From 074f5e6cdf4c4fa6a2fd86546fa63b848fb61d0e Mon Sep 17 00:00:00 2001 From: Dani Baeyens Date: Mon, 8 Aug 2022 15:04:24 +0200 Subject: [PATCH] Allows RSA signed trust anchors on linkerd cli (#7771) (#8868) * Allows RSA signed trust anchors on linkerd cli (#7771) Linkerd currently forces using an ECDSA P-256 issuer certificate along with a ECDSA trust anchor. Still, it's still cryptographically valid to have an ECDSA P-256 issuer certificate issued by an RSA signed CA. CheckCertAlgoRequirements checks if CA cert uses ECDSA or RSA 2048/4096 signing algorithm. Fixes #7771 Signed-off-by: Baeyens, Daniel Co-authored-by: Alejandro Pedraza --- .github/workflows/integration.yml | 1 + .github/workflows/release.yml | 1 + bin/_test-helpers.sh | 6 +- cli/cmd/install_test.go | 3 +- .../testdata/valid-with-rsa-anchor-crt.pem | 21 +++++ .../testdata/valid-with-rsa-anchor-key.pem | 5 ++ .../valid-with-rsa-anchor-trust-anchors.pem | 30 +++++++ pkg/healthcheck/healthcheck.go | 4 +- pkg/issuercerts/issuercerts.go | 73 ++++++++++++++--- .../integration/rsa-ca/install_rsa_ca_test.go | 80 +++++++++++++++++++ test/integration/rsa-ca/testdata/ca.crt | 19 +++++ test/integration/rsa-ca/testdata/ca.key | 27 +++++++ test/integration/rsa-ca/testdata/issuer.crt | 16 ++++ test/integration/rsa-ca/testdata/issuer.key | 5 ++ 14 files changed, 274 insertions(+), 17 deletions(-) create mode 100644 cli/cmd/testdata/valid-with-rsa-anchor-crt.pem create mode 100644 cli/cmd/testdata/valid-with-rsa-anchor-key.pem create mode 100644 cli/cmd/testdata/valid-with-rsa-anchor-trust-anchors.pem create mode 100644 test/integration/rsa-ca/install_rsa_ca_test.go create mode 100644 test/integration/rsa-ca/testdata/ca.crt create mode 100644 test/integration/rsa-ca/testdata/ca.key create mode 100644 test/integration/rsa-ca/testdata/issuer.crt create mode 100644 test/integration/rsa-ca/testdata/issuer.key diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 29950d65c..49c6f0cea 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -250,6 +250,7 @@ jobs: - cluster-domain - default-policy-deny - external + - rsa-ca # Skipping Helm upgrade test given chart in 2.11 is backwards-incompatible #- helm-upgrade - multicluster diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 31c20ecb0..f87498913 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -166,6 +166,7 @@ jobs: - viz - default-policy-deny - external + - rsa-ca # Skipping Helm upgrade test given chart in 2.11 is backwards-incompatible #- helm-upgrade - uninstall diff --git a/bin/_test-helpers.sh b/bin/_test-helpers.sh index 31763a10f..c473a0c1e 