Source file
src/crypto/tls/fips_test.go
1
2
3
4
5 package tls
6
7 import (
8 "crypto/ecdsa"
9 "crypto/elliptic"
10 "crypto/rand"
11 "crypto/rsa"
12 "crypto/x509"
13 "crypto/x509/pkix"
14 "encoding/pem"
15 "fmt"
16 "internal/obscuretestdata"
17 "internal/testenv"
18 "math/big"
19 "net"
20 "runtime"
21 "strings"
22 "testing"
23 "time"
24 )
25
26 func allCipherSuitesIncludingTLS13() []uint16 {
27 s := allCipherSuites()
28 for _, suite := range cipherSuitesTLS13 {
29 s = append(s, suite.id)
30 }
31 return s
32 }
33
34 func isTLS13CipherSuite(id uint16) bool {
35 for _, suite := range cipherSuitesTLS13 {
36 if id == suite.id {
37 return true
38 }
39 }
40 return false
41 }
42
43 func generateKeyShare(group CurveID) keyShare {
44 key, err := generateECDHEKey(rand.Reader, group)
45 if err != nil {
46 panic(err)
47 }
48 return keyShare{group: group, data: key.PublicKey().Bytes()}
49 }
50
51 func TestFIPSServerProtocolVersion(t *testing.T) {
52 test := func(t *testing.T, name string, v uint16, msg string) {
53 t.Run(name, func(t *testing.T) {
54 serverConfig := testConfig.Clone()
55 serverConfig.MinVersion = VersionSSL30
56 clientConfig := testConfig.Clone()
57 clientConfig.MinVersion = v
58 clientConfig.MaxVersion = v
59 _, _, err := testHandshake(t, clientConfig, serverConfig)
60 if msg == "" {
61 if err != nil {
62 t.Fatalf("got error: %v, expected success", err)
63 }
64 } else {
65 if err == nil {
66 t.Fatalf("got success, expected error")
67 }
68 if !strings.Contains(err.Error(), msg) {
69 t.Fatalf("got error %v, expected %q", err, msg)
70 }
71 }
72 })
73 }
74
75 runWithFIPSDisabled(t, func(t *testing.T) {
76 test(t, "VersionTLS10", VersionTLS10, "")
77 test(t, "VersionTLS11", VersionTLS11, "")
78 test(t, "VersionTLS12", VersionTLS12, "")
79 test(t, "VersionTLS13", VersionTLS13, "")
80 })
81
82 runWithFIPSEnabled(t, func(t *testing.T) {
83 test(t, "VersionTLS10", VersionTLS10, "supported versions")
84 test(t, "VersionTLS11", VersionTLS11, "supported versions")
85 test(t, "VersionTLS12", VersionTLS12, "")
86 test(t, "VersionTLS13", VersionTLS13, "")
87 })
88 }
89
90 func isFIPSVersion(v uint16) bool {
91 return v == VersionTLS12 || v == VersionTLS13
92 }
93
94 func isFIPSCipherSuite(id uint16) bool {
95 switch id {
96 case TLS_AES_128_GCM_SHA256,
97 TLS_AES_256_GCM_SHA384,
98 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
99 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
100 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
101 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
102 return true
103 }
104 return false
105 }
106
107 func isFIPSCurve(id CurveID) bool {
108 switch id {
109 case CurveP256, CurveP384, CurveP521:
110 return true
111 }
112 return false
113 }
114
115 func isECDSA(id uint16) bool {
116 for _, suite := range cipherSuites {
117 if suite.id == id {
118 return suite.flags&suiteECSign == suiteECSign
119 }
120 }
121 return false
122 }
123
124 func isFIPSSignatureScheme(alg SignatureScheme) bool {
