Source file
src/crypto/tls/fips140_test.go
1
2
3
4
5 package tls
6
7 import (
8 "crypto/ecdsa"
9 "crypto/elliptic"
10 "crypto/internal/boring"
11 "crypto/rand"
12 "crypto/rsa"
13 "crypto/x509"
14 "crypto/x509/pkix"
15 "encoding/pem"
16 "fmt"
17 "internal/obscuretestdata"
18 "internal/testenv"
19 "math/big"
20 "net"
21 "os"
22 "runtime"
23 "strings"
24 "testing"
25 "time"
26 )
27
28 func allCipherSuitesIncludingTLS13() []uint16 {
29 s := allCipherSuites()
30 for _, suite := range cipherSuitesTLS13 {
31 s = append(s, suite.id)
32 }
33 return s
34 }
35
36 func isTLS13CipherSuite(id uint16) bool {
37 for _, suite := range cipherSuitesTLS13 {
38 if id == suite.id {
39 return true
40 }
41 }
42 return false
43 }
44
45 func generateKeyShare(group CurveID) keyShare {
46 key, err := generateECDHEKey(rand.Reader, group)
47 if err != nil {
48 panic(err)
49 }
50 return keyShare{group: group, data: key.PublicKey().Bytes()}
51 }
52
53 func TestFIPSServerProtocolVersion(t *testing.T) {
54 test := func(t *testing.T, name string, v uint16, msg string) {
55 t.Run(name, func(t *testing.T) {
56 serverConfig := testConfig.Clone()
57 serverConfig.MinVersion = VersionSSL30
58 clientConfig := testConfig.Clone()
59 clientConfig.MinVersion = v
60 clientConfig.MaxVersion = v
61 _, _, err := testHandshake(t, clientConfig, serverConfig)
62 if msg == "" {
63 if err != nil {
64 t.Fatalf("got error: %v, expected success", err)
65 }
66 } else {
67 if err == nil {
68 t.Fatalf("got success, expected error")
69 }
70 if !strings.Contains(err.Error(), msg) {
71 t.Fatalf("got error %v, expected %q", err, msg)
72 }
73 }
74 })
75 }
76
77 runWithFIPSDisabled(t, func(t *testing.T) {
78 test(t, "VersionTLS10", VersionTLS10, "")
79 test(t, "VersionTLS11", VersionTLS11, "")
80 test(t, "VersionTLS12", VersionTLS12, "")
81 test(t, "VersionTLS13", VersionTLS13, "")
82 })
83
84 runWithFIPSEnabled(t, func(t *testing.T) {
85 test(t, "VersionTLS10", VersionTLS10, "supported versions")
86 test(t, "VersionTLS11", VersionTLS11, "supported versions")
87 test(t, "VersionTLS12", VersionTLS12, "")
88 test(t, "VersionTLS13", VersionTLS13, "")
89 })
90 }
91
92 func isFIPSVersion(v uint16) bool {
93 return v == VersionTLS12 || v == VersionTLS13
94 }
95
96 func isFIPSCipherSuite(id uint16) bool {
97 name := CipherSuiteName(id)
98 if isTLS13CipherSuite(id) {
99 switch id {
100 case TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384:
101 return true
102 case TLS_CHACHA20_POLY1305_SHA256:
103 return false
104 default:
105 panic("unknown TLS 1.3 cipher suite: " + name)
106 }
107 }
108 switch id {
109 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
110 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
111 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
112 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
113 return true
114 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
115 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
116
117 return !boring.Enabled
118 }
119 switch {
120 case strings.Contains(name, "CHACHA20"):
121 return false
122 case strings.HasSuffix(name, "_SHA"):
123 return false
