handshake_test.go

Documentation: crypto/tls

		 1  // Copyright 2013 The Go Authors. All rights reserved.
		 2  // Use of this source code is governed by a BSD-style
		 3  // license that can be found in the LICENSE file.
		 4  
		 5  package tls
		 6  
		 7  import (
		 8  	"bufio"
		 9  	"crypto/ed25519"
		10  	"crypto/x509"
		11  	"encoding/hex"
		12  	"errors"
		13  	"flag"
		14  	"fmt"
		15  	"io"
		16  	"net"
		17  	"os"
		18  	"os/exec"
		19  	"runtime"
		20  	"strconv"
		21  	"strings"
		22  	"sync"
		23  	"testing"
		24  	"time"
		25  )
		26  
		27  // TLS reference tests run a connection against a reference implementation
		28  // (OpenSSL) of TLS and record the bytes of the resulting connection. The Go
		29  // code, during a test, is configured with deterministic randomness and so the
		30  // reference test can be reproduced exactly in the future.
		31  //
		32  // In order to save everyone who wishes to run the tests from needing the
		33  // reference implementation installed, the reference connections are saved in
		34  // files in the testdata directory. Thus running the tests involves nothing
		35  // external, but creating and updating them requires the reference
		36  // implementation.
		37  //
		38  // Tests can be updated by running them with the -update flag. This will cause
		39  // the test files for failing tests to be regenerated. Since the reference
		40  // implementation will always generate fresh random numbers, large parts of the
		41  // reference connection will always change.
		42  
		43  var (
		44  	update	= flag.Bool("update", false, "update golden files on failure")
		45  	fast		= flag.Bool("fast", false, "impose a quick, possibly flaky timeout on recorded tests")
		46  	keyFile = flag.String("keylog", "", "destination file for KeyLogWriter")
		47  )
		48  
		49  func runTestAndUpdateIfNeeded(t *testing.T, name string, run func(t *testing.T, update bool), wait bool) {
		50  	success := t.Run(name, func(t *testing.T) {
		51  		if !*update && !wait {
		52  			t.Parallel()
		53  		}
		54  		run(t, false)
		55  	})
		56  
		57  	if !success && *update {
		58  		t.Run(name+"#update", func(t *testing.T) {
		59  			run(t, true)
		60  		})
		61  	}
		62  }
		63  
		64  // checkOpenSSLVersion ensures that the version of OpenSSL looks reasonable
		65  // before updating the test data.
		66  func checkOpenSSLVersion() error {
		67  	if !*update {
		68  		return nil
		69  	}
		70  
		71  	openssl := exec.Command("openssl", "version")
		72  	output, err := openssl.CombinedOutput()
		73  	if err != nil {
		74  		return err
		75  	}
		76  
		77  	version := string(output)
		78  	if strings.HasPrefix(version, "OpenSSL 1.1.1") {
		79  		return nil
		80  	}
		81  
		82  	println("***********************************************")
		83  	println("")
		84  	println("You need to build OpenSSL 1.1.1 from source in order")
		85  	println("to update the test data.")
		86  	println("")
		87  	println("Configure it with:")
		88  	println("./Configure enable-weak-ssl-ciphers no-shared")
		89  	println("and then add the apps/ directory at the front of your PATH.")
		90  	println("***********************************************")
		91  
		92  	return errors.New("version of OpenSSL does not appear to be suitable for updating test data")
		93  }
		94  
		95  // recordingConn is a net.Conn that records the traffic that passes through it.
		96  // WriteTo can be used to produce output that can be later be loaded with
		97  // ParseTestData.
		98  type recordingConn struct {
		99  	net.Conn
	 100  	sync.Mutex
	 101  	flows	 [][]byte
	 102  	reading bool
	 103  }
	 104  
	 105  func (r *recordingConn) Read(b []byte) (n int, err error) {
	 106  	if n, err = r.Conn.Read(b); n == 0 {
	 107  		return
	 108  	}
	 109  	b = b[:n]
	 110  
	 111  	r.Lock()
	 112  	defer r.Unlock()
	 113  
	 114  	if l := len(r.flows); l == 0 || !r.reading {
	 115  		buf := make([]byte, len(b))
	 116  		copy(buf, b)
	 117  		r.flows = append(r.flows, buf)
	 118  	} else {
	 119  		r.flows[l-1] = append(r.flows[l-1], b[:n]...)