125 switch alg {
126 default:
127 return false
128 case PKCS1WithSHA256,
129 ECDSAWithP256AndSHA256,
130 PKCS1WithSHA384,
131 ECDSAWithP384AndSHA384,
132 PKCS1WithSHA512,
133 ECDSAWithP521AndSHA512,
134 PSSWithSHA256,
135 PSSWithSHA384,
136 PSSWithSHA512:
137
138 }
139 return true
140 }
141
142 func TestFIPSServerCipherSuites(t *testing.T) {
143 serverConfig := testConfig.Clone()
144 serverConfig.Certificates = make([]Certificate, 1)
145
146 for _, id := range allCipherSuitesIncludingTLS13() {
147 if isECDSA(id) {
148 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
149 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
150 } else {
151 serverConfig.Certificates[0].Certificate = [][]byte{testRSACertificate}
152 serverConfig.Certificates[0].PrivateKey = testRSAPrivateKey
153 }
154 serverConfig.BuildNameToCertificate()
155 t.Run(fmt.Sprintf("suite=%s", CipherSuiteName(id)), func(t *testing.T) {
156 clientHello := &clientHelloMsg{
157 vers: VersionTLS12,
158 random: make([]byte, 32),
159 cipherSuites: []uint16{id},
160 compressionMethods: []uint8{compressionNone},
161 supportedCurves: defaultCurvePreferences(),
162 keyShares: []keyShare{generateKeyShare(CurveP256)},
163 supportedPoints: []uint8{pointFormatUncompressed},
164 supportedVersions: []uint16{VersionTLS12},
165 supportedSignatureAlgorithms: defaultSupportedSignatureAlgorithmsFIPS,
166 }
167 if isTLS13CipherSuite(id) {
168 clientHello.supportedVersions = []uint16{VersionTLS13}
169 }
170
171 runWithFIPSDisabled(t, func(t *testing.T) {
172 testClientHello(t, serverConfig, clientHello)
173 })
174
175 runWithFIPSEnabled(t, func(t *testing.T) {
176 msg := ""
177 if !isFIPSCipherSuite(id) {
178 msg = "no cipher suite supported by both client and server"
179 }
180 testClientHelloFailure(t, serverConfig, clientHello, msg)
181 })
182 })
183 }
184 }
185
186 func TestFIPSServerCurves(t *testing.T) {
187 serverConfig := testConfig.Clone()
188 serverConfig.CurvePreferences = nil
189 serverConfig.BuildNameToCertificate()
190
191 for _, curveid := range defaultCurvePreferences() {
192 t.Run(fmt.Sprintf("curve=%d", curveid), func(t *testing.T) {
193 clientConfig := testConfig.Clone()
194 clientConfig.CurvePreferences = []CurveID{curveid}
195
196 runWithFIPSDisabled(t, func(t *testing.T) {
197 if _, _, err := testHandshake(t, clientConfig, serverConfig); err != nil {
198 t.Fatalf("got error: %v, expected success", err)
199 }
200 })
201
202
203 runWithFIPSEnabled(t, func(t *testing.T) {
204 _, _, err := testHandshake(t, clientConfig, serverConfig)
205 if err != nil && isFIPSCurve(curveid) {
206 t.Fatalf("got error: %v, expected success", err)
207 } else if err == nil && !isFIPSCurve(curveid) {
208 t.Fatalf("got success, expected error")
209 }
210 })
211 })
212 }
213 }
214
215 func fipsHandshake(t *testing.T, clientConfig, serverConfig *Config) (clientErr, serverErr error) {
216 c, s := localPipe(t)
217 client := Client(c, clientConfig)
218 server := Server(s, serverConfig)