124 case strings.HasPrefix(name, "TLS_RSA"):
125 return false
126 default:
127 panic("unknown cipher suite: " + name)
128 }
129 }
130
131 func isFIPSCurve(id CurveID) bool {
132 switch id {
133 case CurveP256, CurveP384, CurveP521:
134 return true
135 case X25519MLKEM768:
136
137 return !boring.Enabled
138 case X25519:
139 return false
140 default:
141 panic("unknown curve: " + id.String())
142 }
143 }
144
145 func isECDSA(id uint16) bool {
146 for _, suite := range cipherSuites {
147 if suite.id == id {
148 return suite.flags&suiteECSign == suiteECSign
149 }
150 }
151 return false
152 }
153
154 func isFIPSSignatureScheme(alg SignatureScheme) bool {
155 switch alg {
156 case PKCS1WithSHA256,
157 ECDSAWithP256AndSHA256,
158 PKCS1WithSHA384,
159 ECDSAWithP384AndSHA384,
160 PKCS1WithSHA512,
161 ECDSAWithP521AndSHA512,
162 PSSWithSHA256,
163 PSSWithSHA384,
164 PSSWithSHA512:
165 return true
166 case Ed25519:
167
168 return !boring.Enabled
169 case PKCS1WithSHA1, ECDSAWithSHA1:
170 return false
171 default:
172 panic("unknown signature scheme: " + alg.String())
173 }
174 }
175
176 func TestFIPSServerCipherSuites(t *testing.T) {
177 serverConfig := testConfig.Clone()
178 serverConfig.Certificates = make([]Certificate, 1)
179
180 for _, id := range allCipherSuitesIncludingTLS13() {
181 if isECDSA(id) {
182 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
183 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
184 } else {
185 serverConfig.Certificates[0].Certificate = [][]byte{testRSACertificate}
186 serverConfig.Certificates[0].PrivateKey = testRSAPrivateKey
187 }
188 serverConfig.BuildNameToCertificate()
189 t.Run(fmt.Sprintf("suite=%s", CipherSuiteName(id)), func(t *testing.T) {
190 clientHello := &clientHelloMsg{
191 vers: VersionTLS12,
192 random: make([]byte, 32),
193 cipherSuites: []uint16{id},
194 compressionMethods: []uint8{compressionNone},
195 supportedCurves: defaultCurvePreferences(),
196 keyShares: []keyShare{generateKeyShare(CurveP256)},
197 supportedPoints: []uint8{pointFormatUncompressed},
198 supportedVersions: []uint16{VersionTLS12},
199 supportedSignatureAlgorithms: allowedSignatureAlgorithmsFIPS,
200 }
201 if isTLS13CipherSuite(id) {
202 clientHello.supportedVersions = []uint16{VersionTLS13}
203 }
204
205 runWithFIPSDisabled(t, func(t *testing.T) {
206 testClientHello(t, serverConfig, clientHello)
207 })
208
209 runWithFIPSEnabled(t, func(t *testing.T) {
210 msg := ""
211 if !isFIPSCipherSuite(id) {
212 msg = "no cipher suite supported by both client and server"
213 }
214 testClientHelloFailure(t, serverConfig, clientHello, msg)
215 })
216 })
217 }
218 }
219
220 func TestFIPSServerCurves(t *testing.T) {
221 serverConfig := testConfig.Clone()
222 serverConfig.CurvePreferences = nil
223 serverConfig.BuildNameToCertificate()
224
225 for _, curveid := range defaultCurvePreferences() {
226 t.Run(fmt.Sprintf("curve=%v", curveid), func(t *testing.T) {
227 clientConfig := testConfig.Clone()
228 clientConfig.CurvePreferences = []CurveID{curveid}
229
230 runWithFIPSDisabled(t, func(t *testing.T) {
231 if _, _, err := testHandshake(t, clientConfig, serverConfig); err != nil {
