1// Copyright 2013 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package tls 6 7import ( 8 "bufio" 9 "bytes" 10 "crypto/ed25519" 11 "crypto/x509" 12 "encoding/hex" 13 "errors" 14 "flag" 15 "fmt" 16 "io" 17 "net" 18 "os" 19 "os/exec" 20 "runtime" 21 "strconv" 22 "strings" 23 "sync" 24 "testing" 25 "time" 26) 27 28// TLS reference tests run a connection against a reference implementation 29// (OpenSSL) of TLS and record the bytes of the resulting connection. The Go 30// code, during a test, is configured with deterministic randomness and so the 31// reference test can be reproduced exactly in the future. 32// 33// In order to save everyone who wishes to run the tests from needing the 34// reference implementation installed, the reference connections are saved in 35// files in the testdata directory. Thus running the tests involves nothing 36// external, but creating and updating them requires the reference 37// implementation. 38// 39// Tests can be updated by running them with the -update flag. This will cause 40// the test files for failing tests to be regenerated. Since the reference 41// implementation will always generate fresh random numbers, large parts of the 42// reference connection will always change. 43 44var ( 45 update = flag.Bool("update", false, "update golden files on failure") 46 keyFile = flag.String("keylog", "", "destination file for KeyLogWriter") 47 bogoMode = flag.Bool("bogo-mode", false, "Enabled bogo shim mode, ignore everything else") 48 bogoFilter = flag.String("bogo-filter", "", "BoGo test filter") 49 bogoLocalDir = flag.String("bogo-local-dir", "", "Local BoGo to use, instead of fetching from source") 50) 51 52func runTestAndUpdateIfNeeded(t *testing.T, name string, run func(t *testing.T, update bool), wait bool) { 53 success := t.Run(name, func(t *testing.T) { 54 if !*update && !wait { 55 t.Parallel() 56 } 57 run(t, false) 58 }) 59 60 if !success && *update { 61 t.Run(name+"#update", func(t *testing.T) { 62 run(t, true) 63 }) 64 } 65} 66 67// checkOpenSSLVersion ensures that the version of OpenSSL looks reasonable 68// before updating the test data. 69func checkOpenSSLVersion() error { 70 if !*update { 71 return nil 72 } 73 74 openssl := exec.Command("openssl", "version") 75 output, err := openssl.CombinedOutput() 76 if err != nil { 77 return err 78 } 79 80 version := string(output) 81 if strings.HasPrefix(version, "OpenSSL 1.1.1") { 82 return nil 83 } 84 85 println("***********************************************") 86 println("") 87 println("You need to build OpenSSL 1.1.1 from source in order") 88 println("to update the test data.") 89 println("") 90 println("Configure it with:") 91 println("./Configure enable-weak-ssl-ciphers no-shared") 92 println("and then add the apps/ directory at the front of your PATH.") 93 println("***********************************************") 94 95 return errors.New("version of OpenSSL does not appear to be suitable for updating test data") 96} 97 98// recordingConn is a net.Conn that records the traffic that passes through it. 99// WriteTo can be used to produce output that can be later be loaded with 100// ParseTestData. 101type recordingConn struct { 102 net.Conn 103 sync.Mutex 104 flows [][]byte 105 reading bool 106} 107 108func (r *recordingConn) Read(b []byte) (n int, err error) { 109 if n, err = r.Conn.Read(b); n == 0 { 110 return 111 } 112 b = b[:n] 113 114 r.Lock() 115 defer r.Unlock() 116 117 if l := len(r.flows); l == 0 || !r.reading { 118 buf := make([]byte, len(b)) 119 copy(buf, b) 120 r.flows = append(r.flows, buf) 121 } else { 122 r.flows[l-1] = append(r.flows[l-1], b[:n]...) 