219 done := make(chan error, 1)
220 go func() {
221 done <- client.Handshake()
222 c.Close()
223 }()
224 serverErr = server.Handshake()
225 s.Close()
226 clientErr = <-done
227 return
228 }
229
230 func TestFIPSServerSignatureAndHash(t *testing.T) {
231 defer func() {
232 testingOnlyForceClientHelloSignatureAlgorithms = nil
233 }()
234
235 for _, sigHash := range defaultSupportedSignatureAlgorithms {
236 t.Run(fmt.Sprintf("%v", sigHash), func(t *testing.T) {
237 serverConfig := testConfig.Clone()
238 serverConfig.Certificates = make([]Certificate, 1)
239
240 testingOnlyForceClientHelloSignatureAlgorithms = []SignatureScheme{sigHash}
241
242 sigType, _, _ := typeAndHashFromSignatureScheme(sigHash)
243 switch sigType {
244 case signaturePKCS1v15, signatureRSAPSS:
245 serverConfig.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
246 serverConfig.Certificates[0].Certificate = [][]byte{testRSAPSS2048Certificate}
247 serverConfig.Certificates[0].PrivateKey = testRSAPSS2048PrivateKey
248 case signatureEd25519:
249 serverConfig.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
250 serverConfig.Certificates[0].Certificate = [][]byte{testEd25519Certificate}
251 serverConfig.Certificates[0].PrivateKey = testEd25519PrivateKey
252 case signatureECDSA:
253 serverConfig.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
254 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
255 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
256 }
257 serverConfig.BuildNameToCertificate()
258
259
260 serverConfig.MaxVersion = VersionTLS12
261
262 runWithFIPSDisabled(t, func(t *testing.T) {
263 clientErr, serverErr := fipsHandshake(t, testConfig, serverConfig)
264 if clientErr != nil {
265 t.Fatalf("expected handshake with %#x to succeed; client error: %v; server error: %v", sigHash, clientErr, serverErr)
266 }
267 })
268
269
270 runWithFIPSEnabled(t, func(t *testing.T) {
271 clientErr, _ := fipsHandshake(t, testConfig, serverConfig)
272 if isFIPSSignatureScheme(sigHash) {
273 if clientErr != nil {
274 t.Fatalf("expected handshake with %#x to succeed; err=%v", sigHash, clientErr)
275 }
276 } else {
277 if clientErr == nil {
278 t.Fatalf("expected handshake with %#x to fail, but it succeeded", sigHash)
279 }
280 }
281 })
282 })
283 }
284 }
285
286 func TestFIPSClientHello(t *testing.T) {
287 runWithFIPSEnabled(t, testFIPSClientHello)
288 }
289
290 func testFIPSClientHello(t *testing.T) {
291
292
293
294 c, s := net.Pipe()
295 defer c.Close()
296 defer s.Close()
297
298 clientConfig := testConfig.Clone()
299
300 clientConfig.MinVersion = VersionSSL30
301 clientConfig.MaxVersion = VersionTLS13
302 clientConfig.CipherSuites = allCipherSuites()
303 clientConfig.CurvePreferences = defaultCurvePreferences()
304
305 go Client(c, clientConfig).Handshake()
306 srv := Server(s, testConfig)
307 msg, err := srv.readHandshake(nil)
308 if err != nil {
309 t.Fatal(err)
310 }
311 hello, ok := msg.(*clientHelloMsg)
312 if !ok {
