-rw-r--r-- | x509util/README.md | 2 | ||||
-rw-r--r-- | x509util/testdata/README.md | 35 | ||||
-rw-r--r-- | x509util/testdata/anchors.pem | 26 | ||||
-rw-r--r-- | x509util/testdata/ca.conf | 59 | ||||
-rw-r--r-- | x509util/testdata/chain.pem | 23 | ||||
-rw-r--r-- | x509util/testdata/chain2.pem | 23 | ||||
-rw-r--r-- | x509util/testdata/data.go | 262 | ||||
-rw-r--r-- | x509util/testdata/end-entity.key | 3 | ||||
-rw-r--r-- | x509util/testdata/end-entity.pem | 10 | ||||
-rw-r--r-- | x509util/testdata/end-entity2.key | 3 | ||||
-rw-r--r-- | x509util/testdata/end-entity2.pem | 10 | ||||
-rw-r--r-- | x509util/testdata/intermediate.key | 3 | ||||
-rw-r--r-- | x509util/testdata/intermediate.pem | 13 | ||||
-rw-r--r-- | x509util/testdata/intermediate2.key | 3 | ||||
-rw-r--r-- | x509util/testdata/intermediate2.pem | 13 | ||||
-rw-r--r-- | x509util/testdata/log.key | 3 | ||||
-rw-r--r-- | x509util/testdata/root.key | 3 | ||||
-rw-r--r-- | x509util/testdata/root.pem | 13 | ||||
-rw-r--r-- | x509util/testdata/root2.key | 3 | ||||
-rw-r--r-- | x509util/testdata/root2.pem | 13 | ||||
-rw-r--r-- | x509util/x509util.go | 113 | ||||
-rw-r--r-- | x509util/x509util_test.go | 332 |
22 files changed, 0 insertions, 968 deletions
diff --git a/x509util/README.md b/x509util/README.md deleted file mode 100644 index 3eaecaa..0000000 --- a/x509util/README.md +++ /dev/null @@ -1,2 +0,0 @@ -# x509util -TODO: remove package diff --git a/x509util/testdata/README.md b/x509util/testdata/README.md deleted file mode 100644 index c9f03de..0000000 --- a/x509util/testdata/README.md +++ /dev/null @@ -1,35 +0,0 @@ -# Create new certificate chains -## Initial setup -``` -$ touch index -$ echo 1000 > serial -``` - -## Root certificate -``` -$ openssl genpkey -algorithm ed25519 -out root.key -$ openssl req -new -x509 -config ca.conf -extensions v3_ca -days 4096 -key root.key -out root.pem -$ openssl x509 -in root.pem -text -noout -``` - -## Intermediate certificate -``` -$ openssl genpkey -algorithm ed25519 -out intermediate.key -$ openssl req -new -config ca.conf -extensions v3_intermediate_ca -key intermediate.key -out intermediate.csr -$ openssl ca -config ca.conf -extensions v3_intermediate_ca -days 4096 -in intermediate.csr -notext -out intermediate.pem -$ openssl x509 -in intermediate.pem -text -noout -``` - -## End-entity certificate -``` -$ openssl genpkey -algorithm ed25519 -out end-entity.key -$ openssl req -new -key end-entity.key -out end-entity.csr -$ openssl x509 -req -days 4096 -CA intermediate.pem -CAkey intermediate.key -CAcreateserial -in end-entity.csr -out end-entity.pem -$ openssl x509 -in end-entity.pem -text -noout -``` - -## Make chain -``` -$ cat end-entity.pem > chain.pem -$ cat intermediate.pem >> chain.pem -``` diff --git a/x509util/testdata/anchors.pem b/x509util/testdata/anchors.pem deleted file mode 100644 index c71feaa..0000000 --- a/x509util/testdata/anchors.pem +++ /dev/null 
@@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIB/TCCAa+gAwIBAgIUDYJzaC5VSkKwiLVAxO5MyphAkN8wBQYDK2VwMGwxCzAJ -BgNVBAYTAk5BMQswCQYDVQQIDAJOQTELMAkGA1UEBwwCTkExCzAJBgNVBAoMAk5B -MQswCQYDVQQLDAJOQTEWMBQGA1UEAwwNc3RmZSB0ZXN0ZGF0YTERMA8GCSqGSIb3 -DQEJARYCTkEwHhcNMjAxMTAzMTgzMTMxWhcNMzIwMTIxMTgzMTMxWjBsMQswCQYD -VQQGEwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTEL -MAkGA1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0B -CQEWAk5BMCowBQYDK2VwAyEAJ1IiXCB4YHwdWka9MM0bc7LvKAtksmtIo8IhkuEB -uzGjYzBhMB0GA1UdDgQWBBQBvsxROtKU6zmr/SxcfTMDsAQcMTAfBgNVHSMEGDAW -gBQBvsxROtKU6zmr/SxcfTMDsAQcMTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB -/wQEAwIChDAFBgMrZXADQQCXh6kDnE5giTjcLET2S94qTwnHVAj57DJcR/rf9Jy8 -NMGbtzTL0/V0B8DHuJFA/islbZJbN7rSvqddEKL8N2gI ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIB/TCCAa+gAwIBAgIUCFGFq5zAkH03LQ2fpAamPhGd8FgwBQYDK2VwMGwxCzAJ -BgNVBAYTAk5BMQswCQYDVQQIDAJOQTELMAkGA1UEBwwCTkExCzAJBgNVBAoMAk5B -MQswCQYDVQQLDAJOQTEWMBQGA1UEAwwNc3RmZSB0ZXN0ZGF0YTERMA8GCSqGSIb3 -DQEJARYCTkEwHhcNMjAxMTE3MTgxNTQyWhcNMzIwMjA0MTgxNTQyWjBsMQswCQYD -VQQGEwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTEL -MAkGA1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0B -CQEWAk5BMCowBQYDK2VwAyEAFOG1Lof1UiV2mYsM17EopyVCR87qRrNW9YHP0biu -pOyjYzBhMB0GA1UdDgQWBBQeeImH1qUrWk+pq3YOkwI8bWdEuTAfBgNVHSMEGDAW -gBQeeImH1qUrWk+pq3YOkwI8bWdEuTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB -/wQEAwIChDAFBgMrZXADQQDP4IQePN5Krr7jn+RM8AbF+c4fXgamA1XDHVIfXy/n -MexxZMsuSCSDq5XM5GMImffmBXA1dNJ6ytfJi668C+kF ------END CERTIFICATE----- diff --git a/x509util/testdata/ca.conf b/x509util/testdata/ca.conf deleted file mode 100644 index 7889331..0000000 --- a/x509util/testdata/ca.conf +++ /dev/null 
@@ -1,59 +0,0 @@
-[ca]
-default_ca = ca_settings
-
-[ ca_settings ]
-dir = .