100644 --- a/bin/_test-helpers.sh +++ b/bin/_test-helpers.sh @@ -6,7 +6,7 @@ set +e ##### Test setup helpers ##### -export default_test_names=(deep viz external helm-upgrade uninstall upgrade-edge upgrade-stable default-policy-deny) +export default_test_names=(deep viz external helm-upgrade uninstall upgrade-edge upgrade-stable default-policy-deny rsa-ca) export external_resource_test_names=(external-resources) export all_test_names=(cluster-domain cni-calico-deep multicluster "${default_test_names[*]}" "${external_resource_test_names[*]}") images_load_default=(proxy controller policy-controller web metrics-api tap) @@ -464,6 +464,10 @@ run_cni-calico-deep_test() { run_test "$test_directory/deep/..." --cni } +run_rsa-ca_test() { + run_test "$test_directory/rsa-ca/..." +} + run_external_test() { run_test "$test_directory/external/..." } diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go index d8e3e21da..5c8204076 100644 --- a/cli/cmd/install_test.go +++ b/cli/cmd/install_test.go @@ -490,6 +490,7 @@ func TestValidate(t *testing.T) { expectedError string }{ {"valid", ""}, + {"valid-with-rsa-anchor", ""}, {"expired", "failed to validate issuer credentials: not valid anymore. Expired on 1990-01-01T01:01:11Z"}, {"not-valid-yet", "failed to validate issuer credentials: not valid before: 2100-01-01T01:00:51Z"}, {"wrong-algo", "failed to validate issuer credentials: must use P-256 curve for public key, instead P-521 was used"}, @@ -529,7 +530,7 @@ func TestValidate(t *testing.T) { t.Fatalf("Expected error string\"%s\", got \"%s\"", tc.expectedError, err) } } else if err != nil { - t.Fatalf("Expected no error bu got \"%s\"", err) + t.Fatalf("Expected no error but got \"%s\"", err) } } }) diff --git a/cli/cmd/testdata/valid-with-rsa-anchor-crt.pem b/cli/cmd/testdata/valid-with-rsa-anchor-crt.pem new file mode 100644 index 000000000..e87eae9cd --- /dev/null +++ b/cli/cmd/testdata/valid-with-rsa-anchor-crt.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDczCCAVugAwIBAgIQBnEaBGxW2/TyGJ0cE3hARDANBgkqhkiG9w0BAQsFADAl +MSMwIQYDVQQDExpyb290LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAeFw0yMjAyMDMw +NTQ2MzZaFw0zMjAyMDEwNTQ2MzZaMCkxJzAlBgNVBAMTHmlkZW50aXR5Lmxpbmtl +cmQuY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAq1eW0j +d5hETb5jC5N2oZmJSNLLy1DQ0BbSmIEgoLhUmhRFjNvTm6PcqMnVykZZighF1Nhv +35JED57w7F7rTjijZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/ +AgEAMB0GA1UdDgQWBBQc4E9DlG65aIumqcos/z03+C0KUDAfBgNVHSMEGDAWgBQF +L+ZbJA8ZzhZug1IYeyRqnuHhkTANBgkqhkiG9w0BAQsFAAOCAgEAyOrxL0aWmbUj +SjN7WUJOYDEy9aOYDzv3Itj7SIY9G8wg25RvmbMY5R9/LcmVDj9s2Y5ivwXnmfsE +VsYm7H4Q4H/MjkcFSI8J0iLbTtACkXgPvNx3rFaFXZ9Oe7tMXEfySE0NNXjGwa+a +kJtZ+ybpOqUIbNqjl+e3Srg1f9QznZik3hHbrBXaLEyAFOee5ijQyxFYFHS7VuhS +8b586FmGl/8a3/ES5VmGKJh3p4J3aD3MiuLvtL2phh+CdeFmGPYNz4jjb5y4QC1S +p1ZXoxYoeHJuvg6AVCqhwB+xOd8Hr03YUpZSw93tPn3WOtlYrHf8jpx/JV2CLyp3 +pTviAv+tnbSVRD378dSs7ir4Q7/jI9KV5N8v1D6/q442nRMVko7zyFMJfryEY+RU +RfsCsmmgJRCCUEgGXLxQObWyX7+103BqZgFRUfbEaWuSmM8yQyOkFdg5AGMHTOOn +We4gG0hnL3hTFZJxofa7Ll1QUe3kwTWTgZdcs/Qn+ZvaZi1VQRVo0lCEOJ+k2NUo +nDHH9xik7lEv+6cRXPUuQnuO58cXn53tXOqNpA966AXyEGbglsJIzd+Qhgqgz0T5 +9Ag+VdWoDqE5O3E3xhd2CVSHSRIEdlV6z38n/0I6xlFUh3VnPijfYuNv7KYAIQkN +wstaHKuqI8yy2STQKeVbw+8pCX6VhS0= +-----END CERTIFICATE----- diff --git a/cli/cmd/testdata/valid-with-rsa-anchor-key.pem b/cli/cmd/testdata/valid-with-rsa-anchor-key.pem new file mode 100644 index 000000000..3d29e4f6a --- /dev/null +++ b/cli/cmd/testdata/valid-with-rsa-anchor-key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIBEi2tPdN7b8F4lLkq4X6f0EWm2NuJoOKMM0vHJD792NoAoGCCqGSM49 +AwEHoUQDQgAECrV5bSN3mERNvmMLk3ahmYlI0svLUNDQFtKYgSCguFSaFEWM29Ob +o9yoydXKRlmKCEXU2G/fkkQPnvDsXutOOA== +-----END EC PRIVATE KEY----- diff --git a/cli/cmd/testdata/valid-with-rsa-anchor-trust-anchors.pem b/cli/cmd/testdata/valid-with-rsa-anchor-trust-anchors.pem new file mode 100644 index 000000000..deacc8eff --- /dev/null +++ b/cli/cmd/testdata/valid-with-rsa-anchor-trust-anchors.pem @@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFGTCCAwGgAwIBAgIQYvKHmkN454rA18Vg9l8TrDANBgkqhkiG9w0BAQsFADAl +MSMwIQYDVQQDExpyb290LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAeFw0yMjAyMDMw +NTQ1NTVaFw0zMjAyMDEwNTQ1NTNaMCUxIzAhBgNVBAMTGnJvb3QubGlua2VyZC5j +bHVzdGVyLmxvY2FsMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzbli +L5U1YpclMWjzK1wPQHK8E5RJT0x7yn09e8o/GaG+xo+PQBNe8f26DQQi75N6wpZD +oyDcnfOjPE4ptnB8DU9desDL+KJb1KhUoafqtnc7iXp0fqUIfe/CyLZ7Ve/5yM9C +RIFPNkLMV4WSXFbHr2xWFPtl78qovei2Ja4AJMkhFEemAxZspBPR2LL274zXBpsP +sYJl/ZA61RK5WvFF83cMPeM6fc1SzQIYPw3ptRf+eprsZRiX/51/QdGfkxBa7iJB +E5nCUYsCLhADlSdfljUqD6Jj5luUeYXJJ+UL92NBp/whA1rKXbhQQDs2yXZQyRat +dVNoSCUCGtsQn4f8mgRIPD3wGIB8hJtYBfigfvOit6KkquDKT3SUSA7HDgfJ14dA +L9ID5o1Jvdd6zhmzKTa5Uz9PgeDDk6+P0Ac2xssoVKJ5lSDbcEzn6u5RbQSUOuVX +ULYoYXO5i4FM3C1sO9PqYCpMR1YZTFL8qWk5Be5BNH3XwAg84rKmjzgxGWNjk1c/ +k5MYy2AZmNQsQS0Zcxcy2O4BovZlc6eJ1rIdk7norWh5Q6DhABzJswdRiK/E+5UQ +5WuwAUFI0D8+/34lHecB+TLPoSID8Zy5FdBFL3qJz6JNPsID3PyJyyrjqcNcemUE +LyOX0RzcUCYlifeqHigd7frOLS98rybv4u9VpjECAwEAAaNFMEMwDgYDVR0PAQH/ +BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFAUv5lskDxnOFm6D +Uhh7JGqe4eGRMA0GCSqGSIb3DQEBCwUAA4ICAQDJW/5E4euxYMOvt4KDwVCLlLt7 +2Wt3u7Kq1rp0qssT47vdU9FtuYXWLI19smGI4KTg4D8r8gMLg6mbi1otZkyrSNLf +wIja9Aag1KCqk1OfgHLcdyfXLEADWvv3AuoFuBh/RgiciLII6ieOxG/g8j80EC7I +2PsxDaAKxrLOg5ZFZf8TSnXyZnENn++tAhb5tm0LqTnRKD0og2nZ7z7IeuYaJGJC +9q0+LZW5C5PhFsmBKKp4xQ96OsjPLQnyoEKMehpvwv3t/WFh5f5XSVNI3gcLoyNj +ZctHl6SUFJGY1L0uJDeWNrPaGyCpaClLVNeyZanjqV9A/jNC2cdtd02VGFZBLlr6 +7j7Aeioe26fJT0Tr6Ynu/eikuL1TEmgUwcHKwkIyUXV1qPTN4JDNnupmMAu9T7Z0 +21YpgYu64TysVRKrY7Zu4D4rDzol3Y46yvhFZGY+7KEBL+0TPq2ll9QRBPp/Rbzc +tcN9RSep/KJZlW0d7jgrPhg/pvAHuvq/FZlhMiPqQD5BGSyxbiTcyXtI7j5kDgvU +2WJfkgRRr9RfbpSlX7o1U4Y2UKxLXwmFnXkPAV8n+HLk7/bcdUVXaXgVsP6RVXgw +++9zFJi9fJj3ZnKQH/U6MIba6cn3oBMXQOTQs0BdN/JTh7Bt+knwqcdOvKT4wBbw +mcB/6uAtyaBhb8h/xg== +-----END CERTIFICATE----- diff --git a/pkg/healthcheck/healthcheck.go b/pkg/healthcheck/healthcheck.go index b6185c712..b56f83107 100644 --- a/pkg/healthcheck/healthcheck.go +++ b/pkg/healthcheck/healthcheck.go @@ -944,7 +944,7 @@ func (hc *HealthChecker) allCategories() []*Category { check: func(context.Context) error { var invalidAnchors []string for _, anchor := range hc.trustAnchors { - if err := issuercerts.CheckCertAlgoRequirements(anchor); err != nil { + if err := issuercerts.CheckTrustAnchorAlgoRequirements(anchor); err != nil { invalidAnchors = append(invalidAnchors, fmt.Sprintf("* %v %s %s", anchor.SerialNumber, anchor.Subject.CommonName, err)) } } @@ -994,7 +994,7 @@ func (hc *HealthChecker) allCategories() []*Category { hintAnchor: "l5d-identity-issuer-cert-uses-supported-crypto", fatal: true, check: func(context.Context) error { - if err := issuercerts.CheckCertAlgoRequirements(hc.issuerCert.Certificate); err != nil { + if err := issuercerts.CheckIssuerCertAlgoRequirements(hc.issuerCert.Certificate); err != nil { return fmt.Errorf("issuer certificate %w", err) } return nil diff --git a/pkg/issuercerts/issuercerts.go b/pkg/issuercerts/issuercerts.go index 37298e989..480ae3c09 100644 --- a/pkg/issuercerts/issuercerts.go +++ b/pkg/issuercerts/issuercerts.go @@ -3,6 +3,7 @@ package issuercerts import ( "context" "crypto/ecdsa" + "crypto/rsa" "crypto/x509" "fmt" "io/ioutil" @@ -133,25 +134,71 @@ func CheckExpiringSoon(cert *x509.Certificate) error { return nil } -// CheckCertAlgoRequirements ensures the certificate respects with the constraints -// we have posed on the public key and signature algorithms -func CheckCertAlgoRequirements(cert *x509.Certificate) error { +// CheckIssuerCertAlgoRequirements ensures the certificate respects with the constraints +// we have posed on the public key and signature algorithms. Issuer certificates can only +// be signed by an ECDSA certificate. +func CheckIssuerCertAlgoRequirements(cert *x509.Certificate) error { if cert.PublicKeyAlgorithm == x509.ECDSA { - // this is a safe cast here as we know we are using ECDSA - k, ok := cert.PublicKey.