123 } 124 r.reading = true 125 return 126} 127 128func (r *recordingConn) Write(b []byte) (n int, err error) { 129 if n, err = r.Conn.Write(b); n == 0 { 130 return 131 } 132 b = b[:n] 133 134 r.Lock() 135 defer r.Unlock() 136 137 if l := len(r.flows); l == 0 || r.reading { 138 buf := make([]byte, len(b)) 139 copy(buf, b) 140 r.flows = append(r.flows, buf) 141 } else { 142 r.flows[l-1] = append(r.flows[l-1], b[:n]...) 143 } 144 r.reading = false 145 return 146} 147 148// WriteTo writes Go source code to w that contains the recorded traffic. 149func (r *recordingConn) WriteTo(w io.Writer) (int64, error) { 150 // TLS always starts with a client to server flow. 151 clientToServer := true 152 var written int64 153 for i, flow := range r.flows { 154 source, dest := "client", "server" 155 if !clientToServer { 156 source, dest = dest, source 157 } 158 n, err := fmt.Fprintf(w, ">>> Flow %d (%s to %s)\n", i+1, source, dest) 159 written += int64(n) 160 if err != nil { 161 return written, err 162 } 163 dumper := hex.Dumper(w) 164 n, err = dumper.Write(flow) 165 written += int64(n) 166 if err != nil { 167 return written, err 168 } 169 err = dumper.Close() 170 if err != nil { 171 return written, err 172 } 173 clientToServer = !clientToServer 174 } 175 return written, nil 176} 177 178func parseTestData(r io.Reader) (flows [][]byte, err error) { 179 var currentFlow []byte 180 181 scanner := bufio.NewScanner(r) 182 for scanner.Scan() { 183 line := scanner.Text() 184 // If the line starts with ">>> " then it marks the beginning 185 // of a new flow. 186 if strings.HasPrefix(line, ">>> ") { 187 if len(currentFlow) > 0 || len(flows) > 0 { 188 flows = append(flows, currentFlow) 189 currentFlow = nil 190 } 191 continue 192 } 193 194 // Otherwise the line is a line of hex dump that looks like: 195 // 00000170 fc f5 06 bf (...) |.....X{&?......!| 196 // (Some bytes have been omitted from the middle section.) 197 _, after, ok := strings.Cut(line, " ") 198 if !ok { 199 return nil, errors.New("invalid test data") 200 } 201 line = after 202 203 before, _, ok := strings.Cut(line, "|") 204 if !ok { 205 return nil, errors.New("invalid test data") 206 } 207 line = before 208 209 hexBytes := strings.Fields(line) 210 for _, hexByte := range hexBytes { 211 val, err := strconv.ParseUint(hexByte, 16, 8) 212 if err != nil { 213 return nil, errors.New("invalid hex byte in test data: " + err.Error()) 214 } 215 currentFlow = append(currentFlow, byte(val)) 216 } 217 } 218 219 if len(currentFlow) > 0 { 220 flows = append(flows, currentFlow) 221 } 222 223 return flows, nil 224} 225 226// replayingConn is a net.Conn that replays flows recorded by recordingConn. 