313 t.Fatalf("unexpected message type %T", msg)
314 }
315
316 if !isFIPSVersion(hello.vers) {
317 t.Errorf("client vers=%#x", hello.vers)
318 }
319 for _, v := range hello.supportedVersions {
320 if !isFIPSVersion(v) {
321 t.Errorf("client offered disallowed version %#x", v)
322 }
323 }
324 for _, id := range hello.cipherSuites {
325 if !isFIPSCipherSuite(id) {
326 t.Errorf("client offered disallowed suite %#x", id)
327 }
328 }
329 for _, id := range hello.supportedCurves {
330 if !isFIPSCurve(id) {
331 t.Errorf("client offered disallowed curve %d", id)
332 }
333 }
334 for _, sigHash := range hello.supportedSignatureAlgorithms {
335 if !isFIPSSignatureScheme(sigHash) {
336 t.Errorf("client offered disallowed signature-and-hash %v", sigHash)
337 }
338 }
339 }
340
341 func TestFIPSCertAlgs(t *testing.T) {
342
343
344 if testenv.CPUIsSlow() {
345 t.Skipf("skipping on %s/%s because key generation takes too long", runtime.GOOS, runtime.GOARCH)
346 }
347
348
349
350 R1 := fipsCert(t, "R1", fipsRSAKey(t, 2048), nil, fipsCertCA|fipsCertFIPSOK)
351 R2 := fipsCert(t, "R2", fipsRSAKey(t, 1024), nil, fipsCertCA)
352 R3 := fipsCert(t, "R3", fipsRSAKey(t, 4096), nil, fipsCertCA|fipsCertFIPSOK)
353
354 M1_R1 := fipsCert(t, "M1_R1", fipsECDSAKey(t, elliptic.P256()), R1, fipsCertCA|fipsCertFIPSOK)
355 M2_R1 := fipsCert(t, "M2_R1", fipsECDSAKey(t, elliptic.P224()), R1, fipsCertCA)
356
357 I_R1 := fipsCert(t, "I_R1", fipsRSAKey(t, 3072), R1, fipsCertCA|fipsCertFIPSOK)
358 I_R2 := fipsCert(t, "I_R2", I_R1.key, R2, fipsCertCA|fipsCertFIPSOK)
359 I_M1 := fipsCert(t, "I_M1", I_R1.key, M1_R1, fipsCertCA|fipsCertFIPSOK)
360 I_M2 := fipsCert(t, "I_M2", I_R1.key, M2_R1, fipsCertCA|fipsCertFIPSOK)
361
362 I_R3 := fipsCert(t, "I_R3", fipsRSAKey(t, 3072), R3, fipsCertCA|fipsCertFIPSOK)
363 fipsCert(t, "I_R3", I_R3.key, R3, fipsCertCA|fipsCertFIPSOK)
364
365 L1_I := fipsCert(t, "L1_I", fipsECDSAKey(t, elliptic.P384()), I_R1, fipsCertLeaf|fipsCertFIPSOK)
366 L2_I := fipsCert(t, "L2_I", fipsRSAKey(t, 1024), I_R1, fipsCertLeaf)
367
368
369 testServerCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) {
370 clientConfig := testConfig.Clone()
371 clientConfig.RootCAs = pool
372 clientConfig.InsecureSkipVerify = false
373 clientConfig.ServerName = "example.com"
374
375 serverConfig := testConfig.Clone()
376 serverConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}}
377 serverConfig.BuildNameToCertificate()
378
379 clientErr, _ := fipsHandshake(t, clientConfig, serverConfig)
380
381 if (clientErr == nil) == ok {
382 if ok {
383 t.Logf("%s: accept", desc)
384 } else {
385 t.Logf("%s: reject", desc)
386 }
387 } else {
388 if ok {
389 t.Errorf("%s: BAD reject (%v)", desc, clientErr)
390 } else {
391 t.Errorf("%s: BAD accept", desc)
392 }
393 }
394 }
395
396
397 testClientCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) {
398 clientConfig := testConfig.Clone()
399 clientConfig.ServerName = "example.com"
400 clientConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}}