	 120  	}
	 121  	r.reading = true
	 122  	return
	 123  }
	 124  
	 125  func (r *recordingConn) Write(b []byte) (n int, err error) {
	 126  	if n, err = r.Conn.Write(b); n == 0 {
	 127  		return
	 128  	}
	 129  	b = b[:n]
	 130  
	 131  	r.Lock()
	 132  	defer r.Unlock()
	 133  
	 134  	if l := len(r.flows); l == 0 || r.reading {
	 135  		buf := make([]byte, len(b))
	 136  		copy(buf, b)
	 137  		r.flows = append(r.flows, buf)
	 138  	} else {
	 139  		r.flows[l-1] = append(r.flows[l-1], b[:n]...)
	 140  	}
	 141  	r.reading = false
	 142  	return
	 143  }
	 144  
	 145  // WriteTo writes Go source code to w that contains the recorded traffic.
	 146  func (r *recordingConn) WriteTo(w io.Writer) (int64, error) {
	 147  	// TLS always starts with a client to server flow.
	 148  	clientToServer := true
	 149  	var written int64
	 150  	for i, flow := range r.flows {
	 151  		source, dest := "client", "server"
	 152  		if !clientToServer {
	 153  			source, dest = dest, source
	 154  		}
	 155  		n, err := fmt.Fprintf(w, ">>> Flow %d (%s to %s)\n", i+1, source, dest)
	 156  		written += int64(n)
	 157  		if err != nil {
	 158  			return written, err
	 159  		}
	 160  		dumper := hex.Dumper(w)
	 161  		n, err = dumper.Write(flow)
	 162  		written += int64(n)
	 163  		if err != nil {
	 164  			return written, err
	 165  		}
	 166  		err = dumper.Close()
	 167  		if err != nil {
	 168  			return written, err
	 169  		}
	 170  		clientToServer = !clientToServer
	 171  	}
	 172  	return written, nil
	 173  }
	 174  
	 175  func parseTestData(r io.Reader) (flows [][]byte, err error) {
	 176  	var currentFlow []byte
	 177  
	 178  	scanner := bufio.NewScanner(r)
	 179  	for scanner.Scan() {
	 180  		line := scanner.Text()
	 181  		// If the line starts with ">>> " then it marks the beginning
	 182  		// of a new flow.
	 183  		if strings.HasPrefix(line, ">>> ") {
	 184  			if len(currentFlow) > 0 || len(flows) > 0 {
	 185  				flows = append(flows, currentFlow)
	 186  				currentFlow = nil
	 187  			}
	 188  			continue
	 189  		}
	 190  
	 191  		// Otherwise the line is a line of hex dump that looks like:
	 192  		// 00000170	fc f5 06 bf (...)	|.....X{&?......!|
	 193  		// (Some bytes have been omitted from the middle section.)
	 194  
	 195  		if i := strings.IndexByte(line, ' '); i >= 0 {
	 196  			line = line[i:]
	 197  		} else {
	 198  			return nil, errors.New("invalid test data")
	 199  		}
	 200  
	 201  		if i := strings.IndexByte(line, '|'); i >= 0 {
	 202  			line = line[:i]
	 203  		} else {
	 204  			return nil, errors.New("invalid test data")
	 205  		}
	 206  
	 207  		hexBytes := strings.Fields(line)
	 208  		for _, hexByte := range hexBytes {
	 209  			val, err := strconv.ParseUint(hexByte, 16, 8)
	 210  			if err != nil {
	 211  				return nil, errors.New("invalid hex byte in test data: " + err.Error())
	 212  			}
	 213  			currentFlow = append(currentFlow, byte(val))
	 214  		}
	 215  	}
	 216  
	 217  	if len(currentFlow) > 0 {
	 218  		flows = append(flows, currentFlow)
	 219  	}
	 220  
	 221  	return flows, nil
	 222  }
	 223  
	 224  // tempFile creates a temp file containing contents and returns its path.
	 225  func tempFile(contents string) string {
	 226  	file, err := os.CreateTemp("", "go-tls-test")
	 227  	if err != nil {
	 228  		panic("failed to create temp file: " + err.Error())
	 229  	}
	 230  	path := file.Name()
	 231  	file.WriteString(contents)
	 232  	file.Close()
	 233  	return path
	 234  }
	 235  
	 236  // localListener is set up by TestMain and used by localPipe to create Conn
	 237  // pairs like net.Pipe, but connected by an actual buffered TCP connection.