(*ecdsa.PublicKey) - if !ok { - return fmt.Errorf("expected ecdsa.PublicKey but got something %v", cert.PublicKey) - } - if k.Params().BitSize != 256 { - return fmt.Errorf("must use P-256 curve for public key, instead P-%d was used", k.Params().BitSize) + err := checkECDSACertRequirements(cert) + if err != nil { + return err } } else { - return fmt.Errorf("must use ECDSA for public key algorithm, instead %s was used", cert.PublicKeyAlgorithm) + return fmt.Errorf("issuer certificate must use ECDSA for public key algorithm, instead %s was used", cert.PublicKeyAlgorithm) } - if cert.SignatureAlgorithm != x509.ECDSAWithSHA256 { + return nil +} + +// CheckTrustAnchorAlgoRequirements ensures the certificate respects with the constraints +// we have posed on the public key and signature algorithms. Trust anchors can be signed by +// an ECDSA or RSA certificate. +func CheckTrustAnchorAlgoRequirements(cert *x509.Certificate) error { + if cert.PublicKeyAlgorithm == x509.ECDSA { + err := checkECDSACertRequirements(cert) + if err != nil { + return err + } + } else if cert.PublicKeyAlgorithm == x509.RSA { + err := checkRSACertRequirements(cert) + if err != nil { + return err + } + } else { + return fmt.Errorf("trust anchor must use ECDSA or RSA for public key algorithm, instead %s was used", cert.PublicKeyAlgorithm) + } + + return nil +} + +func checkECDSACertRequirements(cert *x509.Certificate) error { + k, ok := cert.PublicKey.(*ecdsa.PublicKey) + if !ok { + return fmt.Errorf("expected ecdsa.PublicKey but got something %v", cert.PublicKey) + } + if k.Params().BitSize != 256 { + return fmt.Errorf("must use P-256 curve for public key, instead P-%d was used", k.Params().BitSize) + } + if cert.SignatureAlgorithm != x509.ECDSAWithSHA256 && + cert.SignatureAlgorithm != x509.SHA256WithRSA { return fmt.Errorf("must be signed by an ECDSA P-256 key, instead %s was used", cert.SignatureAlgorithm) } + + return nil +} + +func checkRSACertRequirements(cert *x509.Certificate) error { + k, ok := cert.PublicKey.