401
402 serverConfig := testConfig.Clone()
403 serverConfig.ClientCAs = pool
404 serverConfig.ClientAuth = RequireAndVerifyClientCert
405
406 _, serverErr := fipsHandshake(t, clientConfig, serverConfig)
407
408 if (serverErr == nil) == ok {
409 if ok {
410 t.Logf("%s: accept", desc)
411 } else {
412 t.Logf("%s: reject", desc)
413 }
414 } else {
415 if ok {
416 t.Errorf("%s: BAD reject (%v)", desc, serverErr)
417 } else {
418 t.Errorf("%s: BAD accept", desc)
419 }
420 }
421 }
422
423
424
425 r1pool := x509.NewCertPool()
426 r1pool.AddCert(R1.cert)
427
428 runWithFIPSDisabled(t, func(t *testing.T) {
429 testServerCert(t, "basic", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true)
430 testClientCert(t, "basic (client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true)
431 })
432
433 runWithFIPSEnabled(t, func(t *testing.T) {
434 testServerCert(t, "basic (fips)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false)
435 testClientCert(t, "basic (fips, client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false)
436 })
437
438 if t.Failed() {
439 t.Fatal("basic test failed, skipping exhaustive test")
440 }
441
442 if testing.Short() {
443 t.Logf("basic test passed; skipping exhaustive test in -short mode")
444 return
445 }
446
447 for l := 1; l <= 2; l++ {
448 leaf := L1_I
449 if l == 2 {
450 leaf = L2_I
451 }
452 for i := 0; i < 64; i++ {
453 reachable := map[string]bool{leaf.parentOrg: true}
454 reachableFIPS := map[string]bool{leaf.parentOrg: leaf.fipsOK}
455 list := [][]byte{leaf.der}
456 listName := leaf.name
457 addList := func(cond int, c *fipsCertificate) {
458 if cond != 0 {
459 list = append(list, c.der)
460 listName += "," + c.name
461 if reachable[c.org] {
462 reachable[c.parentOrg] = true
463 }
464 if reachableFIPS[c.org] && c.fipsOK {
465 reachableFIPS[c.parentOrg] = true
466 }
467 }
468 }
469 addList(i&1, I_R1)
470 addList(i&2, I_R2)
471 addList(i&4, I_M1)
472 addList(i&8, I_M2)
473 addList(i&16, M1_R1)
474 addList(i&32, M2_R1)
475
476 for r := 1; r <= 3; r++ {
477 pool := x509.NewCertPool()
478 rootName := ","
479 shouldVerify := false
480 shouldVerifyFIPS := false
481 addRoot := func(cond int, c *fipsCertificate) {
482 if cond != 0 {
483 rootName += "," + c.name
484 pool.AddCert(c.cert)
485 if reachable[c.org] {
486 shouldVerify = true
487 }
488 if reachableFIPS[c.org] && c.fipsOK {
489 shouldVerifyFIPS = true
490 }
491 }
492 }
493 addRoot(r&1, R1)
494 addRoot(r&2, R2)
495 rootName = rootName[1:]
496
497 runWithFIPSDisabled(t, func(t *testing.T) {
498 testServerCert(t, listName+"->"+rootName[1:], pool, leaf.key, list, shouldVerify)
499 testClientCert(t, listName+"->"+rootName[1:]+"(client cert)", pool, leaf.key, list, shouldVerify)
500 })
501
502 runWithFIPSEnabled(t, func(t *testing.T) {
503 testServerCert(t, listName+"->"+rootName[1:]+" (fips)", pool, leaf.key, list, shouldVerifyFIPS)
504 testClientCert(t, listName+"->"+rootName[1:]+" (fips, client cert)", pool, leaf.key, list, shouldVerifyFIPS)