227type replayingConn struct { 228 t testing.TB 229 sync.Mutex 230 flows [][]byte 231 reading bool 232} 233 234var _ net.Conn = (*replayingConn)(nil) 235 236func (r *replayingConn) Read(b []byte) (n int, err error) { 237 r.Lock() 238 defer r.Unlock() 239 240 if !r.reading { 241 r.t.Errorf("expected write, got read") 242 return 0, fmt.Errorf("recording expected write, got read") 243 } 244 245 n = copy(b, r.flows[0]) 246 r.flows[0] = r.flows[0][n:] 247 if len(r.flows[0]) == 0 { 248 r.flows = r.flows[1:] 249 if len(r.flows) == 0 { 250 return n, io.EOF 251 } else { 252 r.reading = false 253 } 254 } 255 return n, nil 256} 257 258func (r *replayingConn) Write(b []byte) (n int, err error) { 259 r.Lock() 260 defer r.Unlock() 261 262 if r.reading { 263 r.t.Errorf("expected read, got write") 264 return 0, fmt.Errorf("recording expected read, got write") 265 } 266 267 if !bytes.HasPrefix(r.flows[0], b) { 268 r.t.Errorf("write mismatch: expected %x, got %x", r.flows[0], b) 269 return 0, fmt.Errorf("write mismatch") 270 } 271 r.flows[0] = r.flows[0][len(b):] 272 if len(r.flows[0]) == 0 { 273 r.flows = r.flows[1:] 274 r.reading = true 275 } 276 return len(b), nil 277} 278 279func (r *replayingConn) Close() error { 280 r.Lock() 281 defer r.Unlock() 282 283 if len(r.flows) > 0 { 284 r.t.Errorf("closed with unfinished flows") 285 return fmt.Errorf("unexpected close") 286 } 287 return nil 288} 289 290func (r *replayingConn) LocalAddr() net.Addr { return nil } 291func (r *replayingConn) RemoteAddr() net.Addr { return nil } 292func (r *replayingConn) SetDeadline(t time.Time) error { return nil } 293func (r *replayingConn) SetReadDeadline(t time.Time) error { return nil } 294func (r *replayingConn) SetWriteDeadline(t time.Time) error { return nil } 295 296// tempFile creates a temp file containing contents and returns its path. 297func tempFile(contents string) string { 298 file, err := os.CreateTemp("", "go-tls-test") 299 if err != nil { 300 panic("failed to create temp file: " + err.Error()) 301 } 302 path := file.Name() 303 file.WriteString(contents) 304 file.Close() 305 return path 306} 307 308// localListener is set up by TestMain and used by localPipe to create Conn 309// pairs like net.Pipe, but connected by an actual buffered TCP connection. 310var localListener struct { 311 mu sync.Mutex 312 addr net.Addr 313 ch chan net.Conn 314} 315 316const localFlakes = 0 // change to 1 or 2 to exercise localServer/localPipe handling of mismatches 317 318func localServer(l net.Listener) { 319 for n := 0; ; n++ { 320 c, err := l.Accept() 321 if err != nil { 322 return 323 } 324 if localFlakes == 1 && n%2 == 0 { 325 c.Close() 326 continue 327 } 328 localListener.ch <- c 329 } 330} 331 332var isConnRefused = func(err error) bool { return false } 333 334func localPipe(t testing.TB) (net.Conn, net.Conn) { 335 localListener.mu.Lock() 336 defer localListener.mu.Unlock() 337 338 addr := localListener.addr 339 340 var err error 341Dialing: 342 // We expect a rare mismatch, but probably not 5 in a row. 343 for i := 0; i < 5; i++ { 344 tooSlow := time.NewTimer(1 * time.Second) 345 defer tooSlow.Stop() 346 var c1 net.Conn 347 c1, err = net.Dial(addr.Network(), addr.String()) 348 if err != nil { 349 if runtime.GOOS == "dragonfly" && (isConnRefused(err) || os.IsTimeout(err)) { 350 // golang.org/issue/29583: Dragonfly sometimes returns a spurious 351 // ECONNREFUSED or ETIMEDOUT. 352 <-tooSlow.C 353 continue 354 } 355 t.Fatalf("localPipe: %v", err) 356 } 357 if localFlakes == 2 && i == 0 { 358 c1.Close() 359 continue 360 } 361 for { 362 select { 363 case <-tooSlow.C: 364 t.Logf("localPipe: timeout waiting for %v", c1.LocalAddr()) 365 c1.Close() 366 continue Dialing 367 368 case c2 := <-localListener.ch: 369 if c2.RemoteAddr().String() == c1.LocalAddr().String() { 370 t.Cleanup(func() { c1.Close() }) 371 t.Cleanup(func() { c2.Close() }) 372 return c1, c2 373 } 374 t.Logf("localPipe: unexpected connection: %v != %v", c2.RemoteAddr(), c1.LocalAddr()) 375 c2.Close() 376 } 377 } 378 } 379 380 t.Fatalf("localPipe: failed to connect: %v", err) 381 panic("unreachable") 382} 383 384// zeroSource is an io.Reader that returns an unlimited number of zero bytes. 