(*rsa.PublicKey) + if !ok { + return fmt.Errorf("expected rsa.PublicKey but got something %v", cert.PublicKey) + } + if k.N.BitLen() != 2048 && k.N.BitLen() != 4096 { + return fmt.Errorf("RSA must use at least 2084 bit public key, instead %d bit public key was used", k.N.BitLen()) + } + if cert.SignatureAlgorithm != x509.SHA256WithRSA { + return fmt.Errorf("must be signed by an RSA 2048/4096 bit key, instead %s was used", cert.SignatureAlgorithm) + } + return nil } @@ -168,7 +215,7 @@ func (ic *IssuerCertData) VerifyAndBuildCreds() (*tls.Cred, error) { } // we check the algo requirements of the issuer cert - if err := CheckCertAlgoRequirements(creds.Certificate); err != nil { + if err := CheckIssuerCertAlgoRequirements(creds.Certificate); err != nil { return nil, err } diff --git a/test/integration/rsa-ca/install_rsa_ca_test.go b/test/integration/rsa-ca/install_rsa_ca_test.go new file mode 100644 index 000000000..1b64a559b --- /dev/null +++ b/test/integration/rsa-ca/install_rsa_ca_test.go @@ -0,0 +1,80 @@ +package rsaca + +import ( + "context" + "fmt" + "os" + "testing" + + "github.com/linkerd/linkerd2/testutil" +) + +////////////////////// +/// TEST SETUP /// +////////////////////// + +var ( + TestHelper *testutil.TestHelper +) + +func TestMain(m *testing.M) { + TestHelper = testutil.NewTestHelper() + os.Exit(m.Run()) +} + +////////////////////// +/// TEST EXECUTION /// +////////////////////// + +func TestRsaCa(t *testing.T) { + err := TestHelper.CreateControlPlaneNamespaceIfNotExists(context.Background(), TestHelper.GetLinkerdNamespace()) + if err != nil { + testutil.AnnotatedFatalf(t, fmt.Sprintf("failed to create %s namespace", TestHelper.GetLinkerdNamespace()), + "failed to create %s namespace: %s", TestHelper.GetLinkerdNamespace(), err) + } + + // Install CRDs + cmd := []string{ + "install", + "--crds", + "--controller-log-level", "debug", + "--set", fmt.Sprintf("proxy.image.version=%s", TestHelper.GetVersion()), + "--set", "heartbeatSchedule=1 2 3 4 5", + } + + // Pipe cmd & args to `linkerd` + out, err := TestHelper.LinkerdRun(cmd...) + if err != nil { + testutil.AnnotatedFatal(t, "'linkerd install --crds' command failed", err) + } + + out, err = TestHelper.KubectlApplyWithArgs(out) + if err != nil { + testutil.AnnotatedFatalf(t, "'kubectl apply' command failed", + "'kubectl apply' command failed\n%s", out) + } + + // Install control-plane with a RSA CA which has issued an ECDSA issuer certificate + cmd = []string{ + "install", + "--controller-log-level", "debug", + "--set", fmt.Sprintf("proxy.image.version=%s", TestHelper.GetVersion()), + "--identity-trust-anchors-file", "testdata/ca.crt", + "--identity-issuer-certificate-file", "testdata/issuer.crt", + "--identity-issuer-key-file", "testdata/issuer.key", + } + + // Pipe cmd & args to `linkerd` + out, err = TestHelper.LinkerdRun(cmd...) + if err != nil { + testutil.AnnotatedFatal(t, "'linkerd install' command failed", err) + } + + out, err = TestHelper.KubectlApplyWithArgs(out) + if