232 t.Fatalf("got error: %v, expected success", err)
233 }
234 })
235
236
237 runWithFIPSEnabled(t, func(t *testing.T) {
238 _, _, err := testHandshake(t, clientConfig, serverConfig)
239 if err != nil && isFIPSCurve(curveid) {
240 t.Fatalf("got error: %v, expected success", err)
241 } else if err == nil && !isFIPSCurve(curveid) {
242 t.Fatalf("got success, expected error")
243 }
244 })
245 })
246 }
247 }
248
249 func fipsHandshake(t *testing.T, clientConfig, serverConfig *Config) (clientErr, serverErr error) {
250 c, s := localPipe(t)
251 client := Client(c, clientConfig)
252 server := Server(s, serverConfig)
253 done := make(chan error, 1)
254 go func() {
255 done <- client.Handshake()
256 c.Close()
257 }()
258 serverErr = server.Handshake()
259 s.Close()
260 clientErr = <-done
261 return
262 }
263
264 func TestFIPSServerSignatureAndHash(t *testing.T) {
265 defer func() {
266 testingOnlySupportedSignatureAlgorithms = nil
267 }()
268 defer func(godebug string) {
269 os.Setenv("GODEBUG", godebug)
270 }(os.Getenv("GODEBUG"))
271 os.Setenv("GODEBUG", "tlssha1=1")
272
273 for _, sigHash := range defaultSupportedSignatureAlgorithms() {
274 t.Run(fmt.Sprintf("%v", sigHash), func(t *testing.T) {
275 serverConfig := testConfig.Clone()
276 serverConfig.Certificates = make([]Certificate, 1)
277
278 testingOnlySupportedSignatureAlgorithms = []SignatureScheme{sigHash}
279
280 sigType, _, _ := typeAndHashFromSignatureScheme(sigHash)
281 switch sigType {
282 case signaturePKCS1v15, signatureRSAPSS:
283 serverConfig.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
284 serverConfig.Certificates[0].Certificate = [][]byte{testRSAPSS2048Certificate}
285 serverConfig.Certificates[0].PrivateKey = testRSAPSS2048PrivateKey
286 case signatureEd25519:
287 serverConfig.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
288 serverConfig.Certificates[0].Certificate = [][]byte{testEd25519Certificate}
289 serverConfig.Certificates[0].PrivateKey = testEd25519PrivateKey
290 case signatureECDSA:
291 serverConfig.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
292 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
293 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
294 }
295 serverConfig.BuildNameToCertificate()
296
297
298 serverConfig.MaxVersion = VersionTLS12
299
300 runWithFIPSDisabled(t, func(t *testing.T) {
301 clientErr, serverErr := fipsHandshake(t, testConfig, serverConfig)
302 if clientErr != nil {
303 t.Fatalf("expected handshake with %v to succeed; client error: %v; server error: %v", sigHash, clientErr, serverErr)
304 }
305 })
306
307
308 runWithFIPSEnabled(t, func(t *testing.T) {
309 clientErr, _ := fipsHandshake(t, testConfig, serverConfig)
310 if isFIPSSignatureScheme(sigHash) {
311 if clientErr != nil {
312 t.Fatalf("expected handshake with %v to succeed; err=%v", sigHash, clientErr)
313 }
314 } else {
315 if clientErr == nil {
316 t.Fatalf("expected handshake with %v to fail, but it succeeded", sigHash)
317 }
318 }
319 })
320 })
321 }
322 }
323
324 func TestFIPSClientHello(t *testing.T) {
325 runWithFIPSEnabled(t, testFIPSClientHello)
326 }
327
