examples/advancedtls: example code for different security configurations for grpc-go using `advancedtls` (#7474)

Add examples of advanced tls usage
Gregory Cooke 2024-08-26 17:30:18 -07:00 committed by GitHub
parent 0b6f354315
commit 005b092ca3
21 changed files with 1580 additions and 0 deletions


@ -51,6 +51,7 @@ pass () {
EXAMPLES=(
"helloworld"
"route_guide"
"features/advancedtls"
"features/authentication"
"features/authz"
"features/cancellation"
@ -75,12 +76,14 @@ EXAMPLES=(
declare -A SERVER_ARGS=(
["features/unix_abstract"]="-addr $UNIX_ADDR"
["default"]="-port $SERVER_PORT"
["features/advancedtls"]="-credentials_directory $(dirname $(realpath "$0"))/features/advancedtls/creds"
)
declare -A CLIENT_ARGS=(
["features/unix_abstract"]="-addr $UNIX_ADDR"
["features/orca"]="-test=true"
["default"]="-addr localhost:$SERVER_PORT"
["features/advancedtls"]="-credentials_directory $(dirname $(realpath "$0"))/features/advancedtls/creds"
)
declare -A SERVER_WAIT_COMMAND=(
@ -125,6 +128,7 @@ declare -A EXPECTED_SERVER_OUTPUT=(
["features/orca"]="Server listening"
["features/retry"]="request succeeded count: 4"
["features/unix_abstract"]="serving on @abstract-unix-socket"
["features/advancedtls"]=""
)
declare -A EXPECTED_CLIENT_OUTPUT=(
@ -149,6 +153,7 @@ declare -A EXPECTED_CLIENT_OUTPUT=(
["features/orca"]="Per-call load report received: map\[db_queries:10\]"
["features/retry"]="UnaryEcho reply: message:\"Try and Success\""
["features/unix_abstract"]="calling echo.Echo/UnaryEcho to unix-abstract:abstract-unix-socket"
["features/advancedtls"]=""
)
cd ./examples
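Review bot: Both `EXPECTED_SERVER_OUTPUT` and `EXPECTED_CLIENT_OUTPUT` for `features/advancedtls` are the empty string, so this entry asserts nothing about what the example printed. That assumes the script matches the logs against these values, which happens outside the visible hunks. The client added in this commit reports an accepted revoked certificate only by printing `Should have failed but didn't`, so an empty pattern would let that regression pass. Have the client print one final line when every scenario behaved as expected and assert on it, e.g. `["features/advancedtls"]="<final success line printed by the client>"`, and do the same for the server.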


@ -0,0 +1,28 @@
# gRPC Advanced Security Examples
This repo contains example code for different security configurations for grpc-go using `advancedtls`.
The servers run a basic echo server with the following setups:
* Port 8885: A server with a good certificate using certificate providers and crl providers.
* Port 8884: A server with a revoked certificate using certificate providers and crl providers.
* Port 8883: A server running using InsecureCredentials.
The clients are designed to call these servers with varying configurations of credentials and revocation configurations.
* mTLS with certificate providers and CRLs
* mTLS with custom verification
* mTLS with credentials from credentials.NewTLS (directly using the tls.Config)
* Insecure Credentials
## Building and Running
```
# Run the server
$ go run server/main.go -credentials_directory $(pwd)/creds
# Run the clients from the `grpc-go/examples/features/advancedtls` directory
$ go run client/main.go -credentials_directory $(pwd)/creds
```
Stop the servers with ctrl-c or by killing the process.
## Developer Note - Generate the credentials used in the examples
The credentials used for these examples were generated by running the `examples/features/advancedtls/generate.sh` script.
If the credentials need to be re-generated, run `./generate.sh` from `/path/to/grpc-go/examples/features/advancedtls` to re-create the `creds` directory containing the certificates and CRLs needed for these examples.


@ -0,0 +1,304 @@
/*
*
* Copyright 2024 gRPC authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package main
import (
"context"
"crypto/tls"
"crypto/x509"
"flag"
"fmt"
"os"
"path/filepath"
"time"
pb "google.golang.org/grpc/examples/features/proto/echo"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure"
"google.golang.org/grpc/credentials/tls/certprovider"
"google.golang.org/grpc/credentials/tls/certprovider/pemfile"
"google.golang.org/grpc/security/advancedtls"
)
const credRefreshInterval = 1 * time.Minute
const serverAddr = "localhost"
const goodServerPort string = "50051"
const revokedServerPort string = "50053"
const insecurePort string = "50054"
const message string = "Hello"
// -- TLS --
func makeRootProvider(credsDirectory string) certprovider.Provider {
rootOptions := pemfile.Options{
RootFile: filepath.Join(credsDirectory, "ca_cert.pem"),
RefreshDuration: credRefreshInterval,
}
rootProvider, err := pemfile.NewProvider(rootOptions)
if err != nil {
fmt.Printf("Error %v\n", err)
os.Exit(1)
}
return rootProvider
}
func makeIdentityProvider(revoked bool, credsDirectory string) certprovider.Provider {
var certFile string
if revoked {
certFile = filepath.Join(credsDirectory, "client_cert_revoked.pem")
} else {
certFile = filepath.Join(credsDirectory, "client_cert.pem")
}
identityOptions := pemfile.Options{
CertFile: certFile,
KeyFile: filepath.Join(credsDirectory, "client_key.pem"),
RefreshDuration: credRefreshInterval,
}
identityProvider, err := pemfile.NewProvider(identityOptions)
if err != nil {
fmt.Printf("Error %v\n", err)
os.Exit(1)
}
return identityProvider
}
func runClientWithProviders(rootProvider certprovider.Provider, identityProvider certprovider.Provider, crlProvider advancedtls.CRLProvider, port string, shouldFail bool) {
options := &advancedtls.Options{
// Setup the certificates to be used
IdentityOptions: advancedtls.IdentityCertificateOptions{
IdentityProvider: identityProvider,
},
// Setup the roots to be used
RootOptions: advancedtls.RootCertificateOptions{
RootProvider: rootProvider,
},
// Tell the client to verify the server cert
VerificationType: advancedtls.CertVerification,
}
// Configure revocation and CRLs
options.RevocationOptions = &advancedtls.RevocationOptions{
CRLProvider: crlProvider,
}
clientTLSCreds, err := advancedtls.NewClientCreds(options)
if err != nil {
fmt.Printf("Error %v\n", err)
os.Exit(1)
}
fullServerAddr := serverAddr + ":" + port
runWithCredentials(clientTLSCreds, fullServerAddr, !shouldFail)
}
func tlsWithCRLsToGoodServer(credsDirectory string) {
rootProvider := makeRootProvider(credsDirectory)
defer rootProvider.Close()
identityProvider := makeIdentityProvider(false, credsDirectory)
defer identityProvider.Close()
crlProvider := makeCRLProvider(credsDirectory)
defer crlProvider.Close()
runClientWithProviders(rootProvider, identityProvider, crlProvider, goodServerPort, false)
}
func tlsWithCRLsToRevokedServer(credsDirectory string) {
rootProvider := makeRootProvider(credsDirectory)
defer rootProvider.Close()
identityProvider := makeIdentityProvider(false, credsDirectory)
defer identityProvider.Close()
crlProvider := makeCRLProvider(credsDirectory)
defer crlProvider.Close()
runClientWithProviders(rootProvider, identityProvider, crlProvider, revokedServerPort, true)
}
func tlsWithCRLs(credsDirectory string) {
tlsWithCRLsToGoodServer(credsDirectory)
tlsWithCRLsToRevokedServer(credsDirectory)
}
func makeCRLProvider(crlDirectory string) *advancedtls.FileWatcherCRLProvider {
options := advancedtls.FileWatcherOptions{
CRLDirectory: crlDirectory,
}
provider, err := advancedtls.NewFileWatcherCRLProvider(options)
if err != nil {
fmt.Printf("Error making CRL Provider: %v\nExiting...", err)
os.Exit(1)
}
return provider
}
// --- Custom Verification ---
func customVerificaitonSucceed(info *advancedtls.HandshakeVerificationInfo) (*advancedtls.PostHandshakeVerificationResults, error) {
// Looks at info for what you care about as the custom verification implementer
if info.ServerName != "localhost:50051" {
return nil, fmt.Errorf("expected servername of localhost:50051, got %v", info.ServerName)
}
return &advancedtls.PostHandshakeVerificationResults{}, nil
}
func customVerificaitonFail(info *advancedtls.HandshakeVerificationInfo) (*advancedtls.PostHandshakeVerificationResults, error) {
// Looks at info for what you care about as the custom verification implementer
if info.ServerName != "ExampleDesignedToFail" {
return nil, fmt.Errorf("expected servername of ExampleDesignedToFail, got %v", info.ServerName)
}
return &advancedtls.PostHandshakeVerificationResults{}, nil
}
func customVerification(credsDirectory string) {
runClientWithCustomVerification(credsDirectory, goodServerPort)
}
func runClientWithCustomVerification(credsDirectory string, port string) {
rootProvider := makeRootProvider(credsDirectory)
defer rootProvider.Close()
identityProvider := makeIdentityProvider(false, credsDirectory)
defer identityProvider.Close()
fullServerAddr := serverAddr + ":" + port
{
// Run with the custom verification func that will succeed
options := &advancedtls.Options{
// Setup the certificates to be used
IdentityOptions: advancedtls.IdentityCertificateOptions{
IdentityProvider: identityProvider,
},
// Setup the roots to be used
RootOptions: advancedtls.RootCertificateOptions{
RootProvider: rootProvider,
},
// Tell the client to verify the server cert
VerificationType: advancedtls.CertVerification,
AdditionalPeerVerification: customVerificaitonSucceed,
}
clientTLSCreds, err := advancedtls.NewClientCreds(options)
if err != nil {
fmt.Printf("Error %v\n", err)
os.Exit(1)
}
runWithCredentials(clientTLSCreds, fullServerAddr, true)
}
{
// Run with the custom verification func that will fail
options := &advancedtls.Options{
// Setup the certificates to be used
IdentityOptions: advancedtls.IdentityCertificateOptions{
IdentityProvider: identityProvider,
},
// Setup the roots to be used
RootOptions: advancedtls.RootCertificateOptions{
RootProvider: rootProvider,
},
// Tell the client to verify the server cert
VerificationType: advancedtls.CertVerification,
AdditionalPeerVerification: customVerificaitonFail,
}
clientTLSCreds, err := advancedtls.NewClientCreds(options)
if err != nil {
fmt.Printf("Error %v\n", err)
os.Exit(1)
}
runWithCredentials(clientTLSCreds, fullServerAddr, false)
}
}
// -- credentials.NewTLS example --
func credentialsNewTLSExample(credsDirectory string) {
cert, err := tls.LoadX509KeyPair(filepath.Join(credsDirectory, "client_cert.pem"), filepath.Join(credsDirectory, "client_key.pem"))
if err != nil {
os.Exit(1)
}
rootPem, err := os.ReadFile(filepath.Join(credsDirectory, "ca_cert.pem"))
if err != nil {
os.Exit(1)
}
root := x509.NewCertPool()
if !root.AppendCertsFromPEM(rootPem) {
os.Exit(1)
}
config := &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: root,
}
// Directly create credentials from a tls.Config.
creds := credentials.NewTLS(config)
port := goodServerPort
fullServerAddr := serverAddr + ":" + port
runWithCredentials(creds, fullServerAddr, true)
}
// -- Insecure --
func insecureCredentialsExample() {
creds := insecure.NewCredentials()
port := insecurePort
fullServerAddr := serverAddr + ":" + port
runWithCredentials(creds, fullServerAddr, true)
}
// -- Main and Runner --
// All of these examples differ in how they configure the
// credentials.TransportCredentials object. Once we have that, actually making
// the calls with gRPC is the same.
func runWithCredentials(creds credentials.TransportCredentials, fullServerAddr string, shouldSucceed bool) {
conn, err := grpc.NewClient(fullServerAddr, grpc.WithTransportCredentials(creds))
if err != nil {
fmt.Printf("Error during grpc.NewClient %v\n", err)
os.Exit(1)
}
defer conn.Close()
client := pb.NewEchoClient(conn)
req := &pb.EchoRequest{
Message: message,
}
context, cancel := context.WithTimeout(context.Background(), 10*time.Second)
resp, err := client.UnaryEcho(context, req)
defer cancel()
if shouldSucceed && err != nil {
fmt.Printf("Error during client.UnaryEcho %v\n", err)
} else if !shouldSucceed && err == nil {
fmt.Printf("Should have failed but didn't, got response: %v\n", resp)
}
}
func main() {
credsDirectory := flag.String("credentials_directory", "", "Path to the creds directory of this example repo")
flag.Parse()
if *credsDirectory == "" {
fmt.Println("Must set credentials_directory argument to this repo's creds directory")
os.Exit(1)
}
tlsWithCRLs(*credsDirectory)
customVerification(*credsDirectory)
credentialsNewTLSExample(*credsDirectory)
insecureCredentialsExample()
}
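Review bot: `runWithCredentials` only prints when the outcome differs from `shouldSucceed` and then returns, so the process exits 0 even when the call to the revoked server or the failing custom verifier succeeds; adding `os.Exit(1)` after each of the two `fmt.Printf` calls in that `if`/`else if` would make a revocation regression fail the run. In the same function `context, cancel := context.WithTimeout(...)` shadows the `context` package and `defer cancel()` sits after the RPC; `ctx, cancel := ...` followed immediately by `defer cancel()` is the usual shape. `runClientWithProviders` sets only `CRLProvider` in `RevocationOptions`; if this version of `advancedtls` has the `DenyUndetermined` field, a comment such as `// DenyUndetermined is left false: a certificate with no matching CRL is accepted` would tell readers the example is fail-open for undetermined status (my reading of the default, please confirm). The README in this commit lists ports 8885/8884/8883, while the constants here are 50051/50053/50054.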


@ -0,0 +1,35 @@
-----BEGIN CERTIFICATE-----
MIIGJTCCBA2gAwIBAgIUQIWlFBWaWCYUunTANnlB4XZeFeUwDQYJKoZIhvcNAQEL
BQAwgaExCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdHZW9yZ2lhMRAwDgYDVQQHDAdB
dGxhbnRhMRAwDgYDVQQKDAdUZXN0IENBMRwwGgYDVQQLDBNUZXN0IENBIE9yZ2Fu
emF0aW9uMR0wGwYDVQQDDBRUZXN0IENBIE9yZ2FuaXphdGlvbjEfMB0GCSqGSIb3
DQEJARYQdGVzdEBleGFtcGxlLmNvbTAeFw0yNDA4MDgxODA2MjFaFw0zNDA4MDYx
ODA2MjFaMIGhMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHR2VvcmdpYTEQMA4GA1UE
BwwHQXRsYW50YTEQMA4GA1UECgwHVGVzdCBDQTEcMBoGA1UECwwTVGVzdCBDQSBP
cmdhbnphdGlvbjEdMBsGA1UEAwwUVGVzdCBDQSBPcmdhbml6YXRpb24xHzAdBgkq
hkiG9w0BCQEWEHRlc3RAZXhhbXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4IC
DwAwggIKAoICAQCs+Px6CMv0x3dmmK9PEdIq95J0JQ7Y6NojD93oosZxqi0QLzxU
LiRamNOvoMSBgbUl1GtC8xcQQ/YiaBS0A+tc+7NxZ6SJXIa/i7tbJcebPY5bnbHc
ILXPOt4FLEgcBqyv9UquPstkYytJje4J0N+G/nqfKsh+mo+emnKFSy1QS7NoPr/T
fDKemnf2DBk0HOiBnIr2gh3gqThXqUt/dZlDNJALeJU+7IpLDThOM3sf1QOOkSF9
O1IM1YJt3B9GeTDwPnqKbXVOKf23eBi51QyvWde1ZscTRh0p9HX4VRCYOGfkQnWw
0d3BpFg/a6rGVNLSPBGE2H6O68L4K1bBDV0CvdTjVD8/vgrLm/7NAOlg/58TKIaq
NxFalXeLmdKr0c5d4JZEbbPgg26O8Fsq769s8Jc1dtnAiFwB2opIOvOLZkNwzPG8
EjAET9HmjWHHzZ/OmswWamqywPukW8jdLH5f4RsuGpGHsUvs/53fUUeAdAlceJ+1
KuLNuk7ULRU59TRbppt6m/Ws81bWJLQtw79BdyDNgJ4q7Vyl5tCuC2mZzDqOb/uK
py5Gx6Upoy0klAsMjvUBiw3cpkVCl1/RCSx2HmV85itS20QCiFcT+KeJ3xSbIc+P
ScNvinnbwtRhENQY+fy5MAfy9kvEdlYlsM2yp3l1B+Z4My6w8e2CcQO4RwIDAQAB
o1MwUTAdBgNVHQ4EFgQUUHbDXGsS4ZIPKPjyQ6aAwpzoVtYwHwYDVR0jBBgwFoAU
UHbDXGsS4ZIPKPjyQ6aAwpzoVtYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
AQsFAAOCAgEAe7/P+MvYYM8gBN0AHQtmG4SaPpiE+Wi8TU4KSU6n+gzM347bPUnH
TbxMs1gYkiQ4IsYnU/uY2L+lCVvBpd66aIM9dJ5WGHS1RyRjRCUwZNEu9UIizemp
JSWu6hql96ib1AFAnXbjC8uNFG8OK+aF/NhChnu1pWKLLAMgBXhG8e5z7wNjQHqB
D/FOOBEn6ljR6MhBsRyPZxz/tqEt5hGflgeQnZXC2dzmQQDRfEWq9jjDgIVGpOjZ
VNYnua0GxdJGmRtExPHCf4bmClGf9uW1GK1ViCnj6Qlsvln0eOgNkI/m/VxjuSvE
NDUF+jWK7z+O0nagDSDTIGUU/enSFpdAHrUQuyqKS1S8WHhf4AIi0DNkUhHVojk6
40nUPxVHl8R7wPXu3K7sTCfNJFJsqY8+oMhS3lk05voDuPJAgWnvG3wnE5rDWi/Q
R7CLMnnYQ7oIyJ9mE8ZLDWd9Udov+n/y5VkFVh8WFbu9Vidvlpy9xXQKaJVP4EHa
K0nLHGSw1zRrB+zx0Ep7ow/zGDxT8kCcKMQ/Uonv6kRxpi90oBdvNNXzsTkQ+FZ3
168nBjWf+X6XX/HalbRiKmgww6SqG+hoVXP0cFw3vJwgESeXJHbxCcu1mJdzSbr3
HzRkGKgTKIBV0z2AMG3cLCW/DO4+45GKi/DYibz0GjvFkXT8cGhN5vM=
-----END CERTIFICATE-----


@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----
MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCs+Px6CMv0x3dm
mK9PEdIq95J0JQ7Y6NojD93oosZxqi0QLzxULiRamNOvoMSBgbUl1GtC8xcQQ/Yi
aBS0A+tc+7NxZ6SJXIa/i7tbJcebPY5bnbHcILXPOt4FLEgcBqyv9UquPstkYytJ
je4J0N+G/nqfKsh+mo+emnKFSy1QS7NoPr/TfDKemnf2DBk0HOiBnIr2gh3gqThX
qUt/dZlDNJALeJU+7IpLDThOM3sf1QOOkSF9O1IM1YJt3B9GeTDwPnqKbXVOKf23
eBi51QyvWde1ZscTRh0p9HX4VRCYOGfkQnWw0d3BpFg/a6rGVNLSPBGE2H6O68L4
K1bBDV0CvdTjVD8/vgrLm/7NAOlg/58TKIaqNxFalXeLmdKr0c5d4JZEbbPgg26O
8Fsq769s8Jc1dtnAiFwB2opIOvOLZkNwzPG8EjAET9HmjWHHzZ/OmswWamqywPuk
W8jdLH5f4RsuGpGHsUvs/53fUUeAdAlceJ+1KuLNuk7ULRU59TRbppt6m/Ws81bW
JLQtw79BdyDNgJ4q7Vyl5tCuC2mZzDqOb/uKpy5Gx6Upoy0klAsMjvUBiw3cpkVC
l1/RCSx2HmV85itS20QCiFcT+KeJ3xSbIc+PScNvinnbwtRhENQY+fy5MAfy9kvE
dlYlsM2yp3l1B+Z4My6w8e2CcQO4RwIDAQABAoICAA//iW6KEL8nkcIR/ijsh4lE
061dXhWu17oldgtVvs/1gux7yfMpP2CHwRB96J7nzcbdcjxDeo8dEg9VnBCYSjUT
7KFhCiVQQwBFXsNL573SgC+2EqS++8Haen10/ohlD6TIpasfELXMvEy1zV3oDTyR
nerJzLh0+DKdq1jrvpmuHr5WC2z2kEH+HHlL3irlP5X5UhsBptzIGfd1p49244GF
Q4tkED29J/9QDjSha1Ji48zUXIoWKf0Y5FLf6J6eh+m4haH3BMIBfT9yYqsRavZu
81YKVwBP3FOskhqxV3MUyHsisHr1tjJ6TlUzUpy8bLFYL/CfC3mRkbtdWs1JPKBk
2BFZVBU0JeTS4SB2kSSjxHMDTi5lhCzTgdzNk9z3FvrwPYAYV9eTdEoWnwRlGjQo
IAwde0EQk508JCBG7RXpn+yp7ye0y1WvmxvwTx5mshSf9S90wrquaFryOZzAO+qa
FbQBPhWdtz/NBEqZa3teNo+kvhm90Ey6BcoO75EFVVPJaDlCjZ7jrzSy4XuYi99F
NjgmXUnGTRgYu+aOItBX1ckBNUg6kSVXk4iIVpXD65wANTjNladeK8ZWBq1k1JEd
V+VBdQu5H0JzOi01i4jDzzb/6T7lIj1NFpi5PL7T6q6EelC7QpxJpoKGd3YVQPWr
zvLR1bS2Fsg3hNlkFr6RAoIBAQDYsZjJcnlGREg6aNmjyY+s2jQhk3SU65VmBH+z
IKg8Nk1erW0eVtY/nYdFVcuyH84VxpINDDIfbVzwr7tz6qAWb3+dgEKZUVv1MHv0
S12snsO3NdZ0UKdrqr16K0d9oa3OyaCSi89zKKtfPhIPMxLRehZipXecyCM+1Rda
AHCAjmJWD9VA+izHtLQB92+d+pl3BUpWi5wxBomOP5VqJ2slOdpd2sD94EhumQbR
Gk0/4kj5PHx3r7nhgSJoAvO2HMV/PvvoiGXf+4Oi3vhgACnBA8N+zEaKvLHBRZNF
nIkoxAgu5erEsnuJJEOEgpnsiLD7ZChbnPQgpD4p9t7Da7jXAoIBAQDMWSb28T4m
DIm50G4Q2Hnhz6EEaGZSEbyq5AejWLrhgvJHpo/mOaFoNOPQuzV3WpBgM6Uvltcq
Kk6uthA6Vr3haiJkxWMXI5rnszHnEd2VMKBfsui60Z2leWOdiEH2CkBroU67ZV0x
9X7P3LlxClJ91yP9iPLz6Cx8QZWZ2WMQabODb86K8aQ5pqLcTgclujCk7NmSM9T3
eBz8mlVMFBsnudIe1A04e4EYHkVUvWtAltQbILsvbxLVMGRGNe2rKZ+wkke/xbf+
Agv1LL6LwyGOAdt+71DWzFsdML5UEAkJ5EA3ERiOthhpFllvmV3pr9cMCIS0ivSH
S925tO1rvt4RAoIBAGEWOSFQs7tizoW1AoYawc+tOBwvB9XNM3Ow4lIseJP5tHKN
+0zTlUyNVNUg2pHlJB2niTplU3O3OSPxaGhIIA/NRv0XQT+WL0BMx8ytk7vKql/E
tGAK3ugjaJ97Ep3cOZZjyhi+oWS0PQwAMHE07eKC89Kg1lWdagU1zi+Z8M34fWCX
2XEyZavYb6pN5Wl/pRCpgyQBiyqABlOAc35LSPs1z3urjjpxKaK7100Knr/Xr+BT
VGT/i6XYiMTXRcA7ZdVcL9uAeTyAYPsxMVE54XtEJ2wBND3myzGP7asLtnxYUF5K
zwPv/99zKvkM1tAeckVAG8DoMo0JaXy9yhL+iaMCggEAXFqSfJqM/v89o4fqppxf
gUmoOOjCDadMgGNsfEuWsmLPAsjpUiCLrR/yMhzZziZVB9Vve3GNrtXOF7Ha5bLc
QCsKfkajQQrrcHoRPKBbZ5jBcl7WRdCEkguplMHHJd5+POZ7QcBO/Uw5UtIr0UXc
AFmiP2yMeOVebY3qgcy4s+tBoU5/p1YMZa3E/xIYstlSMMeGkUfxoSJc32EU2bxg
hXS63QnzK6rNrkvIA8NT3K4OEHCbiJWHimhDeWPYFTpLnK6P1MEUJa1hIB5nw5yd
5qM6Q0T/YQSczTWBX1ab7yeESh7k3WK4542dQA2tXvcElsCm0T3Xw+nqvIpjnwV1
MQKCAQAbK3pgm6uE4x7iC7KuFm+j1ccm1BX9t80XlSqMv3aPTufF2wbv+OIOJgLA
HmY14nobAxt1f1AQ/9NfbZxiw8lzQMo407aXpubzHLSX4+S700quSAGBpexy2cqM
Sft9gHWiblHw7NNC1IWG/H7MUv7UA+b8GQuVhRYvVi/YeErk4eb+tAvp8T3jg465
PwQBCO4hkXZhUDYS8S0dL04vEeMSo8eh252LrNkjho/iU58ZDmGiyHr9XDq3awDR
mfdkufXVKVigaCan7HmEOJUt2Dt2sIVn1dQ3qFzulG5FDTrUi/mefsH/FaAJoNsa
/9XEh58NyCCGvjV0a6MHrcZRMl3y
-----END PRIVATE KEY-----


@ -0,0 +1,127 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Georgia, L=Atlanta, O=Test CA, OU=Test CA Organzation, CN=Test CA Organization/emailAddress=test@example.com
Validity
Not Before: Aug 8 18:06:22 2024 GMT
Not After : Dec 25 18:06:22 2051 GMT
Subject: C=US, ST=Georgia, L=Atlanta, O=Test client, OU=Test client Organzation, CN=Test client Organization
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:bf:8d:88:b7:20:0e:04:3e:5e:3a:f1:a3:78:2d:
a5:44:f6:68:b3:f3:ec:3c:7e:8f:cd:e2:cd:55:9c:
2c:a2:a6:a0:31:41:b4:10:cb:3a:a8:8e:9e:ae:b5:
65:13:18:02:fc:35:38:7c:5e:6d:ba:e0:13:31:f0:
65:bb:a6:d3:61:7c:7f:86:bd:d6:84:d2:b1:06:92:
fe:47:5d:dd:3e:1f:99:6c:55:6f:67:eb:44:eb:d8:
da:79:70:2e:d7:48:75:6f:1d:cb:bd:e6:59:17:22:
d7:d9:23:26:90:0c:b9:63:85:91:9f:8e:58:92:52:
b6:09:3a:80:b7:40:91:fe:47:b6:e8:3c:4d:44:97:
ef:1c:11:a7:75:e0:19:d2:79:cb:3e:5d:f9:0c:81:
95:63:6d:df:58:43:e5:03:62:78:52:0b:5b:5a:5c:
c3:d9:8e:39:15:e5:72:37:b0:3a:ce:99:67:c0:72:
ca:9f:65:25:7b:23:bf:87:bf:1f:a9:f5:0f:f2:bf:
a1:ec:43:3b:8a:67:d0:5f:61:d8:03:74:e6:b1:25:
91:45:70:85:d0:a2:70:65:df:4d:ed:39:6c:4d:c4:
fd:fe:8d:71:92:06:90:ad:19:8e:de:0b:35:e1:50:
79:30:6f:f6:bb:3d:74:a7:66:dd:0e:7b:d0:63:f2:
5d:58:dc:17:a1:a2:e4:45:4e:b7:9c:32:b8:bc:56:
88:31:de:6f:27:f3:56:29:54:45:07:68:f3:76:9d:
b7:63:c0:d7:cf:6b:11:c5:3a:d2:9f:1a:34:96:2a:
df:64:e1:df:fe:be:1d:4a:48:58:33:be:2e:c7:ac:
c7:12:6f:9a:a6:10:e5:ef:a4:ae:0b:8d:c9:56:2c:
49:60:ff:54:91:2c:41:05:90:74:70:3e:dd:54:58:
b3:83:ae:c4:b4:4e:91:0b:a5:f1:3d:e4:5a:6d:34:
5c:3b:ee:f6:d7:62:0b:a8:55:8f:5d:8a:ed:56:9a:
8d:e7:80:16:0f:97:1b:f5:eb:0d:7f:1f:9a:51:e1:
9b:3e:14:ac:f7:c3:36:42:06:11:7c:e9:ef:75:54:
ae:1b:3b:68:b7:c4:79:fd:67:5c:26:9e:a5:d4:55:
6c:c7:92:15:51:73:57:99:bc:de:fb:56:ab:70:db:
98:10:1a:63:71:9c:c3:9f:11:9f:c2:c5:8b:ac:5c:
52:69:c7:58:a1:b1:26:86:e3:68:85:23:17:68:62:
30:01:79:1a:51:d7:e9:1b:a4:da:81:b6:46:33:1e:
9a:2b:9b:f6:20:26:d0:21:10:b0:15:58:91:08:b5:
bd:b7:c0:05:c1:cf:2f:bd:3b:18:40:17:08:92:58:
6e:bb:bb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
DE:03:BD:A3:0E:63:F4:97:C2:52:70:63:E8:BE:A9:DF:F1:9A:7B:56
X509v3 Authority Key Identifier:
50:76:C3:5C:6B:12:E1:92:0F:28:F8:F2:43:A6:80:C2:9C:E8:56:D6
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:0.0.0.0
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
92:69:25:55:69:46:6e:3b:c3:a1:9d:00:b2:6e:b5:ae:1b:5a:
19:2a:77:7f:12:e3:f7:84:72:37:35:26:78:45:5e:90:3d:0b:
57:6f:1f:42:05:77:ec:4b:0c:29:dd:d7:db:02:cb:b7:2f:7b:
cc:81:4a:cc:71:2f:54:aa:3a:27:e3:8e:cd:87:76:c1:5f:60:
b6:34:0c:16:ef:fc:b6:ae:61:44:6b:b2:e1:db:86:15:e4:24:
db:47:48:f2:29:14:fb:61:0b:10:97:b1:b2:79:c3:69:dc:f3:
65:e9:15:a6:89:17:34:46:83:b1:a6:89:4f:12:e0:69:27:66:
f8:89:df:36:21:59:a9:a5:e5:6a:8b:10:8c:19:39:cf:6e:61:
a5:43:6f:34:b4:e1:79:7a:0a:f9:1d:2d:06:66:cb:a0:91:9c:
04:85:4f:0b:3d:c1:54:a8:06:d3:89:2e:16:5c:f2:29:c5:f7:
6e:d9:4b:ca:81:65:96:3c:ba:66:8e:40:16:a3:20:ca:ed:5a:
ea:72:97:7a:2c:c4:b6:b5:c2:00:83:fb:1b:8a:d0:72:85:49:
88:ad:81:9e:87:42:31:99:1a:39:ad:b5:ff:24:b5:e0:90:07:
08:2e:1d:4a:a7:01:ef:97:9a:07:d4:e6:09:f5:c8:36:37:ce:
e3:b2:94:2a:5e:95:e1:6a:06:68:d1:31:24:da:b4:fe:ce:af:
a5:23:87:bc:7e:35:54:dd:c3:77:a5:44:95:43:a0:b1:f5:c4:
f8:98:4d:a3:fc:33:ef:7a:d7:4b:5b:ae:de:2b:1f:7a:a1:3f:
df:85:6b:97:57:4d:fa:b1:1a:79:4b:a7:96:62:09:99:b0:54:
f1:46:65:dd:3a:31:bc:1b:07:97:ff:e7:1b:0a:d4:82:68:62:
cc:66:9c:06:d4:18:70:3b:71:82:2d:76:bf:e7:56:88:4f:d9:
5e:1b:46:9c:f9:9c:15:bc:73:ca:f5:e5:44:3d:f1:e4:b9:55:
e6:06:80:e2:0d:4f:ba:19:e2:01:29:da:5b:6f:1f:79:6a:6c:
d4:e8:c2:e1:12:c2:13:d0:5a:63:1d:35:f1:36:d4:1b:48:26:
72:18:df:5f:7e:30:8d:86:42:cf:22:90:db:f8:6c:9d:b0:e7:
3b:a1:0d:8a:b1:d9:de:a1:d0:4b:de:33:a2:fc:6c:cc:b0:7d:
a6:57:43:fe:db:2a:44:e3:6c:68:ff:c8:82:91:19:68:f0:c5:
6b:9d:3b:4c:f8:2d:8f:0e:44:04:79:4e:99:ec:08:c6:e6:25:
90:5b:2d:16:18:94:fe:0b:86:9b:01:f2:40:66:ec:fa:ac:28:
ba:33:fc:58:c1:8e:a2:06
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,127 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Georgia, L=Atlanta, O=Test CA, OU=Test CA Organzation, CN=Test CA Organization/emailAddress=test@example.com
Validity
Not Before: Aug 8 18:06:22 2024 GMT
Not After : Dec 25 18:06:22 2051 GMT
Subject: C=US, ST=Georgia, L=Atlanta, O=Test client, OU=Test client Organzation, CN=Test client Organization
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:bf:8d:88:b7:20:0e:04:3e:5e:3a:f1:a3:78:2d:
a5:44:f6:68:b3:f3:ec:3c:7e:8f:cd:e2:cd:55:9c:
2c:a2:a6:a0:31:41:b4:10:cb:3a:a8:8e:9e:ae:b5:
65:13:18:02:fc:35:38:7c:5e:6d:ba:e0:13:31:f0:
65:bb:a6:d3:61:7c:7f:86:bd:d6:84:d2:b1:06:92:
fe:47:5d:dd:3e:1f:99:6c:55:6f:67:eb:44:eb:d8:
da:79:70:2e:d7:48:75:6f:1d:cb:bd:e6:59:17:22:
d7:d9:23:26:90:0c:b9:63:85:91:9f:8e:58:92:52:
b6:09:3a:80:b7:40:91:fe:47:b6:e8:3c:4d:44:97:
ef:1c:11:a7:75:e0:19:d2:79:cb:3e:5d:f9:0c:81:
95:63:6d:df:58:43:e5:03:62:78:52:0b:5b:5a:5c:
c3:d9:8e:39:15:e5:72:37:b0:3a:ce:99:67:c0:72:
ca:9f:65:25:7b:23:bf:87:bf:1f:a9:f5:0f:f2:bf:
a1:ec:43:3b:8a:67:d0:5f:61:d8:03:74:e6:b1:25:
91:45:70:85:d0:a2:70:65:df:4d:ed:39:6c:4d:c4:
fd:fe:8d:71:92:06:90:ad:19:8e:de:0b:35:e1:50:
79:30:6f:f6:bb:3d:74:a7:66:dd:0e:7b:d0:63:f2:
5d:58:dc:17:a1:a2:e4:45:4e:b7:9c:32:b8:bc:56:
88:31:de:6f:27:f3:56:29:54:45:07:68:f3:76:9d:
b7:63:c0:d7:cf:6b:11:c5:3a:d2:9f:1a:34:96:2a:
df:64:e1:df:fe:be:1d:4a:48:58:33:be:2e:c7:ac:
c7:12:6f:9a:a6:10:e5:ef:a4:ae:0b:8d:c9:56:2c:
49:60:ff:54:91:2c:41:05:90:74:70:3e:dd:54:58:
b3:83:ae:c4:b4:4e:91:0b:a5:f1:3d:e4:5a:6d:34:
5c:3b:ee:f6:d7:62:0b:a8:55:8f:5d:8a:ed:56:9a:
8d:e7:80:16:0f:97:1b:f5:eb:0d:7f:1f:9a:51:e1:
9b:3e:14:ac:f7:c3:36:42:06:11:7c:e9:ef:75:54:
ae:1b:3b:68:b7:c4:79:fd:67:5c:26:9e:a5:d4:55:
6c:c7:92:15:51:73:57:99:bc:de:fb:56:ab:70:db:
98:10:1a:63:71:9c:c3:9f:11:9f:c2:c5:8b:ac:5c:
52:69:c7:58:a1:b1:26:86:e3:68:85:23:17:68:62:
30:01:79:1a:51:d7:e9:1b:a4:da:81:b6:46:33:1e:
9a:2b:9b:f6:20:26:d0:21:10:b0:15:58:91:08:b5:
bd:b7:c0:05:c1:cf:2f:bd:3b:18:40:17:08:92:58:
6e:bb:bb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
DE:03:BD:A3:0E:63:F4:97:C2:52:70:63:E8:BE:A9:DF:F1:9A:7B:56
X509v3 Authority Key Identifier:
50:76:C3:5C:6B:12:E1:92:0F:28:F8:F2:43:A6:80:C2:9C:E8:56:D6
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:0.0.0.0
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
58:b7:35:45:3b:6b:5e:7d:6b:58:70:be:e6:39:96:14:2e:69:
17:fc:a4:8e:1b:ae:ca:62:73:ec:12:92:ca:a8:1f:92:b8:1e:
09:a5:7e:c0:49:d2:a3:29:48:2f:4c:67:ae:a6:fb:ad:7a:1b:
2a:29:0b:75:6d:11:0f:99:8c:1d:dc:af:1c:a8:e7:cb:7c:66:
34:de:7e:8f:e6:aa:26:6e:56:17:aa:1f:34:e9:1f:ff:7a:58:
d2:7e:7c:65:62:56:d1:de:04:bd:71:cf:a2:6c:ad:47:cb:10:
e8:72:b0:0a:9e:24:79:e0:1a:b6:e2:61:6f:fd:94:8b:3c:19:
d0:8e:62:4f:a2:3a:fd:3d:97:c2:e7:93:1f:2c:aa:13:f5:c6:
d0:03:4c:ee:90:48:94:3b:03:d9:2c:80:59:97:fb:a2:7f:00:
23:19:51:0b:89:2a:92:36:57:94:0b:73:8b:f3:ae:5d:f0:68:
29:ea:a1:f3:eb:83:48:f5:19:d1:42:fe:94:cd:13:37:c9:9a:
c1:65:b3:97:eb:7e:82:f1:e3:98:c8:da:0c:41:c0:6f:4f:42:
49:38:8b:c4:57:f4:07:cb:7f:f5:70:81:f0:72:3e:c7:e1:69:
e3:38:e5:d0:4a:97:b2:b6:bf:25:c9:fe:91:79:39:d0:eb:04:
a5:5d:b6:ca:4a:83:6e:9a:32:a2:6f:b1:ed:34:71:6f:9e:ee:
ed:e4:c3:1b:07:ec:e1:d2:19:9f:f8:b0:a0:91:e6:dd:92:cf:
2a:dd:45:b5:29:12:57:1b:6c:f2:04:37:be:4d:20:e8:f4:f4:
2c:f1:bc:3e:76:ed:85:64:26:0f:81:c5:dc:63:f6:6e:77:fc:
32:18:0b:a0:e4:8a:b5:af:93:d3:55:26:5d:7f:5d:a1:5d:1d:
2e:f2:11:66:bd:5a:32:cc:80:6d:cf:c2:45:17:b4:bf:46:c6:
99:2d:ae:1e:20:b8:21:b0:80:8f:72:25:9d:62:b6:80:71:9e:
90:80:ef:52:19:a3:68:05:80:f9:8b:dc:f5:89:57:35:5c:1b:
11:f0:e0:15:4e:ca:19:3c:19:61:86:8f:6b:3c:c3:d1:cf:6f:
c5:28:88:35:7d:c8:ae:1b:98:a1:7c:b8:e8:df:36:a9:9a:9b:
bd:71:48:c2:89:d6:5c:27:31:c9:c3:4c:71:95:67:aa:7a:c4:
2e:7e:05:6f:d2:53:16:cc:6b:5b:64:43:ff:e5:1a:d5:47:d9:
ff:47:1f:28:91:43:88:5d:34:ca:61:fe:38:b7:8f:35:43:51:
78:b1:c1:2b:e2:29:2a:a1:69:bb:1f:14:2e:c5:f3:18:9d:81:
ee:bc:d6:fc:e7:52:d6:d6
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----


@ -0,0 +1,20 @@
-----BEGIN X509 CRL-----
MIIDOzCCASMCAQEwDQYJKoZIhvcNAQELBQAwgaExCzAJBgNVBAYTAlVTMRAwDgYD
VQQIDAdHZW9yZ2lhMRAwDgYDVQQHDAdBdGxhbnRhMRAwDgYDVQQKDAdUZXN0IENB
MRwwGgYDVQQLDBNUZXN0IENBIE9yZ2FuemF0aW9uMR0wGwYDVQQDDBRUZXN0IENB
IE9yZ2FuaXphdGlvbjEfMB0GCSqGSIb3DQEJARYQdGVzdEBleGFtcGxlLmNvbRcN
MjQwODA4MTgwNjIyWhcNMjQwOTA3MTgwNjIyWjAoMBICAQIXDTI0MDgwODE4MDYy
MVowEgIBBBcNMjQwODA4MTgwNjIyWqAjMCEwHwYDVR0jBBgwFoAUUHbDXGsS4ZIP
KPjyQ6aAwpzoVtYwDQYJKoZIhvcNAQELBQADggIBAArFuFeXXCWCCNLy8qk0UG5r
CljVMSWrOPTy3eyQH+pSbzdwA5PYW2i5BOBcr6ULKW5aamFjhYMviqroFXrib7yU
hNhiK8FtH9cl2O7pbdFGBdjqHoGOSOWXG++0LU+Hhh5kTr/iZrgkYvB3RHycofC1
85nY01t//fGZZJ3e8hBwf8sNdR4L7vQ2WJtbzj8mj6mU4K//UkTiqZv2yGlbDXmh
p0HDdu9/nBFLrLE35N/0m/1R4pW7AXm3R6WBiqxY8KdA4Us9tC9+qvtsWwEe/klN
5E9FLcARMTl9kwJLNJZpVoe6tyt/S4WXs4nh+XEpiD5uZgbMh0N0jwaCMWyz3wo6
tLkMmg+4mXEViAKQZTGVU2fTVaBH1C6A4ugB7IcFG1gXVw2DnF6I1XQB9+EcPbpb
6ZTBo1msSR0Bzr0sUOdCiKhSc60DTjeNjcLhNT4k06cVvzQcyb2KePG+NnA/Tfbz
yMuDcx62T2BTL1X2aVMUSLY3mwWnqyFdHbEQOoKH084Nrhizq7H2YwdoL992UTuH
PzjyEqJN3hIePthlHl2g9fGh9dIJtxu6didm2M4WoHKeCfpWPH8fc37zhX8QYpqj
U9vDvc2F567lRpAGwyqKZti+2xg2L2K/qBSGvKdtf5hPsOvVlEnWC4mTbjo19aUn
YvLKT6e3D16ao5jVKITj
-----END X509 CRL-----


@ -0,0 +1,24 @@
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Georgia
localityName = Locality Name (eg, city)
localityName_default = Atlanta
organizationName = Organization Name (eg, company)
organizationName_default = Test Department
commonName = Common Name (eg, YOUR name)
commonName_max = 64
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 0.0.0.0
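Review bot: `IP.1 = 0.0.0.0` in `[alt_names]` puts the unspecified address into the SAN, which is not an address a peer dials, so a connection made by IP (for example to 127.0.0.1) would not match this certificate. The examples verify only because the client dials `localhost`, which `DNS.1` covers. If access by IP is intended, list the loopback addresses instead, `IP.1 = 127.0.0.1` and `IP.2 = ::1`; otherwise drop the IP entry so the certificate claims only the name it is used with.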


@ -0,0 +1,94 @@
base_dir = .
certificate = $base_dir/ca_cert.pem # The CA certifcate
private_key = $base_dir/ca_key.pem # The CA private key
new_certs_dir = $base_dir # Location for new certs after signing
database = $base_dir/index.txt # Database index file
serial = $base_dir/serial.txt # The current serial number
unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
default_days = 10000 # How long to certify for
default_crl_days = 30 # How long before next CRL
default_md = sha256 # Use public key default MD
preserve = no # Keep passed DN ordering
x509_extensions = ca_extensions # The extensions to add to the cert
crl_extensions = crl_ext
email_in_dn = no # Don't concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to cert
####################################################################
[ req ]
default_bits = 4096
default_keyfile = ca_key.pem
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
string_mask = utf8only
####################################################################
[ ca_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Georgia
localityName = Locality Name (eg, city)
localityName_default = Atlanta
organizationName = Organization Name (eg, company)
organizationName_default = Test CA
organizationalUnitName = Organizational Unit (eg, division)
organizationalUnitName_default = Test CA Organization
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Test CA Organization
emailAddress = Email Address
emailAddress_default = test@example.com
####################################################################
[ ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
####################################################################
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ signing_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
#issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
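Review bot: `default_crl_days = 30` makes the checked-in CRL stale 30 days after `generate.sh` is run, while `default_days = 10000` keeps the certificates valid for decades. After that the revoked-server example depends on how `advancedtls` treats a CRL past its next-update time, which is worth confirming because the client only prints when a call that should fail succeeds. For fixtures that live in the repository, a lifetime matching the certificates (`default_crl_days = 10000`) or regenerating the `creds` directory from the test script would keep the negative case meaningful. `private_key` points at `ca_key.pem`, which this commit also checks in; a comment here or in the README saying this CA exists for the examples only and must never be added to a real trust store would be a sensible addition. The comment on the `certificate` line also has a typo, `certifcate`.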


@ -0,0 +1,127 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Georgia, L=Atlanta, O=Test CA, OU=Test CA Organzation, CN=Test CA Organization/emailAddress=test@example.com
Validity
Not Before: Aug 8 18:06:21 2024 GMT
Not After : Dec 25 18:06:21 2051 GMT
Subject: C=US, ST=Georgia, L=Atlanta, O=Test Server, OU=Test Server Organzation, CN=Test Server Organization
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:bd:47:df:b7:d5:38:92:af:b4:69:e7:48:3b:a0:
7b:9e:6b:83:0e:76:91:06:06:94:a3:80:a3:73:8f:
50:e5:43:80:f8:f7:fb:65:7b:f0:a3:94:cc:8e:a6:
7e:fe:59:43:ce:80:68:6d:55:67:8e:33:aa:90:79:
21:ac:de:6e:f0:03:27:1e:6f:50:31:cf:d2:3e:c3:
8e:98:f5:bb:f9:e9:44:3f:3f:59:ae:7c:a3:b8:a7:
ae:94:ff:68:70:d0:fb:7b:cb:cc:35:7d:04:81:f5:
2b:12:78:bf:6e:1b:a3:cd:d1:74:41:41:9f:ee:02:
1f:b3:42:fd:c9:01:b5:28:43:ee:31:03:3a:5d:60:
d3:df:8f:69:1e:73:4a:c4:83:35:95:00:93:83:6e:
d6:b0:d2:0b:30:31:7f:95:eb:ce:c9:73:83:b9:76:
eb:45:f1:20:8b:75:de:81:a3:32:b0:f7:0f:21:64:
a7:1d:cc:3b:00:82:c8:48:74:c9:3a:0b:f9:cb:6e:
8c:ab:fc:b0:94:20:bd:60:06:eb:d0:12:15:55:48:
d7:d3:30:ef:59:67:98:df:f6:31:92:6d:63:1c:4a:
93:7c:97:a8:99:f6:61:e5:78:12:36:a2:24:56:37:
4b:38:ce:63:00:a2:26:b3:31:05:93:23:3c:c1:ed:
b1:fb:25:7d:fc:54:04:3a:b9:3a:f7:17:a4:58:10:
4f:e8:6d:90:69:49:b6:1f:1b:81:fb:f5:c7:6c:aa:
b3:e0:4a:b1:38:40:77:83:a2:aa:8c:e2:7c:91:a9:
3e:cd:43:be:90:c3:e7:b1:23:94:47:f9:68:db:e4:
2c:df:65:e7:88:b6:64:dc:62:d0:86:33:9b:13:64:
94:37:aa:0e:56:9f:a3:42:19:67:30:a1:e9:3b:5b:
4a:e6:e1:81:52:81:21:2a:78:ac:c1:77:77:52:fc:
4a:95:b9:3f:f7:e6:32:9e:59:5b:46:4c:a9:8a:12:
d3:2c:fc:33:73:3a:28:26:28:22:4c:1c:a9:b1:59:
96:ab:a5:f6:e9:e7:55:32:a8:2b:a2:33:de:a0:e2:
5f:77:d8:cd:d1:aa:1f:4f:c6:69:10:66:4e:9d:aa:
77:83:82:78:96:5a:07:21:12:db:4c:97:51:cd:ba:
ea:00:cd:94:97:40:b8:50:62:90:2b:8c:b0:1b:2c:
aa:a5:63:0c:bb:7d:d5:7d:3f:c1:4a:00:6b:cb:74:
fa:23:35:26:1e:26:1a:30:b2:96:bc:1b:16:2a:62:
96:1f:51:20:72:95:36:1a:87:20:26:9f:76:d6:84:
1b:67:2a:32:68:b7:e0:c7:80:75:a3:fa:b7:da:a3:
03:71:c1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
4C:57:E2:72:97:CF:DC:C4:B8:4E:DB:D4:C1:C6:3D:AE:EF:D7:0A:19
X509v3 Authority Key Identifier:
50:76:C3:5C:6B:12:E1:92:0F:28:F8:F2:43:A6:80:C2:9C:E8:56:D6
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:0.0.0.0
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
10:9b:66:d5:4b:8f:e2:7b:25:8b:fe:5b:9c:a6:dd:4e:d5:ee:
27:ad:a9:e5:c4:5d:9b:f9:2c:f1:d6:8d:0e:d6:9b:e6:9f:87:
0b:14:1b:c9:a3:dc:da:82:d0:1e:e8:c5:f7:f4:ea:99:ea:01:
f1:2e:7c:f0:07:15:28:74:15:b0:36:27:a5:3f:2d:c7:32:fc:
81:61:44:15:9a:9a:88:20:fb:c6:d9:8a:26:61:df:e2:04:a2:
54:98:76:90:40:98:80:d3:eb:ff:73:29:d7:2f:3f:79:ca:ba:
c3:1b:34:53:6e:f0:da:06:f8:19:3e:97:de:34:74:d1:4c:90:
e1:ce:6a:36:31:6e:58:d2:22:b1:5a:05:71:d8:0b:d9:c2:03:
17:0d:98:78:f5:e2:24:7c:0a:7d:7b:49:4f:fe:31:a6:c3:0e:
11:9e:af:6e:88:83:72:5a:34:a9:34:94:ef:6b:ee:cc:c1:71:
5c:53:c6:dd:52:7e:a7:4c:9a:48:76:e9:72:b9:c4:26:74:87:
64:c9:89:34:7d:bc:f2:ff:8a:ac:32:b5:3d:50:19:09:5f:30:
19:49:6e:86:4e:84:e3:13:cc:9f:4c:a9:4a:20:89:5e:e3:91:
ad:8d:5e:3f:ac:ea:63:f1:48:18:f2:22:e9:b6:c3:6f:dc:b4:
46:fc:41:71:33:ee:a7:4b:33:79:11:0f:c9:81:4d:10:c3:df:
b6:4d:75:62:74:39:e4:8d:5d:33:37:1b:91:ce:23:a3:47:15:
58:57:5b:09:ba:4f:d5:1b:0f:4f:7b:03:10:d7:49:76:86:e0:
69:7f:1a:7e:cb:6c:2a:80:b4:d8:9e:03:66:5c:89:3c:d3:82:
86:d9:50:65:d9:15:51:e1:0b:3b:2f:e8:c7:44:6d:27:e3:09:
2d:58:ce:a1:af:f9:d9:2f:0a:fd:fb:65:3d:3b:30:5a:42:b1:
ab:34:28:20:0d:a4:31:dd:84:65:eb:87:d1:59:33:1d:db:b1:
64:e3:e5:6f:25:1a:15:ae:f1:39:b6:cc:91:d0:82:6e:e6:82:
9e:f0:fc:c9:41:2b:a4:d7:b5:e7:af:1e:13:46:c0:e6:04:ac:
98:53:ab:52:f3:85:bb:95:0d:b0:fb:e0:0a:c9:5e:da:99:ec:
63:6c:7c:78:21:12:8d:21:6b:c3:bf:6c:cb:88:dc:c3:7a:24:
b9:4b:ba:36:63:b3:01:91:b3:07:a9:b0:1f:2c:ab:ae:d4:cd:
a7:a2:46:c0:29:df:1f:c2:29:d4:f9:49:9e:c5:e0:ca:02:f7:
eb:de:b8:b9:6e:1f:18:3a:6d:0f:07:0d:97:d2:16:0d:84:2c:
81:24:c6:e6:e5:f5:e4:59
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,127 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Georgia, L=Atlanta, O=Test CA, OU=Test CA Organzation, CN=Test CA Organization/emailAddress=test@example.com
Validity
Not Before: Aug 8 18:06:21 2024 GMT
Not After : Dec 25 18:06:21 2051 GMT
Subject: C=US, ST=Georgia, L=Atlanta, O=Test server, OU=Test server Organzation, CN=Test server Organization
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:bd:47:df:b7:d5:38:92:af:b4:69:e7:48:3b:a0:
7b:9e:6b:83:0e:76:91:06:06:94:a3:80:a3:73:8f:
50:e5:43:80:f8:f7:fb:65:7b:f0:a3:94:cc:8e:a6:
7e:fe:59:43:ce:80:68:6d:55:67:8e:33:aa:90:79:
21:ac:de:6e:f0:03:27:1e:6f:50:31:cf:d2:3e:c3:
8e:98:f5:bb:f9:e9:44:3f:3f:59:ae:7c:a3:b8:a7:
ae:94:ff:68:70:d0:fb:7b:cb:cc:35:7d:04:81:f5:
2b:12:78:bf:6e:1b:a3:cd:d1:74:41:41:9f:ee:02:
1f:b3:42:fd:c9:01:b5:28:43:ee:31:03:3a:5d:60:
d3:df:8f:69:1e:73:4a:c4:83:35:95:00:93:83:6e:
d6:b0:d2:0b:30:31:7f:95:eb:ce:c9:73:83:b9:76:
eb:45:f1:20:8b:75:de:81:a3:32:b0:f7:0f:21:64:
a7:1d:cc:3b:00:82:c8:48:74:c9:3a:0b:f9:cb:6e:
8c:ab:fc:b0:94:20:bd:60:06:eb:d0:12:15:55:48:
d7:d3:30:ef:59:67:98:df:f6:31:92:6d:63:1c:4a:
93:7c:97:a8:99:f6:61:e5:78:12:36:a2:24:56:37:
4b:38:ce:63:00:a2:26:b3:31:05:93:23:3c:c1:ed:
b1:fb:25:7d:fc:54:04:3a:b9:3a:f7:17:a4:58:10:
4f:e8:6d:90:69:49:b6:1f:1b:81:fb:f5:c7:6c:aa:
b3:e0:4a:b1:38:40:77:83:a2:aa:8c:e2:7c:91:a9:
3e:cd:43:be:90:c3:e7:b1:23:94:47:f9:68:db:e4:
2c:df:65:e7:88:b6:64:dc:62:d0:86:33:9b:13:64:
94:37:aa:0e:56:9f:a3:42:19:67:30:a1:e9:3b:5b:
4a:e6:e1:81:52:81:21:2a:78:ac:c1:77:77:52:fc:
4a:95:b9:3f:f7:e6:32:9e:59:5b:46:4c:a9:8a:12:
d3:2c:fc:33:73:3a:28:26:28:22:4c:1c:a9:b1:59:
96:ab:a5:f6:e9:e7:55:32:a8:2b:a2:33:de:a0:e2:
5f:77:d8:cd:d1:aa:1f:4f:c6:69:10:66:4e:9d:aa:
77:83:82:78:96:5a:07:21:12:db:4c:97:51:cd:ba:
ea:00:cd:94:97:40:b8:50:62:90:2b:8c:b0:1b:2c:
aa:a5:63:0c:bb:7d:d5:7d:3f:c1:4a:00:6b:cb:74:
fa:23:35:26:1e:26:1a:30:b2:96:bc:1b:16:2a:62:
96:1f:51:20:72:95:36:1a:87:20:26:9f:76:d6:84:
1b:67:2a:32:68:b7:e0:c7:80:75:a3:fa:b7:da:a3:
03:71:c1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
4C:57:E2:72:97:CF:DC:C4:B8:4E:DB:D4:C1:C6:3D:AE:EF:D7:0A:19
X509v3 Authority Key Identifier:
50:76:C3:5C:6B:12:E1:92:0F:28:F8:F2:43:A6:80:C2:9C:E8:56:D6
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:0.0.0.0
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
07:74:84:18:37:74:23:9c:c2:f1:e8:d2:44:49:57:f8:51:fa:
cb:db:0e:42:04:6b:61:5b:60:f0:82:7a:df:1b:af:69:75:a8:
17:62:89:18:b7:71:3e:8c:40:10:5d:2b:88:35:6a:97:9c:44:
9f:93:24:f3:b8:d2:56:dd:2f:aa:27:55:96:67:07:fa:b1:8d:
20:df:ea:f7:96:51:9e:46:e5:35:9a:34:53:d0:e7:60:da:a7:
02:76:68:c2:12:6d:aa:bc:b6:81:e0:c9:96:67:b6:9e:fa:6d:
43:63:80:19:70:49:9b:38:78:68:3d:aa:f2:5d:ec:af:45:65:
4c:75:3c:d6:0b:92:8e:d7:7c:c9:76:55:51:ef:c6:d6:33:68:
66:58:17:47:21:d7:14:4f:69:d1:59:1e:b2:78:bb:45:f4:24:
8b:6b:ba:c4:83:6d:e8:11:c1:56:d8:df:84:3c:56:d2:e7:00:
6c:b6:5c:f5:b8:33:e4:11:27:76:88:16:bd:d3:3d:ba:7b:d9:
25:68:17:9c:0a:02:2f:d5:d0:57:b4:c9:f3:b1:9d:8e:6b:c9:
f1:6f:8f:39:8a:ad:0b:38:07:29:9b:cb:9a:3b:06:b5:03:1a:
83:f4:ef:1e:91:a1:4b:eb:cf:fa:89:6f:91:47:5e:f2:bc:cb:
c2:8a:dd:7b:19:54:f4:9f:c7:54:7f:d2:e8:ea:a8:d9:c8:c1:
6d:17:63:a3:47:30:05:5b:80:90:47:54:81:1f:0a:9b:11:48:
c6:ee:52:80:c3:b9:75:9d:d2:ee:1b:83:43:b2:de:05:aa:52:
d9:01:a3:f1:71:d3:23:90:28:35:25:0a:71:80:1d:ae:1a:6a:
72:c1:2b:ee:a7:a2:72:54:f0:0e:19:87:97:a4:62:79:1a:ea:
ec:e2:73:b1:79:d5:c7:25:4f:c7:e6:a4:55:ad:be:3d:d7:59:
8c:fb:ee:c3:2e:75:6d:1f:65:4a:be:46:c9:4e:54:bd:2e:49:
3e:2f:70:b6:97:eb:8a:41:f4:bb:75:64:84:f4:71:29:e3:f2:
b2:30:75:41:5a:04:ac:a6:d1:d0:9c:4d:52:19:76:7f:0d:c7:
08:f4:6e:cf:20:c7:3c:a6:d9:6f:72:88:46:16:0c:43:12:28:
24:a1:d2:63:d3:04:4c:cd:12:67:1c:8f:00:e6:7b:47:0a:03:
87:18:02:d6:bc:01:59:da:90:c4:c6:b1:72:b1:e6:a4:bc:23:
fd:5c:cf:32:0c:d9:e0:24:83:5b:55:7a:d0:db:3c:d6:b2:9f:
22:a1:a0:f4:48:96:fb:d6:73:a1:43:f7:46:e0:ef:dd:b1:9a:
0e:ef:6f:1d:1a:b4:b2:d4
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC9R9+31TiSr7Rp
50g7oHuea4MOdpEGBpSjgKNzj1DlQ4D49/tle/CjlMyOpn7+WUPOgGhtVWeOM6qQ
eSGs3m7wAyceb1Axz9I+w46Y9bv56UQ/P1mufKO4p66U/2hw0Pt7y8w1fQSB9SsS
eL9uG6PN0XRBQZ/uAh+zQv3JAbUoQ+4xAzpdYNPfj2kec0rEgzWVAJODbtaw0gsw
MX+V687Jc4O5dutF8SCLdd6BozKw9w8hZKcdzDsAgshIdMk6C/nLboyr/LCUIL1g
BuvQEhVVSNfTMO9ZZ5jf9jGSbWMcSpN8l6iZ9mHleBI2oiRWN0s4zmMAoiazMQWT
IzzB7bH7JX38VAQ6uTr3F6RYEE/obZBpSbYfG4H79cdsqrPgSrE4QHeDoqqM4nyR
qT7NQ76Qw+exI5RH+Wjb5CzfZeeItmTcYtCGM5sTZJQ3qg5Wn6NCGWcwoek7W0rm
4YFSgSEqeKzBd3dS/EqVuT/35jKeWVtGTKmKEtMs/DNzOigmKCJMHKmxWZarpfbp
51UyqCuiM96g4l932M3Rqh9PxmkQZk6dqneDgniWWgchEttMl1HNuuoAzZSXQLhQ
YpArjLAbLKqlYwy7fdV9P8FKAGvLdPojNSYeJhowspa8GxYqYpYfUSBylTYahyAm
n3bWhBtnKjJot+DHgHWj+rfaowNxwQIDAQABAoICAAg2RBMvtwKg3jecsdo/E4iY
qtjydUbzpiM/Li2R/DUrgT72qKY12FzgfyIj6xfnO4qMBlEoBr7OqF8YQkkZEBXD
ApbOxttCZEwWI+uoTagsDKqfJFRDqBQXglAzPI7DIlteniomlbl7BOFfnRPj3cQi
NY8B5TRoTIPJ1kTlmWcj0K5jsMvjADjkz0S478zS0dJNx23zsxt8zBYihPc2LISP
nxlperpQGdSzH8eJaGZGccDweFJR+AVaUeItiZrGcOdN5ostArmKf2zZIAX+TYVO
Yb68ksXS5CO4r1yQ+QnTL87qAttF1egkwMrfV1WTlI85tRCOoxXcfJzDnJvf+ia9
+laYPj5av7ZoXwZQ4tIh3RqpIFHXZMQU1jRCYOibYNhdOO/H9Z6eH+8HyyFQ9ihe
7keGKouLSo/E6dSIJ9D1g+Tr8xELj816a4KL8ShYLTXP+ga43yFVdp94Yd0vFHWK
qjyu/x2wLqZAPpVbYg9PkO6Dr4tmyolhL1ZjruM5IqAI+hALzUZDccYQVXu2swpC
6p6evB24MI5LQ87+28U4rCcbo/xfdQAEY4LSP9XfvSQ32zUyDHYX1gLvF99fZD5Y
1IEX11bGbGFCT0EIwFPXJUuxJlpvMF1bZ+Z+eXVL43yTNdeu+7E7dhpPjz5W3cRa
6SKxxcUAbdxpQP2DtIP5AoIBAQD+AuqckaGK/sZotPWstgcRlG31ptW6d2ZNk5X3
i99mqaTPDOx+UavkpsBfcUPYmYjo6fEC4yMhkx97XC9tUxi97LBXJrBfwLDnCqQL
vhOVcWs9mDcJTJDVT1P2StBm7a6DmCmiqUcxiG57UY9dgSanLwxg+6K4PgOin11Y
ChECWFNvdwdOmyQhWm+O0y0R2s7iGINKF6s1t2RweCfXw1W2N8iaTVkNei71bblW
sTjPGdEm2CFwlBf031Hkr5S2MIo23RX53tkalMzvyCGfREn+wrWcMfagygHjEjn/
C4ZcQIOXC5u9tIc4tps1mr1C8nMScxfSrIHRManE1haqXcBLAoIBAQC+wznR5wzR
Az5r0ek1s2sr6gwsmJfbA6tNHwgqrYblsxYMR6BdbGUBkSqwEYDjDw/rreDcQk6D
nMxc6BYh2Dk6t/AJQ3c76tuJohlmZfbuFXL+KAwApVnbwpZuAQGgkNMhVm/8FAgi
PgCvuHuvOISTHmniQBU91kWGpsqFoF826Mcxa7bmbe2c+jgCmFikp0rzN7jA6Ps/
bIRKVIpPhCtAgH5JsFEpim0HubV8qRNmeBh1oSyAFicntEAeL/VSLmDI44kjJyqO
qmspz+uyANt7/xxYfAZed1Q503K1tLUws1K8Ux+EEdo1zXGxoL6b90OfcjivJC0d
/bv8X5DEyMajAoIBAQCGYSabJBQxQ23V0P4zm60LqNmvXs6tMiOGIPDyoCXU2ySc
gPrQLQbiFTGqjHJXMYqTpcfiPiXEyl+aVH+mt5JcT85OnOIsFfXAlQmKSMl1gyY3
1MIxAjeREcGah6PPACkV5zcHncRTORkx1kkhL4UyZxqGaDmCfRRRQTwRqmmrMu0Z
CABunnazynNAPQoX6wkN5ef3F6R064uQUJDLfcRnfQV8VDUrgxs6rgyiB2nFbqQO
h8LRGxe9bTOW5yimZfGI6teIdFOo01XD+L2I04jN5VZMxsXx9EyhQ3A5NHCld1/m
VbbT2qC66SgdaLp9o2QrO4Y75xVahYqJ3rTo9mYXAoIBAF6qrWfwPFkBPhntqsj+
h+HcHTyIYVvL31e/XaMoSDh3fiqL5RZXs2xqqP+FQCvuDp2LxXoo4aPIzVYRyuHy
1rvACjveoi4258nOisJZOYh/VniwUPyFEinP0C05DKCtHkl+BsbW/g5YLKkHaUHU
T15fCnbADIqKaihfX0OfCYFLVYa+CJ8j0HZFakRHbD4R000Nyv7Y385iwOfOOnEp
ivlQittwx2ZRDrh1vY3mrfz8/k5ptJa/56B5gBQ7AohNAbTPzf+G8USpZ9LxHutQ
J5vKRzvWGKcKmt6zg0qPKhfH9fgFXC+DWIG4uYJH3i+yLnnTCjRIRKeMgpzEpCgz
5vcCggEBAIi6qKDHfoh4KaMFgW+/EvjssXslDtozMXlPYAswjST+5fegIKVxi8Nz
c19KRiWNpsIfACRC1VuI2p2tcJpamiHV+C3nd3e/CMGWKTcA6u6zynhO8pDjfg/A
k8Vg85S8bxGkiaVqL9DdmgRJohUbULV365gG2LvncNxps8Jr4VQaUHB4VJYNH+6B
DXwDb3N4iNs5wfmM2GB7MlPpu0pS6qoYSxZvXQexPFQ7sQzZc3mP04/BvHm11kSR
2DOV28IdXE/ewJfL9cr/ywXuoyz+0tD6FmTGUpzDSxhlvq4TcVnsWRbfqandbg8g
znviHVPPYZhKHQW5wGuGa6eMMWa6aog=
-----END PRIVATE KEY-----


@ -0,0 +1,19 @@
-----BEGIN X509 CRL-----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-----END X509 CRL-----


@ -0,0 +1,91 @@
#!/bin/bash
if [ -d "creds" ]; then
echo "creds directory already exists. Remove it and re-run this script."
exit 1
fi
mkdir creds
pushd creds
touch index.txt
echo "01" > serial.txt
cp "../localhost-openssl.cnf" .
cp "../openssl-ca.cnf" .
# Create the CA private key and certificate
openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -nodes -days 3650 -subj "/C=US/ST=Georgia/L=Atlanta/O=Test CA/OU=Test CA Organzation/CN=Test CA Organization/emailAddress=test@example.com"
#################### Server cert
# Generate Server private key
openssl genrsa -out server_key.pem 4096
# Generate Server Certificate Signing Request (CSR)
openssl req -config "localhost-openssl.cnf" -new -key server_key.pem -out server_csr.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Test Server/OU=Test Server Organzation/CN=Test Server Organization/emailAddress=testserver@example.com"
# Use the CA to sign the Server CSR
openssl ca -config "openssl-ca.cnf" -policy signing_policy -extensions signing_req -out server_cert.pem -in server_csr.pem -keyfile ca_key.pem -cert ca_cert.pem -batch
# Verify the server cert works
openssl verify -verbose -CAfile ca_cert.pem server_cert.pem
## Generate another server cert to be revoked
openssl req -config "localhost-openssl.cnf" -new -key server_key.pem -out server_csr_revoked.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Test server/OU=Test server Organzation/CN=Test server Organization/emailAddress=testserver@example.com"
# Use the CA to sign the server CSR
openssl ca -config "openssl-ca.cnf" -policy signing_policy -extensions signing_req -out server_cert_revoked.pem -in server_csr_revoked.pem -keyfile ca_key.pem -cert ca_cert.pem -batch
# Verify the server cert works
openssl verify -verbose -CAfile ca_cert.pem server_cert_revoked.pem
# Revoke the cert
openssl ca -config "openssl-ca.cnf" -revoke server_cert_revoked.pem
# Generate the CRL
openssl ca -config "openssl-ca.cnf" -gencrl -out server_revoked.crl
# Make sure the cert is actually revoked
openssl verify -verbose -CAfile ca_cert.pem -CRLfile server_revoked.crl -crl_check_all server_cert_revoked.pem
#################### Client cert
# Generate client private key
openssl genrsa -out client_key.pem 4096
# Generate client Certificate Signing Request (CSR)
openssl req -config "localhost-openssl.cnf" -new -key client_key.pem -out client_csr.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Test client/OU=Test client Organzation/CN=Test client Organization/emailAddress=testclient@example.com"
# Use the CA to sign the client CSR
openssl ca -config "openssl-ca.cnf" -policy signing_policy -extensions signing_req -out client_cert.pem -in client_csr.pem -keyfile ca_key.pem -cert ca_cert.pem -batch
# Verify the client cert works
openssl verify -verbose -CAfile ca_cert.pem client_cert.pem
## Generate another client cert to be revoked
openssl req -config "localhost-openssl.cnf" -new -key client_key.pem -out client_csr_revoked.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Test client/OU=Test client Organzation/CN=Test client Organization/emailAddress=testclient@example.com"
# Use the CA to sign the client CSR
openssl ca -config "openssl-ca.cnf" -policy signing_policy -extensions signing_req -out client_cert_revoked.pem -in client_csr_revoked.pem -keyfile ca_key.pem -cert ca_cert.pem -batch
# Verify the client cert works
openssl verify -verbose -CAfile ca_cert.pem client_cert_revoked.pem
# Revoke the cert
openssl ca -config "openssl-ca.cnf" -revoke client_cert_revoked.pem
# Generate the CRL
openssl ca -config "openssl-ca.cnf" -gencrl -out client_revoked.crl
# Make sure the cert is actually revoked
openssl verify -verbose -CAfile ca_cert.pem -CRLfile client_revoked.crl -crl_check_all client_cert_revoked.pem
mkdir crl
mv client_revoked.crl crl/
rm 01.pem
rm 02.pem
rm 03.pem
rm 04.pem
rm *csr*
rm *.txt*
popd
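Review bot: The script never sets `set -euo pipefail` after the shebang, so a failed `pushd creds` or `openssl` step is not fatal, and the closing `rm *csr*` / `rm *.txt*` would then run in whatever directory the shell is still in. The two "Make sure the cert is actually revoked" `openssl verify ... -crl_check_all` calls are expected to fail, but their exit status is never inspected, so a CRL that does not cover the certificate would go unnoticed; once `set -e` is on they can be written as `if openssl verify ...; then echo "cert was not revoked" >&2; exit 1; fi`. The root is created with `-days 3650` while `openssl-ca.cnf` issues leaves with `default_days = 10000`, so the leaf certificates outlive their issuer. `ca_key.pem` is written with `-nodes` and is not among the files removed at the end, and only `client_revoked.crl` is moved into `crl/` while `server_revoked.crl` stays in `creds/`; a comment stating whether both are intended would help.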


@ -0,0 +1,24 @@
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Georgia
localityName = Locality Name (eg, city)
localityName_default = Atlanta
organizationName = Organization Name (eg, company)
organizationName_default = Test Department
commonName = Common Name (eg, YOUR name)
commonName_max = 64
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 0.0.0.0
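Review bot: `IP.1 = 0.0.0.0` in `[alt_names]` puts the unspecified address into the SAN of every issued certificate (the generated certs show `IP Address:0.0.0.0`), and that is never an address a client dials, so a connection made to an IP literal such as 127.0.0.1 would not match the certificate. If IP-literal connections are meant to work, `IP.1 = 127.0.0.1` and `IP.2 = ::1` describe the loopback endpoints; otherwise the IP entry can be dropped and `DNS.1 = localhost` kept. The `keyUsage` line in `[v3_req]` requests `nonRepudiation`, but the issued certificates carry only Digital Signature and Key Encipherment, so a comment such as `# overridden by [ signing_req ] in openssl-ca.cnf when the CA signs` would keep readers from assuming it takes effect.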


@ -0,0 +1,94 @@
base_dir = .
certificate = $base_dir/ca_cert.pem # The CA certifcate
private_key = $base_dir/ca_key.pem # The CA private key
new_certs_dir = $base_dir # Location for new certs after signing
database = $base_dir/index.txt # Database index file
serial = $base_dir/serial.txt # The current serial number
unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
default_days = 10000 # How long to certify for
default_crl_days = 30 # How long before next CRL
default_md = sha256 # Use public key default MD
preserve = no # Keep passed DN ordering
x509_extensions = ca_extensions # The extensions to add to the cert
crl_extensions = crl_ext
email_in_dn = no # Don't concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to cert
####################################################################
[ req ]
default_bits = 4096
default_keyfile = ca_key.pem
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
string_mask = utf8only
####################################################################
[ ca_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Georgia
localityName = Locality Name (eg, city)
localityName_default = Atlanta
organizationName = Organization Name (eg, company)
organizationName_default = Test CA
organizationalUnitName = Organizational Unit (eg, division)
organizationalUnitName_default = Test CA Organization
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Test CA Organization
emailAddress = Email Address
emailAddress_default = test@example.com
####################################################################
[ ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
####################################################################
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ signing_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
#issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
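Review bot: In `[ CA_default ]`, `x509_extensions = ca_extensions` makes the CA profile (`basicConstraints = critical, CA:true`, `keyUsage = keyCertSign, cRLSign`) the default for everything `openssl ca` signs, so a run that omits `-extensions signing_req` would issue a leaf that is itself a CA. Pointing the default at the leaf profile with `x509_extensions = signing_req` keeps the safe outcome when the flag is forgotten, and `[ req ]` can keep `ca_extensions` for the self-signed root. `copy_extensions = copy` also copies any CSR extension the profile does not set, which deserves a comment such as `# copies every CSR extension not set by the profile; only sign CSRs generated by this script`. The comment on `default_md = sha256` reads "Use public key default MD", which does not match the value. The same lines appear in the copy of this file that ends just above the first certificate.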


@ -0,0 +1,175 @@
/*
*
* Copyright 2024 gRPC authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package main
import (
"context"
"flag"
"fmt"
"net"
"os"
"path/filepath"
"time"
pb "google.golang.org/grpc/examples/features/proto/echo"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials/insecure"
"google.golang.org/grpc/credentials/tls/certprovider"
"google.golang.org/grpc/credentials/tls/certprovider/pemfile"
"google.golang.org/grpc/security/advancedtls"
)
type server struct {
pb.UnimplementedEchoServer
name string
}
const credRefreshInterval = 1 * time.Minute
const goodServerWithCRLPort int = 50051
const revokedServerWithCRLPort int = 50053
const insecurePort int = 50054
func (s *server) UnaryEcho(ctx context.Context, req *pb.EchoRequest) (*pb.EchoResponse, error) {
return &pb.EchoResponse{Message: req.Message}, nil
}
func insecureServer() {
createAndRunInsecureServer(insecurePort)
}
func createAndRunInsecureServer(port int) {
creds := insecure.NewCredentials()
s := grpc.NewServer(grpc.Creds(creds))
lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
if err != nil {
fmt.Printf("Failed to listen: %v\n", err)
}
pb.RegisterEchoServer(s, &server{name: "Insecure Server"})
if err := s.Serve(lis); err != nil {
fmt.Printf("Failed to serve: %v\n", err)
os.Exit(1)
}
}
func createAndRunTLSServer(credsDirectory string, useRevokedCert bool, port int) {
identityProvider := makeIdentityProvider(useRevokedCert, credsDirectory)
defer identityProvider.Close()
rootProvider := makeRootProvider(credsDirectory)
defer rootProvider.Close()
crlProvider := makeCRLProvider(filepath.Join(credsDirectory, "crl"))
defer crlProvider.Close()
options := &advancedtls.Options{
IdentityOptions: advancedtls.IdentityCertificateOptions{
IdentityProvider: identityProvider,
},
RootOptions: advancedtls.RootCertificateOptions{
RootProvider: rootProvider,
},
RequireClientCert: true,
VerificationType: advancedtls.CertVerification,
}
options.RevocationOptions = &advancedtls.RevocationOptions{
CRLProvider: crlProvider,
}
serverTLSCreds, err := advancedtls.NewServerCreds(options)
if err != nil {
fmt.Printf("Error %v\n", err)
os.Exit(1)
}
s := grpc.NewServer(grpc.Creds(serverTLSCreds))
lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
if err != nil {
fmt.Printf("Failed to listen: %v\n", err)
}
name := "Good TLS Server"
if useRevokedCert {
name = "Revoked TLS Server"
}
pb.RegisterEchoServer(s, &server{name: name})
if err := s.Serve(lis); err != nil {
fmt.Printf("Failed to serve: %v\n", err)
os.Exit(1)
}
}
func makeRootProvider(credsDirectory string) certprovider.Provider {
rootOptions := pemfile.Options{
RootFile: filepath.Join(credsDirectory, "/ca_cert.pem"),
RefreshDuration: credRefreshInterval,
}
rootProvider, err := pemfile.NewProvider(rootOptions)
if err != nil {
fmt.Printf("Error %v\n", err)
os.Exit(1)
}
return rootProvider
}
func makeIdentityProvider(useRevokedCert bool, credsDirectory string) certprovider.Provider {
certFilePath := ""
if useRevokedCert {
certFilePath = filepath.Join(credsDirectory, "server_cert_revoked.pem")
} else {
certFilePath = filepath.Join(credsDirectory, "server_cert.pem")
}
identityOptions := pemfile.Options{
CertFile: certFilePath,
KeyFile: filepath.Join(credsDirectory, "server_key.pem"),
RefreshDuration: credRefreshInterval,
}
identityProvider, err := pemfile.NewProvider(identityOptions)
if err != nil {
fmt.Printf("Error %v\n", err)
os.Exit(1)
}
return identityProvider
}
func makeCRLProvider(crlDirectory string) *advancedtls.FileWatcherCRLProvider {
options := advancedtls.FileWatcherOptions{
CRLDirectory: crlDirectory,
}
provider, err := advancedtls.NewFileWatcherCRLProvider(options)
if err != nil {
fmt.Printf("Error making CRL Provider: %v\nExiting...", err)
os.Exit(1)
}
return provider
}
func main() {
credentialsDirectory := flag.String("credentials_directory", "", "Path to the creds directory of this repo")
flag.Parse()
if *credentialsDirectory == "" {
fmt.Println("Must set credentials_directory argument")
os.Exit(1)
}
go createAndRunTLSServer(*credentialsDirectory, false, goodServerWithCRLPort)
go createAndRunTLSServer(*credentialsDirectory, true, revokedServerWithCRLPort)
insecureServer()
}
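Review bot: In `createAndRunInsecureServer` and `createAndRunTLSServer` a failed `net.Listen` is only printed, so execution continues into `s.Serve(lis)` with a nil listener; both branches should end with `os.Exit(1)` like the other error paths in this file. All three servers listen on `fmt.Sprintf(":%d", port)`, which binds every interface, including the plaintext server on `insecurePort`; for an example meant to run locally, `fmt.Sprintf("localhost:%d", port)` keeps it off the network. `makeRootProvider` joins `"/ca_cert.pem"` with a leading slash, which `filepath.Join` cleans up but which reads like an absolute path; `"ca_cert.pem"` would match the other joins. The helpers have no doc comments, and since this is example code a line such as `// createAndRunTLSServer serves Echo over TLS, requires a client certificate and checks it against the CRLs in <credsDirectory>/crl.` would tell readers which security property each server demonstrates.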


@ -11,6 +11,7 @@ require (
google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142
google.golang.org/grpc v1.65.0
google.golang.org/grpc/gcp/observability v1.0.1
google.golang.org/grpc/security/advancedtls v1.0.0
google.golang.org/grpc/stats/opentelemetry v0.0.0-20240816220358-f8d98a477c22
google.golang.org/protobuf v1.34.2
)


@ -1793,6 +1793,8 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.
google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
google.golang.org/grpc/gcp/observability v1.0.1 h1:2IQ7szW1gobfZaS/sDSAu2uxO0V/aTryMZvlcyqKqQA=
google.golang.org/grpc/gcp/observability v1.0.1/go.mod h1:yM0UcrYRMe/B+Nu0mDXeTJNDyIMJRJnzuxqnJMz7Ewk=
google.golang.org/grpc/security/advancedtls v1.0.0 h1:/KQ7VP/1bs53/aopk9QhuPyFAp9Dm9Ejix3lzYkCrDA=
google.golang.org/grpc/security/advancedtls v1.0.0/go.mod h1:o+s4go+e1PJ2AjuQMY5hU82W7lDlefjJA6FqEHRVHWk=
google.golang.org/grpc/stats/opencensus v1.0.0 h1:evSYcRZaSToQp+borzWE52+03joezZeXcKJvZDfkUJA=
google.golang.org/grpc/stats/opencensus v1.0.0/go.mod h1:FhdkeYvN43wLYUnapVuRJJ9JXkNwe403iLUW2LKSnjs=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=