err != nil { + testutil.AnnotatedFatalf(t, "'kubectl apply' command failed", + "'kubectl apply' command failed\n%s", out) + } + + TestHelper.WaitRollout(t, testutil.LinkerdDeployReplicasEdge) +} diff --git a/test/integration/rsa-ca/testdata/ca.crt b/test/integration/rsa-ca/testdata/ca.crt new file mode 100644 index 000000000..465d4773a --- /dev/null +++ b/test/integration/rsa-ca/testdata/ca.crt @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDGTCCAgGgAwIBAgIQWo14Dx0kQlRe11eECx1kLDANBgkqhkiG9w0BAQsFADAl +MSMwIQYDVQQDExpyb290LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAeFw0yMjA3MTIy +MjM4NDhaFw0zMjA3MDkyMjM4NDhaMCUxIzAhBgNVBAMTGnJvb3QubGlua2VyZC5j +bHVzdGVyLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1cNW +64sk7nRqF5IZOv/FTzl1PE+4v09pbcIN/21NbEcd3aBPwlbMJHuUgAuxvw5Kq/g2 +iIIJTb9X1ohy19eiO32ZfinRKJYIL3vf79zKepANvvlWxR+u/H77KajVPj3mpql2 +BVzMWlmThIJBzc7Huch/hjhP+/hQ/7mE1G+dnxwGlMhsb4EvxRZzJnIXP0u0/Lpz +cK0dQ6iKX/l46s5Y0IJibiZ8GboZTrq9TOp+cN3jFrPO29F4tnjqF9cBgG1lO4b9 +/oCVPaJpIlrmqmqVKzS2S62lYxV9KvxPrUMWNW/xoej035hH74+dSJHZhn5HybxG +TsZ0ZV5w2vpWse9sNwIDAQABo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/ +BAgwBgEB/wIBATAdBgNVHQ4EFgQU1YCd8Jwk+twWuamPccLOjX8zwZEwDQYJKoZI +hvcNAQELBQADggEBAAFJ1u8RPyaCDzIHZm7p9p2uGzw+yvVF6JkW+4ZXzSCennlm +YaT78pj9P2ZpE1s0i8UL8Qss/FKdaknFxkeMBWJKS21OdsQVJVy0zGBhbRwYWHWq +CsxBw/THB8EHYh92tpwb5SYTFBKEsFCnxDgql5JMdFLsuWSIKl9WXFluxUJPlJB/ +1NBheB1BPyHYQIPF6jl+d5DJx7WyS7Pa/rYTzdKsERM+cbtiZYWl3h84FGboXR1C +7pfsBxJGrO7+3IRFkUxKtZtkKY2ibJ0oJVgPRop610IAuwH/WdathNwQhuzdkMjB +0DHSkgBoskZlzniPcNl/wOBB+yvC9nlWRSXf2bQ= +-----END CERTIFICATE----- diff --git a/test/integration/rsa-ca/testdata/ca.key b/test/integration/rsa-ca/testdata/ca.key new file mode 100644 index 000000000..f7ad15715 --- /dev/null +++ b/test/integration/rsa-ca/testdata/ca.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA1cNW64sk7nRqF5IZOv/FTzl1PE+4v09pbcIN/21NbEcd3aBP +wlbMJHuUgAuxvw5Kq/g2iIIJTb9X1ohy19eiO32ZfinRKJYIL3vf79zKepANvvlW +xR+u/H77KajVPj3mpql2BVzMWlmThIJBzc7Huch/hjhP+/hQ/7mE1G+dnxwGlMhs +b4EvxRZzJnIXP0u0/LpzcK0dQ6iKX/l46s5Y0IJibiZ8GboZTrq9TOp+cN3jFrPO +29F4tnjqF9cBgG1lO4b9/oCVPaJpIlrmqmqVKzS2S62lYxV9KvxPrUMWNW/xoej0 +35hH74+dSJHZhn5HybxGTsZ0ZV5w2vpWse9sNwIDAQABAoIBADkvNIV2h76yrd74 +Wn+KBMKY4F/uA8JKAC44h34ZQ2j/7WFojW2zwpDP7n4Cot41eIxgrlX+U3bVBS6C ++hX7vY6knvc9QJLW8AGj5dhI/HGlL8gy859wRmONpKsUW1d3P8i99LCijphs9iWw +ouHnu05b8KF7VwpU93YxrvMVmNkDLRy7l5AIfDNlJuhLBqabbxWtMAmIOJE+c4B4 +JnCZmzRrjRluN++O4VAJwMY138kYGGpzhD6oPWA/1q0IJDfNMS1Wl3eKkhXdORV4 +93VxbCUp6j4sKj+rX/S3CtQ56gzCgxyBCINrc8ZaXdklcGkuMJOYoQ4TdgGMIaOp +WKSJXsECgYEA5ECpMiH6jjMD9uKXnFxf7AfrjUoiAQ4Zp3HPx9m2mzTuxmuALllY +uq5zZpG0aMkOgh1m5Io5ysvfnuHI6OktG6by/5dJYVGywdwQVT8qpswxn/kEV5Fe +G2E293SWd465QFKu/6D0N71/qTGzfuHpqjleSKTwuIRNQ1674tysGpkCgYEA77/B +toqAq49dn0nXV2jCsydxifGfWNCWAFM2f7OU6SZt6hY54SViWY94kH8wKAKxoJnO +Ibc25c4i+dY5xEBR+HlOIGxxS2UkSz5RY1vROcu8mRiRs4JRHa8I7cFWQp7SB3mR +2K1D4L4Ipkw0e3zxOV54NNGpSNwwJUC91bJOT08CgYEA0rhbO1whKxwv4cHpA8JI +D+hz7tlssRqqVmp8z1zP91OTyHzANonnn1ikUyHasw5CpZ6tOfneRrmWteBuEZAL +Q8cJ+Spa5Ux+Qfh+36RUJO7INY64EnuyrIZAL41jx/ZsUdTDmF2oeLkqXTH0KwQ3 +Kx6RS3FyhnYlujeAL31YKakCgYBjvdIYYDyxox5fA3hcPBAsOm+o5OXXLEgLcJMO +w6Zi7QLzTTXdLhFhkyekbdWZ/6zoVLSGIFPtfTnd2LsFo4C2r7jKEnN722MjDpUL +kgpUUidvReJv3PpkMAq15yY85xgX1gLQMx03Jbgxfyiia1Nr+5pk1wjnb/tztCCG +A/1CTwKBgEXtlnAUDL23HlnBs7TzqkGuk03M+hubm83m4ZEFnnCMChWS+xl0bZ6O +lHMV/4tcMTNC/hA0agdyDWKkESTm1ve0zd7RSFOABsRtDhIWr3R7HARzf8t+VKPL +sg5lQZ+41hr4f3rg48fZz4xw66AbIfQktP4AnUH+V5zshzxqJlnn +-----END RSA PRIVATE KEY----- diff --git a/test/integration/rsa-ca/testdata/issuer.crt b/test/integration/rsa-ca/testdata/issuer.crt new file mode 100644 index 000000000..ca551dfc5 --- /dev/null +++ b/test/integration/rsa-ca/testdata/issuer.crt @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICczCCAVugAwIBAgIQHI4iWZqqY9YGKn6LnMIMqzANBgkqhkiG9w0BAQsFADAl +MSMwIQYDVQQDExpyb290LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAeFw0yMjA4MDEx +ODE5MzVaFw0zMjA3MjkxODE5MzVaMCkxJzAlBgNVBAMTHmlkZW50aXR5Lmxpbmtl +cmQuY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABI8FK0Bc +b40+TKUIjLpr/k/AmBlp367W8xsW1TZ60TEO0OXBpGYLdNvuOh5vIOTG/Xn9OSmZ +iHXHZ7ikpeJzVNqjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/ +AgEAMB0GA1UdDgQWBBSMHJIetxtiZ/yBCF9pDUOhZ+GbUjAfBgNVHSMEGDAWgBTV +gJ3wnCT63Ba5qY9xws6NfzPBkTANBgkqhkiG9w0BAQsFAAOCAQEAehCuAwQoZYek +bTvlJJICoWG99bg/bouZYpNHo3bSoLw4EmM0hTGPSIiajLv2kwnRQOWnQ/SgUvQM +w+EGFWtI7x8uRdYkX7go2hrt28Pr/aTYcKhnBoDl/4mo0341SFSG7FwpvoEqWulD +Z354tptDShoHXZAQciZDDr2cBtabszNn3aUXWuMsPXi/cSMgwErD3yalidAHVGMM +rq60AUhVgGgBED/yzbNzgaHqGbsLEDYgmn7SEWla5dalm/b+3UInm3VLucU0bAS0 +LE2O6P+vqMJZTwH0d7rfQYd5FpFlLR4UrsdjKTzVPV+rP1S0reEKctM+4exqM+Yr +omqyVHdmJA== +-----END CERTIFICATE----- diff --git a/test/integration/rsa-ca/testdata/issuer.key b/test/integration/rsa-ca/testdata/issuer.key new file mode 100644 index 000000000..ba1c7eafd --- /dev/null +++ b/test/integration/rsa-ca/testdata/issuer.key @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIGbPfosDdsWQD5U/2SiIP46WEc1Z8YiW0gVIpf7fKvHJoAoGCCqGSM49 +AwEHoUQDQgAEjwUrQFxvjT5MpQiMumv+T8CYGWnfrtbzGxbVNnrRMQ7Q5cGkZgt0 +2+46Hm8g5Mb9ef05KZmIdcdnuKSl4nNU2g== +-----END EC PRIVATE KEY-----