From 4ba83e83fbb4319c0b4cda82372caf042e9ccaa6 Mon Sep 17 00:00:00 2001
From: Masahiro Sakamoto
Date: Thu, 19 Dec 2024 15:42:23 +0900
Subject: [PATCH] Fix issue where cert chain is not taken into account in mTLS authentication (#467)
---
 ...start-mim-test-service-inside-container.sh | 3 +-
 .../start-test-service-inside-container.sh | 3 +-
 lib/ClientConnection.cc | 4 +-
 test-conf/broker-cert.pem | 134 +++++--------
 test-conf/cacert.pem | 177 +++++++-----------
 test-conf/cakey.pem | 27 +++
 test-conf/chained-client-cert.pem | 51 +++++
 test-conf/chained-client-key.pem | 27 +++
 test-conf/client-cert.pem | 117 ++++++------
 test-conf/intermediate-cacert.pem | 83 ++++++++
 test-conf/intermediate-cakey.pem | 27 +++
 tests/AuthPluginTest.cc | 17 ++
 12 files changed, 411 insertions(+), 259 deletions(-)
 create mode 100644 test-conf/cakey.pem
 create mode 100644 test-conf/chained-client-cert.pem
 create mode 100644 test-conf/chained-client-key.pem
 create mode 100644 test-conf/intermediate-cacert.pem
 create mode 100644 test-conf/intermediate-cakey.pem
diff --git a/build-support/start-mim-test-service-inside-container.sh b/build-support/start-mim-test-service-inside-container.sh
index e7b307d8..fdeb7879 100755
--- a/build-support/start-mim-test-service-inside-container.sh
+++ b/build-support/start-mim-test-service-inside-container.sh
@@ -76,7 +76,8 @@ put tenants/private '{
 put namespaces/private/auth '{
 "auth_policies": {
 "namespace_auth": {
- "token-principal": ["produce", "consume"]
+ "token-principal": ["produce", "consume"],
+ "chained-client": ["produce", "consume"]
 }
 },
 "replication_clusters": ["standalone"]
diff --git a/build-support/start-test-service-inside-container.sh b/build-support/start-test-service-inside-container.sh
index 678341a5..71b93061 100755
--- a/build-support/start-test-service-inside-container.sh
+++ b/build-support/start-test-service-inside-container.sh
@@ -134,7 +134,8 @@ put tenants/private '{
 put namespaces/private/auth '{
 "auth_policies": {
 "namespace_auth": {
- "token-principal": ["produce", "consume"]
+ "token-principal": ["produce", "consume"],
+ "chained-client": ["produce", "consume"]
 }
 },
 "replication_clusters": ["standalone"]
diff --git a/lib/ClientConnection.cc b/lib/ClientConnection.cc
index 5b2b2ca2..2037722f 100644
--- a/lib/ClientConnection.cc
+++ b/lib/ClientConnection.cc
@@ -253,11 +253,11 @@ ClientConnection::ClientConnection(const std::string& logicalAddress, const std:
 throw ResultAuthenticationError;
 }
 ctx.use_private_key_file(tlsPrivateKey, ASIO::ssl::context::pem);
- ctx.use_certificate_file(tlsCertificates, ASIO::ssl::context::pem);
+ ctx.use_certificate_chain_file(tlsCertificates);
 } else {
 if (file_exists(tlsPrivateKey) && file_exists(tlsCertificates)) {
 ctx.use_private_key_file(tlsPrivateKey, ASIO::ssl::context::pem);
- ctx.use_certificate_file(tlsCertificates, ASIO::ssl::context::pem);
+ ctx.use_certificate_chain_file(tlsCertificates);
 }
 }
diff --git a/test-conf/broker-cert.pem b/test-conf/broker-cert.pem
index 8d0a02f2..f4e7a561 100644
--- a/test-conf/broker-cert.pem
+++ b/test-conf/broker-cert.pem
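Review bot: In lib/ClientConnection.cc both branches still load the private key before the certificate, and that order can hide a key/certificate mismatch: as far as I know, OpenSSL drops an already-loaded key that does not match the newly set leaf certificate instead of reporting an error, so the failure would only surface later in the handshake. Loading the chain first should make a mismatch fail at load time: `ctx.use_certificate_chain_file(tlsCertificates);` followed by `ctx.use_private_key_file(tlsPrivateKey, ASIO::ssl::context::pem);`. A comment such as `// PEM only: leaf certificate first, then intermediates in issuing order` would also document the layout the file is now expected to have. The constructor starts and ends outside the hunk.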
@@ -1,16 +1,17 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 4098 (0x1002) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=California, L=Palo Alto, O=Apache Software Foundation, OU=Pulsar, CN=Pulsar CA/emailAddress=dev@pulsar.apache.org + Serial Number: + 53:f8:da:b4:2b:b3:53:ff:db:96:69:f4:54:4b:8c:94:c9:24:d4:32 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=California, O=Apache Software Foundation, OU=Pulsar, CN=Pulsar CA/emailAddress=dev@pulsar.apache.org Validity - Not Before: Feb 17 17:00:44 2021 GMT - Not After : Feb 12 17:00:44 2041 GMT + Not Before: Dec 18 06:29:25 2024 GMT + Not After : Dec 13 06:29:25 2044 GMT Subject: C=US, ST=California, O=Apache Software Foundation, OU=Pulsar, CN=localhost/emailAddress=dev@pulsar.apache.org Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) + RSA Public-Key: (2048 bit) Modulus: 00:9b:2a:6f:24:02:23:f7:ff:e6:75:61:ca:07:a8: c0:ab:e9:8d:eb:51:2e:64:f7:9e:9b:d4:b4:be:3a: 
@@ -32,86 +33,53 @@ Certificate: 5e:cd Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Basic Constraints: + X509v3 Basic Constraints: CA:FALSE - Netscape Cert Type: - SSL Server - Netscape Comment: - OpenSSL Generated Server Certificate - X509v3 Subject Key Identifier: + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: 49:3C:B2:98:30:CE:7F:79:7A:C6:8B:57:CA:24:9F:12:82:1E:5D:EF - X509v3 Authority Key Identifier: - keyid:D2:B2:3D:B1:A4:7C:48:4B:36:E1:A7:DE:D8:FC:BA:92:BA:A7:C4:71 - DirName:/C=US/ST=California/L=Palo Alto/O=Apache Software Foundation/OU=Pulsar/CN=Pulsar CA/emailAddress=dev@pulsar.apache.org - serial:52:7B:B4:00:96:60:B4:26:85:BE:01:82:B8:B8:E2:8C:72:EF:5B:90 + X509v3 Authority Key Identifier: + keyid:9C:66:A6:5E:95:A5:D7:72:6E:11:76:44:43:35:B4:61:FB:70:27:6F - X509v3 Key Usage: critical - Digital Signature, Key Encipherment - X509v3 Extended Key Usage: - TLS Web Server Authentication Signature Algorithm: sha256WithRSAEncryption - 0f:bd:af:39:0c:2c:dc:8f:7e:06:0d:27:df:35:c7:8d:5a:03: - 68:97:f6:dc:d6:d3:39:0e:b4:76:48:7d:e1:1c:a9:4b:83:fa: - 52:00:ab:28:93:2d:06:76:0c:14:35:3c:f1:8e:3b:af:c8:d0: - 27:1f:58:d4:71:22:5f:05:a6:9e:73:c6:a5:5e:2a:e6:fb:eb: - fc:73:52:87:ca:8a:2a:f9:1e:5f:e2:b9:bd:01:27:9f:7c:61: - a6:97:ad:a0:ab:4e:fb:cc:fa:c8:77:6a:65:1b:ae:60:5e:fb: - 97:14:8c:40:d7:96:c6:2c:64:59:c0:52:52:7c:2d:98:4b:f4: - 72:da:83:f7:c6:4f:32:42:ce:df:02:dd:5f:eb:58:42:f9:62: - a1:9a:05:ef:13:48:27:af:a3:7f:23:eb:e0:dc:1d:8f:96:2a: - 88:47:f7:e4:75:6f:a9:15:f6:44:f1:6d:39:3a:2c:df:a7:82: - cc:7e:aa:9c:1c:c0:a7:7d:68:31:4a:4e:21:b8:9f:17:90:4b: - f1:68:23:ef:a7:53:fc:a9:a8:35:6b:8f:4c:5e:d4:ea:b0:8a: - 27:9a:86:89:ce:f2:5d:03:35:80:fc:45:e8:87:66:0f:32:b5: - 2a:f5:1b:79:0e:09:8b:90:40:20:fb:e3:27:8a:c9:92:c1:53: - 97:10:5a:8c:50:ef:02:46:7e:ec:68:c8:1e:26:66:0e:1d:d6: - 6c:82:e7:38:14:e8:cb:45:77:29:5f:2c:1a:9d:d7:54:21:8a: - cf:0f:b7:0c:ae:fe:d6:fb:fb:c3:07:3e:33:df:59:25:1c:73: - 
d4:87:73:14:b4:76:16:8a:3f:82:05:7b:42:0a:55:0c:79:24: - 3c:58:31:3f:e0:3e:9f:4e:d0:0e:fd:77:b7:13:2c:d3:d0:46: - cc:80:09:0f:50:56:8b:6e:6e:91:b2:5b:c8:2f:4d:86:dc:72: - 00:de:08:0d:5e:3e:96:1f:12:7d:3b:0d:4d:71:d5:c8:a8:06: - ba:00:23:ec:10:4c:a4:c3:6f:bc:f0:d7:b1:cf:57:3f:3b:79: - db:80:87:35:c7:4e:7f:bb:38:30:0a:9f:fe:5a:86:f5:97:ce: - 24:38:79:fd:a0:dc:0b:82:11:a1:ea:0c:e9:16:65:e0:c0:54: - 80:ad:6e:55:18:ac:27:35:3a:b0:20:70:62:8e:5d:a2:33:53: - 8c:ce:f9:ee:a1:27:cb:db:e5:9a:5e:e6:f7:80:93:84:63:04: - 26:58:ab:23:bb:94:80:d0:a0:55:a2:8a:ed:bc:0f:c3:41:d2: - 26:a5:b9:8d:8a:45:e8:a1:fc:e8:ee:7a:64:93:ed:d6:ef:a2: - 51:d7:c9:0a:31:39:35:4a + 46:44:07:07:74:de:fa:e9:ad:ee:10:87:72:e4:06:81:e7:d9: + 9c:91:99:9e:fe:b2:fe:29:fc:58:12:38:7d:28:c1:3b:d6:ca: + 19:dd:06:6c:1e:95:17:58:fa:48:47:62:2b:4f:29:a2:39:3a: + 90:f4:37:5a:8c:75:4c:60:b3:61:50:94:5a:4d:70:6a:50:62: + c8:17:46:38:92:1a:02:4d:71:ad:ab:94:10:a3:91:b1:aa:18: + a9:00:88:b7:16:25:3c:aa:59:45:90:49:9a:9c:15:5e:d5:2f: + 2f:2a:9e:61:77:b8:59:b7:7e:30:c9:8e:89:2a:57:11:84:e2: + cd:a6:ba:78:73:05:a0:f0:aa:47:5b:8c:f2:a9:20:c6:f7:50: + 39:d7:07:bc:ef:7f:04:85:60:1b:c2:5e:53:dc:40:f9:22:f8: + 78:b6:be:d7:1b:84:51:45:f7:30:6c:15:fd:c4:07:83:cf:89: + f0:6f:f9:49:7a:cc:f3:17:00:ef:33:f5:0a:6a:79:75:e5:6f: + 2e:1f:ad:bf:7e:34:e8:1c:2e:08:de:1e:16:c0:ab:73:69:f9: + 2e:09:d1:7b:f4:f0:8c:59:b6:82:c3:1a:a3:8c:25:0f:78:bf: + 0b:b3:87:72:46:36:be:8e:4c:67:4c:ca:49:05:a0:2e:fd:3d: + a1:62:d6:01 -----BEGIN CERTIFICATE----- -MIIGPDCCBCSgAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwgaYxCzAJBgNVBAYTAlVT -MRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlQYWxvIEFsdG8xIzAhBgNV -BAoMGkFwYWNoZSBTb2Z0d2FyZSBGb3VuZGF0aW9uMQ8wDQYDVQQLDAZQdWxzYXIx -EjAQBgNVBAMMCVB1bHNhciBDQTEkMCIGCSqGSIb3DQEJARYVZGV2QHB1bHNhci5h -cGFjaGUub3JnMB4XDTIxMDIxNzE3MDA0NFoXDTQxMDIxMjE3MDA0NFowgZIxCzAJ -BgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMSMwIQYDVQQKDBpBcGFjaGUg -U29mdHdhcmUgRm91bmRhdGlvbjEPMA0GA1UECwwGUHVsc2FyMRIwEAYDVQQDDAls 
-b2NhbGhvc3QxJDAiBgkqhkiG9w0BCQEWFWRldkBwdWxzYXIuYXBhY2hlLm9yZzCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJsqbyQCI/f/5nVhygeowKvp -jetRLmT3npvUtL46+vRuxpKPOE0IzYkVPizEmW3LWID84E3WffaCqw2U8uJFydMV -lVcKbIbceGQ7NEsBfF3eT9QhGl0noKVwei4CUOEZtLkF35kNi8xi3BBz+nKLOH/T -VlRhULuS/wlxCce9BEM8jJyLMtEFBIrGidh4Vk3aL/TsNDcmtYfkPybJQWC6MRAZ -vvgMpAqFGVniAF23wL3RLvymNIuFKswF9vvkAOZ0lf8Cb0N/OafCg45bOEDJQsi8 -JnI2NWTCVCIRh+hljz3pQadtGYiaIJuaUufSy7PgLo/BVlS8bRQwc8XXjtBaXs0C -AwEAAaOCAYQwggGAMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMGCWCG -SAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUw -HQYDVR0OBBYEFEk8spgwzn95esaLV8oknxKCHl3vMIHmBgNVHSMEgd4wgduAFNKy -PbGkfEhLNuGn3tj8upK6p8RxoYGspIGpMIGmMQswCQYDVQQGEwJVUzETMBEGA1UE -CAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJUGFsbyBBbHRvMSMwIQYDVQQKDBpBcGFj -aGUgU29mdHdhcmUgRm91bmRhdGlvbjEPMA0GA1UECwwGUHVsc2FyMRIwEAYDVQQD -DAlQdWxzYXIgQ0ExJDAiBgkqhkiG9w0BCQEWFWRldkBwdWxzYXIuYXBhY2hlLm9y -Z4IUUnu0AJZgtCaFvgGCuLjijHLvW5AwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQM -MAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQAPva85DCzcj34GDSffNceN -WgNol/bc1tM5DrR2SH3hHKlLg/pSAKsoky0GdgwUNTzxjjuvyNAnH1jUcSJfBaae -c8alXirm++v8c1KHyooq+R5f4rm9ASeffGGml62gq077zPrId2plG65gXvuXFIxA -15bGLGRZwFJSfC2YS/Ry2oP3xk8yQs7fAt1f61hC+WKhmgXvE0gnr6N/I+vg3B2P -liqIR/fkdW+pFfZE8W05Oizfp4LMfqqcHMCnfWgxSk4huJ8XkEvxaCPvp1P8qag1 -a49MXtTqsIonmoaJzvJdAzWA/EXoh2YPMrUq9Rt5DgmLkEAg++MnismSwVOXEFqM -UO8CRn7saMgeJmYOHdZsguc4FOjLRXcpXywanddUIYrPD7cMrv7W+/vDBz4z31kl -HHPUh3MUtHYWij+CBXtCClUMeSQ8WDE/4D6fTtAO/Xe3EyzT0EbMgAkPUFaLbm6R -slvIL02G3HIA3ggNXj6WHxJ9Ow1NcdXIqAa6ACPsEEykw2+88Nexz1c/O3nbgIc1 -x05/uzgwCp/+Wob1l84kOHn9oNwLghGh6gzpFmXgwFSArW5VGKwnNTqwIHBijl2i -M1OMzvnuoSfL2+WaXub3gJOEYwQmWKsju5SA0KBVoortvA/DQdImpbmNikXoofzo -7npkk+3W76JR18kKMTk1Sg== +MIIELzCCAxegAwIBAgIUU/jatCuzU//blmn0VEuMlMkk1DIwDQYJKoZIhvcNAQEL +BQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMSMwIQYDVQQK +DBpBcGFjaGUgU29mdHdhcmUgRm91bmRhdGlvbjEPMA0GA1UECwwGUHVsc2FyMRIw 
+EAYDVQQDDAlQdWxzYXIgQ0ExJDAiBgkqhkiG9w0BCQEWFWRldkBwdWxzYXIuYXBh +Y2hlLm9yZzAeFw0yNDEyMTgwNjI5MjVaFw00NDEyMTMwNjI5MjVaMIGSMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEjMCEGA1UECgwaQXBhY2hlIFNv +ZnR3YXJlIEZvdW5kYXRpb24xDzANBgNVBAsMBlB1bHNhcjESMBAGA1UEAwwJbG9j +YWxob3N0MSQwIgYJKoZIhvcNAQkBFhVkZXZAcHVsc2FyLmFwYWNoZS5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbKm8kAiP3/+Z1YcoHqMCr6Y3r +US5k956b1LS+Ovr0bsaSjzhNCM2JFT4sxJlty1iA/OBN1n32gqsNlPLiRcnTFZVX +CmyG3HhkOzRLAXxd3k/UIRpdJ6ClcHouAlDhGbS5Bd+ZDYvMYtwQc/pyizh/01ZU +YVC7kv8JcQnHvQRDPIycizLRBQSKxonYeFZN2i/07DQ3JrWH5D8myUFgujEQGb74 +DKQKhRlZ4gBdt8C90S78pjSLhSrMBfb75ADmdJX/Am9DfzmnwoOOWzhAyULIvCZy +NjVkwlQiEYfoZY896UGnbRmImiCbmlLn0suz4C6PwVZUvG0UMHPF147QWl7NAgMB +AAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJh +dGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRJPLKYMM5/eXrGi1fKJJ8Sgh5d7zAf +BgNVHSMEGDAWgBScZqZelaXXcm4RdkRDNbRh+3AnbzANBgkqhkiG9w0BAQsFAAOC +AQEARkQHB3Te+umt7hCHcuQGgefZnJGZnv6y/in8WBI4fSjBO9bKGd0GbB6VF1j6 +SEdiK08pojk6kPQ3Wox1TGCzYVCUWk1walBiyBdGOJIaAk1xrauUEKORsaoYqQCI +txYlPKpZRZBJmpwVXtUvLyqeYXe4Wbd+MMmOiSpXEYTizaa6eHMFoPCqR1uM8qkg +xvdQOdcHvO9/BIVgG8JeU9xA+SL4eLa+1xuEUUX3MGwV/cQHg8+J8G/5SXrM8xcA +7zP1Cmp5deVvLh+tv3406BwuCN4eFsCrc2n5LgnRe/TwjFm2gsMao4wlD3i/C7OH +ckY2vo5MZ0zKSQWgLv09oWLWAQ== -----END CERTIFICATE----- diff --git a/test-conf/cacert.pem b/test-conf/cacert.pem index 6abfc2d8..4cf868f0 100644 --- a/test-conf/cacert.pem +++ b/test-conf/cacert.pem 
@@ -2,126 +2,81 @@ Certificate: Data: Version: 3 (0x2) Serial Number: - 52:7b:b4:00:96:60:b4:26:85:be:01:82:b8:b8:e2:8c:72:ef:5b:90 - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=California, L=Palo Alto, O=Apache Software Foundation, OU=Pulsar, CN=Pulsar CA/emailAddress=dev@pulsar.apache.org + 53:f8:da:b4:2b:b3:53:ff:db:96:69:f4:54:4b:8c:94:c9:24:d4:30 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=California, O=Apache Software Foundation, OU=Pulsar, CN=Pulsar CA/emailAddress=dev@pulsar.apache.org Validity - Not Before: Feb 17 16:43:44 2021 GMT - Not After : Feb 12 16:43:44 2041 GMT - Subject: C=US, ST=California, L=Palo Alto, O=Apache Software Foundation, OU=Pulsar, CN=Pulsar CA/emailAddress=dev@pulsar.apache.org + Not Before: Dec 18 05:14:53 2024 GMT + Not After : Dec 13 05:14:53 2044 GMT + Subject: C=US, ST=California, O=Apache Software Foundation, OU=Pulsar, CN=Pulsar CA/emailAddress=dev@pulsar.apache.org Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) + RSA Public-Key: (2048 bit) Modulus: - 00:b1:3c:7d:ab:4a:54:72:37:2a:92:94:0a:66:46: - af:8c:ed:f4:2e:f3:87:1a:d0:c7:9d:23:35:1b:61: - 74:69:ca:f7:f5:3e:95:9c:86:f2:21:34:f8:0b:ed: - 45:76:22:ec:75:52:c0:67:db:2f:ba:da:25:3f:e1: - 5b:ac:da:15:dd:a5:75:24:b2:12:f0:b0:ce:fd:ab: - 44:06:a9:09:f6:b0:8e:8f:83:53:16:69:fa:9c:cc: - 00:fa:dd:13:f3:da:fd:f2:bf:88:8e:c4:f8:1a:6f: - ab:4d:f8:32:81:80:7e:51:7a:99:2d:94:cd:f3:5d: - 1c:58:b2:44:f1:96:12:46:56:bd:60:8f:65:32:b7: - d4:4b:7b:f3:23:88:2d:9b:a4:c4:c9:52:ea:9f:66: - c1:74:be:4b:91:c6:b9:57:ec:c1:cc:81:bb:03:d5: - fa:a0:46:4f:9a:a7:3e:3c:27:26:2b:97:eb:69:53: - 04:75:50:97:d6:0d:90:b1:37:9f:64:df:70:4d:d9: - b3:e3:b7:cc:76:50:d9:3c:9b:4c:ac:e9:26:2e:cf: - ac:47:42:14:b7:60:00:0a:de:42:47:66:0c:c7:7a: - b9:4d:f4:fb:c2:6a:45:78:ec:b0:b4:ce:b3:1f:50: - 25:96:13:0c:55:0a:e0:d6:76:f7:1f:e1:16:e6:41: - d6:72:6a:49:17:12:d9:05:8f:dc:56:b6:31:b3:b7: - 9c:e3:d8:a9:99:8a:1d:3b:9d:d9:59:44:ee:46:88: - 
11:5f:ab:fa:38:a9:8b:d2:23:15:8b:af:1a:de:66: - ba:7d:51:95:37:94:91:aa:01:01:d7:83:19:4b:5d: - 8d:f4:18:39:ef:e3:32:d0:62:c8:12:50:4e:91:c2: - ac:58:73:68:bb:92:20:fc:14:e5:1a:86:bd:40:4c: - 94:e0:7d:0d:9c:08:57:ae:00:44:38:94:a3:3d:64: - 99:43:f8:e3:12:90:14:0f:5d:63:e2:c6:07:ea:d0: - 4c:8e:cf:e0:ae:34:be:86:4f:fc:58:e2:ea:f5:23: - 82:37:96:02:57:1b:b4:29:ca:fd:68:a0:48:79:e8: - 31:97:9a:5a:0e:2b:b4:b0:84:bb:57:4e:5f:4f:a7: - 43:45:97:d7:de:05:fc:2f:6c:3e:f5:53:26:56:a3: - a5:da:52:69:57:8e:a0:4b:27:50:f9:ad:6e:76:a6: - 29:cc:06:94:dd:d0:ac:c6:18:22:a0:e2:bb:ed:d5: - e4:97:f7:ac:23:df:75:30:41:97:07:3f:d3:12:8e: - c5:a4:ef:ce:40:e8:3b:57:24:19:33:1b:ee:8a:0e: - dd:0c:70:f2:1a:87:35:d9:71:d8:18:a7:9c:47:db: - 93:51:c3 + 00:d5:72:38:a5:5c:cb:a7:2b:f7:a7:ed:34:59:69: + 9f:9d:f6:5c:a2:91:c1:4c:41:15:3f:13:6d:4a:3b: + 5a:25:1c:5e:c5:8c:d9:7e:44:19:be:49:f4:3b:fb: + fb:85:0d:04:29:1c:31:65:4f:fa:2c:ac:8f:90:e2: + c4:d1:9d:1d:bd:60:24:d3:b4:50:cc:6c:42:e0:9c: + a3:ef:ee:44:b8:51:b8:64:a2:77:03:16:fd:b7:17: + ed:d6:28:5f:c0:71:3a:c3:87:55:a5:2c:07:16:f1: + c8:79:07:3f:69:de:cd:b3:1d:35:2f:0b:e9:e3:8e: + 9b:a8:47:ee:fe:b4:9b:12:78:01:cb:45:90:52:18: + 0c:ec:3e:db:fd:1e:38:3b:f4:e0:01:f6:8d:e7:fe: + bc:b4:89:f4:cc:64:6e:65:66:c3:2b:6f:3c:04:b4: + 3e:52:18:b8:27:f8:87:6d:87:41:d5:a8:61:20:d2: + 50:75:ee:af:6f:08:2d:9e:d5:d0:57:92:0a:d1:06: + 9a:f6:c0:c2:c8:38:c3:0a:93:ea:be:7d:25:32:75: + eb:dd:d2:30:a7:07:f1:b7:88:b7:60:1c:32:a3:45: + e7:73:38:a8:35:b3:d3:cd:0e:bc:bd:f7:57:03:aa: + d7:e1:dc:2a:0a:41:69:eb:35:df:8c:c0:ec:e8:2d: + 9a:77 Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Subject Key Identifier: - D2:B2:3D:B1:A4:7C:48:4B:36:E1:A7:DE:D8:FC:BA:92:BA:A7:C4:71 - X509v3 Authority Key Identifier: - keyid:D2:B2:3D:B1:A4:7C:48:4B:36:E1:A7:DE:D8:FC:BA:92:BA:A7:C4:71 + X509v3 Subject Key Identifier: + 9C:66:A6:5E:95:A5:D7:72:6E:11:76:44:43:35:B4:61:FB:70:27:6F + X509v3 Authority Key Identifier: + keyid:9C:66:A6:5E:95:A5:D7:72:6E:11:76:44:43:35:B4:61:FB:70:27:6F 
X509v3 Basic Constraints: critical CA:TRUE - X509v3 Key Usage: critical - Digital Signature, Certificate Sign, CRL Sign Signature Algorithm: sha256WithRSAEncryption - 14:3d:7c:15:86:de:aa:5a:30:5d:d4:f2:bc:5f:10:d2:af:fe: - 91:d7:ee:f3:b8:5f:ce:e4:c9:b2:01:c3:16:da:66:8e:7e:b1: - c1:e3:30:ff:1d:73:d0:9c:20:3d:54:32:57:ae:07:80:4a:24: - 6e:7e:32:a3:e7:23:4d:5c:31:54:8b:c1:1b:c5:bc:20:5d:43: - 62:93:e0:2e:a7:01:77:39:cf:fd:ec:4c:57:09:4f:2b:ad:ac: - b6:c0:be:5a:a3:ea:12:ac:5a:7f:60:23:81:bb:9a:fa:5f:7a: - 67:a9:31:c3:34:af:db:ff:32:22:83:40:c2:7d:2f:39:5e:8a: - 29:44:73:5f:6e:b4:f4:a2:ae:60:1f:8e:ef:91:9a:49:bb:a6: - 90:2b:e0:44:95:24:8b:37:90:18:2d:41:32:8a:8e:07:8d:ea: - 75:62:b8:9c:ec:73:6f:12:54:23:6d:40:00:74:c7:d3:fb:b7: - 95:06:7d:cc:6d:8e:2c:d0:8b:11:06:8a:b7:43:1a:d7:e9:98: - f4:c6:ef:ad:2a:75:08:fb:07:8f:20:36:7a:86:1a:cf:f7:d6: - 96:ad:ed:71:59:d1:81:56:18:8d:98:c2:c0:44:e5:29:7a:7c: - c0:e3:d7:fb:b8:f5:b2:50:53:8a:cf:38:ff:99:aa:bb:28:51: - 60:e8:05:91:e1:ee:86:90:90:9b:87:60:63:38:cf:54:a5:82: - 74:0f:40:b5:d2:6a:c5:a9:98:22:59:4e:fb:a5:81:e2:7b:0e: - 3f:71:f3:24:17:1e:c5:89:fc:ae:ed:f3:69:65:02:b8:1e:98: - bc:37:c6:25:36:f8:ca:99:60:8e:13:3b:33:ec:91:b3:eb:04: - 6d:41:97:3e:35:c0:97:ed:66:12:25:44:23:f3:2e:fa:9c:2e: - c2:ba:dd:f3:63:d7:5b:b2:72:03:4d:3b:fb:5e:29:d6:5c:02: - 32:93:47:d1:4c:77:4a:58:c5:aa:81:ab:67:84:80:81:14:28: - e1:db:11:16:6d:31:50:7a:47:b2:a8:2d:15:a1:c4:63:1b:ce: - d5:e1:d7:57:dc:1a:71:e0:55:9f:6d:fb:be:e6:99:e8:89:be: - 2c:e0:19:5e:cd:02:79:52:ee:93:56:9f:dc:d7:de:31:9b:2a: - c8:91:48:a0:c7:44:7d:72:32:27:c3:2b:d8:e8:6b:94:67:b5: - 1d:9d:99:25:23:d9:24:b5:ed:4b:f2:18:2d:88:f5:d4:36:bb: - 53:8c:a8:b1:7f:05:13:d7:8d:89:9d:55:33:90:bc:60:99:cf: - 05:ba:bd:cb:c5:61:f9:c5:1a:f7:46:9c:40:90:dd:83:aa:7a: - 1f:ab:5c:10:8d:26:27:1e + c4:99:05:f8:fd:0e:45:f5:01:3d:58:dd:11:77:da:e3:49:cc: + 7c:1c:56:16:51:5a:b7:ad:9f:ab:95:5b:55:9c:2f:f5:11:62: + a4:6b:df:3e:6f:a5:30:80:34:57:c4:cb:00:35:41:14:ba:09: + 
b8:20:0a:c1:0f:5b:e8:51:40:83:be:72:14:84:9f:26:47:3e: + 5d:20:73:47:b9:f9:8c:13:d2:a3:ec:ce:a8:57:d4:f6:e8:3c: + 55:5c:d9:cb:00:c8:e3:20:5c:78:d3:06:fb:16:cb:15:e7:52: + c8:c5:16:20:26:ee:9c:8f:ed:ba:7a:f2:07:a9:13:6b:44:83: + 03:18:5e:67:c3:61:5d:85:17:d9:f8:60:a9:84:f0:37:ce:23: + 83:ba:a4:00:b4:18:ce:df:d5:21:53:5c:7f:5c:55:33:49:f3: + 28:5f:39:14:bb:05:6b:6b:ea:da:e4:7a:3a:ef:e6:05:4b:ae: + d1:ad:f3:84:d3:18:ba:23:ff:04:2e:62:b6:9f:b3:dd:0b:2b: + e3:6a:89:8c:ff:11:8b:5c:63:5d:39:05:56:c3:ea:3a:fd:6b: + 87:06:74:ad:cc:0c:10:70:ec:53:49:eb:42:d8:30:45:80:0a: + 8c:6a:51:d2:1c:65:74:c8:46:4e:1d:7f:c3:b1:b2:5b:f9:2c: + 85:e3:8d:f6 -----BEGIN CERTIFICATE----- -MIIGPzCCBCegAwIBAgIUUnu0AJZgtCaFvgGCuLjijHLvW5AwDQYJKoZIhvcNAQEL -BQAwgaYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQH -DAlQYWxvIEFsdG8xIzAhBgNVBAoMGkFwYWNoZSBTb2Z0d2FyZSBGb3VuZGF0aW9u -MQ8wDQYDVQQLDAZQdWxzYXIxEjAQBgNVBAMMCVB1bHNhciBDQTEkMCIGCSqGSIb3 -DQEJARYVZGV2QHB1bHNhci5hcGFjaGUub3JnMB4XDTIxMDIxNzE2NDM0NFoXDTQx -MDIxMjE2NDM0NFowgaYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh -MRIwEAYDVQQHDAlQYWxvIEFsdG8xIzAhBgNVBAoMGkFwYWNoZSBTb2Z0d2FyZSBG -b3VuZGF0aW9uMQ8wDQYDVQQLDAZQdWxzYXIxEjAQBgNVBAMMCVB1bHNhciBDQTEk -MCIGCSqGSIb3DQEJARYVZGV2QHB1bHNhci5hcGFjaGUub3JnMIICIjANBgkqhkiG -9w0BAQEFAAOCAg8AMIICCgKCAgEAsTx9q0pUcjcqkpQKZkavjO30LvOHGtDHnSM1 -G2F0acr39T6VnIbyITT4C+1FdiLsdVLAZ9svutolP+FbrNoV3aV1JLIS8LDO/atE -BqkJ9rCOj4NTFmn6nMwA+t0T89r98r+IjsT4Gm+rTfgygYB+UXqZLZTN810cWLJE -8ZYSRla9YI9lMrfUS3vzI4gtm6TEyVLqn2bBdL5Lkca5V+zBzIG7A9X6oEZPmqc+ -PCcmK5fraVMEdVCX1g2QsTefZN9wTdmz47fMdlDZPJtMrOkmLs+sR0IUt2AACt5C -R2YMx3q5TfT7wmpFeOywtM6zH1AllhMMVQrg1nb3H+EW5kHWcmpJFxLZBY/cVrYx -s7ec49ipmYodO53ZWUTuRogRX6v6OKmL0iMVi68a3ma6fVGVN5SRqgEB14MZS12N -9Bg57+My0GLIElBOkcKsWHNou5Ig/BTlGoa9QEyU4H0NnAhXrgBEOJSjPWSZQ/jj -EpAUD11j4sYH6tBMjs/grjS+hk/8WOLq9SOCN5YCVxu0Kcr9aKBIeegxl5paDiu0 -sIS7V05fT6dDRZfX3gX8L2w+9VMmVqOl2lJpV46gSydQ+a1udqYpzAaU3dCsxhgi -oOK77dXkl/esI991MEGXBz/TEo7FpO/OQOg7VyQZMxvuig7dDHDyGoc12XHYGKec 
-R9uTUcMCAwEAAaNjMGEwHQYDVR0OBBYEFNKyPbGkfEhLNuGn3tj8upK6p8RxMB8G -A1UdIwQYMBaAFNKyPbGkfEhLNuGn3tj8upK6p8RxMA8GA1UdEwEB/wQFMAMBAf8w -DgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQAUPXwVht6qWjBd1PK8 -XxDSr/6R1+7zuF/O5MmyAcMW2maOfrHB4zD/HXPQnCA9VDJXrgeASiRufjKj5yNN -XDFUi8EbxbwgXUNik+AupwF3Oc/97ExXCU8rray2wL5ao+oSrFp/YCOBu5r6X3pn -qTHDNK/b/zIig0DCfS85XoopRHNfbrT0oq5gH47vkZpJu6aQK+BElSSLN5AYLUEy -io4Hjep1Yric7HNvElQjbUAAdMfT+7eVBn3MbY4s0IsRBoq3QxrX6Zj0xu+tKnUI -+wePIDZ6hhrP99aWre1xWdGBVhiNmMLAROUpenzA49f7uPWyUFOKzzj/maq7KFFg -6AWR4e6GkJCbh2BjOM9UpYJ0D0C10mrFqZgiWU77pYHiew4/cfMkFx7Fifyu7fNp -ZQK4Hpi8N8YlNvjKmWCOEzsz7JGz6wRtQZc+NcCX7WYSJUQj8y76nC7Cut3zY9db -snIDTTv7XinWXAIyk0fRTHdKWMWqgatnhICBFCjh2xEWbTFQekeyqC0VocRjG87V -4ddX3Bpx4FWfbfu+5pnoib4s4BlezQJ5Uu6TVp/c194xmyrIkUigx0R9cjInwyvY -6GuUZ7UdnZklI9kkte1L8hgtiPXUNrtTjKixfwUT142JnVUzkLxgmc8Fur3LxWH5 -xRr3RpxAkN2Dqnofq1wQjSYnHg== +MIIEBzCCAu+gAwIBAgIUU/jatCuzU//blmn0VEuMlMkk1DAwDQYJKoZIhvcNAQEL +BQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMSMwIQYDVQQK +DBpBcGFjaGUgU29mdHdhcmUgRm91bmRhdGlvbjEPMA0GA1UECwwGUHVsc2FyMRIw +EAYDVQQDDAlQdWxzYXIgQ0ExJDAiBgkqhkiG9w0BCQEWFWRldkBwdWxzYXIuYXBh +Y2hlLm9yZzAeFw0yNDEyMTgwNTE0NTNaFw00NDEyMTMwNTE0NTNaMIGSMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEjMCEGA1UECgwaQXBhY2hlIFNv +ZnR3YXJlIEZvdW5kYXRpb24xDzANBgNVBAsMBlB1bHNhcjESMBAGA1UEAwwJUHVs +c2FyIENBMSQwIgYJKoZIhvcNAQkBFhVkZXZAcHVsc2FyLmFwYWNoZS5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVcjilXMunK/en7TRZaZ+d9lyi +kcFMQRU/E21KO1olHF7FjNl+RBm+SfQ7+/uFDQQpHDFlT/osrI+Q4sTRnR29YCTT +tFDMbELgnKPv7kS4UbhkoncDFv23F+3WKF/AcTrDh1WlLAcW8ch5Bz9p3s2zHTUv +C+njjpuoR+7+tJsSeAHLRZBSGAzsPtv9Hjg79OAB9o3n/ry0ifTMZG5lZsMrbzwE +tD5SGLgn+Idth0HVqGEg0lB17q9vCC2e1dBXkgrRBpr2wMLIOMMKk+q+fSUydevd +0jCnB/G3iLdgHDKjRedzOKg1s9PNDry991cDqtfh3CoKQWnrNd+MwOzoLZp3AgMB +AAGjUzBRMB0GA1UdDgQWBBScZqZelaXXcm4RdkRDNbRh+3AnbzAfBgNVHSMEGDAW +gBScZqZelaXXcm4RdkRDNbRh+3AnbzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 
+DQEBCwUAA4IBAQDEmQX4/Q5F9QE9WN0Rd9rjScx8HFYWUVq3rZ+rlVtVnC/1EWKk +a98+b6UwgDRXxMsANUEUugm4IArBD1voUUCDvnIUhJ8mRz5dIHNHufmME9Kj7M6o +V9T26DxVXNnLAMjjIFx40wb7FssV51LIxRYgJu6cj+26evIHqRNrRIMDGF5nw2Fd +hRfZ+GCphPA3ziODuqQAtBjO39UhU1x/XFUzSfMoXzkUuwVra+ra5Ho67+YFS67R +rfOE0xi6I/8ELmK2n7PdCyvjaomM/xGLXGNdOQVWw+o6/WuHBnStzAwQcOxTSetC +2DBFgAqMalHSHGV0yEZOHX/DsbJb+SyF4432 -----END CERTIFICATE----- diff --git a/test-conf/cakey.pem b/test-conf/cakey.pem new file mode 100644 index 00000000..cda12022 --- /dev/null +++ b/test-conf/cakey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA1XI4pVzLpyv3p+00WWmfnfZcopHBTEEVPxNtSjtaJRxexYzZ +fkQZvkn0O/v7hQ0EKRwxZU/6LKyPkOLE0Z0dvWAk07RQzGxC4Jyj7+5EuFG4ZKJ3 +Axb9txft1ihfwHE6w4dVpSwHFvHIeQc/ad7Nsx01Lwvp446bqEfu/rSbEngBy0WQ +UhgM7D7b/R44O/TgAfaN5/68tIn0zGRuZWbDK288BLQ+Uhi4J/iHbYdB1ahhINJQ +de6vbwgtntXQV5IK0Qaa9sDCyDjDCpPqvn0lMnXr3dIwpwfxt4i3YBwyo0Xnczio +NbPTzQ68vfdXA6rX4dwqCkFp6zXfjMDs6C2adwIDAQABAoIBAQCZe9cL4dx3y3/8 +eu+H1BH5LqySIilTQgGbJ8cQ9/jscqgbehrzVtkEIn3DnIDSvfdd8G38ojQNZ9Cc +qNRKvqYiBT62FRV8yeSVS03/O+CigfEMPF9EE4ZB4K0fsEyaP1G4RFrruOsoLpiv +nuyUnqhfwgL6X6DCB0wbCA7tjMVt0xlkZrm+eVu3spihjXCf49R4nRU5IEIzrZP/ +efjcxmylbr9xOqSYAb5Dj3qk4DEEROmgQMVpMuoPNJ9wZOzoUPyHrLuMUb5pBStB +25tsGea2/4haTxgKIc9nksanVS6OauYA07UkE/5iDp11cT2h1t/HvdA95d205Y72 +g0FgpguhAoGBAPIIV7p6mqFTs97JTG8qniUcdJ5elfn5OAOMkrDfhwWb3tPTCkSo +rpJ+cEb/8s+VNSsaLAUDHOqPCUHeKF9vuAOvPlz5VjAoeibO+kDNnBSxgqofMkBh +sdm6LrWiDgLlKoPqmNuaFvd2G2kFWORnlIBafVqvo1/7rTMOyZs2/am/AoGBAOHD +jvzOYSZckbkoRSeMiiZVQxtzLCP1WTktZ3ZHyYwmXdP7EcaKcvIlh7JL/kGTisQN +Fw8hB54TxbGyubuJuOiF6dFRS0SoAP2mLRwYgXEP+trIX4r2sy7lNa+CK9YXS+sP +ECCc/0pdM/kv4rFNhfzLzBA6OAX825TchMDvJo1JAoGBAL09fKqXtlOxiJAHQLYi +0mgd6ajyN72t+Pf9b6zP+ViPWRiyh/LLGUP9jHhXI1jfRyUeX5DDsFZN5GUV+Oc2 +COEIonA7nAIng+rYJp+IpCMh8BJoNfhU6qRciK0HuoDVAfsG8OGzh4WRWTkyLyDX +RCtflWfUsJ8Zv4CObV/pDUktAoGADNXfdUQOhe3RYyOE+wCkghVq4U6k/c5fKj8I +mNLwBIXR49Fsa0tHybiUhHCJnhTTWN4dp4CLPFOHc9jjcmQcHSwv5PSoQNkEZWdj +PSuvgEwWSQYHWJE6Erp5WOcfsuZULKMImbITWZj+8XXlf4sWyQ6VJX8J3F1J5qa6 +7XUrTfECgYBDB2qSarK3gsmYEZLSBExEV+jo4XXR4uwkOztRbjE2WNePNu59d8fE +urOifLXJFGikzz5PD078wOQBitmkuRi3wx8YNjj/sUAUR5qdvJ/tlsoFGmsq79BL +GMPCuslHXqXGSiixPdtFbO3GxOt6j7fu+oSyIacXLUJI+lsiSQnpwg== +-----END RSA PRIVATE KEY----- diff --git a/test-conf/chained-client-cert.pem b/test-conf/chained-client-cert.pem new file mode 100644 index 00000000..03472afe --- /dev/null +++ b/test-conf/chained-client-cert.pem 
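Review bot: test-conf/cakey.pem adds the private key of the CA in test-conf/cacert.pem (the key's modulus matches the one printed in the certificate), and the only thing marking it as a fixture is the directory name. With the key public, anyone can issue certificates that chain to this CA, which the regenerated cacert.pem keeps valid until 2044, so this CA must never end up in a trust store outside the test containers. I would add a README next to these files that opens with `Test fixtures only: the CA keys in this directory are public; never trust cacert.pem outside the test containers.` and records the openssl commands used to create the root, the intermediate and the chained client certificate. The same applies to test-conf/intermediate-cakey.pem listed in the diffstat.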
@@ -0,0 +1,51 @@ +-----BEGIN CERTIFICATE----- +MIIEVTCCAz2gAwIBAgIUU/jatCuzU//blmn0VEuMlMkk1DIwDQYJKoZIhvcNAQEL +BQAwgbMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQH +DAlQYWxvIEFsdG8xIzAhBgNVBAoMGkFwYWNoZSBTb2Z0d2FyZSBGb3VuZGF0aW9u +MQ8wDQYDVQQLDAZQdWxzYXIxHzAdBgNVBAMMFlB1bHNhciBJbnRlcm1lZGlhdGUg +Q0ExJDAiBgkqhkiG9w0BCQEWFWRldkBwdWxzYXIuYXBhY2hlLm9yZzAeFw0yNDEy +MTgwNjAxNDFaFw00NDEyMTMwNjAxNDFaMIGXMQswCQYDVQQGEwJVUzETMBEGA1UE +CAwKQ2FsaWZvcm5pYTEjMCEGA1UECgwaQXBhY2hlIFNvZnR3YXJlIEZvdW5kYXRp +b24xDzANBgNVBAsMBlB1bHNhcjEXMBUGA1UEAwwOY2hhaW5lZC1jbGllbnQxJDAi +BgkqhkiG9w0BCQEWFWRldkBwdWxzYXIuYXBhY2hlLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALn/EH4ihlV4O8axycQ1VOlSf9WpG3iCWfsvDUlB +ouCcCwPZfImFrYLsf8+wYTHizh+tjdKvQwZ2XFNuij4niwxcSjWgM7zQ+Q3BSnLJ +DtXVso7xEdGcb5MEnSXWfkXUcqy50AZgPj8jEXVjGRjBqPjc+eHJVLzMDyQDihPk +tqQ6FKlGCF2XRKz2P3TTV3x41NX5qoEkJxb5ZNwj/DCjg4D0CLgfkJ2q9cDp/KmK +G9+bLBQn73BT+RYZrkz+2e3rGv6SWVyn9h2ZsCr25CPKDPkbjCve+6Lg96y709lQ +yuZODrT+s1zlb5WMVRUDVxY+pR5YVwmrjnTBx3dX2/EmInECAwEAAaN7MHkwCQYD +VR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm +aWNhdGUwHQYDVR0OBBYEFOhd7zi3lFlVk4oVFHAxCVcomX6eMB8GA1UdIwQYMBaA +FGx2pSK1bA7OpssHo0XAJ2D/pCiUMA0GCSqGSIb3DQEBCwUAA4IBAQANVrrKIfy/ +ZCf9ISmZZXXxodRSCN5F/2CpuGhiSD28iJzNR0iYTlyiKqE+2hdTAJw2PJxb4kEa +fUcndt8vgn0deZxztCBNFJiZK8jH1FPehT48di1o+ilIHK9t1WRAs2+Pac8D5CBK +sESrvPsk61TDZ0wsFaN5jTi5a2aMbK8wnNJZfZQNanHFjZV4CwnKS6w9KIs4Q3Sq +KbReOlLmYvpaioD9BhiemLLUm/sPknTqdRRy+JtlNDhiehum/FMO5p3bDUJ+yk6R +YT4oYvNiMNzGu/i2dlplvIugmXDa9o2s1lX6fFrwdV0nE5CT8U7CRZ61mJazCjMd +qZnN3ZyOqAa9 +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEKDCCAxCgAwIBAgIUU/jatCuzU//blmn0VEuMlMkk1DEwDQYJKoZIhvcNAQEL +BQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMSMwIQYDVQQK +DBpBcGFjaGUgU29mdHdhcmUgRm91bmRhdGlvbjEPMA0GA1UECwwGUHVsc2FyMRIw +EAYDVQQDDAlQdWxzYXIgQ0ExJDAiBgkqhkiG9w0BCQEWFWRldkBwdWxzYXIuYXBh +Y2hlLm9yZzAeFw0yNDEyMTgwNTM3MzBaFw00NDEyMTMwNTM3MzBaMIGzMQswCQYD 
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJUGFsbyBBbHRv +MSMwIQYDVQQKDBpBcGFjaGUgU29mdHdhcmUgRm91bmRhdGlvbjEPMA0GA1UECwwG +UHVsc2FyMR8wHQYDVQQDDBZQdWxzYXIgSW50ZXJtZWRpYXRlIENBMSQwIgYJKoZI +hvcNAQkBFhVkZXZAcHVsc2FyLmFwYWNoZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6otQU0UdAX3Ja50bBqS95cdausctcsx6zbWA7YA4cW8O4 +fGuvSUGtdqDIxCCtVPkxq+gduUWCvmEl65CFwex6+HMi3WXbm+QS+B6TTM3RQoam +SDgmmQDcgp/HseWJpqU+Z3C0yxFa604VKxGszqYP0nnSgXjt9sV6I1p6BEHb/tWN +5t1us7nhGve34Hn1HRt9BTv3GPmcp1vPdb0FrDDx2basfPAtG4IODsJixv1SKjfD +PRB1QTyw5jgPnaljv7WiMr70nRjtSaRxoHYU+2TZtT04uahxzKGRV+o3u4t3x+lr ++VuXIAal4jwOi6ShJFvn8JOJy8UKhhYKR7UhXGNVAgMBAAGjUzBRMB0GA1UdDgQW +BBRsdqUitWwOzqbLB6NFwCdg/6QolDAfBgNVHSMEGDAWgBScZqZelaXXcm4RdkRD +NbRh+3AnbzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCAUlpI +awp3XeKGW90jCoqFKeJx1Fu6xRW8VoJ/zQFygSnvHgspZzvzxLovXAdU7gpzUvKb +kXG2el4jkKefeS/31RIw4YMMQMEzM2o/uNa8OTtaIum86yM4UgvyeH98/Lh6oqbD +LUOSpMsfvrYDtGGpz7OjmaczqsfgpwS4MN+tYd57F8klcZ941g+iT18h6B26AuxN +X0tAhz3/gQ4cEfuYE4GbR9POcn/pqwW8PNJ9cUEMHFjccBYnn/yMpnvH/OUoU9Z5 +nRdoF0QktKUIazvFwoTdWM99Wss79ddcZc1DUbXL+mRtob9Mou60xPlSnIUQ9FkS +q6k0NpG8iP0IcDuJ +-----END CERTIFICATE----- diff --git a/test-conf/chained-client-key.pem b/test-conf/chained-client-key.pem new file mode 100644 index 00000000..e1c27042 --- /dev/null +++ b/test-conf/chained-client-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAuf8QfiKGVXg7xrHJxDVU6VJ/1akbeIJZ+y8NSUGi4JwLA9l8 +iYWtgux/z7BhMeLOH62N0q9DBnZcU26KPieLDFxKNaAzvND5DcFKcskO1dWyjvER +0ZxvkwSdJdZ+RdRyrLnQBmA+PyMRdWMZGMGo+Nz54clUvMwPJAOKE+S2pDoUqUYI +XZdErPY/dNNXfHjU1fmqgSQnFvlk3CP8MKODgPQIuB+Qnar1wOn8qYob35ssFCfv +cFP5FhmuTP7Z7esa/pJZXKf2HZmwKvbkI8oM+RuMK977ouD3rLvT2VDK5k4OtP6z +XOVvlYxVFQNXFj6lHlhXCauOdMHHd1fb8SYicQIDAQABAoIBAG+OuMmu03u4HcJT +KH1yr3cycFIql7t0E5xA4Gsr3xFxBnpMnBGwCB4a054yYFmXe6IsaoAPdtgNbdrs +1iXpedD0Gd6IM//wJzFE2e53AVroTazGkrVyasl3Xvou6JXhktZerJLmbu9XjUUn +JwpePYbmo0n1g8mpavti1BKSf6mH1nlbrGpyKi4UwJVtLmz3z03nba1EmMJOwEJH +F+CL29AB5D7UpcKEnE+qoR5T3SzvMCq8X3bQAsyCfxZu8gGviyj5EHs6Ymm/L/yJ +f5l469JVTli1Qu2jkiAzNBFf6GeSV6gOpD0YEC6UPG7WvKYiwwHEqNdEFkEawqy3 +4fsRHUECgYEA5brvQY7El4YSp6cHIOfZ9enlPgecpse39U65cL5BEBEkYPmZwibK +5yj/Q4or6EAW3EpdbTGDXIEHtD6eQCkZwzDPDJRqrsueOS4zwJpDYQPpf+pp3xNS +hnpsI21K0Q5njPUSA0eogX7w8PusRBM8EJ7d5Xr4QKBRo7SScpXI1K0CgYEAz0Pg +Gq1iFM5S3Tb6lZlzkqJ4BKiCidNB8Kch5sG8lXxh7ZuBN72WXgUnfodAbdCsDs4p +/wiOBAAGnw4ahX9N8Be4JAl6R1HDcc4YiDQnlAxSN03piM75ObXHx/EkeD6gW33f +AmD3IcgdE+UdKrz9XMxUeINwwrzNsGltPQ0xOVUCgYBAEFVQTuP77WOeZTHTt1RN +A6DuH2lMCT3/pqiIDEZQmLcwY+rA/dhvhjtJNmrwJY86d3J+VORxE3p2hU/UTKHm +kOHsfCcT/6xr/bpo55wKnfCrv08u6lCFN/aYGo5WplGyOVWAnKcdFa1TRpvPkB2b +9PGkYRqByzN5F44Pbj3HMQKBgEzt749XTXFVh3IuRuIh+8CwZwWrmhAYBoCROEcT +H7EIYryznEmZJ+er2BXhk6tu6X3xTasofLXFYK/Gp1dnggEcfK97iRRRp85k5bwg +R5Ru4lE+rPCnid++tfFjctriu9hZpt2WKgQy54AL6UCEtzGrcartdnwBYgMZjn87 +l0qlAoGAFfUzYYCJ2BixDbmeR1ZutPYlrxOTofQG8gIb3ihUx3YBXg5ZKMJySAXL +DH55/VZmppXMX5LLL/p3aiZU30L6j4G7X5OFLH7S/UDTUgc2qtmk1Hwz+oGW5HhU +5SD52RzjzisfLye6VeOEQw6Oj5DrYkRAXg9dAMbib5Y34sJGYQk= +-----END RSA PRIVATE KEY----- diff --git a/test-conf/client-cert.pem b/test-conf/client-cert.pem index 45f3cde2..b4d9237d 100644 --- a/test-conf/client-cert.pem +++ b/test-conf/client-cert.pem 
@@ -1,16 +1,17 @@ Certificate: Data: - Version: 1 (0x0) - Serial Number: 4097 (0x1001) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=California, L=Palo Alto, O=Apache Software Foundation, OU=Pulsar, CN=Pulsar CA/emailAddress=dev@pulsar.apache.org + Version: 3 (0x2) + Serial Number: + 53:f8:da:b4:2b:b3:53:ff:db:96:69:f4:54:4b:8c:94:c9:24:d4:33 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=California, O=Apache Software Foundation, OU=Pulsar, CN=Pulsar CA/emailAddress=dev@pulsar.apache.org Validity - Not Before: Feb 17 16:56:55 2021 GMT - Not After : Feb 12 16:56:55 2041 GMT + Not Before: Dec 18 06:42:06 2024 GMT + Not After : Dec 13 06:42:06 2044 GMT Subject: C=US, ST=California, O=Apache Software Foundation, OU=Pulsar, CN=admin/emailAddress=dev@pulsar.apache.org Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) + RSA Public-Key: (2048 bit) Modulus: 00:ab:61:f5:12:b1:e1:ae:19:01:3e:59:4a:c6:ca: 00:0c:96:e8:76:3a:83:20:d9:af:3a:e1:11:20:12: 
@@ -31,60 +32,54 @@ Certificate: 70:43:2f:64:bf:d2:0f:20:25:f7:c7:7d:70:05:b8: 2e:bf Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + 3C:01:00:F0:C7:91:EF:2A:3F:76:F0:A1:75:83:FF:AD:F9:8B:4C:BF + X509v3 Authority Key Identifier: + keyid:9C:66:A6:5E:95:A5:D7:72:6E:11:76:44:43:35:B4:61:FB:70:27:6F + Signature Algorithm: sha256WithRSAEncryption - 1c:31:b8:0f:a1:03:28:a0:da:31:ec:34:ce:e0:fd:01:99:9d: - 9b:ad:f8:03:5d:20:85:18:de:ca:b5:ea:61:c9:3b:65:42:9c: - e5:21:73:d2:06:41:4b:a9:3a:fb:7f:ff:45:f3:5a:4a:ab:5a: - 86:cd:57:6a:5f:13:c0:ae:7e:ad:5c:6e:c3:c4:e7:b7:d3:14: - bf:86:fe:f2:d1:70:0e:fc:98:50:a7:fe:53:62:5a:2d:f5:63: - 2c:ee:4a:7c:dd:32:3e:d1:52:3a:1f:15:38:4b:2a:4a:ee:27: - a9:d8:92:a8:33:92:83:c9:3a:09:5a:01:66:0e:68:da:8f:82: - c0:18:cc:78:ea:c5:db:09:7c:2f:61:c3:51:f8:58:7a:27:d7: - 92:c0:ff:f8:29:d7:a0:e9:54:17:8d:48:a8:ff:5e:92:ee:81: - 6c:37:90:1c:93:28:8c:d2:f5:b1:20:96:d3:1d:0f:c0:7f:db: - 0c:6d:65:7f:3a:55:e5:c9:9a:ad:09:91:a5:57:cb:fc:bf:df: - 69:bd:6b:87:94:5b:d0:cf:3b:8b:48:41:3d:56:b6:1d:3f:e7: - f6:b6:58:f7:54:2a:dd:da:60:68:db:9b:70:04:8b:19:c3:44: - bf:1d:b4:28:b9:f8:ea:ad:d3:1a:6e:64:72:b1:61:6a:f3:e1: - d4:68:56:7b:0e:ad:4c:53:1e:d2:2e:1c:bc:b7:82:59:af:65: - d2:fd:ef:89:7c:34:8f:51:a1:4e:9d:7e:dc:c7:97:68:ea:aa: - e5:67:ed:be:dc:38:74:0e:c3:6f:fd:08:62:54:d8:1f:15:d1: - 25:fc:21:f6:8c:f9:2f:65:5e:07:b9:e9:56:ba:48:14:5c:0d: - 18:ba:f8:83:54:5b:b6:27:0c:36:2c:20:29:9c:c2:68:c5:3a: - 0f:a5:d6:5f:7c:aa:f9:a6:2a:2b:69:c5:b1:39:e7:1c:02:31: - 5b:f5:82:de:c9:4e:8d:33:dc:94:02:44:0a:44:95:75:7b:a1: - e7:ee:92:fc:35:93:73:8c:22:c1:32:ea:39:17:ca:d0:87:fc: - 4d:8e:04:f8:59:66:d3:14:3f:59:ad:76:14:20:16:7b:77:4f: - 94:58:f8:85:5c:ba:b3:69:ed:7f:75:54:9a:1a:88:21:5d:04: - 57:87:85:e2:d4:0e:1b:61:7f:5d:36:dc:72:a1:9d:0b:c8:ce: - 19:69:49:fa:1b:bb:3f:3d:1b:4d:81:42:95:4e:d8:0b:04:d1: - 
08:6d:15:b3:ae:52:41:12:ff:e1:90:c4:7d:52:88:55:8b:87: - 83:06:48:8b:fc:3a:a7:47:0e:6c:a8:4c:9e:b0:aa:da:50:f5: - 97:97:98:3e:9d:18:ef:43 + c7:d2:cd:c4:f0:29:47:b6:41:94:56:85:15:39:6f:c4:ca:b1: + ac:d3:e8:ef:62:b1:03:e4:5f:19:f4:f2:aa:e8:6f:47:61:1d: + 9d:8d:38:03:a2:d0:a6:66:cd:9d:86:15:95:48:d4:00:b2:2b: + 99:20:7b:26:1a:8d:a1:95:8b:8d:ea:cd:7a:a1:4b:80:3c:0f: + 14:1c:14:94:c4:aa:94:ea:79:df:39:57:46:e1:2f:26:c8:ac: + f6:42:e3:81:af:30:4a:58:91:88:9a:82:8f:08:c9:b2:6f:18: + 4e:d0:32:12:ed:f6:7e:70:bb:50:f8:44:ed:5f:f5:39:26:91: + 7e:7d:e6:81:48:0e:ef:d3:db:c4:d3:85:90:c7:ef:1f:52:8f: + 59:bb:8e:c0:bb:29:49:d2:2b:54:9b:1e:34:3f:90:6e:b3:bc: + 16:1a:52:87:a4:17:fc:73:2b:da:ec:1d:a7:15:9e:65:b7:4f: + 23:9c:4e:f7:55:7d:31:95:6a:b8:dc:12:9a:0d:e1:de:5b:e8: + 79:e8:f2:37:12:72:df:94:bd:dd:aa:83:f7:d4:30:d0:6e:bf: + 8d:57:83:da:9f:33:2b:6d:98:44:1a:f7:3d:26:c8:d2:9f:c4: + 66:c1:94:f7:84:89:39:9e:ca:d9:e3:46:fd:30:9a:09:76:46: + 30:09:00:22 -----BEGIN CERTIFICATE----- -MIIEqzCCApMCAhABMA0GCSqGSIb3DQEBCwUAMIGmMQswCQYDVQQGEwJVUzETMBEG -A1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJUGFsbyBBbHRvMSMwIQYDVQQKDBpB -cGFjaGUgU29mdHdhcmUgRm91bmRhdGlvbjEPMA0GA1UECwwGUHVsc2FyMRIwEAYD -VQQDDAlQdWxzYXIgQ0ExJDAiBgkqhkiG9w0BCQEWFWRldkBwdWxzYXIuYXBhY2hl -Lm9yZzAeFw0yMTAyMTcxNjU2NTVaFw00MTAyMTIxNjU2NTVaMIGOMQswCQYDVQQG -EwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEjMCEGA1UECgwaQXBhY2hlIFNvZnR3 -YXJlIEZvdW5kYXRpb24xDzANBgNVBAsMBlB1bHNhcjEOMAwGA1UEAwwFYWRtaW4x -JDAiBgkqhkiG9w0BCQEWFWRldkBwdWxzYXIuYXBhY2hlLm9yZzCCASIwDQYJKoZI -hvcNAQEBBQADggEPADCCAQoCggEBAKth9RKx4a4ZAT5ZSsbKAAyW6HY6gyDZrzrh -ESAS4OTQcI9Le6/hie+bxanC7a4kjbtCbuxZET/1Y1lhGJ9wtnaI4sp5Fcz7nF5c -u6HX8NgR1Bc0HoF+Cw4Fvl361kav4ZXYoF3FL9mpj2lkSZX3QhZqhCsur5FzPbbU -RFaaYUNJFSKukF0EKZBOskE0cz6iSAUcvI4bC8HV31YyQOmRonveMStn8Y7WxcCH -V3Ap+a/bV6AujDAKp0c5M0zXLTKqSCm9xEjFWFIHxJmxzGbarChNwbwfRD+jY2G9 -/0hhdgSyfRxunO6Cu/dgHHqgmL4tcEMvZL/SDyAl98d9cAW4Lr8CAwEAATANBgkq -hkiG9w0BAQsFAAOCAgEAHDG4D6EDKKDaMew0zuD9AZmdm634A10ghRjeyrXqYck7 
-ZUKc5SFz0gZBS6k6+3//RfNaSqtahs1Xal8TwK5+rVxuw8Tnt9MUv4b+8tFwDvyY -UKf+U2JaLfVjLO5KfN0yPtFSOh8VOEsqSu4nqdiSqDOSg8k6CVoBZg5o2o+CwBjM -eOrF2wl8L2HDUfhYeifXksD/+CnXoOlUF41IqP9eku6BbDeQHJMojNL1sSCW0x0P -wH/bDG1lfzpV5cmarQmRpVfL/L/fab1rh5Rb0M87i0hBPVa2HT/n9rZY91Qq3dpg -aNubcASLGcNEvx20KLn46q3TGm5kcrFhavPh1GhWew6tTFMe0i4cvLeCWa9l0v3v -iXw0j1GhTp1+3MeXaOqq5Wftvtw4dA7Db/0IYlTYHxXRJfwh9oz5L2VeB7npVrpI -FFwNGLr4g1RbticMNiwgKZzCaMU6D6XWX3yq+aYqK2nFsTnnHAIxW/WC3slOjTPc -lAJECkSVdXuh5+6S/DWTc4wiwTLqORfK0If8TY4E+Flm0xQ/Wa12FCAWe3dPlFj4 -hVy6s2ntf3VUmhqIIV0EV4eF4tQOG2F/XTbccqGdC8jOGWlJ+hu7Pz0bTYFClU7Y -CwTRCG0Vs65SQRL/4ZDEfVKIVYuHgwZIi/w6p0cObKhMnrCq2lD1l5eYPp0Y70M= +MIIEKzCCAxOgAwIBAgIUU/jatCuzU//blmn0VEuMlMkk1DMwDQYJKoZIhvcNAQEL +BQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMSMwIQYDVQQK +DBpBcGFjaGUgU29mdHdhcmUgRm91bmRhdGlvbjEPMA0GA1UECwwGUHVsc2FyMRIw +EAYDVQQDDAlQdWxzYXIgQ0ExJDAiBgkqhkiG9w0BCQEWFWRldkBwdWxzYXIuYXBh +Y2hlLm9yZzAeFw0yNDEyMTgwNjQyMDZaFw00NDEyMTMwNjQyMDZaMIGOMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEjMCEGA1UECgwaQXBhY2hlIFNv +ZnR3YXJlIEZvdW5kYXRpb24xDzANBgNVBAsMBlB1bHNhcjEOMAwGA1UEAwwFYWRt +aW4xJDAiBgkqhkiG9w0BCQEWFWRldkBwdWxzYXIuYXBhY2hlLm9yZzCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKth9RKx4a4ZAT5ZSsbKAAyW6HY6gyDZ +rzrhESAS4OTQcI9Le6/hie+bxanC7a4kjbtCbuxZET/1Y1lhGJ9wtnaI4sp5Fcz7 +nF5cu6HX8NgR1Bc0HoF+Cw4Fvl361kav4ZXYoF3FL9mpj2lkSZX3QhZqhCsur5Fz +PbbURFaaYUNJFSKukF0EKZBOskE0cz6iSAUcvI4bC8HV31YyQOmRonveMStn8Y7W +xcCHV3Ap+a/bV6AujDAKp0c5M0zXLTKqSCm9xEjFWFIHxJmxzGbarChNwbwfRD+j +Y2G9/0hhdgSyfRxunO6Cu/dgHHqgmL4tcEMvZL/SDyAl98d9cAW4Lr8CAwEAAaN7 +MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg +Q2VydGlmaWNhdGUwHQYDVR0OBBYEFDwBAPDHke8qP3bwoXWD/635i0y/MB8GA1Ud +IwQYMBaAFJxmpl6VpddybhF2REM1tGH7cCdvMA0GCSqGSIb3DQEBCwUAA4IBAQDH +0s3E8ClHtkGUVoUVOW/EyrGs0+jvYrED5F8Z9PKq6G9HYR2djTgDotCmZs2dhhWV +SNQAsiuZIHsmGo2hlYuN6s16oUuAPA8UHBSUxKqU6nnfOVdG4S8myKz2QuOBrzBK +WJGImoKPCMmybxhO0DIS7fZ+cLtQ+ETtX/U5JpF+feaBSA7v09vE04WQx+8fUo9Z 
+u47AuylJ0itUmx40P5Bus7wWGlKHpBf8cyva7B2nFZ5lt08jnE73VX0xlWq43BKa +DeHeW+h56PI3EnLflL3dqoP31DDQbr+NV4PanzMrbZhEGvc9JsjSn8RmwZT3hIk5 +nsrZ40b9MJoJdkYwCQAi -----END CERTIFICATE----- diff --git a/test-conf/intermediate-cacert.pem b/test-conf/intermediate-cacert.pem new file mode 100644 index 00000000..f9711fa5 --- /dev/null +++ b/test-conf/intermediate-cacert.pem 
@@ -0,0 +1,83 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 53:f8:da:b4:2b:b3:53:ff:db:96:69:f4:54:4b:8c:94:c9:24:d4:31 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=California, O=Apache Software Foundation, OU=Pulsar, CN=Pulsar CA/emailAddress=dev@pulsar.apache.org + Validity + Not Before: Dec 18 05:37:30 2024 GMT + Not After : Dec 13 05:37:30 2044 GMT + Subject: C=US, ST=California, L=Palo Alto, O=Apache Software Foundation, OU=Pulsar, CN=Pulsar Intermediate CA/emailAddress=dev@pulsar.apache.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:ba:a2:d4:14:d1:47:40:5f:72:5a:e7:46:c1:a9: + 2f:79:71:d6:ae:b1:cb:5c:b3:1e:b3:6d:60:3b:60: + 0e:1c:5b:c3:b8:7c:6b:af:49:41:ad:76:a0:c8:c4: + 20:ad:54:f9:31:ab:e8:1d:b9:45:82:be:61:25:eb: + 90:85:c1:ec:7a:f8:73:22:dd:65:db:9b:e4:12:f8: + 1e:93:4c:cd:d1:42:86:a6:48:38:26:99:00:dc:82: + 9f:c7:b1:e5:89:a6:a5:3e:67:70:b4:cb:11:5a:eb: + 4e:15:2b:11:ac:ce:a6:0f:d2:79:d2:81:78:ed:f6: + c5:7a:23:5a:7a:04:41:db:fe:d5:8d:e6:dd:6e:b3: + b9:e1:1a:f7:b7:e0:79:f5:1d:1b:7d:05:3b:f7:18: + f9:9c:a7:5b:cf:75:bd:05:ac:30:f1:d9:b6:ac:7c: + f0:2d:1b:82:0e:0e:c2:62:c6:fd:52:2a:37:c3:3d: + 10:75:41:3c:b0:e6:38:0f:9d:a9:63:bf:b5:a2:32: + be:f4:9d:18:ed:49:a4:71:a0:76:14:fb:64:d9:b5: + 3d:38:b9:a8:71:cc:a1:91:57:ea:37:bb:8b:77:c7: + e9:6b:f9:5b:97:20:06:a5:e2:3c:0e:8b:a4:a1:24: + 5b:e7:f0:93:89:cb:c5:0a:86:16:0a:47:b5:21:5c: + 63:55 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 6C:76:A5:22:B5:6C:0E:CE:A6:CB:07:A3:45:C0:27:60:FF:A4:28:94 + X509v3 Authority Key Identifier: + keyid:9C:66:A6:5E:95:A5:D7:72:6E:11:76:44:43:35:B4:61:FB:70:27:6F + + X509v3 Basic Constraints: critical + CA:TRUE + Signature Algorithm: sha256WithRSAEncryption + 80:52:5a:48:6b:0a:77:5d:e2:86:5b:dd:23:0a:8a:85:29:e2: + 71:d4:5b:ba:c5:15:bc:56:82:7f:cd:01:72:81:29:ef:1e:0b: + 29:67:3b:f3:c4:ba:2f:5c:07:54:ee:0a:73:52:f2:9b:91:71: + 
b6:7a:5e:23:90:a7:9f:79:2f:f7:d5:12:30:e1:83:0c:40:c1: + 33:33:6a:3f:b8:d6:bc:39:3b:5a:22:e9:bc:eb:23:38:52:0b: + f2:78:7f:7c:fc:b8:7a:a2:a6:c3:2d:43:92:a4:cb:1f:be:b6: + 03:b4:61:a9:cf:b3:a3:99:a7:33:aa:c7:e0:a7:04:b8:30:df: + ad:61:de:7b:17:c9:25:71:9f:78:d6:0f:a2:4f:5f:21:e8:1d: + ba:02:ec:4d:5f:4b:40:87:3d:ff:81:0e:1c:11:fb:98:13:81: + 9b:47:d3:ce:72:7f:e9:ab:05:bc:3c:d2:7d:71:41:0c:1c:58: + dc:70:16:27:9f:fc:8c:a6:7b:c7:fc:e5:28:53:d6:79:9d:17: + 68:17:44:24:b4:a5:08:6b:3b:c5:c2:84:dd:58:cf:7d:5a:cb: + 3b:f5:d7:5c:65:cd:43:51:b5:cb:fa:64:6d:a1:bf:4c:a2:ee: + b4:c4:f9:52:9c:85:10:f4:59:12:ab:a9:34:36:91:bc:88:fd: + 08:70:3b:89 +-----BEGIN CERTIFICATE----- +MIIEKDCCAxCgAwIBAgIUU/jatCuzU//blmn0VEuMlMkk1DEwDQYJKoZIhvcNAQEL +BQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMSMwIQYDVQQK +DBpBcGFjaGUgU29mdHdhcmUgRm91bmRhdGlvbjEPMA0GA1UECwwGUHVsc2FyMRIw +EAYDVQQDDAlQdWxzYXIgQ0ExJDAiBgkqhkiG9w0BCQEWFWRldkBwdWxzYXIuYXBh +Y2hlLm9yZzAeFw0yNDEyMTgwNTM3MzBaFw00NDEyMTMwNTM3MzBaMIGzMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJUGFsbyBBbHRv +MSMwIQYDVQQKDBpBcGFjaGUgU29mdHdhcmUgRm91bmRhdGlvbjEPMA0GA1UECwwG +UHVsc2FyMR8wHQYDVQQDDBZQdWxzYXIgSW50ZXJtZWRpYXRlIENBMSQwIgYJKoZI +hvcNAQkBFhVkZXZAcHVsc2FyLmFwYWNoZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6otQU0UdAX3Ja50bBqS95cdausctcsx6zbWA7YA4cW8O4 +fGuvSUGtdqDIxCCtVPkxq+gduUWCvmEl65CFwex6+HMi3WXbm+QS+B6TTM3RQoam +SDgmmQDcgp/HseWJpqU+Z3C0yxFa604VKxGszqYP0nnSgXjt9sV6I1p6BEHb/tWN +5t1us7nhGve34Hn1HRt9BTv3GPmcp1vPdb0FrDDx2basfPAtG4IODsJixv1SKjfD +PRB1QTyw5jgPnaljv7WiMr70nRjtSaRxoHYU+2TZtT04uahxzKGRV+o3u4t3x+lr ++VuXIAal4jwOi6ShJFvn8JOJy8UKhhYKR7UhXGNVAgMBAAGjUzBRMB0GA1UdDgQW +BBRsdqUitWwOzqbLB6NFwCdg/6QolDAfBgNVHSMEGDAWgBScZqZelaXXcm4RdkRD +NbRh+3AnbzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCAUlpI +awp3XeKGW90jCoqFKeJx1Fu6xRW8VoJ/zQFygSnvHgspZzvzxLovXAdU7gpzUvKb +kXG2el4jkKefeS/31RIw4YMMQMEzM2o/uNa8OTtaIum86yM4UgvyeH98/Lh6oqbD +LUOSpMsfvrYDtGGpz7OjmaczqsfgpwS4MN+tYd57F8klcZ941g+iT18h6B26AuxN 
+X0tAhz3/gQ4cEfuYE4GbR9POcn/pqwW8PNJ9cUEMHFjccBYnn/yMpnvH/OUoU9Z5 +nRdoF0QktKUIazvFwoTdWM99Wss79ddcZc1DUbXL+mRtob9Mou60xPlSnIUQ9FkS +q6k0NpG8iP0IcDuJ +-----END CERTIFICATE----- diff --git a/test-conf/intermediate-cakey.pem b/test-conf/intermediate-cakey.pem new file mode 100644 index 00000000..c30c8030 --- /dev/null +++ b/test-conf/intermediate-cakey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAuqLUFNFHQF9yWudGwakveXHWrrHLXLMes21gO2AOHFvDuHxr +r0lBrXagyMQgrVT5MavoHblFgr5hJeuQhcHsevhzIt1l25vkEvgek0zN0UKGpkg4 +JpkA3IKfx7HliaalPmdwtMsRWutOFSsRrM6mD9J50oF47fbFeiNaegRB2/7Vjebd +brO54Rr3t+B59R0bfQU79xj5nKdbz3W9Baww8dm2rHzwLRuCDg7CYsb9Uio3wz0Q +dUE8sOY4D52pY7+1ojK+9J0Y7UmkcaB2FPtk2bU9OLmoccyhkVfqN7uLd8fpa/lb +lyAGpeI8DoukoSRb5/CTicvFCoYWCke1IVxjVQIDAQABAoIBAQC6nERh7D7J5qV4 +rvbYfEmzrFdzpOIpdg+kaCBoPcreIAK6W+1v/ldlEdAB7diedvAS8kfMMIuIBsMs +HzUKCLRi4Dh/C8/knSKWtPAdaBYCvfnUGTHLpgBue003ZnCUCcP/eX3/x2s69TvF +fqLVnmn8N/8Gs94uUSdy0BaPGeKgC6Acfu/3O01TLxOCiEm7ihMZY8NfhAWfMEqC +DvB9CWjftFsr5j3P6JIY/ouiMb9JL+NigP7C/WiaBqdzhEAyDIL0MJx1ghzIGrMB +Sa5NJdGbD9iJqbYsHxBiEYj79wLCxNzzWLJB75Y/YDqz8W/IHReVtVtlUtWkYqxN +6RpiFpKhAoGBAOMb8+pOF97XUjZSDNUd+pTnYl/U9WI5iBYnrxuk8ArtmTK225Yx +6HAbJGj2CBM8ae0oao0VmCqo4+NUtVQg9L/aRQPzwdaV3WtT4mSixbcvH4pjWh0q +xYRDhDGHM+etgBd38sILc6Cs1IYA0QP1yM3FaxtmLKvHFiuBmB0aCCa/AoGBANJg +012txP/Eci//rKdbYtn0xvh/vx8cJyQ0YZOsVJze2h3iL1S04n1stYMlT00d6V9R +E9QmMxrA2Nn05nF9YBVwN2yoSeuCfhaQrPlSoJJA2PFV0U7/T6MQ3+YEckRlhQwl +ooDQRLKMe9dqmWPn6JLX3jHOvjdFJ6eWAppUNa7rAoGAYAWIim88PnaxhtAIJu9G +7EAsYrJKkZ4bgKqEqd6Bs00j8cJIc2dkjEmdildDsMZhTulAq6gOrzK7L3m4NPq+ +IIOrnHEqaozwkhlkZgJAMCRXZI5/IkfcPQDC2qH8ex7rQoDvfcWTvMJ2FLYxqUf4 +/69RisMXbgV9xSVE6EECY0cCgYAvltmZYlqi5ORTuUlsHj8RQM7Vncg1GGA+T18X +Ua9eQQckJWtBhR2K89FnlkQHFNIazrNmlTGQRrmHLGAIoizfDKBtAvCdxsoQ/q8y +Qx+xldu9VAViEl0IbSPI246hrDlZkxXcf8Bah27oPuPt9qLkvNI1gCgFRq5+uW9j +S9NM+wKBgQCHQba07zjY0FMEIHd06V1fFZMJqC2VPR7SC10+G5jEFJJtHLlml0IK +m8hPYMmqkTYLNUAwlBrRP5GX13p0CDV8UJ12X1oqGtgPEKN00t4O9KZmWMypToJ5 +gIAnG3hMNKCHlch2w5TSvwiFTwH5Ft+gHQ0+D71Z09Gug13/VQSb/Q== +-----END RSA PRIVATE KEY----- diff --git a/tests/AuthPluginTest.cc b/tests/AuthPluginTest.cc index b091f973..24549d7f 100644 --- a/tests/AuthPluginTest.cc +++ b/tests/AuthPluginTest.cc 
@@ -49,6 +49,8 @@ static const std::string serviceUrlHttps = "https://localhost:8443"; static const std::string caPath = TEST_CONF_DIR "/cacert.pem"; static const std::string clientPublicKeyPath = TEST_CONF_DIR "/client-cert.pem"; static const std::string clientPrivateKeyPath = TEST_CONF_DIR "/client-key.pem"; +static const std::string chainedClientPublicKeyPath = TEST_CONF_DIR "/chained-client-cert.pem"; +static const std::string chainedClientPrivateKeyPath = TEST_CONF_DIR "/chained-client-key.pem"; // Man in middle certificate which tries to act as a broker by sending its own valid certificate static const std::string mimServiceUrlTls = "pulsar+ssl://localhost:6653"; @@ -288,6 +290,21 @@ TEST(AuthPluginTest, testTlsDetectHttpsWithInvalidBroker) { ASSERT_EQ(ResultOk, res); } +TEST(AuthPluginTest, testTlsDetectClientCertSignedByICA) { + ClientConfiguration config = ClientConfiguration(); + config.setTlsTrustCertsFilePath(caPath); + config.setTlsAllowInsecureConnection(false); + config.setValidateHostName(true); + config.setAuth(pulsar::AuthTls::create(chainedClientPublicKeyPath, chainedClientPrivateKeyPath)); + + Client client(serviceUrlTls, config); + std::string topicName = "persistent://private/auth/testTlsDetectClientCertSignedByICA"; + + Producer producer; + Result res = client.createProducer(topicName, producer); + ASSERT_EQ(ResultOk, res); +} + namespace testAthenz { std::string principalToken; void mockZTS(Latch& latch, int port) {
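Review bot: The new `testTlsDetectClientCertSignedByICA` asserts only that `createProducer` returns `ResultOk`, and nothing in the test records why that result depends on the intermediate certificate being sent. A comment above the `setAuth` call would state the precondition, for example `// chained-client-cert.pem is expected to hold the leaf followed by the intermediate CA cert; the broker is assumed to trust only the root CA, so this succeeds only when the full chain is presented.` Both halves of that comment are inferred from the file names and the commit title, not from this hunk, so they should be checked against the test broker's trust configuration. A companion case that presents a leaf-only certificate issued by the intermediate and expects a failure would keep the test from passing for the wrong reason, for instance if the intermediate CA were later added to the broker's trust store.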