-certs = $dir
-crl_dir = $dir
-new_certs_dir = $dir
-database = $dir/index
-serial = $dir/serial
-
-private_key = $dir/root.key
-certificate = $dir/root.pem
-
-policy = ca_policy
-
-[ ca_policy ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-# Options for the `req` tool, `man req`
-[ req ]
-distinguished_name = req_distinguished_name
-
-# Extensions for a typical CA, see `man x509v3_config`
-[ v3_ca ]
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true
-keyUsage = critical, digitalSignature, keyCertSign
-
-# Extensions for a typical intermediate CA, see `man x509v3_config`
-[ v3_intermediate_ca ]
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true, pathlen:0
-keyUsage = critical, digitalSignature, keyCertSign
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-stateOrProvinceName = State or Province Name
-localityName = Locality Name
-0.organizationName = Organization Name
-organizationalUnitName = Organizational Unit Name
-commonName = Common Name
-emailAddress = Email Address
-
-countryName_default = NA
-stateOrProvinceName_default = NA
-localityName_default = NA
-0.organizationName_default = NA
-organizationalUnitName_default = NA
-emailAddress_default = NA
-commonName_default = stfe testdata
diff --git a/x509util/testdata/chain.pem b/x509util/testdata/chain.pem
deleted file mode 100644
index 0ac66a0..0000000
--- a/x509util/testdata/chain.pem
+++ /dev/null
@@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBbDCCAR4CFDfeuu6XURfn7AE4WShuwZBHEaLIMAUGAytlcDBsMQswCQYDVQQG -EwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkG -A1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEW -Ak5BMB4XDTIwMTEwMzE4MzI0MFoXDTMyMDEyMTE4MzI0MFowRTELMAkGA1UEBhMC -QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp -dHMgUHR5IEx0ZDAqMAUGAytlcAMhAJvk390ZvwULplBri03Od4LLz+Sf/OUHu+20 -wik+T9y5MAUGAytlcANBANekliXq4ttoClBJDZoktIQxyHHNcWyXFrj1HlOaT5bC -I3GIqqZ60Ua3jKytnEsKsD2rLMPItDwmG6wYSecy2ws= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIB7jCCAaCgAwIBAgICEAAwBQYDK2VwMGwxCzAJBgNVBAYTAk5BMQswCQYDVQQI -DAJOQTELMAkGA1UEBwwCTkExCzAJBgNVBAoMAk5BMQswCQYDVQQLDAJOQTEWMBQG -A1UEAwwNc3RmZSB0ZXN0ZGF0YTERMA8GCSqGSIb3DQEJARYCTkEwHhcNMjAxMTAz -MTgzMjE4WhcNMzIwMTIxMTgzMjE4WjBsMQswCQYDVQQGEwJOQTELMAkGA1UECAwC -TkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkGA1UECwwCTkExFjAUBgNV -BAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEWAk5BMCowBQYDK2VwAyEA -F1yPPpjHKDAKN73pBFGXzAvIjdkLLimydu2y1HLMOiKjZjBkMB0GA1UdDgQWBBQ6 -P7JQ7yXtrTh7YkVU0I78P9A+nDAfBgNVHSMEGDAWgBQBvsxROtKU6zmr/SxcfTMD -sAQcMTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIChDAFBgMrZXAD -QQBm1GMV0ADPnXRWnelCW9tcyTh0p9hKefuSy/MNx7/XLHKnM5fX+yHqD84QOxES -Vc510vi4dM8I+e/vcoBsmMQP ------END CERTIFICATE----- diff --git a/x509util/testdata/chain2.pem b/x509util/testdata/chain2.pem deleted file mode 100644 index 6ca2131..0000000 --- a/x509util/testdata/chain2.pem +++ /dev/null 
@@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBbDCCAR4CFC4G5ep2NoHAmvFkmFID7y4U/BryMAUGAytlcDBsMQswCQYDVQQG -EwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkG -A1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEW -Ak5BMB4XDTIwMTEyNTIxNTkwM1oXDTMyMDIxMjIxNTkwM1owRTELMAkGA1UEBhMC -QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp -dHMgUHR5IEx0ZDAqMAUGAytlcAMhAKwG0O/Ql+L6O8aq8BZ+KOdJmVLdcnOmMENR -H7O84kVFMAUGAytlcANBAJIUg3wQ5AvhOaITYB/9rT5cm5dcklOdEIwAqvmSOEXf -vgCpSAz29bnKYJmjwp6mkXx3f31h39G41zr2wRjKnw8= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIB7jCCAaCgAwIBAgICEAAwBQYDK2VwMGwxCzAJBgNVBAYTAk5BMQswCQYDVQQI -DAJOQTELMAkGA1UEBwwCTkExCzAJBgNVBAoMAk5BMQswCQYDVQQLDAJOQTEWMBQG -A1UEAwwNc3RmZSB0ZXN0ZGF0YTERMA8GCSqGSIb3DQEJARYCTkEwHhcNMjAxMTI1 -MjE1NzU1WhcNMzIwMjEyMjE1NzU1WjBsMQswCQYDVQQGEwJOQTELMAkGA1UECAwC -TkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkGA1UECwwCTkExFjAUBgNV -BAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEWAk5BMCowBQYDK2VwAyEA -DD23ESkuIKaCkU6xCncIwvD12w4ETBgAiHAubr/wDwujZjBkMB0GA1UdDgQWBBSy -uua2yvX+VM9JBc19GQisnLnH5zAfBgNVHSMEGDAWgBQeeImH1qUrWk+pq3YOkwI8 -bWdEuTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIChDAFBgMrZXAD -QQCoQvs8gPHZOH6VIuUGCcXVzf8D5+F6GZSoxMF880yYbdbUBVwwbJLFazwEn0uC -PwMBM9nZj3g1ZSH8uP2sEo0F ------END CERTIFICATE----- diff --git a/x509util/testdata/data.go b/x509util/testdata/data.go deleted file mode 100644 index 67bb606..0000000 --- a/x509util/testdata/data.go +++ /dev/null 