505 })
506 }
507 }
508 }
509 }
510
511 const (
512 fipsCertCA = iota
513 fipsCertLeaf
514 fipsCertFIPSOK = 0x80
515 )
516
517 func fipsRSAKey(t *testing.T, size int) *rsa.PrivateKey {
518 k, err := rsa.GenerateKey(rand.Reader, size)
519 if err != nil {
520 t.Fatal(err)
521 }
522 return k
523 }
524
525 func fipsECDSAKey(t *testing.T, curve elliptic.Curve) *ecdsa.PrivateKey {
526 k, err := ecdsa.GenerateKey(curve, rand.Reader)
527 if err != nil {
528 t.Fatal(err)
529 }
530 return k
531 }
532
533 type fipsCertificate struct {
534 name string
535 org string
536 parentOrg string
537 der []byte
538 cert *x509.Certificate
539 key interface{}
540 fipsOK bool
541 }
542
543 func fipsCert(t *testing.T, name string, key interface{}, parent *fipsCertificate, mode int) *fipsCertificate {
544 org := name
545 parentOrg := ""
546 if i := strings.Index(org, "_"); i >= 0 {
547 org = org[:i]
548 parentOrg = name[i+1:]
549 }
550 tmpl := &x509.Certificate{
551 SerialNumber: big.NewInt(1),
552 Subject: pkix.Name{
553 Organization: []string{org},
554 },
555 NotBefore: time.Unix(0, 0),
556 NotAfter: time.Unix(0, 0),
557
558 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
559 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
560 BasicConstraintsValid: true,
561 }
562 if mode&^fipsCertFIPSOK == fipsCertLeaf {
563 tmpl.DNSNames = []string{"example.com"}
564 } else {
565 tmpl.IsCA = true
566 tmpl.KeyUsage |= x509.KeyUsageCertSign
567 }
568
569 var pcert *x509.Certificate
570 var pkey interface{}
571 if parent != nil {
572 pcert = parent.cert
573 pkey = parent.key
574 } else {
575 pcert = tmpl
576 pkey = key
577 }
578
579 var pub interface{}
580 var desc string
581 switch k := key.(type) {
582 case *rsa.PrivateKey:
583 pub = &k.PublicKey
584 desc = fmt.Sprintf("RSA-%d", k.N.BitLen())
585 case *ecdsa.PrivateKey:
586 pub = &k.PublicKey
587 desc = "ECDSA-" + k.Curve.Params().Name
588 default:
589 t.Fatalf("invalid key %T", key)
590 }
591
592 der, err := x509.CreateCertificate(rand.Reader, tmpl, pcert, pub, pkey)
593 if err != nil {
594 t.Fatal(err)
595 }
596 cert, err := x509.ParseCertificate(der)
597 if err != nil {
598 t.Fatal(err)
599 }
600
601 fipsOK := mode&fipsCertFIPSOK != 0
602 runWithFIPSEnabled(t, func(t *testing.T) {
603 if fipsAllowCert(cert) != fipsOK {
604 t.Errorf("fipsAllowCert(cert with %s key) = %v, want %v", desc, !fipsOK, fipsOK)
605 }
606 })
607
608 return &fipsCertificate{name, org, parentOrg, der, cert, key, fipsOK}
609 }
610
611
612
613 var (
614 testRSAPSS2048Certificate []byte
615 testRSAPSS2048PrivateKey *rsa.PrivateKey
616 )
617
618 func init() {
619 block, _ := pem.Decode(obscuretestdata.Rot13([]byte(`
620 -----ORTVA PREGVSVPNGR-----
621 ZVVP/mPPNrrtNjVONtVENYUUK/xu4+4mZH9QnemORpDjQDLWXbMVuipANDRYODNj
622 RwRDZN4TN1HRPuZUDJAgMFOQomNrSj0kZGNkZQRkAGN0ZQInSj0lZQRlZwxkAGN0
623 ZQInZOVkRQNBOtAIONbGO0SwoJHtD28jttRvZN0TPFdTFVo3QDRONDHNN4VOQjNj