	 238  var localListener struct {
	 239  	mu	 sync.Mutex
	 240  	addr net.Addr
	 241  	ch	 chan net.Conn
	 242  }
	 243  
	 244  const localFlakes = 0 // change to 1 or 2 to exercise localServer/localPipe handling of mismatches
	 245  
	 246  func localServer(l net.Listener) {
	 247  	for n := 0; ; n++ {
	 248  		c, err := l.Accept()
	 249  		if err != nil {
	 250  			return
	 251  		}
	 252  		if localFlakes == 1 && n%2 == 0 {
	 253  			c.Close()
	 254  			continue
	 255  		}
	 256  		localListener.ch <- c
	 257  	}
	 258  }
	 259  
	 260  var isConnRefused = func(err error) bool { return false }
	 261  
	 262  func localPipe(t testing.TB) (net.Conn, net.Conn) {
	 263  	localListener.mu.Lock()
	 264  	defer localListener.mu.Unlock()
	 265  
	 266  	addr := localListener.addr
	 267  
	 268  	var err error
	 269  Dialing:
	 270  	// We expect a rare mismatch, but probably not 5 in a row.
	 271  	for i := 0; i < 5; i++ {
	 272  		tooSlow := time.NewTimer(1 * time.Second)
	 273  		defer tooSlow.Stop()
	 274  		var c1 net.Conn
	 275  		c1, err = net.Dial(addr.Network(), addr.String())
	 276  		if err != nil {
	 277  			if runtime.GOOS == "dragonfly" && (isConnRefused(err) || os.IsTimeout(err)) {
	 278  				// golang.org/issue/29583: Dragonfly sometimes returns a spurious
	 279  				// ECONNREFUSED or ETIMEDOUT.
	 280  				<-tooSlow.C
	 281  				continue
	 282  			}
	 283  			t.Fatalf("localPipe: %v", err)
	 284  		}
	 285  		if localFlakes == 2 && i == 0 {
	 286  			c1.Close()
	 287  			continue
	 288  		}
	 289  		for {
	 290  			select {
	 291  			case <-tooSlow.C:
	 292  				t.Logf("localPipe: timeout waiting for %v", c1.LocalAddr())
	 293  				c1.Close()
	 294  				continue Dialing
	 295  
	 296  			case c2 := <-localListener.ch:
	 297  				if c2.RemoteAddr().String() == c1.LocalAddr().String() {
	 298  					return c1, c2
	 299  				}
	 300  				t.Logf("localPipe: unexpected connection: %v != %v", c2.RemoteAddr(), c1.LocalAddr())
	 301  				c2.Close()
	 302  			}
	 303  		}
	 304  	}
	 305  
	 306  	t.Fatalf("localPipe: failed to connect: %v", err)
	 307  	panic("unreachable")
	 308  }
	 309  
	 310  // zeroSource is an io.Reader that returns an unlimited number of zero bytes.
	 311  type zeroSource struct{}
	 312  
	 313  func (zeroSource) Read(b []byte) (n int, err error) {
	 314  	for i := range b {
	 315  		b[i] = 0
	 316  	}
	 317  
	 318  	return len(b), nil
	 319  }
	 320  
	 321  func allCipherSuites() []uint16 {
	 322  	ids := make([]uint16, len(cipherSuites))
	 323  	for i, suite := range cipherSuites {
	 324  		ids[i] = suite.id
	 325  	}
	 326  
	 327  	return ids
	 328  }
	 329  
	 330  var testConfig *Config
	 331  
	 332  func TestMain(m *testing.M) {
	 333  	flag.Parse()
	 334  	os.Exit(runMain(m))
	 335  }
	 336  
	 337  func runMain(m *testing.M) int {
	 338  	// Cipher suites preferences change based on the architecture. Force them to
	 339  	// the version without AES acceleration for test consistency.
	 340  	hasAESGCMHardwareSupport = false
	 341  
	 342  	// Set up localPipe.