328 func testFIPSClientHello(t *testing.T) {
329
330
331
332 c, s := net.Pipe()
333 defer c.Close()
334 defer s.Close()
335
336 clientConfig := testConfig.Clone()
337
338 clientConfig.MinVersion = VersionSSL30
339 clientConfig.MaxVersion = VersionTLS13
340 clientConfig.CipherSuites = allCipherSuites()
341 clientConfig.CurvePreferences = defaultCurvePreferences()
342
343 go Client(c, clientConfig).Handshake()
344 srv := Server(s, testConfig)
345 msg, err := srv.readHandshake(nil)
346 if err != nil {
347 t.Fatal(err)
348 }
349 hello, ok := msg.(*clientHelloMsg)
350 if !ok {
351 t.Fatalf("unexpected message type %T", msg)
352 }
353
354 if !isFIPSVersion(hello.vers) {
355 t.Errorf("client vers=%#x", hello.vers)
356 }
357 for _, v := range hello.supportedVersions {
358 if !isFIPSVersion(v) {
359 t.Errorf("client offered disallowed version %#x", v)
360 }
361 }
362 for _, id := range hello.cipherSuites {
363 if !isFIPSCipherSuite(id) {
364 t.Errorf("client offered disallowed suite %v", CipherSuiteName(id))
365 }
366 }
367 for _, id := range hello.supportedCurves {
368 if !isFIPSCurve(id) {
369 t.Errorf("client offered disallowed curve %v", id)
370 }
371 }
372 for _, sigHash := range hello.supportedSignatureAlgorithms {
373 if !isFIPSSignatureScheme(sigHash) {
374 t.Errorf("client offered disallowed signature-and-hash %v", sigHash)
375 }
376 }
377 }
378
379 func TestFIPSCertAlgs(t *testing.T) {
380
381
382 if testenv.CPUIsSlow() {
383 t.Skipf("skipping on %s/%s because key generation takes too long", runtime.GOOS, runtime.GOARCH)
384 }
385
386
387
388 R1 := fipsCert(t, "R1", fipsRSAKey(t, 2048), nil, fipsCertCA|fipsCertFIPSOK)
389 R2 := fipsCert(t, "R2", fipsRSAKey(t, 1024), nil, fipsCertCA)
390 R3 := fipsCert(t, "R3", fipsRSAKey(t, 4096), nil, fipsCertCA|fipsCertFIPSOK)
391
392 M1_R1 := fipsCert(t, "M1_R1", fipsECDSAKey(t, elliptic.P256()), R1, fipsCertCA|fipsCertFIPSOK)
393 M2_R1 := fipsCert(t, "M2_R1", fipsECDSAKey(t, elliptic.P224()), R1, fipsCertCA)
394
395 I_R1 := fipsCert(t, "I_R1", fipsRSAKey(t, 3072), R1, fipsCertCA|fipsCertFIPSOK)
396 I_R2 := fipsCert(t, "I_R2", I_R1.key, R2, fipsCertCA|fipsCertFIPSOK)
397 I_M1 := fipsCert(t, "I_M1", I_R1.key, M1_R1, fipsCertCA|fipsCertFIPSOK)
398 I_M2 := fipsCert(t, "I_M2", I_R1.key, M2_R1, fipsCertCA|fipsCertFIPSOK)
399
400 I_R3 := fipsCert(t, "I_R3", fipsRSAKey(t, 3072), R3, fipsCertCA|fipsCertFIPSOK)
401 fipsCert(t, "I_R3", I_R3.key, R3, fipsCertCA|fipsCertFIPSOK)
402
403 L1_I := fipsCert(t, "L1_I", fipsECDSAKey(t, elliptic.P384()), I_R1, fipsCertLeaf|fipsCertFIPSOK)
404 L2_I := fipsCert(t, "L2_I", fipsRSAKey(t, 1024), I_R1, fipsCertLeaf)
405
406
407 testServerCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) {
408 clientConfig := testConfig.Clone()
409 clientConfig.RootCAs = pool
410 clientConfig.InsecureSkipVerify = false
411 clientConfig.ServerName = "example.com"
412
413 serverConfig := testConfig.Clone()
414 serverConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}}
415 serverConfig.BuildNameToCertificate()
416
417 clientErr, _ := fipsHandshake(t, clientConfig, serverConfig)
418
419 if (clientErr == nil) == ok {