385type zeroSource struct{} 386 387func (zeroSource) Read(b []byte) (n int, err error) { 388 clear(b) 389 return len(b), nil 390} 391 392func allCipherSuites() []uint16 { 393 ids := make([]uint16, len(cipherSuites)) 394 for i, suite := range cipherSuites { 395 ids[i] = suite.id 396 } 397 398 return ids 399} 400 401var testConfig *Config 402 403func TestMain(m *testing.M) { 404 flag.Usage = func() { 405 fmt.Fprintf(flag.CommandLine.Output(), "Usage of %s:\n", os.Args) 406 flag.PrintDefaults() 407 if *bogoMode { 408 os.Exit(89) 409 } 410 } 411 412 flag.Parse() 413 414 if *bogoMode { 415 bogoShim() 416 os.Exit(0) 417 } 418 419 os.Exit(runMain(m)) 420} 421 422func runMain(m *testing.M) int { 423 // Cipher suites preferences change based on the architecture. Force them to 424 // the version without AES acceleration for test consistency. 425 hasAESGCMHardwareSupport = false 426 427 // Set up localPipe. 428 l, err := net.Listen("tcp", "127.0.0.1:0") 429 if err != nil { 430 l, err = net.Listen("tcp6", "[::1]:0") 431 } 432 if err != nil { 433 fmt.Fprintf(os.Stderr, "Failed to open local listener: %v", err) 434 os.Exit(1) 435 } 436 localListener.ch = make(chan net.Conn) 437 localListener.addr = l.Addr() 438 defer l.Close() 439 go localServer(l) 440 441 if err := checkOpenSSLVersion(); err != nil { 442 fmt.Fprintf(os.Stderr, "Error: %v", err) 443 os.Exit(1) 444 } 445 446 testConfig = &Config{ 447 Time: func() time.Time { return time.Unix(0, 0) }, 448 Rand: zeroSource{}, 449 Certificates: make([]Certificate, 2), 450 InsecureSkipVerify: true, 451 CipherSuites: allCipherSuites(), 452 CurvePreferences: []CurveID{X25519, CurveP256, CurveP384, CurveP521}, 453 MinVersion: VersionTLS10, 454 MaxVersion: VersionTLS13, 455 } 456 testConfig.Certificates[0].Certificate = [][]byte{testRSACertificate} 457 testConfig.Certificates[0].PrivateKey = testRSAPrivateKey 458 testConfig.Certificates[1].Certificate = [][]byte{testSNICertificate} 459 testConfig.Certificates[1].PrivateKey = testRSAPrivateKey 460 testConfig.BuildNameToCertificate() 461 if *keyFile != "" { 462 f, err := os.OpenFile(*keyFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) 463 if err != nil { 464 panic("failed to open -keylog file: " + err.Error()) 465 } 466 testConfig.KeyLogWriter = f 467 defer f.Close() 468 } 469 470 return m.Run() 471} 472 473func testHandshake(t *testing.T, clientConfig, serverConfig *Config) (serverState, clientState ConnectionState, err error) { 474 const sentinel = "SENTINEL\n" 475 c, s := localPipe(t) 476 errChan := make(chan error, 1) 477 go func() { 478 cli := Client(c, clientConfig) 479 err := cli.Handshake() 480 if err != nil { 481 errChan <- fmt.Errorf("client: %v", err) 482 c.Close() 483 return 484 } 485 defer func() { errChan <- nil }() 486 clientState = cli.ConnectionState() 487 buf, err := io.ReadAll(cli) 488 if err != nil { 489 t.Errorf("failed to call cli.Read: %v", err) 490 } 491 if got := string(buf); got != sentinel { 492 t.Errorf("read %q from TLS connection, but expected %q", got, sentinel) 493 } 494 // We discard the error because after ReadAll returns the server must 495 // have already closed the connection. Sending data (the closeNotify 496 // alert) can cause a reset, that will make Close return an error. 