	 343  	l, err := net.Listen("tcp", "127.0.0.1:0")
	 344  	if err != nil {
	 345  		l, err = net.Listen("tcp6", "[::1]:0")
	 346  	}
	 347  	if err != nil {
	 348  		fmt.Fprintf(os.Stderr, "Failed to open local listener: %v", err)
	 349  		os.Exit(1)
	 350  	}
	 351  	localListener.ch = make(chan net.Conn)
	 352  	localListener.addr = l.Addr()
	 353  	defer l.Close()
	 354  	go localServer(l)
	 355  
	 356  	if err := checkOpenSSLVersion(); err != nil {
	 357  		fmt.Fprintf(os.Stderr, "Error: %v", err)
	 358  		os.Exit(1)
	 359  	}
	 360  
	 361  	testConfig = &Config{
	 362  		Time:							 func() time.Time { return time.Unix(0, 0) },
	 363  		Rand:							 zeroSource{},
	 364  		Certificates:			 make([]Certificate, 2),
	 365  		InsecureSkipVerify: true,
	 366  		CipherSuites:			 allCipherSuites(),
	 367  	}
	 368  	testConfig.Certificates[0].Certificate = [][]byte{testRSACertificate}
	 369  	testConfig.Certificates[0].PrivateKey = testRSAPrivateKey
	 370  	testConfig.Certificates[1].Certificate = [][]byte{testSNICertificate}
	 371  	testConfig.Certificates[1].PrivateKey = testRSAPrivateKey
	 372  	testConfig.BuildNameToCertificate()
	 373  	if *keyFile != "" {
	 374  		f, err := os.OpenFile(*keyFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
	 375  		if err != nil {
	 376  			panic("failed to open -keylog file: " + err.Error())
	 377  		}
	 378  		testConfig.KeyLogWriter = f
	 379  		defer f.Close()
	 380  	}
	 381  
	 382  	return m.Run()
	 383  }
	 384  
	 385  func testHandshake(t *testing.T, clientConfig, serverConfig *Config) (serverState, clientState ConnectionState, err error) {
	 386  	const sentinel = "SENTINEL\n"
	 387  	c, s := localPipe(t)
	 388  	errChan := make(chan error)
	 389  	go func() {
	 390  		cli := Client(c, clientConfig)
	 391  		err := cli.Handshake()
	 392  		if err != nil {
	 393  			errChan <- fmt.Errorf("client: %v", err)
	 394  			c.Close()
	 395  			return
	 396  		}
	 397  		defer cli.Close()
	 398  		clientState = cli.ConnectionState()
	 399  		buf, err := io.ReadAll(cli)
	 400  		if err != nil {
	 401  			t.Errorf("failed to call cli.Read: %v", err)
	 402  		}
	 403  		if got := string(buf); got != sentinel {
	 404  			t.Errorf("read %q from TLS connection, but expected %q", got, sentinel)
	 405  		}
	 406  		errChan <- nil
	 407  	}()
	 408  	server := Server(s, serverConfig)
	 409  	err = server.Handshake()
	 410  	if err == nil {
	 411  		serverState = server.ConnectionState()
	 412  		if _, err := io.WriteString(server, sentinel); err != nil {
	 413  			t.Errorf("failed to call server.Write: %v", err)
	 414  		}
	 415  		if err := server.Close(); err != nil {
	 416  			t.Errorf("failed to call server.Close: %v", err)
	 417  		}
	 418  		err = <-errChan
	 419  	} else {
	 420  		s.Close()
	 421  		<-errChan
	 422  	}
	 423  	return
	 424  }
	 425  
	 426  func fromHex(s string) []byte {
	 427  	b, _ := hex.DecodeString(s)
	 428  	return b
	 429  }
	 430  
	 431  var testRSACertificate = fromHex("3082024b308201b4a003020102020900e8f09d3fe25beaa6300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a301a310b3009060355040a1302476f310b300906035504031302476f30819f300d06092a864886f70d010101050003818d0030818902818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d70203010001a38193308190300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302300c0603551d130101ff0402300030190603551d0e041204109f91161f43433e49a6de6db680d79f60301b0603551d230414301280104813494d137e1631bba301d5acab6e7b30190603551d1104123010820e6578616d706c652e676f6c616e67300d06092a864886f70d01010b0500038181009d30cc402b5b50a061cbbae55358e1ed8328a9581aa938a495a1ac315a1a84663d43d32dd90bf297dfd320643892243a00bccf9c7db74020015faad3166109a276fd13c3cce10c5ceeb18782f16c04ed73bbb343778d0c1cf10fa1d8408361c94c722b9daedb4606064df4c1b33ec0d1bd42d4dbfe3d1360845c21d33be9fae7")
	 432  
	 433  var testRSACertificateIssuer = fromHex("3082021930820182a003020102020900ca5e4e811a965964300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f7430819f300d06092a864886f70d010101050003818d0030818902818100d667b378bb22f34143b6cd2008236abefaf2852adf3ab05e01329e2c14834f5105df3f3073f99dab5442d45ee5f8f57b0111c8cb682fbb719a86944eebfffef3406206d898b8c1b1887797c9c5006547bb8f00e694b7a063f10839f269f2c34fff7a1f4b21fbcd6bfdfb13ac792d1d11f277b5c5b48600992203059f2a8f8cc50203010001a35d305b300e0603551d0f0101ff040403020204301d0603551d250416301406082b0601050507030106082b06010505070302300f0603551d130101ff040530030101ff30190603551d0e041204104813494d137e1631bba301d5acab6e7b300d06092a864886f70d01010b050003818100c1154b4bab5266221f293766ae4138899bd4c5e36b13cee670ceeaa4cbdf4f6679017e2fe649765af545749fe4249418a56bd38a04b81e261f5ce86b8d5c65413156a50d12449554748c59a30c515bc36a59d38bddf51173e899820b282e40aa78c806526fd184fb6b4cf186ec728edffa585440d2b3225325f7ab580e87dd76")
	 434  
	 435  // testRSAPSSCertificate has signatureAlgorithm rsassaPss, but subjectPublicKeyInfo
	 436  // algorithm rsaEncryption, for use with the rsa_pss_rsae_* SignatureSchemes.