420 if ok {
421 t.Logf("%s: accept", desc)
422 } else {
423 t.Logf("%s: reject", desc)
424 }
425 } else {
426 if ok {
427 t.Errorf("%s: BAD reject (%v)", desc, clientErr)
428 } else {
429 t.Errorf("%s: BAD accept", desc)
430 }
431 }
432 }
433
434
435 testClientCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) {
436 clientConfig := testConfig.Clone()
437 clientConfig.ServerName = "example.com"
438 clientConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}}
439
440 serverConfig := testConfig.Clone()
441 serverConfig.ClientCAs = pool
442 serverConfig.ClientAuth = RequireAndVerifyClientCert
443
444 _, serverErr := fipsHandshake(t, clientConfig, serverConfig)
445
446 if (serverErr == nil) == ok {
447 if ok {
448 t.Logf("%s: accept", desc)
449 } else {
450 t.Logf("%s: reject", desc)
451 }
452 } else {
453 if ok {
454 t.Errorf("%s: BAD reject (%v)", desc, serverErr)
455 } else {
456 t.Errorf("%s: BAD accept", desc)
457 }
458 }
459 }
460
461
462
463 r1pool := x509.NewCertPool()
464 r1pool.AddCert(R1.cert)
465
466 runWithFIPSDisabled(t, func(t *testing.T) {
467 testServerCert(t, "basic", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true)
468 testClientCert(t, "basic (client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true)
469 })
470
471 runWithFIPSEnabled(t, func(t *testing.T) {
472 testServerCert(t, "basic (fips)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false)
473 testClientCert(t, "basic (fips, client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false)
474 })
475
476 if t.Failed() {
477 t.Fatal("basic test failed, skipping exhaustive test")
478 }
479
480 if testing.Short() {
481 t.Logf("basic test passed; skipping exhaustive test in -short mode")
482 return
483 }
484
485 for l := 1; l <= 2; l++ {
486 leaf := L1_I
487 if l == 2 {
488 leaf = L2_I
489 }
490 for i := 0; i < 64; i++ {
491 reachable := map[string]bool{leaf.parentOrg: true}
492 reachableFIPS := map[string]bool{leaf.parentOrg: leaf.fipsOK}
493 list := [][]byte{leaf.der}
494 listName := leaf.name
495 addList := func(cond int, c *fipsCertificate) {
496 if cond != 0 {
497 list = append(list, c.der)
498 listName += "," + c.name
499 if reachable[c.org] {
500 reachable[c.parentOrg] = true
501 }
502 if reachableFIPS[c.org] && c.fipsOK {
503 reachableFIPS[c.parentOrg] = true
504 }
505 }
506 }
507 addList(i&1, I_R1)
508 addList(i&2, I_R2)
509 addList(i&4, I_M1)
510 addList(i&8, I_M2)
511 addList(i&16, M1_R1)
512 addList(i&32, M2_R1)
513
514 for r := 1; r <= 3; r++ {
515 pool := x509.NewCertPool()
516 rootName := ","
517 shouldVerify := false
518 shouldVerifyFIPS := false
519 addRoot := func(cond int, c *fipsCertificate) {
520 if cond != 0 {
521 rootName += "," + c.name
522 pool.AddCert(c.cert)
523 if reachable[c.org] {
524 shouldVerify = true
525 }
526 if reachableFIPS[c.org] && c.fipsOK {
527 shouldVerifyFIPS = true
528 }
529 }
530 }
531 addRoot(r&1, R1)
532 addRoot(r&2, R2)
533 rootName = rootName[1:]
534
535 runWithFIPSDisabled(t, func(t *testing.T) {
536 testServerCert(t, listName+"->"+rootName[1:], pool, leaf.key, list, shouldVerify)
