2zhGE74PFiQufEXlMef0+iIP5 +w6lpMkoXRgHu2HadGr6BXmqlD2gyZazBhEaGIBModq2EyaCiACl/XcNY02Rk7wKe +cGzdEM+0DBMlmgGkxrNqEsYTFe+KHuGdDp4QlGlL1zECh1vVDxyGrKp4aejzEbjE +SnVnrKSxwacqlVEmrtBcR1zboYd1SFw= +-----END PRIVATE KEY----- diff --git a/config/testdata/tls-ca-chain-add-irlvt-ca.pem b/config/testdata/tls-ca-chain-add-irlvt-ca.pem new file mode 100644 index 00000000..98a89606 --- /dev/null +++ b/config/testdata/tls-ca-chain-add-irlvt-ca.pem @@ -0,0 +1,100 @@ +-----BEGIN CERTIFICATE----- +MIIF1DCCA7ygAwIBAgIRAOSykfzsFL0kachzbNI8PrQwDQYJKoZIhvcNAQELBQAw +ajELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy +b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQDExJQcm9tZXRo +ZXVzIFJvb3QgQ0EwIBcNMjMwODAzMDkzMTQ0WhgPMjA3MzA3MjEwOTMxNDRaMGkx +CzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpQcm9tZXRoZXVzMSkwJwYDVQQLEyBQcm9t +ZXRoZXVzIENlcnRpZmljYXRlIEF1dGhvcml0eTEaMBgGA1UEAxMRUHJvbWV0aGV1 +cyBUTFMgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQChEDFJ3zUp +9XB6Ln+TYjNjcRmKn8+h4pM+RLTlP1CtwAMn7LYeZNwhu/aRW/QEr7DIDVkZiWzY +S0J0JjjdfGZG+e89o7k+HHWHiBtf210q55FiKKGUwoDfTVHHgImZ7AOOZxG2brwa +KRV7qSocs/Qea05OjuqGeOrKA7jJpuH5u4ZRo82YtiwWUXSqXiVihZfQYTSVUDK4 +1w5iAsAFBi17XbIPvmGHKDNminixyWO0XTKeU9zQAcv+/0kmRpTJoM2oVKLhFX6u +LZdspxHCmCbMmbsbV6phKQpdK67CsbivuqLLBCBr/RPI3riWehaEF5WMj8Ji0DoO +PAVkE7+zHmIsDMpiYh5BEEO1ZwiqqnfOSpP6omLI70jIyoAuWpq6luQKX+CWm5sK +JAbne4iu9xoILGrB0bP2wF/6qCIbmQU92k5whVAUJmWA8P8hLv+huL5BzBZjbuTU +cRVf5fxr3J9po2XqBii3VekHR+PEGHkD1pp+Wog7QeIdiQOv745f0rTP0+iy1eWY +Qj8gceld68tLLw6vBzPDhNlBbdXIIktzW1W9pDhO+VBxUJqUHwtgytjseokHud/e +pNmd6+8l51vf0RGs52yuxLAr9CHJeVLWeZ26pg6XvpolyuFwtqrPU5W7CLO/Rvs2 +sCxyT/iXlCd4BEZFzeOT+rn0IY5ANYWPLQIDAQABo3QwcjAOBgNVHQ8BAf8EBAMC +AaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR/ +S3w0868pt/xMDAKKZDpMvnlzCjAfBgNVHSMEGDAWgBSC+WINPUpYSZoOZiplfO7z +pcjQSzANBgkqhkiG9w0BAQsFAAOCAgEAbqPq2gWPeV+dVYuKyqMyG2Y2jbCpPaib +gWNmrQQUxh8G8sqDkI94dq4w691CtycVwpKr0KAqi/dA/6TS5rNOmkpDBsJ9pCOc +7KUZAXJ/5W8Mr8VxaxH8YCDhIuQa1lvydRcGoMwEf08gLxEAZ96MSO0FVEiTLu6N +vAb69ZEmItY+7xW3wxAS6qbMlN2NtEO9knQtRdnjFy02aiyXotxXPuCrL2jFS2bb +lkHJ8J3ib3FmOOilBcXZX9PKk39JU7+56D5gZU2vtEqBJC6wXJHR3m02RMCS2kLm +Xjv2ArllddNL8J6f06tqwHBnX9f8+eXOxSy8zglIf31j2hB7DXxRjejPEvTrnCnz +f74lQKZiQDm6x+16q9UEgJhxHmPinwbGAqMjQ+JeLN3ono7m5UsqwSvuoTfkEdM/ +XORhnZ4oA9jRsCsq2R9/Izh+cMb9VfdRNNyZFLzYkfiol0Q/FpGOeeDdY8PddgUE +b0Bd/gMmllMKqGUTbVLbg2Bbcc6pxnD/70GIzhsO2nF7QD+B4ToU6tlbQE5y3lkv +Ai++jLF55nMnJrHAuwkL8dFBJf6nI+UqYhHY7727rTOVNuf3DYZJpvtjcyQubvBg +yzjMipCOeyoeV7WVbdAIrVkUe7uywTd1SQylQ+MRnoRoEPTuwYhAeh9WBV44elex +TODbpyk7l+8= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFtDCCA5ygAwIBAgIRAOSykfzsFL0kachzbNI8PrMwDQYJKoZIhvcNAQELBQAw +ajELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy +b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQDExJQcm9tZXRo +ZXVzIFJvb3QgQ0EwIBcNMjMwODAzMDkzMTQyWhgPMjA3MzA3MjEwOTMxNDJaMGox +CzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpQcm9tZXRoZXVzMSkwJwYDVQQLEyBQcm9t +ZXRoZXVzIENlcnRpZmljYXRlIEF1dGhvcml0eTEbMBkGA1UEAxMSUHJvbWV0aGV1 +cyBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvSVaPYcW +cJ1n0ugR6Ns2ITqbSiUTl2xkLAvyVOwVGaoEjYM+2NtJjg0Dr1hlT8I9rHeWcB4G +pC1Jj5wMbEP1hoUyxCxz6dbEplrdXu0GEd/leyGsAe+4qnIvvG+Ic4N5ndkNxEQo +xYBqD9kVtQi1iKlQDvCwvApu9LFp7PmFAzDjP/Kcz9U9PTtTCuuNy/GxiU6Ez9Z2 +JaaTi0ogoGumkTikgu3udFdny1n8XH9GSOysy8ndueE9AvGirpKP5UscSNsA+x7N +s2QZizVH6/w8K/wkPG3xxAMCp9nUZm9H6/dnQ6dpx7JENB/BQCJhr2J+3TEUaeZm +gtu9gSDzcvQtnjgtEUbkQBPGgnE/tJ+urFFBq5GhJo50+YkOt2e3B1kiD2+wCfqo +cN21UuxJuA3If5UrTB8R0Salnh6V/A3qWAqSYvm8eAKihmtOTg15X2DaeprnsK1P +lHzxegBf24B7u0390Am82h8EJTq6HQ/hSPK9kLfF3DRlaaoVWM2xW0/01zyTLNIw +u6oU8WEDpVDCMpv1gpR7j8gmKdHK5mceuNkjmVo/XL/PIMYQN0RbBcJtvdfsKD3d +EVIqV9T5PP7NpnCCNzTesfzjSOfmr6eIL/8pDb0CUQL3YU2jLjgcwiIAK5P9bEYW +Kn6WdM2Lih8iWU7UAKtIk447ddo6+h4mBpUCAwEAAaNTMFEwDgYDVR0PAQH/BAQD +AgGmMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU +gvliDT1KWEmaDmYqZXzu86XI0EswDQYJKoZIhvcNAQELBQADggIBACiHJUxeNiUJ +t2L9cfLLbWK3wqOpZ+totPhEilM0kqG3sP+Oh8mM9o83OrBFt7DLzxXXrvuGwsH7 +DIVXhctCL8gqO0AL67fJIJHL6Kl5NubMf3A//KlwPI4Qij5loQbYWyiXtnUvLScC +jWliTjhJZBZ9ztJ/FnJ/DMF+YlrET3ak3lQKHEQba5t9mXkT507ru8Wuyp1hb9GA +BU2ZbCkzXlkv8Jern+yffBOPcXUMSU4Qoi3eJDcYqSflB83vr3M3AM35+HzZPdBD +2HnTvCCZQwQqAKMpXeB16gVlOGi4HKx7fVPBmRmM4SAB+PgTa4LiAA/BRJq1yEAq +jTbzLYXBfAhciJyzH7UX7LoSmrHr2pDodI51HopFANfhvHu+YrxUhXgI6Kr59xaJ +uBDlCSlCjeNd4NiswbdlRZM6eO6ke1iwX7VHfNIJGGwRuALyaksFpxclrdAsi3/k +RCM2l7OL1FnXrgdD5laYgDCo5IxYh+0jDroJO2W0ppR99+rdWSqXeGzTZA6YDUJC +unypdNY7q3za05LAgvy0RDkB1MBRNCjpJuvBRhMW0snZU64Byv15wFkhtDzhaoaZ +aZRAOXZK6VgcVNkZ7HEPuVDGFVytKZpjiR9G45JXgSTWfLspT/LfWl7X4hbrpMpd +0KwX3b1IVRfk+mGGgiYNIIAJIqWTyC04 +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFyDCCA7CgAwIBAgIRAOSykfzsFL0kachzbNI8PrUwDQYJKoZIhvcNAQELBQAw +dDELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy +b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSUwIwYDVQQDExxQcm9tZXRo +ZXVzIFRMUyBJcnJlbGV2YW50IENBMCAXDTIzMDgwMzA5MzE0NloYDzIwNzMwNzIx +MDkzMTQ2WjB0MQswCQYDVQQGEwJVUzETMBEGA1UEChMKUHJvbWV0aGV1czEpMCcG +A1UECxMgUHJvbWV0aGV1cyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxJTAjBgNVBAMT +HFByb21ldGhldXMgVExTIElycmVsZXZhbnQgQ0EwggIiMA0GCSqGSIb3DQEBAQUA +A4ICDwAwggIKAoICAQDDc+J7JkJEXRQ/2tJBS+1/2+iQZ3FOePQA1cZZ/sSURyNT ++gA3Xfrh7zyXL9lsrXNwu0VJUqPl4Y8nLmFxY5AiqGAONAiUTbQfwchS9nn4zWxm +Up1cTss7g+6RO5kppeDyXMDQt2UwzeD5C0Lf4Wp8L6U+M7mrIsU6WUwUHOI7z+TH +Uy8mQUrdM5fe+TBwP+3MQN8Hdvy7ZcmR7pBZAlbJmp7EJpcuE7i3tZ2U6yrmsJ4X +fAtg6RQykHKEETGMKErh69w/n5bBliIGFbUVPFrYefu9FKqbP+TYggd0bKJMQLfe +ZLSxP+rwI2qFl8hBnhfdA51X551FkvnSSoAjWFOnA9xU49ZBv0m9CKVj6xEyM21J +ckLfGc61tSsi1vIsCbra7dJ+eDC2kk00aOtweptGeMnT7wp66x0po+TmFZf0wN8R +ujZpo7adwzIUDVrf0OSq+c79dQayKLoHyRk/ywqVL/EKDvhbzKE1pTDc/bXyF2Zs +gbb4hcSnKKIGjWqU5EURxnMTOJiWofYV0JYzrKFjZY2yAddRduWJdl3gnlAyYWem +hsTAqUta7HT8GyoP2etwXuFzbv1MC3X5flIlpJ5lvYUmS9ootMGgDotpeYrGLBav +m8QEaRP+vNQTz1iTogm6OhOsqISNWShuXT2Au09Rr54VKQaBBfLbcH8sv/tMyQID +AQABo1MwUTAOBgNVHQ8BAf8EBAMCAaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMB +Af8EBTADAQH/MB0GA1UdDgQWBBTvFWDJkxY3FJ3EGMTHcRIc74bhdzANBgkqhkiG +9w0BAQsFAAOCAgEAR7H4YRVGUaT9gVSFN6GPs99GKxMyxjtqt5abIv5PZMNyukhn +fc3naoAY7XAiCL3kYKQSDBPp/ABHSA8qjOuj0IcoL13PoEGDJFL3xY3+URL8gYbK +2MpFm3rXjqzKyp2VGbLk8IfivfanwFlSuQS0yqm7H3aqK71xP8oUhWMLjW/cbUxp +vDFu/ejuk6RVu9rWi6wuBGKxWEXueQZJyz/sszJpbqXkf2uJk/UAGKq130wH98WK +/QM9kKoPcxUJhY0iXIAJur4oIOrAyFAlr397vd1cy71BwP0abZtRmCiJiMdNbcN/ +KRsg+o68MXQrKFM7seZMKDMIwvqONlHk6TVjHTaA0FRNCru6/eH3pHqS4ik3LTQD +FJ7v4HbsUoISoJjbQThBEgS5iGnKr1pL0R98OKeU02sCzAY9YbxON0kMgpV9ypJP +CFNmxQMn5QOHOzSwwnfl5Jgg23Mo5QieQS+Jb83sNwBM4JKvaIVNWxkqgB2rR8AK +Cn7S03hRGENmuRezPlRLzPtyTmHVwPPeJlqmxG0/vnTXB9Te+KtSbFG1PORi9Z2t +bzmLhOMHrWkOb0hDQtiuCmfrG+PEq6APbnIGT4EPnp9fGlQYMMl5U7kLOUbJNz57 +MuvcexVkn1bpAamBUq3CqxV5ZpSLAklpcDReeL3RXMKEfknDnJ5UOP6u1Lk= +-----END CERTIFICATE----- diff --git a/config/testdata/tls-ca-chain.pem b/config/testdata/tls-ca-chain.pem index b67023a7..2827ff0b 100644 --- a/config/testdata/tls-ca-chain.pem +++ b/config/testdata/tls-ca-chain.pem @@ -1,67 +1,67 @@ -----BEGIN CERTIFICATE----- -MIIF1DCCA7ygAwIBAgIRAMMSh5NoexSCjSvDRf1fpgIwDQYJKoZIhvcNAQELBQAw +MIIF1DCCA7ygAwIBAgIRAOSykfzsFL0kachzbNI8PrQwDQYJKoZIhvcNAQELBQAw ajELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQDExJQcm9tZXRo -ZXVzIFJvb3QgQ0EwIBcNMjIwNzA4MDkxNTA2WhgPMjA3MjA2MjUwOTE1MDZaMGkx +ZXVzIFJvb3QgQ0EwIBcNMjMwODAzMDkzMTQ0WhgPMjA3MzA3MjEwOTMxNDRaMGkx CzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpQcm9tZXRoZXVzMSkwJwYDVQQLEyBQcm9t ZXRoZXVzIENlcnRpZmljYXRlIEF1dGhvcml0eTEaMBgGA1UEAxMRUHJvbWV0aGV1 -cyBUTFMgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDXtUbZhHR2 -xElyGJ+BwcZh4hm4dh1OhlJ6g98H2rEOK6bBxeO5YZnthfCnHI6WYN270ylusUc6 -JVkuU/1PO7NLYsl1D4ZIrRKQBWfg88BYrDO38HUkrm4aohlpT0+f7SiA7eRl1Mb5 -x6fi5BAVE5wnQJTE8VPBU+lXJB+SfZEixu+o1PlxVAdMYPAu1Yijakr1lDuZex+/ -j/700mihSAcwOvJ/+p4u2WNj0CMvQWiV5+VBZYrfpRN4/201FoyWILIv3HLq5OKp -Bpl/TvJ4J8oG1Cbzjm52qLgUOvHkAJ0I04DxWWywHF0VRumwLSqae0xo+KPPijj7 -bdnCx+vy37PbFOghzKzSIbPuccfKivVpChgy9n0kkgQhm9cgFE5SBuO6jfRwto0g -drSOMIzyXELDG0h0nB2gsPUHjD/OD1DT0VsW/9xXOPBfVgtPFn5LoZ8ninAFmk2r -ZiRJhCXhh+Rlw2F/s2STP66RnUGVdfP2syV+UlgJlE7EPE8cDbyfQqg7FTflq+t+ -HgXFCAkJ4S34+/qCbGv3DlbnC1lq+FiVwexm1TcfL/lYfhPr/J6VoeFZw4bjTPNa -jUILpsXv6IQzgPfCBxeZC6dDkK1D0cEXAqRRYKEFxdLnMjBcUZlWUV9uTuk01fDc -58bmlHt5sEqhcdUqHrR5PdoWJVOSbFwYBwIDAQABo3QwcjAOBgNVHQ8BAf8EBAMC -AqQwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTG -mh4eYNPmKKXi3dSJIs18ivSv8zAfBgNVHSMEGDAWgBRJPrEOm2ZrMgr9AFTz9LZy -0fDNNjANBgkqhkiG9w0BAQsFAAOCAgEAoc0OImcyyKSbVK63QA8VmD2o9Xr7abxX -o+f+QXWDqKAlNDAuXLYBjHMCc9YFsxXa9XkuKZeIxzop4h9iGG+fxMVPTx3T0gTm -MAuHcPka10z4Gy6ZxLzDmxJPkJ46b1n0K2fsv9XshzsHERz3VavwHXbC5mBo1CwI -6xLLtTWMuJdoyt0261D7Dat1JAFIWm2j+kxGvyIP0gNtRsUKOFA22Tlt42sEYnXa -7wmY7b15rndG69Xg9ZiVI5Mb/10gDJQcym23PXRn+JEgssE+WcYhll8f/LRmD49v -ZlBBD1dVoc9JyrgT+An+2Z8lE6wCSPqWSwhzvBW4dyB/u7Jn23dlV1SwJR8x/IaW -j/DhCELNqD6cSlRK3yjE/a2/iK0F6pNrVgKDY+/9uwFxwkjIRwqfcFtT6YpZ33mg -kSdTTbYpeg3XkLYZayE3ntzEhooyQdrJR6YyFVwsgcBCkeLrEbC7y/AG1MQEdKsZ -i3q730vztGQBR1ymPwgbB6qzGOXhmnhJHnQjeP2CJWnzDeOh2Vs4CxLAQZJ/dhYd -qrbYPAT8FJkp2PvoJP8zpmD7a8QC+6Gr17kl9OupPQrIIfxCXYZKDdGOlkDSUC16 -6y0E1WZnI+LVbQB1M584lB2/8jU4xqMqUPfoIcbjkjih9nvVA6t547527MeeTvXT -0ig2QvMFWMw= +cyBUTFMgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQChEDFJ3zUp +9XB6Ln+TYjNjcRmKn8+h4pM+RLTlP1CtwAMn7LYeZNwhu/aRW/QEr7DIDVkZiWzY +S0J0JjjdfGZG+e89o7k+HHWHiBtf210q55FiKKGUwoDfTVHHgImZ7AOOZxG2brwa +KRV7qSocs/Qea05OjuqGeOrKA7jJpuH5u4ZRo82YtiwWUXSqXiVihZfQYTSVUDK4 +1w5iAsAFBi17XbIPvmGHKDNminixyWO0XTKeU9zQAcv+/0kmRpTJoM2oVKLhFX6u +LZdspxHCmCbMmbsbV6phKQpdK67CsbivuqLLBCBr/RPI3riWehaEF5WMj8Ji0DoO +PAVkE7+zHmIsDMpiYh5BEEO1ZwiqqnfOSpP6omLI70jIyoAuWpq6luQKX+CWm5sK +JAbne4iu9xoILGrB0bP2wF/6qCIbmQU92k5whVAUJmWA8P8hLv+huL5BzBZjbuTU +cRVf5fxr3J9po2XqBii3VekHR+PEGHkD1pp+Wog7QeIdiQOv745f0rTP0+iy1eWY +Qj8gceld68tLLw6vBzPDhNlBbdXIIktzW1W9pDhO+VBxUJqUHwtgytjseokHud/e +pNmd6+8l51vf0RGs52yuxLAr9CHJeVLWeZ26pg6XvpolyuFwtqrPU5W7CLO/Rvs2 +sCxyT/iXlCd4BEZFzeOT+rn0IY5ANYWPLQIDAQABo3QwcjAOBgNVHQ8BAf8EBAMC +AaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR/ +S3w0868pt/xMDAKKZDpMvnlzCjAfBgNVHSMEGDAWgBSC+WINPUpYSZoOZiplfO7z +pcjQSzANBgkqhkiG9w0BAQsFAAOCAgEAbqPq2gWPeV+dVYuKyqMyG2Y2jbCpPaib +gWNmrQQUxh8G8sqDkI94dq4w691CtycVwpKr0KAqi/dA/6TS5rNOmkpDBsJ9pCOc +7KUZAXJ/5W8Mr8VxaxH8YCDhIuQa1lvydRcGoMwEf08gLxEAZ96MSO0FVEiTLu6N +vAb69ZEmItY+7xW3wxAS6qbMlN2NtEO9knQtRdnjFy02aiyXotxXPuCrL2jFS2bb +lkHJ8J3ib3FmOOilBcXZX9PKk39JU7+56D5gZU2vtEqBJC6wXJHR3m02RMCS2kLm +Xjv2ArllddNL8J6f06tqwHBnX9f8+eXOxSy8zglIf31j2hB7DXxRjejPEvTrnCnz +f74lQKZiQDm6x+16q9UEgJhxHmPinwbGAqMjQ+JeLN3ono7m5UsqwSvuoTfkEdM/ +XORhnZ4oA9jRsCsq2R9/Izh+cMb9VfdRNNyZFLzYkfiol0Q/FpGOeeDdY8PddgUE +b0Bd/gMmllMKqGUTbVLbg2Bbcc6pxnD/70GIzhsO2nF7QD+B4ToU6tlbQE5y3lkv +Ai++jLF55nMnJrHAuwkL8dFBJf6nI+UqYhHY7727rTOVNuf3DYZJpvtjcyQubvBg +yzjMipCOeyoeV7WVbdAIrVkUe7uywTd1SQylQ+MRnoRoEPTuwYhAeh9WBV44elex +TODbpyk7l+8= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIFtDCCA5ygAwIBAgIRAMMSh5NoexSCjSvDRf1fpgEwDQYJKoZIhvcNAQELBQAw +MIIFtDCCA5ygAwIBAgIRAOSykfzsFL0kachzbNI8PrMwDQYJKoZIhvcNAQELBQAw ajELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQDExJQcm9tZXRo -ZXVzIFJvb3QgQ0EwIBcNMjIwNzA4MDkxNTA0WhgPMjA3MjA2MjUwOTE1MDRaMGox +ZXVzIFJvb3QgQ0EwIBcNMjMwODAzMDkzMTQyWhgPMjA3MzA3MjEwOTMxNDJaMGox CzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpQcm9tZXRoZXVzMSkwJwYDVQQLEyBQcm9t ZXRoZXVzIENlcnRpZmljYXRlIEF1dGhvcml0eTEbMBkGA1UEAxMSUHJvbWV0aGV1 -cyBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArkzRPi21 -E299vXw4FBbMfCXI258SxvvjRVRuKdAHLOBpEEqkYH6r6ScbZaisBFtIePv4ddKl -rmv+nDwN84/KS54OOtw1cWD4AnDB0kL3B0pWXjTS1F/u57hRLxM6Ta0UubKbta/h -WqSOR/fAA5sgcl+JbbR61QWVeYYXg9bM8YGTwQMeJod26tIUeX/Reo9BHuiW4jPb -pvVf7rsOs8E2cGwfYjZu6Zj2qcCxQ/ivCpopKFLNlaKko/KlGDGz9KxK5X3ik+sE -fPK9LzLC0k2RLGc3EmcMkdyqE3VNih9nV9SalAXN5yBdYaWWjJXykty7ilU32MBF -yO4myL48vif2K68pD/CFhG8YmIOud3woMm1IYS9xlsYKf7+f5CNlxqz+eSoOGhcG -dSDNft3h5nuq9J/qb2rIgWMSc2puFNRsx+fis0kS5GvjVadR0lxtArbrNm4S+F22 -EjGxeBF5VIWiu31uppbdASIw6DTKcrSVVoWxq+Fk3OOB+7q+rornosop9a/omXGH -0cTmgarjJtMqa0TEQiUPQPPnmpC1joeC7/kh7aks93wfHtY73uAVnTjLGTOwlr50 -CgRShcRoLLN049V93l46AFHU/4HWns8dqgdcdGnvIdUCFik916pKDSvEc/DfMLGh -H6w9Xlg4+2LgCyG2/FBEMTj+bLoraydzyaECAwEAAaNTMFEwDgYDVR0PAQH/BAQD -AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU -ST6xDptmazIK/QBU8/S2ctHwzTYwDQYJKoZIhvcNAQELBQADggIBAHM79R/uQwQX -vsBDfKyBXWFlrhHAgX8XAwMKHjstpQYCcJoiGLRJaMMjxj31T1tylqPdcxz88THN -uj9kVFYMo1GU5K9E9lq0LoWQBmX2R7/RgxWqB7FNS+S0xfGyeUb3YPVPI1yhtsKa -6mCtTuCVgsgs/hTa+umjtffxj7l+IQxD8Fq0RFBae+S0v5mjVC2sUVd6usqVt7F6 -LUVuYShyAI705guIV9nkz8ZyLzUBJnQAJ8g6DU+nLmdizigUG+JoD/hBbK2hvcjX -SL7JLAhYRI4kzWcYR0GUfDf2knFEWNhU8gCPnw70FHMD9QC3NKkQsPvyQRyJh99+ -ipwUFbGJJRYWjFBbUxlqZNqBg6+ylZNFGEnG42u2KvPXjgPdivlQWkrX6nG0ayyl -rYrvi0FawP3OBpCrhYhqsqkA2m+5L2Pl+J2SsDv4qmPB6fh7K0YDVB37AZSG+nfL -oXXpUtwfc9tR71S7GmgkcqYOkHfSzl7ecxXtE2xyl3zhkUPR9YcG+rQhXRRp0lxF -kR0EtGOGuvXMCQ/vBVPNEDS3jdceqIrIRI1yPUdhFkF7lrLsfFULllOt6qQWnhn2 -A2ObxHToohwuyri/v8QhqNI2Bg0jJHcAJi8I8taToAstCWrtn+WXyfj/QknAik47 -aOK9l5wSyyqPfkHybKvT6z9pqWUchJsz +cyBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvSVaPYcW +cJ1n0ugR6Ns2ITqbSiUTl2xkLAvyVOwVGaoEjYM+2NtJjg0Dr1hlT8I9rHeWcB4G +pC1Jj5wMbEP1hoUyxCxz6dbEplrdXu0GEd/leyGsAe+4qnIvvG+Ic4N5ndkNxEQo +xYBqD9kVtQi1iKlQDvCwvApu9LFp7PmFAzDjP/Kcz9U9PTtTCuuNy/GxiU6Ez9Z2 +JaaTi0ogoGumkTikgu3udFdny1n8XH9GSOysy8ndueE9AvGirpKP5UscSNsA+x7N +s2QZizVH6/w8K/wkPG3xxAMCp9nUZm9H6/dnQ6dpx7JENB/BQCJhr2J+3TEUaeZm +gtu9gSDzcvQtnjgtEUbkQBPGgnE/tJ+urFFBq5GhJo50+YkOt2e3B1kiD2+wCfqo +cN21UuxJuA3If5UrTB8R0Salnh6V/A3qWAqSYvm8eAKihmtOTg15X2DaeprnsK1P +lHzxegBf24B7u0390Am82h8EJTq6HQ/hSPK9kLfF3DRlaaoVWM2xW0/01zyTLNIw +u6oU8WEDpVDCMpv1gpR7j8gmKdHK5mceuNkjmVo/XL/PIMYQN0RbBcJtvdfsKD3d +EVIqV9T5PP7NpnCCNzTesfzjSOfmr6eIL/8pDb0CUQL3YU2jLjgcwiIAK5P9bEYW +Kn6WdM2Lih8iWU7UAKtIk447ddo6+h4mBpUCAwEAAaNTMFEwDgYDVR0PAQH/BAQD +AgGmMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU +gvliDT1KWEmaDmYqZXzu86XI0EswDQYJKoZIhvcNAQELBQADggIBACiHJUxeNiUJ +t2L9cfLLbWK3wqOpZ+totPhEilM0kqG3sP+Oh8mM9o83OrBFt7DLzxXXrvuGwsH7 +DIVXhctCL8gqO0AL67fJIJHL6Kl5NubMf3A//KlwPI4Qij5loQbYWyiXtnUvLScC +jWliTjhJZBZ9ztJ/FnJ/DMF+YlrET3ak3lQKHEQba5t9mXkT507ru8Wuyp1hb9GA +BU2ZbCkzXlkv8Jern+yffBOPcXUMSU4Qoi3eJDcYqSflB83vr3M3AM35+HzZPdBD +2HnTvCCZQwQqAKMpXeB16gVlOGi4HKx7fVPBmRmM4SAB+PgTa4LiAA/BRJq1yEAq +jTbzLYXBfAhciJyzH7UX7LoSmrHr2pDodI51HopFANfhvHu+YrxUhXgI6Kr59xaJ +uBDlCSlCjeNd4NiswbdlRZM6eO6ke1iwX7VHfNIJGGwRuALyaksFpxclrdAsi3/k +RCM2l7OL1FnXrgdD5laYgDCo5IxYh+0jDroJO2W0ppR99+rdWSqXeGzTZA6YDUJC +unypdNY7q3za05LAgvy0RDkB1MBRNCjpJuvBRhMW0snZU64Byv15wFkhtDzhaoaZ +aZRAOXZK6VgcVNkZ7HEPuVDGFVytKZpjiR9G45JXgSTWfLspT/LfWl7X4hbrpMpd +0KwX3b1IVRfk+mGGgiYNIIAJIqWTyC04 -----END CERTIFICATE----- diff --git a/config/testdata/tls-ca-no-root.pem b/config/testdata/tls-ca-no-root.pem new file mode 100644 index 00000000..f6dcdb02 --- /dev/null +++ b/config/testdata/tls-ca-no-root.pem @@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF1DCCA7ygAwIBAgIRAOSykfzsFL0kachzbNI8PrQwDQYJKoZIhvcNAQELBQAw +ajELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy +b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQDExJQcm9tZXRo +ZXVzIFJvb3QgQ0EwIBcNMjMwODAzMDkzMTQ0WhgPMjA3MzA3MjEwOTMxNDRaMGkx +CzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpQcm9tZXRoZXVzMSkwJwYDVQQLEyBQcm9t +ZXRoZXVzIENlcnRpZmljYXRlIEF1dGhvcml0eTEaMBgGA1UEAxMRUHJvbWV0aGV1 +cyBUTFMgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQChEDFJ3zUp +9XB6Ln+TYjNjcRmKn8+h4pM+RLTlP1CtwAMn7LYeZNwhu/aRW/QEr7DIDVkZiWzY +S0J0JjjdfGZG+e89o7k+HHWHiBtf210q55FiKKGUwoDfTVHHgImZ7AOOZxG2brwa +KRV7qSocs/Qea05OjuqGeOrKA7jJpuH5u4ZRo82YtiwWUXSqXiVihZfQYTSVUDK4 +1w5iAsAFBi17XbIPvmGHKDNminixyWO0XTKeU9zQAcv+/0kmRpTJoM2oVKLhFX6u +LZdspxHCmCbMmbsbV6phKQpdK67CsbivuqLLBCBr/RPI3riWehaEF5WMj8Ji0DoO +PAVkE7+zHmIsDMpiYh5BEEO1ZwiqqnfOSpP6omLI70jIyoAuWpq6luQKX+CWm5sK +JAbne4iu9xoILGrB0bP2wF/6qCIbmQU92k5whVAUJmWA8P8hLv+huL5BzBZjbuTU +cRVf5fxr3J9po2XqBii3VekHR+PEGHkD1pp+Wog7QeIdiQOv745f0rTP0+iy1eWY +Qj8gceld68tLLw6vBzPDhNlBbdXIIktzW1W9pDhO+VBxUJqUHwtgytjseokHud/e +pNmd6+8l51vf0RGs52yuxLAr9CHJeVLWeZ26pg6XvpolyuFwtqrPU5W7CLO/Rvs2 +sCxyT/iXlCd4BEZFzeOT+rn0IY5ANYWPLQIDAQABo3QwcjAOBgNVHQ8BAf8EBAMC +AaYwDwYDVR0lBAgwBgYEVR0lADAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR/ +S3w0868pt/xMDAKKZDpMvnlzCjAfBgNVHSMEGDAWgBSC+WINPUpYSZoOZiplfO7z +pcjQSzANBgkqhkiG9w0BAQsFAAOCAgEAbqPq2gWPeV+dVYuKyqMyG2Y2jbCpPaib +gWNmrQQUxh8G8sqDkI94dq4w691CtycVwpKr0KAqi/dA/6TS5rNOmkpDBsJ9pCOc +7KUZAXJ/5W8Mr8VxaxH8YCDhIuQa1lvydRcGoMwEf08gLxEAZ96MSO0FVEiTLu6N +vAb69ZEmItY+7xW3wxAS6qbMlN2NtEO9knQtRdnjFy02aiyXotxXPuCrL2jFS2bb +lkHJ8J3ib3FmOOilBcXZX9PKk39JU7+56D5gZU2vtEqBJC6wXJHR3m02RMCS2kLm +Xjv2ArllddNL8J6f06tqwHBnX9f8+eXOxSy8zglIf31j2hB7DXxRjejPEvTrnCnz +f74lQKZiQDm6x+16q9UEgJhxHmPinwbGAqMjQ+JeLN3ono7m5UsqwSvuoTfkEdM/ +XORhnZ4oA9jRsCsq2R9/Izh+cMb9VfdRNNyZFLzYkfiol0Q/FpGOeeDdY8PddgUE +b0Bd/gMmllMKqGUTbVLbg2Bbcc6pxnD/70GIzhsO2nF7QD+B4ToU6tlbQE5y3lkv +Ai++jLF55nMnJrHAuwkL8dFBJf6nI+UqYhHY7727rTOVNuf3DYZJpvtjcyQubvBg +yzjMipCOeyoeV7WVbdAIrVkUe7uywTd1SQylQ+MRnoRoEPTuwYhAeh9WBV44elex +TODbpyk7l+8= +-----END CERTIFICATE-----