	 437  // See also TestRSAPSSKeyError. testRSAPSSCertificate is self-signed.
	 438  var testRSAPSSCertificate = fromHex("308202583082018da003020102021100f29926eb87ea8a0db9fcc247347c11b0304106092a864886f70d01010a3034a00f300d06096086480165030402010500a11c301a06092a864886f70d010108300d06096086480165030402010500a20302012030123110300e060355040a130741636d6520436f301e170d3137313132333136313631305a170d3138313132333136313631305a30123110300e060355040a130741636d6520436f30819f300d06092a864886f70d010101050003818d0030818902818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d70203010001a3463044300e0603551d0f0101ff0404030205a030130603551d25040c300a06082b06010505070301300c0603551d130101ff04023000300f0603551d110408300687047f000001304106092a864886f70d01010a3034a00f300d06096086480165030402010500a11c301a06092a864886f70d010108300d06096086480165030402010500a20302012003818100cdac4ef2ce5f8d79881042707f7cbf1b5a8a00ef19154b40151771006cd41626e5496d56da0c1a139fd84695593cb67f87765e18aa03ea067522dd78d2a589b8c92364e12838ce346c6e067b51f1a7e6f4b37ffab13f1411896679d18e880e0ba09e302ac067efca460288e9538122692297ad8093d4f7dd701424d7700a46a1")
	 439  
	 440  var testECDSACertificate = fromHex("3082020030820162020900b8bf2d47a0d2ebf4300906072a8648ce3d04013045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c7464301e170d3132313132323135303633325a170d3232313132303135303633325a3045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c746430819b301006072a8648ce3d020106052b81040023038186000400c4a1edbe98f90b4873367ec316561122f23d53c33b4d213dcd6b75e6f6b0dc9adf26c1bcb287f072327cb3642f1c90bcea6823107efee325c0483a69e0286dd33700ef0462dd0da09c706283d881d36431aa9e9731bd96b068c09b23de76643f1a5c7fe9120e5858b65f70dd9bd8ead5d7f5d5ccb9b69f30665b669a20e227e5bffe3b300906072a8648ce3d040103818c0030818802420188a24febe245c5487d1bacf5ed989dae4770c05e1bb62fbdf1b64db76140d311a2ceee0b7e927eff769dc33b7ea53fcefa10e259ec472d7cacda4e970e15a06fd00242014dfcbe67139c2d050ebd3fa38c25c13313830d9406bbd4377af6ec7ac9862eddd711697f857c56defb31782be4c7780daecbbe9e4e3624317b6a0f399512078f2a")
	 441  
	 442  var testEd25519Certificate = fromHex("3082012e3081e1a00302010202100f431c425793941de987e4f1ad15005d300506032b657030123110300e060355040a130741636d6520436f301e170d3139303531363231333830315a170d3230303531353231333830315a30123110300e060355040a130741636d6520436f302a300506032b65700321003fe2152ee6e3ef3f4e854a7577a3649eede0bf842ccc92268ffa6f3483aaec8fa34d304b300e0603551d0f0101ff0404030205a030130603551d25040c300a06082b06010505070301300c0603551d130101ff0402300030160603551d11040f300d820b6578616d706c652e636f6d300506032b65700341006344ed9cc4be5324539fd2108d9fe82108909539e50dc155ff2c16b71dfcab7d4dd4e09313d0a942e0b66bfe5d6748d79f50bc6ccd4b03837cf20858cdaccf0c")