537 testClientCert(t, listName+"->"+rootName[1:]+"(client cert)", pool, leaf.key, list, shouldVerify)
538 })
539
540 runWithFIPSEnabled(t, func(t *testing.T) {
541 testServerCert(t, listName+"->"+rootName[1:]+" (fips)", pool, leaf.key, list, shouldVerifyFIPS)
542 testClientCert(t, listName+"->"+rootName[1:]+" (fips, client cert)", pool, leaf.key, list, shouldVerifyFIPS)
543 })
544 }
545 }
546 }
547 }
548
549 const (
550 fipsCertCA = iota
551 fipsCertLeaf
552 fipsCertFIPSOK = 0x80
553 )
554
555 func fipsRSAKey(t *testing.T, size int) *rsa.PrivateKey {
556 k, err := rsa.GenerateKey(rand.Reader, size)
557 if err != nil {
558 t.Fatal(err)
559 }
560 return k
561 }
562
563 func fipsECDSAKey(t *testing.T, curve elliptic.Curve) *ecdsa.PrivateKey {
564 k, err := ecdsa.GenerateKey(curve, rand.Reader)
565 if err != nil {
566 t.Fatal(err)
567 }
568 return k
569 }
570
571 type fipsCertificate struct {
572 name string
573 org string
574 parentOrg string
575 der []byte
576 cert *x509.Certificate
577 key interface{}
578 fipsOK bool
579 }
580
581 func fipsCert(t *testing.T, name string, key interface{}, parent *fipsCertificate, mode int) *fipsCertificate {
582 org := name
583 parentOrg := ""
584 if i := strings.Index(org, "_"); i >= 0 {
585 org = org[:i]
586 parentOrg = name[i+1:]
587 }
588 tmpl := &x509.Certificate{
589 SerialNumber: big.NewInt(1),
590 Subject: pkix.Name{
591 Organization: []string{org},
592 },
593 NotBefore: time.Unix(0, 0),
594 NotAfter: time.Unix(0, 0),
595
596 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
597 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
598 BasicConstraintsValid: true,
599 }
600 if mode&^fipsCertFIPSOK == fipsCertLeaf {
601 tmpl.DNSNames = []string{"example.com"}
602 } else {
603 tmpl.IsCA = true
604 tmpl.KeyUsage |= x509.KeyUsageCertSign
605 }
606
607 var pcert *x509.Certificate
608 var pkey interface{}
609 if parent != nil {
610 pcert = parent.cert
611 pkey = parent.key
612 } else {
613 pcert = tmpl
614 pkey = key
615 }
616
617 var pub interface{}
618 var desc string
619 switch k := key.(type) {
620 case *rsa.PrivateKey:
621 pub = &k.PublicKey
622 desc = fmt.Sprintf("RSA-%d", k.N.BitLen())
623 case *ecdsa.PrivateKey:
624 pub = &k.PublicKey
625 desc = "ECDSA-" + k.Curve.Params().Name
626 default:
627 t.Fatalf("invalid key %T", key)
628 }
629
630 der, err := x509.CreateCertificate(rand.Reader, tmpl, pcert, pub, pkey)
631 if err != nil {
632 t.Fatal(err)
633 }
634 cert, err := x509.ParseCertificate(der)
635 if err != nil {
636 t.Fatal(err)
637 }
638
639 fipsOK := mode&fipsCertFIPSOK != 0
640 runWithFIPSEnabled(t, func(t *testing.T) {
641 if isCertificateAllowedFIPS(cert) != fipsOK {
642 t.Errorf("fipsAllowCert(cert with %s key) = %v, want %v", desc, !fipsOK, fipsOK)
643 }
644 })
645
646 return &fipsCertificate{name, org, parentOrg, der, cert, key, fipsOK}
647 }
648
649
650
651 var (
652 testRSAPSS2048Certificate []byte
653 testRSAPSS2048PrivateKey *rsa.PrivateKey
654 )
655
656 func init() {
657 block, _ := pem.Decode(obscuretestdata.Rot13([]byte(`
658 -----ORTVA PREGVSVPNGR-----
659 ZVVP/mPPNrrtNjVONtVENYUUK/xu4+4mZH9QnemORpDjQDLWXbMVuipANDRYODNj