@@ -1,262 +0,0 @@ -package testdata - -import ( - "bytes" -) - -var ( - // EndEntityCertificate is a PEM-encoded end-entity certificate that is - // signed by IntermediateCertificate - EndEntityCertificate = []byte(`-----BEGIN CERTIFICATE----- -MIIBbDCCAR4CFDfeuu6XURfn7AE4WShuwZBHEaLIMAUGAytlcDBsMQswCQYDVQQG -EwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkG -A1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEW -Ak5BMB4XDTIwMTEwMzE4MzI0MFoXDTMyMDEyMTE4MzI0MFowRTELMAkGA1UEBhMC -QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp -dHMgUHR5IEx0ZDAqMAUGAytlcAMhAJvk390ZvwULplBri03Od4LLz+Sf/OUHu+20 -wik+T9y5MAUGAytlcANBANekliXq4ttoClBJDZoktIQxyHHNcWyXFrj1HlOaT5bC -I3GIqqZ60Ua3jKytnEsKsD2rLMPItDwmG6wYSecy2ws= ------END CERTIFICATE-----`) - // EndEntityCertificateSerial is the serial number of EndEntityCertificate - EndEntityCertificateSerial = "318961541902906095038704399034602270237826065096" - // EndEntityPrivateKey is the PEM-encoded Ed25519 private key of EndEntityCertificate - EndEntityPrivateKey = []byte(`-----BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIDme3WaCwW2/FX095yh02yIIsn0D3vbvN5NsJzcdUwq1 ------END PRIVATE KEY-----`) - - // EndEntityCertificate2 is a PEM-encoded end-entity certificate that - // is signed by IntermediateCertificate2 - EndEntityCertificate2 = []byte(`-----BEGIN CERTIFICATE----- -MIIBbDCCAR4CFC4G5ep2NoHAmvFkmFID7y4U/BryMAUGAytlcDBsMQswCQYDVQQG -EwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkG -A1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEW -Ak5BMB4XDTIwMTEyNTIxNTkwM1oXDTMyMDIxMjIxNTkwM1owRTELMAkGA1UEBhMC -QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp -dHMgUHR5IEx0ZDAqMAUGAytlcAMhAKwG0O/Ql+L6O8aq8BZ+KOdJmVLdcnOmMENR -H7O84kVFMAUGAytlcANBAJIUg3wQ5AvhOaITYB/9rT5cm5dcklOdEIwAqvmSOEXf -vgCpSAz29bnKYJmjwp6mkXx3f31h39G41zr2wRjKnw8= ------END CERTIFICATE-----`) - // EndEntityCertificateSerial2 is the serial number of EndEntityCertificate2 - 
EndEntityCertificateSerial2 = "262767408425771953673235905171292083847897553650" - // EndEntityPrivateKey2 is the PEM-encoded Ed25519 private key of EndEntityCertificate2 - EndEntityPrivateKey2 = []byte(`-----BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIH65lXoCT4N9q4mPmDcsmAqIqG9CrqrB4KV2nqBC9JlZ ------END PRIVATE KEY-----`) - - // IntermediateCertificate is a PEM-encoded intermediate certificate that is - // signed by RootCertificate - IntermediateCertificate = []byte(`-----BEGIN CERTIFICATE----- -MIIB7jCCAaCgAwIBAgICEAAwBQYDK2VwMGwxCzAJBgNVBAYTAk5BMQswCQYDVQQI -DAJOQTELMAkGA1UEBwwCTkExCzAJBgNVBAoMAk5BMQswCQYDVQQLDAJOQTEWMBQG -A1UEAwwNc3RmZSB0ZXN0ZGF0YTERMA8GCSqGSIb3DQEJARYCTkEwHhcNMjAxMTAz -MTgzMjE4WhcNMzIwMTIxMTgzMjE4WjBsMQswCQYDVQQGEwJOQTELMAkGA1UECAwC -TkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkGA1UECwwCTkExFjAUBgNV -BAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEWAk5BMCowBQYDK2VwAyEA -F1yPPpjHKDAKN73pBFGXzAvIjdkLLimydu2y1HLMOiKjZjBkMB0GA1UdDgQWBBQ6 -P7JQ7yXtrTh7YkVU0I78P9A+nDAfBgNVHSMEGDAWgBQBvsxROtKU6zmr/SxcfTMD -sAQcMTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIChDAFBgMrZXAD -QQBm1GMV0ADPnXRWnelCW9tcyTh0p9hKefuSy/MNx7/XLHKnM5fX+yHqD84QOxES -Vc510vi4dM8I+e/vcoBsmMQP ------END CERTIFICATE-----`) - // IntermediateCertificateSerial is the serial number of IntermediateCertificate - IntermediateCertificateSerial = "4096" - // IntermediatePrivateKey is the PEM-encoded Ed25519 private key of IntermediateCertificate - IntermediatePrivateKey = []byte(`-----BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIEiZEO5PnjkbN4A+5r9LVTIZeVdPq/on5AzwnetZjszE ------END PRIVATE KEY-----`) - // IntermediateChain is a PEM-encoded certificate chain that is composed - // of an end-entity certificate and an intermediate certificate - IntermediateChain = bytes.Join([][]byte{ - EndEntityCertificate, - IntermediateCertificate, - }, []byte("\n")) - - // IntermediateCertificate2 is a PEM-encoded intermediate certificate that - // is signed by RootCertificate2 - IntermediateCertificate2 = 
[]byte(`-----BEGIN CERTIFICATE----- -MIIB7jCCAaCgAwIBAgICEAAwBQYDK2VwMGwxCzAJBgNVBAYTAk5BMQswCQYDVQQI -DAJOQTELMAkGA1UEBwwCTkExCzAJBgNVBAoMAk5BMQswCQYDVQQLDAJOQTEWMBQG -A1UEAwwNc3RmZSB0ZXN0ZGF0YTERMA8GCSqGSIb3DQEJARYCTkEwHhcNMjAxMTI1 -MjE1NzU1WhcNMzIwMjEyMjE1NzU1WjBsMQswCQYDVQQGEwJOQTELMAkGA1UECAwC -TkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkGA1UECwwCTkExFjAUBgNV -BAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEWAk5BMCowBQYDK2VwAyEA -DD23ESkuIKaCkU6xCncIwvD12w4ETBgAiHAubr/wDwujZjBkMB0GA1UdDgQWBBSy -uua2yvX+VM9JBc19GQisnLnH5zAfBgNVHSMEGDAWgBQeeImH1qUrWk+pq3YOkwI8 -bWdEuTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIChDAFBgMrZXAD -QQCoQvs8gPHZOH6VIuUGCcXVzf8D5+F6GZSoxMF880yYbdbUBVwwbJLFazwEn0uC -PwMBM9nZj3g1ZSH8uP2sEo0F ------END CERTIFICATE-----`) - // IntermediateCertificateSerial2 is the serial number of IntermediateCertificate2 - IntermediateCertificateSerial2 = "4096" - // IntermediatePrivateKey2 is the PEM-encoded Ed25519 private key of IntermediateCertificate2 - IntermediatePrivateKey2 = []byte(`-----BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIOo+qcT2GoWoAp0079ecz/ZyrCZ78Zqznv1xEoN96vT7 ------END PRIVATE KEY-----`) - // IntermediateChain2 is a PEM-encoded certificate chain that is composed - // of an end-entity certificate and an intermediate certificate - IntermediateChain2 = bytes.Join([][]byte{ - EndEntityCertificate2, - IntermediateCertificate2, - }, []byte("\n")) - - // RootCertificate is a PEM-encoded root certificate - RootCertificate = []byte(`-----BEGIN CERTIFICATE----- -MIIB/TCCAa+gAwIBAgIUDYJzaC5VSkKwiLVAxO5MyphAkN8wBQYDK2VwMGwxCzAJ -BgNVBAYTAk5BMQswCQYDVQQIDAJOQTELMAkGA1UEBwwCTkExCzAJBgNVBAoMAk5B -MQswCQYDVQQLDAJOQTEWMBQGA1UEAwwNc3RmZSB0ZXN0ZGF0YTERMA8GCSqGSIb3 -DQEJARYCTkEwHhcNMjAxMTAzMTgzMTMxWhcNMzIwMTIxMTgzMTMxWjBsMQswCQYD -VQQGEwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTEL -MAkGA1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0B -CQEWAk5BMCowBQYDK2VwAyEAJ1IiXCB4YHwdWka9MM0bc7LvKAtksmtIo8IhkuEB 
-uzGjYzBhMB0GA1UdDgQWBBQBvsxROtKU6zmr/SxcfTMDsAQcMTAfBgNVHSMEGDAW -gBQBvsxROtKU6zmr/SxcfTMDsAQcMTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB -/wQEAwIChDAFBgMrZXADQQCXh6kDnE5giTjcLET2S94qTwnHVAj57DJcR/rf9Jy8 -NMGbtzTL0/V0B8DHuJFA/islbZJbN7rSvqddEKL8N2gI ------END CERTIFICATE-----`) - // RootCertificateSerial is the serial number of RootCertificate - RootCertificateSerial = "77126030260354546250480693976417574174523953375" - // RootPrivateKey is the PEM-encoded Ed25519 private key of RootCertificate - RootPrivateKey = []byte(`-----BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIPJGy4Tf9SwDv44lLCmVyEjsbUmwfTg+j/Xoyaunf1rx ------END PRIVATE KEY-----`) - // RootChain is a PEM-encoded certificate chain that contains an end-entity - // certificate, an intermediate certificate, and a root certificate. - RootChain = bytes.Join([][]byte{ - EndEntityCertificate, - IntermediateCertificate, - RootCertificate, - }, []byte("\n")) - - // RootCertificate2 is a PEM-encoded root certificate - RootCertificate2 = []byte(`-----BEGIN CERTIFICATE----- -MIIB/TCCAa+gAwIBAgIUCFGFq5zAkH03LQ2fpAamPhGd8FgwBQYDK2VwMGwxCzAJ -BgNVBAYTAk5BMQswCQYDVQQIDAJOQTELMAkGA1UEBwwCTkExCzAJBgNVBAoMAk5B -MQswCQYDVQQLDAJOQTEWMBQGA1UEAwwNc3RmZSB0ZXN0ZGF0YTERMA8GCSqGSIb3 -DQEJARYCTkEwHhcNMjAxMTE3MTgxNTQyWhcNMzIwMjA0MTgxNTQyWjBsMQswCQYD -VQQGEwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTEL -MAkGA1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0B -CQEWAk5BMCowBQYDK2VwAyEAFOG1Lof1UiV2mYsM17EopyVCR87qRrNW9YHP0biu -pOyjYzBhMB0GA1UdDgQWBBQeeImH1qUrWk+pq3YOkwI8bWdEuTAfBgNVHSMEGDAW -gBQeeImH1qUrWk+pq3YOkwI8bWdEuTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB -/wQEAwIChDAFBgMrZXADQQDP4IQePN5Krr7jn+RM8AbF+c4fXgamA1XDHVIfXy/n -MexxZMsuSCSDq5XM5GMImffmBXA1dNJ6ytfJi668C+kF ------END CERTIFICATE-----`) - // RootCertificateSerial2 is the serial number of RootCertificate2 - RootCertificateSerial2 = "47489930858344783188475742157087612794308522072" - // RootPrivateKey2 is the PEM-encoded Ed25519 private key of RootCertificate2 - 
RootPrivateKey2 = []byte(`-----BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIKQd3B84w9pB6zJLGljuDyGKfz9uPP6QBeLiFcw0EME4 ------END PRIVATE KEY-----`) - // RootChain2 is a PEM-encoded certificate chain that contains an end-entity - // certificate, an intermediate certificate, and a root certificate. - RootChain2 = bytes.Join([][]byte{ - EndEntityCertificate2, - IntermediateCertificate2, - RootCertificate2, - }, []byte("\n")) - - // TrustAnchors is composed of two PEM-encoded trust anchors, namely, - // RootCertificate and RootCertificate2. - TrustAnchors = bytes.Join([][]byte{ - RootCertificate, - RootCertificate2, - }, []byte("\n")) - // NumTrustAnchors is the number of test trust anchors - NumTrustAnchors = 2 - - // LogPrivateKey is an Ed25519 signing key - LogPrivateKey = []byte(`-----BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIAhqlhKgY/TiEyTIe5BcZKLELGa2kODtJ3S+oMP4JwsA ------END PRIVATE KEY-----`) - - // ExpiredCertificate is a PEM-encoded certificate that is always expired, - // i.e., `Not Before`=`Not After`. It is signed by IntermediateCertificate. - ExpiredCertificate = []byte(`-----BEGIN CERTIFICATE----- -MIIBbDCCAR4CFFO1655aK8KvWIacn4KVPCo+3rgmMAUGAytlcDBsMQswCQYDVQQG -EwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkG -A1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEW -Ak5BMB4XDTIwMTIwMjE2MzI0MloXDTIwMTIwMjE2MzI0MlowRTELMAkGA1UEBhMC -QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp -dHMgUHR5IEx0ZDAqMAUGAytlcAMhAFkRtny1XBNw3E7Bk8yE/dp1NfysaK9wevma -UQUqtJrHMAUGAytlcANBABXlP0XMtPhBwbilzJ6riD2j49uXFUkdYxP8jTCXyHw7 -CrTlv9wj2MV3UJs7CQigEA21LJVENwYusMnGi2pTIQE= ------END CERTIFICATE-----`) - // ExpiredChain is an expired PEM-encoded certificate chain. It is composed - // of two certificates: ExpiredCertificate and IntermediateCertificate. 