	 443  
	 444  var testSNICertificate = fromHex("0441883421114c81480804c430820237308201a0a003020102020900e8f09d3fe25beaa6300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a3023310b3009060355040a1302476f311430120603550403130b736e69746573742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d70203010001a3773075300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302300c0603551d130101ff0402300030190603551d0e041204109f91161f43433e49a6de6db680d79f60301b0603551d230414301280104813494d137e1631bba301d5acab6e7b300d06092a864886f70d01010b0500038181007beeecff0230dbb2e7a334af65430b7116e09f327c3bbf918107fc9c66cb497493207ae9b4dbb045cb63d605ec1b5dd485bb69124d68fa298dc776699b47632fd6d73cab57042acb26f083c4087459bc5a3bb3ca4d878d7fe31016b7bc9a627438666566e3389bfaeebe6becc9a0093ceed18d0f9ac79d56f3a73f18188988ed")
	 445  
	 446  var testP256Certificate = fromHex("308201693082010ea00302010202105012dc24e1124ade4f3e153326ff27bf300a06082a8648ce3d04030230123110300e060355040a130741636d6520436f301e170d3137303533313232343934375a170d3138303533313232343934375a30123110300e060355040a130741636d6520436f3059301306072a8648ce3d020106082a8648ce3d03010703420004c02c61c9b16283bbcc14956d886d79b358aa614596975f78cece787146abf74c2d5dc578c0992b4f3c631373479ebf3892efe53d21c4f4f1cc9a11c3536b7f75a3463044300e0603551d0f0101ff0404030205a030130603551d25040c300a06082b06010505070301300c0603551d130101ff04023000300f0603551d1104083006820474657374300a06082a8648ce3d0403020349003046022100963712d6226c7b2bef41512d47e1434131aaca3ba585d666c924df71ac0448b3022100f4d05c725064741aef125f243cdbccaa2a5d485927831f221c43023bd5ae471a")
	 447  
	 448  var testRSAPrivateKey, _ = x509.ParsePKCS1PrivateKey(fromHex("3082025b02010002818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d702030100010281800b07fbcf48b50f1388db34b016298b8217f2092a7c9a04f77db6775a3d1279b62ee9951f7e371e9de33f015aea80660760b3951dc589a9f925ed7de13e8f520e1ccbc7498ce78e7fab6d59582c2386cc07ed688212a576ff37833bd5943483b5554d15a0b9b4010ed9bf09f207e7e9805f649240ed6c1256ed75ab7cd56d9671024100fded810da442775f5923debae4ac758390a032a16598d62f059bb2e781a9c2f41bfa015c209f966513fe3bf5a58717cbdb385100de914f88d649b7d15309fa49024100dd10978c623463a1802c52f012cfa72ff5d901f25a2292446552c2568b1840e49a312e127217c2186615aae4fb6602a4f6ebf3f3d160f3b3ad04c592f65ae41f02400c69062ca781841a09de41ed7a6d9f54adc5d693a2c6847949d9e1358555c9ac6a8d9e71653ac77beb2d3abaf7bb1183aa14278956575dbebf525d0482fd72d90240560fe1900ba36dae3022115fd952f2399fb28e2975a1c3e3d0b679660bdcb356cc189d611cfdd6d87cd5aea45aa30a2082e8b51e94c2f3dd5d5c6036a8a615ed0240143993d80ece56f877cb80048335701eb0e608cc0c1ca8c2227b52edf8f1ac99c562f2541b5ce81f0515af1c5b4770dba53383964b4b725ff46fdec3d08907df"))