660 RwRDZN4TN1HRPuZUDJAgMFOQomNrSj0kZGNkZQRkAGN0ZQInSj0lZQRlZwxkAGN0
661 ZQInZOVkRQNBOtAIONbGO0SwoJHtD28jttRvZN0TPFdTFVo3QDRONDHNN4VOQjNj
662 ttRXNbVONDPs8sx0A6vrPOK4VBIVsXvgg4xTpBDYrvzPsfwddUplfZVITRgSFZ6R
663 4Nl141s/7VdqJ0HgVdAo4CKuEBVQ7lQkE284kY6KoPhi/g5uC3HpruLp3uzYvlIq
664 ZxMDvMJgsHHWs/1dBgZ+buAt59YEJc4q+6vK0yn1WY3RjPVpxxAwW9uDoS7Co2PF
665 +RF9Lb55XNnc8XBoycpE8ZOFA38odajwsDqPKiBRBwnz2UHkXmRSK5ZN+sN0zr4P
666 vbPpPEYJXy+TbA9S8sNOsbM+G+2rny4QYhB95eKE8FeBVIOu3KSBe/EIuwgKpAIS
667 MXpiQg6q68I6wNXNLXz5ayw9TCcq4i+eNtZONNTwHQOBZN4TN1HqQjRO/jDRNjVS
668 bQNGOtAIUFHRQQNXOtteOtRSODpQNGNZOtAIUEZONs8RNwNNZOxTN1HqRDDFZOPP
669 QzI4LJ1joTHhM29fLJ5aZN0TPFdTFVo3QDROPjHNN4VONDPBbLfIpSPOuobdr3JU
670 qP6I7KKKRPzawu01e8u80li0AE379aFQ3pj2Z+UXinKlfJdey5uwTIXj0igjQ81e
671 I4WmQh7VsVbt5z8+DAP+7YdQMfm88iQXBefblFIBzHPtzPXSKrj+YN+rB/vDRWGe
672 7rafqqBrKWRc27Rq5iJ+xzJJ3Dztyp2Tjl8jSeZQVdaeaBmON4bPaQRtgKWg0mbt
673 aEjosRZNJv1nDEl5qG9XN3FC9zb5FrGSFmTTUvR4f4tUHr7wifNSS2dtgQ6+jU6f
674 m9o6fukaP7t5VyOXuV7FIO/Hdg2lqW+xU1LowZpVd6ANZ5rAZXtMhWe3+mjfFtju
675 TAnR
676 -----RAQ PREGVSVPNGR-----`)))
677 testRSAPSS2048Certificate = block.Bytes
678
679 block, _ = pem.Decode(obscuretestdata.Rot13([]byte(`
680 -----ORTVA EFN CEVINGR XRL-----
681 ZVVRcNVONNXPNDRNa/U5AQrbattI+PQyFUlbeorWOaQxP3bcta7V6du3ZeQPSEuY
682 EHwBuBNZgrAK/+lXaIgSYFXwJ+Q14HGvN+8t8HqiBZF+y2jee/7rLG91UUbJUA4M
683 v4fyKGWTHVzIeK1SPK/9nweGCdVGLBsF0IdrUshby9WJgFF9kZNvUWWQLlsLHTkr
684 m29txiuRiJXBrFtTdsPwz5nKRsQNHwq/T6c8V30UDy7muQb2cgu1ZFfkOI+GNCaj
685 AWahNbdNaNxF1vcsudQsEsUjNK6Tsx/gazcrNl7wirn10sRdmvSDLq1kGd/0ILL7
686 I3QIEJFaYj7rariSrbjPtTPchM5L/Ew6KrY/djVQNDNONbVONDPAcZMvsq/it42u
687 UqPiYhMnLF0E7FhaSycbKRfygTqYSfac0VsbWM/htSDOFNVVsYjZhzH6bKN1m7Hi
688 98nVLI61QrCeGPQIQSOfUoAzC8WNb8JgohfRojq5mlbO7YLT2+pyxWxyJR73XdHd
689 ezV+HWrlFpy2Tva7MGkOKm1JCOx9IjpajxrnKctNFVOJ23suRPZ9taLRRjnOrm5G
690 6Zr8q1gUgLDi7ifXr7eb9j9/UXeEKrwdLXX1YkxusSevlI+z8YMWMa2aKBn6T3tS
691 Ao8Dx1Hx5CHORAOzlZSWuG4Z/hhFd4LgZeeB2tv8D+sCuhTmp5FfuLXEOc0J4C5e
692 zgIPgRSENbTONZRAOVSYeI2+UfTw0kLSnfXbi/DCr6UFGE1Uu2VMBAc+bX4bfmJR
693 wOG4IpaVGzcy6gP1Jl4TpekwAtXVSMNw+1k1YHHYqbeKxhT8le0gNuT9mAlsJfFl
694 CeFbiP0HIome8Wkkyn+xDIkRDDdJDkCyRIhY8xKnVQN6Ylg1Uchn2YiCNbTONADM
695 p6Yd2G7+OkYkAqv2z8xMmrw5xtmOc/KqIfoSJEyroVK2XeSUfeUmG9CHx3QR1iMX
696 Z6cmGg94aDuJFxQtPnj1FbuRyW3USVSjphfS1FWNp3cDrcq8ht6VLqycQZYgOw/C
697 /5C6OIHgtb05R4+V/G3vLngztyDkGgyM0ExFI2yyNbTONYBKxXSK7nuCis0JxfQu
698 hGshSBGCbbjtDT0RctJ0jEqPkrt/WYvp3yFQ0tfggDI2JfErpelJpknryEt10EzB
699 38OobtzunS4kitfFihwBsvMGR8bX1G43Z+6AXfVyZY3LVYocH/9nWkCJl0f2QdQe
700 pDWuMeyx+cmwON7Oas/HEqjkNbTNXE/PAj14Q+zeY3LYoovPKvlqdkIjki5cqMqm
701 8guv3GApfJP4vTHEqpIdosHvaICqWvKr/Xnp3JTPrEWnSItoXNBkYgv1EO5ZxVut
702 Q8rlhcOdx4J1Y1txekdfqw4GSykxjZljwy2R2F4LlD8COg6I04QbIEMfVXmdm+CS
703 HvbaCd0PtLOPLKidvbWuCrjxBd/L5jeQOrMJ1SDX5DQ9J5Z8/5mkq4eqiWgwuoWc
704 bBegiZqey6hcl9Um4OWQ3SKjISvCSR7wdrAdv0S21ivYkOCZZQ3HBQS6YY5RlYvE
705 9I4kIZF8XKkit7ekfhdmZCfpIvnJHY6JAIOufQ2+92qUkFKmm5RWXD==
706 -----RAQ EFN CEVINGR XRL-----`)))
707 var err error
708 testRSAPSS2048PrivateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
709 if err != nil {
710 panic(err)
711 }
712 }
713
View as plain text