624 ttRXNbVONDPs8sx0A6vrPOK4VBIVsXvgg4xTpBDYrvzPsfwddUplfZVITRgSFZ6R
625 4Nl141s/7VdqJ0HgVdAo4CKuEBVQ7lQkE284kY6KoPhi/g5uC3HpruLp3uzYvlIq
626 ZxMDvMJgsHHWs/1dBgZ+buAt59YEJc4q+6vK0yn1WY3RjPVpxxAwW9uDoS7Co2PF
627 +RF9Lb55XNnc8XBoycpE8ZOFA38odajwsDqPKiBRBwnz2UHkXmRSK5ZN+sN0zr4P
628 vbPpPEYJXy+TbA9S8sNOsbM+G+2rny4QYhB95eKE8FeBVIOu3KSBe/EIuwgKpAIS
629 MXpiQg6q68I6wNXNLXz5ayw9TCcq4i+eNtZONNTwHQOBZN4TN1HqQjRO/jDRNjVS
630 bQNGOtAIUFHRQQNXOtteOtRSODpQNGNZOtAIUEZONs8RNwNNZOxTN1HqRDDFZOPP
631 QzI4LJ1joTHhM29fLJ5aZN0TPFdTFVo3QDROPjHNN4VONDPBbLfIpSPOuobdr3JU
632 qP6I7KKKRPzawu01e8u80li0AE379aFQ3pj2Z+UXinKlfJdey5uwTIXj0igjQ81e
633 I4WmQh7VsVbt5z8+DAP+7YdQMfm88iQXBefblFIBzHPtzPXSKrj+YN+rB/vDRWGe
634 7rafqqBrKWRc27Rq5iJ+xzJJ3Dztyp2Tjl8jSeZQVdaeaBmON4bPaQRtgKWg0mbt
635 aEjosRZNJv1nDEl5qG9XN3FC9zb5FrGSFmTTUvR4f4tUHr7wifNSS2dtgQ6+jU6f
636 m9o6fukaP7t5VyOXuV7FIO/Hdg2lqW+xU1LowZpVd6ANZ5rAZXtMhWe3+mjfFtju
637 TAnR
638 -----RAQ PREGVSVPNGR-----`)))
639 testRSAPSS2048Certificate = block.Bytes
640
641 block, _ = pem.Decode(obscuretestdata.Rot13([]byte(`
642 -----ORTVA EFN CEVINGR XRL-----
643 ZVVRcNVONNXPNDRNa/U5AQrbattI+PQyFUlbeorWOaQxP3bcta7V6du3ZeQPSEuY
644 EHwBuBNZgrAK/+lXaIgSYFXwJ+Q14HGvN+8t8HqiBZF+y2jee/7rLG91UUbJUA4M
645 v4fyKGWTHVzIeK1SPK/9nweGCdVGLBsF0IdrUshby9WJgFF9kZNvUWWQLlsLHTkr
646 m29txiuRiJXBrFtTdsPwz5nKRsQNHwq/T6c8V30UDy7muQb2cgu1ZFfkOI+GNCaj
647 AWahNbdNaNxF1vcsudQsEsUjNK6Tsx/gazcrNl7wirn10sRdmvSDLq1kGd/0ILL7
648 I3QIEJFaYj7rariSrbjPtTPchM5L/Ew6KrY/djVQNDNONbVONDPAcZMvsq/it42u
649 UqPiYhMnLF0E7FhaSycbKRfygTqYSfac0VsbWM/htSDOFNVVsYjZhzH6bKN1m7Hi
650 98nVLI61QrCeGPQIQSOfUoAzC8WNb8JgohfRojq5mlbO7YLT2+pyxWxyJR73XdHd
651 ezV+HWrlFpy2Tva7MGkOKm1JCOx9IjpajxrnKctNFVOJ23suRPZ9taLRRjnOrm5G
652 6Zr8q1gUgLDi7ifXr7eb9j9/UXeEKrwdLXX1YkxusSevlI+z8YMWMa2aKBn6T3tS
653 Ao8Dx1Hx5CHORAOzlZSWuG4Z/hhFd4LgZeeB2tv8D+sCuhTmp5FfuLXEOc0J4C5e
654 zgIPgRSENbTONZRAOVSYeI2+UfTw0kLSnfXbi/DCr6UFGE1Uu2VMBAc+bX4bfmJR
655 wOG4IpaVGzcy6gP1Jl4TpekwAtXVSMNw+1k1YHHYqbeKxhT8le0gNuT9mAlsJfFl
656 CeFbiP0HIome8Wkkyn+xDIkRDDdJDkCyRIhY8xKnVQN6Ylg1Uchn2YiCNbTONADM
657 p6Yd2G7+OkYkAqv2z8xMmrw5xtmOc/KqIfoSJEyroVK2XeSUfeUmG9CHx3QR1iMX
658 Z6cmGg94aDuJFxQtPnj1FbuRyW3USVSjphfS1FWNp3cDrcq8ht6VLqycQZYgOw/C
659 /5C6OIHgtb05R4+V/G3vLngztyDkGgyM0ExFI2yyNbTONYBKxXSK7nuCis0JxfQu
660 hGshSBGCbbjtDT0RctJ0jEqPkrt/WYvp3yFQ0tfggDI2JfErpelJpknryEt10EzB
661 38OobtzunS4kitfFihwBsvMGR8bX1G43Z+6AXfVyZY3LVYocH/9nWkCJl0f2QdQe
662 pDWuMeyx+cmwON7Oas/HEqjkNbTNXE/PAj14Q+zeY3LYoovPKvlqdkIjki5cqMqm
663 8guv3GApfJP4vTHEqpIdosHvaICqWvKr/Xnp3JTPrEWnSItoXNBkYgv1EO5ZxVut
664 Q8rlhcOdx4J1Y1txekdfqw4GSykxjZljwy2R2F4LlD8COg6I04QbIEMfVXmdm+CS
665 HvbaCd0PtLOPLKidvbWuCrjxBd/L5jeQOrMJ1SDX5DQ9J5Z8/5mkq4eqiWgwuoWc
666 bBegiZqey6hcl9Um4OWQ3SKjISvCSR7wdrAdv0S21ivYkOCZZQ3HBQS6YY5RlYvE
667 9I4kIZF8XKkit7ekfhdmZCfpIvnJHY6JAIOufQ2+92qUkFKmm5RWXD==
668 -----RAQ EFN CEVINGR XRL-----`)))
669 var err error
670 testRSAPSS2048PrivateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
671 if err != nil {
672 panic(err)
673 }
674 }
675
View as plain text