	 449  
	 450  var testECDSAPrivateKey, _ = x509.ParseECPrivateKey(fromHex("3081dc0201010442019883e909ad0ac9ea3d33f9eae661f1785206970f8ca9a91672f1eedca7a8ef12bd6561bb246dda5df4b4d5e7e3a92649bc5d83a0bf92972e00e62067d0c7bd99d7a00706052b81040023a18189038186000400c4a1edbe98f90b4873367ec316561122f23d53c33b4d213dcd6b75e6f6b0dc9adf26c1bcb287f072327cb3642f1c90bcea6823107efee325c0483a69e0286dd33700ef0462dd0da09c706283d881d36431aa9e9731bd96b068c09b23de76643f1a5c7fe9120e5858b65f70dd9bd8ead5d7f5d5ccb9b69f30665b669a20e227e5bffe3b"))
	 451  
	 452  var testP256PrivateKey, _ = x509.ParseECPrivateKey(fromHex("30770201010420012f3b52bc54c36ba3577ad45034e2e8efe1e6999851284cb848725cfe029991a00a06082a8648ce3d030107a14403420004c02c61c9b16283bbcc14956d886d79b358aa614596975f78cece787146abf74c2d5dc578c0992b4f3c631373479ebf3892efe53d21c4f4f1cc9a11c3536b7f75"))
	 453  
	 454  var testEd25519PrivateKey = ed25519.PrivateKey(fromHex("3a884965e76b3f55e5faf9615458a92354894234de3ec9f684d46d55cebf3dc63fe2152ee6e3ef3f4e854a7577a3649eede0bf842ccc92268ffa6f3483aaec8f"))
	 455  
	 456  const clientCertificatePEM = `
	 457  -----BEGIN CERTIFICATE-----
	 458  MIIB7zCCAVigAwIBAgIQXBnBiWWDVW/cC8m5k5/pvDANBgkqhkiG9w0BAQsFADAS
	 459  MRAwDgYDVQQKEwdBY21lIENvMB4XDTE2MDgxNzIxNTIzMVoXDTE3MDgxNzIxNTIz
	 460  MVowEjEQMA4GA1UEChMHQWNtZSBDbzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
	 461  gYEAum+qhr3Pv5/y71yUYHhv6BPy0ZZvzdkybiI3zkH5yl0prOEn2mGi7oHLEMff
	 462  NFiVhuk9GeZcJ3NgyI14AvQdpJgJoxlwaTwlYmYqqyIjxXuFOE8uCXMyp70+m63K
	 463  hAfmDzr/d8WdQYUAirab7rCkPy1MTOZCPrtRyN1IVPQMjkcCAwEAAaNGMEQwDgYD
	 464  VR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAw
	 465  DwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOBgQBGq0Si+yhU+Fpn+GKU
	 466  8ZqyGJ7ysd4dfm92lam6512oFmyc9wnTN+RLKzZ8Aa1B0jLYw9KT+RBrjpW5LBeK
	 467  o0RIvFkTgxYEiKSBXCUNmAysEbEoVr4dzWFihAm/1oDGRY2CLLTYg5vbySK3KhIR
	 468  e/oCO8HJ/+rJnahJ05XX1Q7lNQ==
	 469  -----END CERTIFICATE-----`
	 470  
	 471  var clientKeyPEM = testingKey(`
	 472  -----BEGIN RSA TESTING KEY-----
	 473  MIICXQIBAAKBgQC6b6qGvc+/n/LvXJRgeG/oE/LRlm/N2TJuIjfOQfnKXSms4Sfa
	 474  YaLugcsQx980WJWG6T0Z5lwnc2DIjXgC9B2kmAmjGXBpPCViZiqrIiPFe4U4Ty4J
	 475  czKnvT6brcqEB+YPOv93xZ1BhQCKtpvusKQ/LUxM5kI+u1HI3UhU9AyORwIDAQAB
	 476  AoGAEJZ03q4uuMb7b26WSQsOMeDsftdatT747LGgs3pNRkMJvTb/O7/qJjxoG+Mc
	 477  qeSj0TAZXp+PXXc3ikCECAc+R8rVMfWdmp903XgO/qYtmZGCorxAHEmR80SrfMXv
	 478  PJnznLQWc8U9nphQErR+tTESg7xWEzmFcPKwnZd1xg8ERYkCQQDTGtrFczlB2b/Z
	 479  9TjNMqUlMnTLIk/a/rPE2fLLmAYhK5sHnJdvDURaH2mF4nso0EGtENnTsh6LATnY
	 480  dkrxXGm9AkEA4hXHG2q3MnhgK1Z5hjv+Fnqd+8bcbII9WW4flFs15EKoMgS1w/PJ