497 cli.Close() 498 }() 499 server := Server(s, serverConfig) 500 err = server.Handshake() 501 if err == nil { 502 serverState = server.ConnectionState() 503 if _, err := io.WriteString(server, sentinel); err != nil { 504 t.Errorf("failed to call server.Write: %v", err) 505 } 506 if err := server.Close(); err != nil { 507 t.Errorf("failed to call server.Close: %v", err) 508 } 509 } else { 510 err = fmt.Errorf("server: %v", err) 511 s.Close() 512 } 513 err = errors.Join(err, <-errChan) 514 return 515} 516 517func fromHex(s string) []byte { 518 b, _ := hex.DecodeString(s) 519 return b 520} 521 522var testRSACertificate = fromHex("3082024b308201b4a003020102020900e8f09d3fe25beaa6300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a301a310b3009060355040a1302476f310b300906035504031302476f30819f300d06092a864886f70d010101050003818d0030818902818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d70203010001a38193308190300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302300c0603551d130101ff0402300030190603551d0e041204109f91161f43433e49a6de6db680d79f60301b0603551d230414301280104813494d137e1631bba301d5acab6e7b30190603551d1104123010820e6578616d706c652e676f6c616e67300d06092a864886f70d01010b0500038181009d30cc402b5b50a061cbbae55358e1ed8328a9581aa938a495a1ac315a1a84663d43d32dd90bf297dfd320643892243a00bccf9c7db74020015faad3166109a276fd13c3cce10c5ceeb18782f16c04ed73bbb343778d0c1cf10fa1d8408361c94c722b9daedb4606064df4c1b33ec0d1bd42d4dbfe3d1360845c21d33be9fae7") 523 524var testRSACertificateIssuer = fromHex("3082021930820182a003020102020900ca5e4e811a965964300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f7430819f300d06092a864886f70d010101050003818d0030818902818100d667b378bb22f34143b6cd2008236abefaf2852adf3ab05e01329e2c14834f5105df3f3073f99dab5442d45ee5f8f57b0111c8cb682fbb719a86944eebfffef3406206d898b8c1b1887797c9c5006547bb8f00e694b7a063f10839f269f2c34fff7a1f4b21fbcd6bfdfb13ac792d1d11f277b5c5b48600992203059f2a8f8cc50203010001a35d305b300e0603551d0f0101ff040403020204301d0603551d250416301406082b0601050507030106082b06010505070302300f0603551d130101ff040530030101ff30190603551d0e041204104813494d137e1631bba301d5acab6e7b300d06092a864886f70d01010b050003818100c1154b4bab5266221f293766ae4138899bd4c5e36b13cee670ceeaa4cbdf4f6679017e2fe649765af545749fe4249418a56bd38a04b81e261f5ce86b8d5c65413156a50d12449554748c59a30c515bc36a59d38bddf51173e899820b282e40aa78c806526fd184fb6b4cf186ec728edffa585440d2b3225325f7ab580e87dd76") 525 526// testRSAPSSCertificate has signatureAlgorithm rsassaPss, but subjectPublicKeyInfo 527// algorithm rsaEncryption, for use with the rsa_pss_rsae_* SignatureSchemes. 528// See also TestRSAPSSKeyError. testRSAPSSCertificate is self-signed. 529var testRSAPSSCertificate = fromHex("308202583082018da003020102021100f29926eb87ea8a0db9fcc247347c11b0304106092a864886f70d01010a3034a00f300d06096086480165030402010500a11c301a06092a864886f70d010108300d06096086480165030402010500a20302012030123110300e060355040a130741636d6520436f301e170d3137313132333136313631305a170d3138313132333136313631305a30123110300e060355040a130741636d6520436f30819f300d06092a864886f70d010101050003818d0030818902818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d70203010001a3463044300e0603551d0f0101ff0404030205a030130603551d25040c300a06082b06010505070301300c0603551d130101ff04023000300f0603551d110408300687047f000001304106092a864886f70d01010a3034a00f300d06096086480165030402010500a11c301a06092a864886f70d010108300d06096086480165030402010500a20302012003818100cdac4ef2ce5f8d79881042707f7cbf1b5a8a00ef19154b40151771006cd41626e5496d56da0c1a139fd84695593cb67f87765e18aa03ea067522dd78d2a589b8c92364e12838ce346c6e067b51f1a7e6f4b37ffab13f1411896679d18e880e0ba09e302ac067efca460288e9538122692297ad8093d4f7dd701424d7700a46a1") 