- ExpiredChain = bytes.Join([][]byte{ - ExpiredCertificate, - IntermediateCertificate, - }, []byte("\n")) - - // ChainBadIntermediate is a PEM-encoded certificate chain that contains - // an end-entity certificate, an intermediate certificate, and a root - // certificate. However, the intermediate does not sign the end-entity. - ChainBadIntermediate = bytes.Join([][]byte{ - EndEntityCertificate, - IntermediateCertificate2, - RootCertificate2, - }, []byte("\n")) - - // ChainBadRoot is a PEM-encoded certificate chain that contains an - // end-entity certificate, an intermediate certificate, and a root - // certificate. However, the root does not sign the intermediate. - ChainBadRoot = bytes.Join([][]byte{ - EndEntityCertificate, - IntermediateCertificate, - RootCertificate2, - }, []byte("\n")) - - // TruncatedCertificate is a truncated PEM-encoded certificate - TruncatedCertificate = []byte(`-----BEGIN CERTIFICATE----- -MIIBbDCCAR4CFDfeuu6XURfn7AE4WShuwZBHEaLIMAUGAytlcDBsMQswCQYDVQQG ------END CERTIFICATE-----`) - - // NotACertificate is a PEM-encoded certificate block that contains an - // Ed25519 private key - NotACertificate = []byte(`-----BEGIN CERTIFICATE----- -MC4CAQAwBQYDK2VwBCIEIH65lXoCT4N9q4mPmDcsmAqIqG9CrqrB4KV2nqBC9JlZ ------END CERTIFICATE-----`) - - // NotEd25519PrivateKey is a PEM-encoded ECDSA private key - NotEd25519PrivateKey = []byte(`-----BEGIN PRIVATE KEY----- -MIHcAgEBBEIAtxq7RExTFraqJYhyedPFppJiV05tXb1gxmn+9DGNsfmZ5aD2ZwDo -PoIVDYudwj7gDL4MXzJj7LUh6WW0qALm4MugBwYFK4EEACOhgYkDgYYABAAcg0Y3 -WTBxfVuw/OPdLf65N6hmBoCGgW8DOhfRXtZNzqkf3u1LnNpWrt/Xva7K6uthvLRr -A3djeuCmg8MlHdtFYQDa9QSsc0ZBhp6Lg7JSED8nopQIvKPocsUejqJVDqJ4ZK1E -+2qB5BQl9vGLUpZ5HKkWvKvo8jpNbstVyeOFtvLfGg== ------END PRIVATE KEY-----`) - - // TruncatedEd25519PrivateKey is a a PEM-encoded Ed25519 private key that - // has a truncated block - TruncatedEd25519PrivateKey = []byte(`-----BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIH6 ------END PRIVATE KEY-----`) - - // DoubleEd25519PrivateKey is 
composed of two PEM-encoded Ed25519 private - // keys - DoubleEd25519PrivateKey = bytes.Join([][]byte{ - EndEntityPrivateKey, - EndEntityPrivateKey2, - }, []byte("\n")) - - // Ed25519PrivateKeyBadWhiteSpace is a PEM-encoded Ed25519 private key that - // contains unwanted white space - Ed25519PrivateKeyBadWhiteSpace = []byte(` - -----BEGIN PRIVATE KEY----- - MC4CAQAwBQYDK2VwBCIEIH65lXoCT4N9q4mPmDcsmAqIqG9CrqrB4KV2nqBC9JlZ - -----END PRIVATE KEY-----`) - - // CertificateBadWhiteSpace is a PEM-encoded certificate that contains - // unwanted white space - CertificateBadWhiteSpace = []byte(` - -----BEGIN CERTIFICATE----- - MIIBbDCCAR4CFDfeuu6XURfn7AE4WShuwZBHEaLIMAUGAytlcDBsMQswCQYDVQQG - EwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkG - A1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEW - Ak5BMB4XDTIwMTEwMzE4MzI0MFoXDTMyMDEyMTE4MzI0MFowRTELMAkGA1UEBhMC - QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp - dHMgUHR5IEx0ZDAqMAUGAytlcAMhAJvk390ZvwULplBri03Od4LLz+Sf/OUHu+20 - wik+T9y5MAUGAytlcANBANekliXq4ttoClBJDZoktIQxyHHNcWyXFrj1HlOaT5bC - I3GIqqZ60Ua3jKytnEsKsD2rLMPItDwmG6wYSecy2ws= - -----END CERTIFICATE-----`) -) diff --git a/x509util/testdata/end-entity.key b/x509util/testdata/end-entity.key deleted file mode 100644 index da83f09..0000000 --- a/x509util/testdata/end-entity.key +++ /dev/null @@ -1,3 +0,0 @@ ------BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIDme3WaCwW2/FX095yh02yIIsn0D3vbvN5NsJzcdUwq1 ------END PRIVATE KEY----- diff --git a/x509util/testdata/end-entity.pem b/x509util/testdata/end-entity.pem deleted file mode 100644 index 52b99f6..0000000 --- a/x509util/testdata/end-entity.pem +++ /dev/null 
@@ -1,10 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBbDCCAR4CFDfeuu6XURfn7AE4WShuwZBHEaLIMAUGAytlcDBsMQswCQYDVQQG -EwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkG -A1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEW -Ak5BMB4XDTIwMTEwMzE4MzI0MFoXDTMyMDEyMTE4MzI0MFowRTELMAkGA1UEBhMC -QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp -dHMgUHR5IEx0ZDAqMAUGAytlcAMhAJvk390ZvwULplBri03Od4LLz+Sf/OUHu+20 -wik+T9y5MAUGAytlcANBANekliXq4ttoClBJDZoktIQxyHHNcWyXFrj1HlOaT5bC -I3GIqqZ60Ua3jKytnEsKsD2rLMPItDwmG6wYSecy2ws= ------END CERTIFICATE----- diff --git a/x509util/testdata/end-entity2.key b/x509util/testdata/end-entity2.key deleted file mode 100644 index 4758b40..0000000 --- a/x509util/testdata/end-entity2.key +++ /dev/null @@ -1,3 +0,0 @@ ------BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIH65lXoCT4N9q4mPmDcsmAqIqG9CrqrB4KV2nqBC9JlZ ------END PRIVATE KEY----- diff --git a/x509util/testdata/end-entity2.pem b/x509util/testdata/end-entity2.pem deleted file mode 100644 index f1d41fc..0000000 --- a/x509util/testdata/end-entity2.pem +++ /dev/null @@ -1,10 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBbDCCAR4CFC4G5ep2NoHAmvFkmFID7y4U/BryMAUGAytlcDBsMQswCQYDVQQG -EwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkG -A1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEW -Ak5BMB4XDTIwMTEyNTIxNTkwM1oXDTMyMDIxMjIxNTkwM1owRTELMAkGA1UEBhMC -QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp -dHMgUHR5IEx0ZDAqMAUGAytlcAMhAKwG0O/Ql+L6O8aq8BZ+KOdJmVLdcnOmMENR -H7O84kVFMAUGAytlcANBAJIUg3wQ5AvhOaITYB/9rT5cm5dcklOdEIwAqvmSOEXf -vgCpSAz29bnKYJmjwp6mkXx3f31h39G41zr2wRjKnw8= ------END CERTIFICATE----- diff --git a/x509util/testdata/intermediate.key b/x509util/testdata/intermediate.key deleted file mode 100644 index 26721e4..0000000 --- a/x509util/testdata/intermediate.key +++ /dev/null @@ -1,3 +0,0 @@ ------BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIEiZEO5PnjkbN4A+5r9LVTIZeVdPq/on5AzwnetZjszE ------END PRIVATE KEY----- 