	 481  zbsySaSy5IVS8XeShmT9+3lrleed4sy+UwJBAJOOAbxhfXP5r4+5R6ql66jES75w
	 482  jUCVJzJA5ORJrn8g64u2eGK28z/LFQbv9wXgCwfc72R468BdawFSLa/m2EECQGbZ
	 483  rWiFla26IVXV0xcD98VWJsTBZMlgPnSOqoMdM1kSEd4fUmlAYI/dFzV1XYSkOmVr
	 484  FhdZnklmpVDeu27P4c0CQQCuCOup0FlJSBpWY1TTfun/KMBkBatMz0VMA3d7FKIU
	 485  csPezl677Yjo8u1r/KzeI6zLg87Z8E6r6ZWNc9wBSZK6
	 486  -----END RSA TESTING KEY-----`)
	 487  
	 488  const clientECDSACertificatePEM = `
	 489  -----BEGIN CERTIFICATE-----
	 490  MIIB/DCCAV4CCQCaMIRsJjXZFzAJBgcqhkjOPQQBMEUxCzAJBgNVBAYTAkFVMRMw
	 491  EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0
	 492  eSBMdGQwHhcNMTIxMTE0MTMyNTUzWhcNMjIxMTEyMTMyNTUzWjBBMQswCQYDVQQG
	 493  EwJBVTEMMAoGA1UECBMDTlNXMRAwDgYDVQQHEwdQeXJtb250MRIwEAYDVQQDEwlK
	 494  b2VsIFNpbmcwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABACVjJF1FMBexFe01MNv
	 495  ja5oHt1vzobhfm6ySD6B5U7ixohLZNz1MLvT/2XMW/TdtWo+PtAd3kfDdq0Z9kUs
	 496  jLzYHQFMH3CQRnZIi4+DzEpcj0B22uCJ7B0rxE4wdihBsmKo+1vx+U56jb0JuK7q
	 497  ixgnTy5w/hOWusPTQBbNZU6sER7m8TAJBgcqhkjOPQQBA4GMADCBiAJCAOAUxGBg
	 498  C3JosDJdYUoCdFzCgbkWqD8pyDbHgf9stlvZcPE4O1BIKJTLCRpS8V3ujfK58PDa
	 499  2RU6+b0DeoeiIzXsAkIBo9SKeDUcSpoj0gq+KxAxnZxfvuiRs9oa9V2jI/Umi0Vw
	 500  jWVim34BmT0Y9hCaOGGbLlfk+syxis7iI6CH8OFnUes=
	 501  -----END CERTIFICATE-----`
	 502  
	 503  var clientECDSAKeyPEM = testingKey(`
	 504  -----BEGIN EC PARAMETERS-----
	 505  BgUrgQQAIw==
	 506  -----END EC PARAMETERS-----
	 507  -----BEGIN EC TESTING KEY-----
	 508  MIHcAgEBBEIBkJN9X4IqZIguiEVKMqeBUP5xtRsEv4HJEtOpOGLELwO53SD78Ew8
	 509  k+wLWoqizS3NpQyMtrU8JFdWfj+C57UNkOugBwYFK4EEACOhgYkDgYYABACVjJF1
	 510  FMBexFe01MNvja5oHt1vzobhfm6ySD6B5U7ixohLZNz1MLvT/2XMW/TdtWo+PtAd
	 511  3kfDdq0Z9kUsjLzYHQFMH3CQRnZIi4+DzEpcj0B22uCJ7B0rxE4wdihBsmKo+1vx
	 512  +U56jb0JuK7qixgnTy5w/hOWusPTQBbNZU6sER7m8Q==
	 513  -----END EC TESTING KEY-----`)
	 514  
	 515  const clientEd25519CertificatePEM = `
	 516  -----BEGIN CERTIFICATE-----
	 517  MIIBLjCB4aADAgECAhAX0YGTviqMISAQJRXoNCNPMAUGAytlcDASMRAwDgYDVQQK
	 518  EwdBY21lIENvMB4XDTE5MDUxNjIxNTQyNloXDTIwMDUxNTIxNTQyNlowEjEQMA4G
	 519  A1UEChMHQWNtZSBDbzAqMAUGAytlcAMhAAvgtWC14nkwPb7jHuBQsQTIbcd4bGkv
	 520  xRStmmNveRKRo00wSzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUH
	 521  AwIwDAYDVR0TAQH/BAIwADAWBgNVHREEDzANggtleGFtcGxlLmNvbTAFBgMrZXAD
	 522  QQD8GRcqlKUx+inILn9boF2KTjRAOdazENwZ/qAicbP1j6FYDc308YUkv+Y9FN/f
	 523  7Q7hF9gRomDQijcjKsJGqjoI
	 524  -----END CERTIFICATE-----`
	 525  
	 526  var clientEd25519KeyPEM = testingKey(`
	 527  -----BEGIN TESTING KEY-----
	 528  MC4CAQAwBQYDK2VwBCIEINifzf07d9qx3d44e0FSbV4mC/xQxT644RRbpgNpin7I
	 529  -----END TESTING KEY-----`)
	 530
View as plain text