530 531var testECDSACertificate = fromHex("3082020030820162020900b8bf2d47a0d2ebf4300906072a8648ce3d04013045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c7464301e170d3132313132323135303633325a170d3232313132303135303633325a3045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c746430819b301006072a8648ce3d020106052b81040023038186000400c4a1edbe98f90b4873367ec316561122f23d53c33b4d213dcd6b75e6f6b0dc9adf26c1bcb287f072327cb3642f1c90bcea6823107efee325c0483a69e0286dd33700ef0462dd0da09c706283d881d36431aa9e9731bd96b068c09b23de76643f1a5c7fe9120e5858b65f70dd9bd8ead5d7f5d5ccb9b69f30665b669a20e227e5bffe3b300906072a8648ce3d040103818c0030818802420188a24febe245c5487d1bacf5ed989dae4770c05e1bb62fbdf1b64db76140d311a2ceee0b7e927eff769dc33b7ea53fcefa10e259ec472d7cacda4e970e15a06fd00242014dfcbe67139c2d050ebd3fa38c25c13313830d9406bbd4377af6ec7ac9862eddd711697f857c56defb31782be4c7780daecbbe9e4e3624317b6a0f399512078f2a") 532 533var testEd25519Certificate = fromHex("3082012e3081e1a00302010202100f431c425793941de987e4f1ad15005d300506032b657030123110300e060355040a130741636d6520436f301e170d3139303531363231333830315a170d3230303531353231333830315a30123110300e060355040a130741636d6520436f302a300506032b65700321003fe2152ee6e3ef3f4e854a7577a3649eede0bf842ccc92268ffa6f3483aaec8fa34d304b300e0603551d0f0101ff0404030205a030130603551d25040c300a06082b06010505070301300c0603551d130101ff0402300030160603551d11040f300d820b6578616d706c652e636f6d300506032b65700341006344ed9cc4be5324539fd2108d9fe82108909539e50dc155ff2c16b71dfcab7d4dd4e09313d0a942e0b66bfe5d6748d79f50bc6ccd4b03837cf20858cdaccf0c") 534 535var testSNICertificate = fromHex("0441883421114c81480804c430820237308201a0a003020102020900e8f09d3fe25beaa6300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a3023310b3009060355040a1302476f311430120603550403130b736e69746573742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d70203010001a3773075300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302300c0603551d130101ff0402300030190603551d0e041204109f91161f43433e49a6de6db680d79f60301b0603551d230414301280104813494d137e1631bba301d5acab6e7b300d06092a864886f70d01010b0500038181007beeecff0230dbb2e7a334af65430b7116e09f327c3bbf918107fc9c66cb497493207ae9b4dbb045cb63d605ec1b5dd485bb69124d68fa298dc776699b47632fd6d73cab57042acb26f083c4087459bc5a3bb3ca4d878d7fe31016b7bc9a627438666566e3389bfaeebe6becc9a0093ceed18d0f9ac79d56f3a73f18188988ed") 536 537var testP256Certificate = fromHex("308201693082010ea00302010202105012dc24e1124ade4f3e153326ff27bf300a06082a8648ce3d04030230123110300e060355040a130741636d6520436f301e170d3137303533313232343934375a170d3138303533313232343934375a30123110300e060355040a130741636d6520436f3059301306072a8648ce3d020106082a8648ce3d03010703420004c02c61c9b16283bbcc14956d886d79b358aa614596975f78cece787146abf74c2d5dc578c0992b4f3c631373479ebf3892efe53d21c4f4f1cc9a11c3536b7f75a3463044300e0603551d0f0101ff0404030205a030130603551d25040c300a06082b06010505070301300c0603551d130101ff04023000300f0603551d1104083006820474657374300a06082a8648ce3d0403020349003046022100963712d6226c7b2bef41512d47e1434131aaca3ba585d666c924df71ac0448b3022100f4d05c725064741aef125f243cdbccaa2a5d485927831f221c43023bd5ae471a") 