diff --git a/x509util/testdata/intermediate.pem b/x509util/testdata/intermediate.pem deleted file mode 100644 index 0f893b8..0000000 --- a/x509util/testdata/intermediate.pem +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIB7jCCAaCgAwIBAgICEAAwBQYDK2VwMGwxCzAJBgNVBAYTAk5BMQswCQYDVQQI -DAJOQTELMAkGA1UEBwwCTkExCzAJBgNVBAoMAk5BMQswCQYDVQQLDAJOQTEWMBQG -A1UEAwwNc3RmZSB0ZXN0ZGF0YTERMA8GCSqGSIb3DQEJARYCTkEwHhcNMjAxMTAz -MTgzMjE4WhcNMzIwMTIxMTgzMjE4WjBsMQswCQYDVQQGEwJOQTELMAkGA1UECAwC -TkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkGA1UECwwCTkExFjAUBgNV -BAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEWAk5BMCowBQYDK2VwAyEA -F1yPPpjHKDAKN73pBFGXzAvIjdkLLimydu2y1HLMOiKjZjBkMB0GA1UdDgQWBBQ6 -P7JQ7yXtrTh7YkVU0I78P9A+nDAfBgNVHSMEGDAWgBQBvsxROtKU6zmr/SxcfTMD -sAQcMTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIChDAFBgMrZXAD -QQBm1GMV0ADPnXRWnelCW9tcyTh0p9hKefuSy/MNx7/XLHKnM5fX+yHqD84QOxES -Vc510vi4dM8I+e/vcoBsmMQP ------END CERTIFICATE----- diff --git a/x509util/testdata/intermediate2.key b/x509util/testdata/intermediate2.key deleted file mode 100644 index 487627e..0000000 --- a/x509util/testdata/intermediate2.key +++ /dev/null @@ -1,3 +0,0 @@ ------BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIOo+qcT2GoWoAp0079ecz/ZyrCZ78Zqznv1xEoN96vT7 ------END PRIVATE KEY----- diff --git a/x509util/testdata/intermediate2.pem b/x509util/testdata/intermediate2.pem deleted file mode 100644 index 854785c..0000000 --- a/x509util/testdata/intermediate2.pem +++ /dev/null 
@@ -1,13 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIB7jCCAaCgAwIBAgICEAAwBQYDK2VwMGwxCzAJBgNVBAYTAk5BMQswCQYDVQQI -DAJOQTELMAkGA1UEBwwCTkExCzAJBgNVBAoMAk5BMQswCQYDVQQLDAJOQTEWMBQG -A1UEAwwNc3RmZSB0ZXN0ZGF0YTERMA8GCSqGSIb3DQEJARYCTkEwHhcNMjAxMTI1 -MjE1NzU1WhcNMzIwMjEyMjE1NzU1WjBsMQswCQYDVQQGEwJOQTELMAkGA1UECAwC -TkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkGA1UECwwCTkExFjAUBgNV -BAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEWAk5BMCowBQYDK2VwAyEA -DD23ESkuIKaCkU6xCncIwvD12w4ETBgAiHAubr/wDwujZjBkMB0GA1UdDgQWBBSy -uua2yvX+VM9JBc19GQisnLnH5zAfBgNVHSMEGDAWgBQeeImH1qUrWk+pq3YOkwI8 -bWdEuTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIChDAFBgMrZXAD -QQCoQvs8gPHZOH6VIuUGCcXVzf8D5+F6GZSoxMF880yYbdbUBVwwbJLFazwEn0uC -PwMBM9nZj3g1ZSH8uP2sEo0F ------END CERTIFICATE----- diff --git a/x509util/testdata/log.key b/x509util/testdata/log.key deleted file mode 100644 index ffc5df4..0000000 --- a/x509util/testdata/log.key +++ /dev/null @@ -1,3 +0,0 @@ ------BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIAhqlhKgY/TiEyTIe5BcZKLELGa2kODtJ3S+oMP4JwsA ------END PRIVATE KEY----- diff --git a/x509util/testdata/root.key b/x509util/testdata/root.key deleted file mode 100644 index c2dd558..0000000 --- a/x509util/testdata/root.key +++ /dev/null @@ -1,3 +0,0 @@ ------BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIPJGy4Tf9SwDv44lLCmVyEjsbUmwfTg+j/Xoyaunf1rx ------END PRIVATE KEY----- diff --git a/x509util/testdata/root.pem b/x509util/testdata/root.pem deleted file mode 100644 index 1fc802b..0000000 --- a/x509util/testdata/root.pem +++ /dev/null 
@@ -1,13 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIB/TCCAa+gAwIBAgIUDYJzaC5VSkKwiLVAxO5MyphAkN8wBQYDK2VwMGwxCzAJ -BgNVBAYTAk5BMQswCQYDVQQIDAJOQTELMAkGA1UEBwwCTkExCzAJBgNVBAoMAk5B -MQswCQYDVQQLDAJOQTEWMBQGA1UEAwwNc3RmZSB0ZXN0ZGF0YTERMA8GCSqGSIb3 -DQEJARYCTkEwHhcNMjAxMTAzMTgzMTMxWhcNMzIwMTIxMTgzMTMxWjBsMQswCQYD -VQQGEwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTEL -MAkGA1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0B -CQEWAk5BMCowBQYDK2VwAyEAJ1IiXCB4YHwdWka9MM0bc7LvKAtksmtIo8IhkuEB -uzGjYzBhMB0GA1UdDgQWBBQBvsxROtKU6zmr/SxcfTMDsAQcMTAfBgNVHSMEGDAW -gBQBvsxROtKU6zmr/SxcfTMDsAQcMTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB -/wQEAwIChDAFBgMrZXADQQCXh6kDnE5giTjcLET2S94qTwnHVAj57DJcR/rf9Jy8 -NMGbtzTL0/V0B8DHuJFA/islbZJbN7rSvqddEKL8N2gI ------END CERTIFICATE----- diff --git a/x509util/testdata/root2.key b/x509util/testdata/root2.key deleted file mode 100644 index df8b7af..0000000 --- a/x509util/testdata/root2.key +++ /dev/null @@ -1,3 +0,0 @@ ------BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIKQd3B84w9pB6zJLGljuDyGKfz9uPP6QBeLiFcw0EME4 ------END PRIVATE KEY----- diff --git a/x509util/testdata/root2.pem b/x509util/testdata/root2.pem deleted file mode 100644 index d0b131c..0000000 --- a/x509util/testdata/root2.pem +++ /dev/null 
@@ -1,13 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIB/TCCAa+gAwIBAgIUCFGFq5zAkH03LQ2fpAamPhGd8FgwBQYDK2VwMGwxCzAJ -BgNVBAYTAk5BMQswCQYDVQQIDAJOQTELMAkGA1UEBwwCTkExCzAJBgNVBAoMAk5B -MQswCQYDVQQLDAJOQTEWMBQGA1UEAwwNc3RmZSB0ZXN0ZGF0YTERMA8GCSqGSIb3 -DQEJARYCTkEwHhcNMjAxMTE3MTgxNTQyWhcNMzIwMjA0MTgxNTQyWjBsMQswCQYD -VQQGEwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTEL -MAkGA1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0B -CQEWAk5BMCowBQYDK2VwAyEAFOG1Lof1UiV2mYsM17EopyVCR87qRrNW9YHP0biu -pOyjYzBhMB0GA1UdDgQWBBQeeImH1qUrWk+pq3YOkwI8bWdEuTAfBgNVHSMEGDAW -gBQeeImH1qUrWk+pq3YOkwI8bWdEuTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB -/wQEAwIChDAFBgMrZXADQQDP4IQePN5Krr7jn+RM8AbF+c4fXgamA1XDHVIfXy/n -MexxZMsuSCSDq5XM5GMImffmBXA1dNJ6ytfJi668C+kF ------END CERTIFICATE----- diff --git a/x509util/x509util.go b/x509util/x509util.go deleted file mode 100644 index 57d97ca..0000000 --- a/x509util/x509util.go +++ /dev/null 
@@ -1,113 +0,0 @@
-package x509util
-
-import (
-	"fmt"
-
-	"crypto/ed25519"
-	"crypto/x509"
-	"encoding/pem"
-)
-
-// NewEd25519PrivateKey creates a new Ed25519 private-key from a PEM block
-func NewEd25519PrivateKey(data []byte) (ed25519.PrivateKey, error) {
-	block, rest := pem.Decode(data)
-	if block == nil {
-		return nil, fmt.Errorf("pem block: is empty")
-	}
-	if block.Type != "PRIVATE KEY" {
-		return nil, fmt.Errorf("bad pem block type: %v", block.Type)
-	}
-	if len(rest) != 0 {
-		return nil, fmt.Errorf("pem block: trailing data")
-	}
-
-	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
-	if err != nil {
-		fmt.Errorf("x509 parser failed: %v", err)
-	}
-	switch t := key.(type) {
-	case ed25519.PrivateKey:
-		return key.(ed25519.PrivateKey), nil
-	default:
-		return nil, fmt.Errorf("unexpected signing key type: %v", t)
-	}
-}
-
-// NewCertificateList parses a block of PEM-encoded X.509 certificates
-func NewCertificateList(rest []byte) ([]*x509.Certificate, error) {
-	var certificates []*x509.Certificate
-	for len(rest) > 0 {
-		var block *pem.Block
-		block, rest = pem.Decode(rest)
-		if block == nil {
-			return nil, fmt.Errorf("no block: probably caused by leading white space")
-		}
-		if block.Type != "CERTIFICATE" {
-			return nil, fmt.Errorf("unexpected pem block type: %v", block.Type)
-		}
-
-		certificate, err := x509.ParseCertificate(block.Bytes)
-		if err != nil {
-			return nil, fmt.Errorf("failed parsing x509 certificate: %v", err)
-		}
-		certificates = append(certificates, certificate)
-	}
-	return certificates, nil
-}
-
-// NewCertPool returns a new cert pool from a list of certificates
-func NewCertPool(certificates []*x509.Certificate) *x509.CertPool {
-	pool := x509.NewCertPool()
-	for _, certificate := range certificates {
-		pool.AddCert(certificate)
-	}
-	return pool
-}
-
-// VerifyChain checks whether the listed certificates are chained such
-// that the first is signed by the second, the second by the third, etc.
-//
-// Note: it is up to the caller to determine whether the final certificate
-// is a valid trust anchor.
-func VerifyChain(chain []*x509.Certificate) error {
-	for i := 0; i < len(chain)-1; i++ {
-		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// ParseDerChain parses a list of DER-encoded X.509 certificates, such that the
-// first (zero-index) blob is interpretted as an end-entity certificate and
-// the remaining ones as its intermediate CertPool.
-//
-// Note: these are the parameters you will need to use x509.Certificate.Verify()
-// with x509.VerifyOptions that include both a pool of roots and intermediates.
-func ParseDerChain(chain [][]byte) (*x509.Certificate, *x509.CertPool, error) {
-	certificates, err := ParseDerList(chain)
-	if err != nil {
-		return nil, nil, err
-	}
-	if len(certificates) == 0 {
-		return nil, nil, fmt.Errorf("empty certificate chain")
-	}
-	intermediatePool := x509.NewCertPool()
-	for _, certificate := range certificates[1:] {
-		intermediatePool.AddCert(certificate)
-	}
-	return certificates[0], intermediatePool, nil
-}
-
-// ParseDerList parses a list of DER-encoded X.509 certificates
-func ParseDerList(certificates [][]byte) ([]*x509.Certificate, error) {
-	ret := make([]*x509.Certificate, 0, len(certificates))
-	for _, der := range certificates {
-		c, err := x509.ParseCertificate(der)
-		if err != nil {
-			return nil, fmt.Errorf("certificate decoding failed: %v", err)
-		}
-		ret = append(ret, c)
-	}
-	return ret, nil
-}
diff --git a/x509util/x509util_test.go b/x509util/x509util_test.go
deleted file mode 100644
index 298293b..0000000
--- a/x509util/x509util_test.go
+++ /dev/null
@@ -1,332 +0,0 @@
-package x509util
-
-import (
- "bytes"
- "fmt"
- "testing"
-
- "crypto/x509"
-
- "github.com/system-transparency/stfe/x509util/testdata"
-)
-
-func TestNewEd25519PrivateKey(t *testing.T) {
- for _, table := range []struct {
- description string
- pem []byte
- wantErr bool
- }{
- {
- description: "bad block: unwanted white space",
- pem: testdata.Ed25519PrivateKeyBadWhiteSpace,
- wantErr: true,
- },
- {
- description: "invalid block type",
- pem: testdata.EndEntityCertificate,
- wantErr: true,
- },
- {
- description: "bad block: trailing data",
- pem: testdata.DoubleEd25519PrivateKey,
- wantErr: true,
- },
- {
- description: "bad block bytes: truncated key",
- pem: testdata.TruncatedEd25519PrivateKey,
- wantErr: true,
- },
- {
- description: "bad block bytes: not an ed25519 private key",
- pem: testdata.NotEd25519PrivateKey,
- wantErr: true,
- },
- {
- description: "ok ed25519 private key",
- pem: testdata.EndEntityPrivateKey,
- },
- } {
- _, err := NewEd25519PrivateKey(table.pem)
- if got, want := err != nil, table.wantErr; got != want {
- t.Errorf("got error=%v but wanted %v in test %q: %v", got, want, table.description, err)
- }
- }
-}
-
-func TestNewCertificateList(t *testing.T) {
- for _, table := range []struct {
- description string
- pem []byte
- wantErr bool
- wantSerial []string
- }{
- {
- description: "invalid block type",
- pem: testdata.EndEntityPrivateKey,
- wantErr: true,
- },
- {
- description: "bad block bytes: not a certificate",
- pem: testdata.NotACertificate,
- wantErr: true,
- },
- {
- description: "bad block bytes: truncated certificate",
- pem: testdata.TruncatedCertificate,
- wantErr: true,
- },
- {
- description: "bad block bytes: truncated certificate in list",
- pem: append(testdata.TruncatedCertificate, testdata.IntermediateCertificate...),
- wantErr: true,
- },
- {
- description: "bad block: unwanted white spaces",
- pem: testdata.CertificateBadWhiteSpace,
- wantErr: true,
- },
- {
- description: "ok certificate list: empty",
- pem: []byte{},
- wantSerial: nil,
- },
- {
- description: "ok certificate list: size 1",
- pem: testdata.EndEntityCertificate,
- wantSerial: []string{testdata.EndEntityCertificateSerial},
- },
- {
- description: "ok certificate list: size 2",
- pem: testdata.IntermediateChain,
- wantSerial: []string{testdata.EndEntityCertificateSerial, testdata.IntermediateCertificateSerial},
- },
- {
- description: "ok certificate list: size 3",
- pem: testdata.RootChain,
- wantSerial: []string{
- testdata.EndEntityCertificateSerial,
- testdata.IntermediateCertificateSerial,
- testdata.RootCertificateSerial,
- },
- },
- } {
- list, err := NewCertificateList(table.pem)
- if got, want := err != nil, table.wantErr; got != want {
- t.Errorf("got error=%v but wanted %v in test %q: %v", got, want, table.description, err)
- }
- if err != nil {
- continue
- }
- if got, want := len(list), len(table.wantSerial); got != want {
- t.Errorf("got list of length %d but wanted %d in test %q", got, want, table.description)
- continue
- }
- for i, certificate := range list {
- if got, want := fmt.Sprintf("%v", certificate.SerialNumber), table.wantSerial[i]; got != want {
- t.Errorf("Got serial number %s but wanted %s on index %d and test %q", got, want, i, table.description)
- }
- }
- }
-}
-
-func TestNewCertPool(t *testing.T) {
- for i, pem := range [][]byte{
- testdata.EndEntityCertificate,
- testdata.IntermediateChain,
- testdata.RootChain,
- } {
- list, err := NewCertificateList(pem)
- if err != nil {
- t.Fatalf("must parse chain: %v", err)
- }
- pool := NewCertPool(list)
- if got, want := len(pool.Subjects()), len(list); got != want {
- t.Errorf("got pool of size %d but wanted %d in test %d", got, want, i)
- continue
- }
- for j, got := range pool.Subjects() {
- if want := list[j].RawSubject; !bytes.Equal(got, want) {
- t.Errorf("got subject[%d]=%X but wanted %X in test %d", j, got, want, i)
- }
- }
- }
-}
-
-func TestParseDerChain(t *testing.T) {
- for _, table := range []struct {
- description string
- chain [][]byte
- wantErr bool
- }{
- {
- description: "invalid chain: empty",
- wantErr: true,
- },
- {
- description: "invalid chain: first certificate: byte is missing",
- chain: [][]byte{
- mustMakeDerList(t, testdata.IntermediateChain)[0][1:],
- mustMakeDerList(t, testdata.IntermediateChain)[1],
- },
- wantErr: true,
- },
- {
- description: "valid chain: size 1",
- chain: mustMakeDerList(t, testdata.EndEntityCertificate),
- },
- {
- description: "valid chain: size 2",
- chain: mustMakeDerList(t, testdata.IntermediateChain),
- },
- {
- description: "valid chain: size 3",
- chain: mustMakeDerList(t, testdata.RootChain),
- },
- } {
- cert, pool, err := ParseDerChain(table.chain)
- if got, want := err != nil, table.wantErr; got != want {
- t.Errorf("got error=%v but wanted %v in test %q: %v", got, want, table.description, err)
- }
- if err != nil {
- continue
- }
-
- if got, want := cert.Raw, table.chain[0]; !bytes.Equal(got, want) {
- t.Errorf("got end-entity certificate %X but wanted %X in test %q", got, want, table.description)
- }
- if got, want := len(pool.Subjects()), len(table.chain)-1; got != want {
- t.Errorf("got %d intermediates but wanted %d in test %q", got, want, table.description)
- continue
- }
- for _, der := range table.chain[1:] {
- want := mustMakeCertificate(t, der).RawSubject
- ok := false
- for _, got := range pool.Subjects() {
- if bytes.Equal(got, want) {
- ok = true
- break
- }
- }
- if !ok {
- t.Errorf("want subject %X but found no match in test %q", want, table.description)
- }
- }
- }
-}
-
-func TestParseDerList(t *testing.T) {
- for _, table := range []struct {
- description string
- list [][]byte
- wantErr bool
- }{
- {
- description: "invalid certificate: first certificate: byte is missing",
- list: [][]byte{
- mustMakeDerList(t, testdata.IntermediateChain)[0][1:],
- mustMakeDerList(t, testdata.IntermediateChain)[1],
- },
- wantErr: true,
- },
- {
- description: "invalid certificate: second certificate: byte is missing",
- list: [][]byte{
- mustMakeDerList(t, testdata.IntermediateChain)[0],
- mustMakeDerList(t, testdata.IntermediateChain)[1][1:],
- },
- wantErr: true,
- },
- {
- description: "valid certificate list: empty",
- },
- {
- description: "valid certificate list: size 1",
- list: mustMakeDerList(t, testdata.EndEntityCertificate),
- },
- {
- description: "valid certificate list: size 2",
- list: mustMakeDerList(t, testdata.IntermediateChain),
- },
- {
- description: "valid certificate list: size 3",
- list: mustMakeDerList(t, testdata.RootChain),
- },
- } {
- list, err := ParseDerList(table.list)
- if got, want := err != nil, table.wantErr; got != want {
- t.Errorf("got error=%v but wanted %v in test %q: %v", got, want, table.description, err)
- }
- if err != nil {
- continue
- }
-
- if got, want := len(list), len(table.list); got != want {
- t.Errorf("got %d certifictes but wanted %d in test %q", got, want, table.description)
- continue
- }
- for i, cert := range list {
- if got, want := cert.Raw, table.list[i]; !bytes.Equal(got, want) {
- t.Errorf("got certificate bytes %X but wanted %X in test %q", got, want, table.description)
- }
- }
- }
-}
-
-func TestVerifyChain(t *testing.T) {
- for _, table := range []struct {
- description string
- pem []byte
- wantErr bool
- }{
- {
- description: "invalid chain: intermediate did not sign end-entity",
- pem: testdata.ChainBadIntermediate,
- wantErr: true,
- },
- {
- description: "invalid chain: root did not sign intermediate",
- pem: testdata.ChainBadRoot,
- wantErr: true,
- },
- {
- description: "valid chain",
- pem: testdata.RootChain,
- },
- {
- description: "valid chain 2",
- pem: testdata.RootChain2,
- },
- } {
- chain, err := NewCertificateList(table.pem)
- if err != nil {
- t.Fatalf("must parse chain: %v", err)
- }
- err = VerifyChain(chain)
- if got, want := err != nil, table.wantErr; got != want {
- t.Errorf("got error %v but wanted %v in test %q: %v", got, want, table.description, err)
- }
- }
-}
-
-// mustMakeDerList must parse a PEM-encoded list of certificates to DER
-func mustMakeDerList(t *testing.T, pem []byte) [][]byte {
- certs, err := NewCertificateList(pem)
- if err != nil {
- t.Fatalf("must parse pem-encoded certificates: %v", err)
- }
-
- list := make([][]byte, 0, len(certs))
- for _, cert := range certs {
- list = append(list, cert.Raw)
- }
- return list
-}
-
-// mustMakeCertificate must parse a DER-encoded certificate
-func mustMakeCertificate(t *testing.T, der []byte) *x509.Certificate {
- cert, err := x509.ParseCertificate(der)
- if err != nil {
- t.Fatalf("must parsse der-encoded certificate: %v", err)
- }
- return cert
-} |