538 539var testRSAPrivateKey, _ = x509.ParsePKCS1PrivateKey(fromHex("3082025b02010002818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d702030100010281800b07fbcf48b50f1388db34b016298b8217f2092a7c9a04f77db6775a3d1279b62ee9951f7e371e9de33f015aea80660760b3951dc589a9f925ed7de13e8f520e1ccbc7498ce78e7fab6d59582c2386cc07ed688212a576ff37833bd5943483b5554d15a0b9b4010ed9bf09f207e7e9805f649240ed6c1256ed75ab7cd56d9671024100fded810da442775f5923debae4ac758390a032a16598d62f059bb2e781a9c2f41bfa015c209f966513fe3bf5a58717cbdb385100de914f88d649b7d15309fa49024100dd10978c623463a1802c52f012cfa72ff5d901f25a2292446552c2568b1840e49a312e127217c2186615aae4fb6602a4f6ebf3f3d160f3b3ad04c592f65ae41f02400c69062ca781841a09de41ed7a6d9f54adc5d693a2c6847949d9e1358555c9ac6a8d9e71653ac77beb2d3abaf7bb1183aa14278956575dbebf525d0482fd72d90240560fe1900ba36dae3022115fd952f2399fb28e2975a1c3e3d0b679660bdcb356cc189d611cfdd6d87cd5aea45aa30a2082e8b51e94c2f3dd5d5c6036a8a615ed0240143993d80ece56f877cb80048335701eb0e608cc0c1ca8c2227b52edf8f1ac99c562f2541b5ce81f0515af1c5b4770dba53383964b4b725ff46fdec3d08907df")) 540 541var testECDSAPrivateKey, _ = x509.ParseECPrivateKey(fromHex("3081dc0201010442019883e909ad0ac9ea3d33f9eae661f1785206970f8ca9a91672f1eedca7a8ef12bd6561bb246dda5df4b4d5e7e3a92649bc5d83a0bf92972e00e62067d0c7bd99d7a00706052b81040023a18189038186000400c4a1edbe98f90b4873367ec316561122f23d53c33b4d213dcd6b75e6f6b0dc9adf26c1bcb287f072327cb3642f1c90bcea6823107efee325c0483a69e0286dd33700ef0462dd0da09c706283d881d36431aa9e9731bd96b068c09b23de76643f1a5c7fe9120e5858b65f70dd9bd8ead5d7f5d5ccb9b69f30665b669a20e227e5bffe3b")) 542 543var testP256PrivateKey, _ = x509.ParseECPrivateKey(fromHex("30770201010420012f3b52bc54c36ba3577ad45034e2e8efe1e6999851284cb848725cfe029991a00a06082a8648ce3d030107a14403420004c02c61c9b16283bbcc14956d886d79b358aa614596975f78cece787146abf74c2d5dc578c0992b4f3c631373479ebf3892efe53d21c4f4f1cc9a11c3536b7f75")) 544 545var testEd25519PrivateKey = ed25519.PrivateKey(fromHex("3a884965e76b3f55e5faf9615458a92354894234de3ec9f684d46d55cebf3dc63fe2152ee6e3ef3f4e854a7577a3649eede0bf842ccc92268ffa6f3483aaec8f")) 546 547const clientCertificatePEM = ` 548-----BEGIN CERTIFICATE----- 549MIIB7zCCAVigAwIBAgIQXBnBiWWDVW/cC8m5k5/pvDANBgkqhkiG9w0BAQsFADAS 550MRAwDgYDVQQKEwdBY21lIENvMB4XDTE2MDgxNzIxNTIzMVoXDTE3MDgxNzIxNTIz 551MVowEjEQMA4GA1UEChMHQWNtZSBDbzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC 552gYEAum+qhr3Pv5/y71yUYHhv6BPy0ZZvzdkybiI3zkH5yl0prOEn2mGi7oHLEMff 553NFiVhuk9GeZcJ3NgyI14AvQdpJgJoxlwaTwlYmYqqyIjxXuFOE8uCXMyp70+m63K 554hAfmDzr/d8WdQYUAirab7rCkPy1MTOZCPrtRyN1IVPQMjkcCAwEAAaNGMEQwDgYD 555VR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAw 556DwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOBgQBGq0Si+yhU+Fpn+GKU 5578ZqyGJ7ysd4dfm92lam6512oFmyc9wnTN+RLKzZ8Aa1B0jLYw9KT+RBrjpW5LBeK 558o0RIvFkTgxYEiKSBXCUNmAysEbEoVr4dzWFihAm/1oDGRY2CLLTYg5vbySK3KhIR 559e/oCO8HJ/+rJnahJ05XX1Q7lNQ== 560-----END CERTIFICATE-----` 561 562var clientKeyPEM = testingKey(` 563-----BEGIN RSA TESTING KEY----- 564MIICXQIBAAKBgQC6b6qGvc+/n/LvXJRgeG/oE/LRlm/N2TJuIjfOQfnKXSms4Sfa 565YaLugcsQx980WJWG6T0Z5lwnc2DIjXgC9B2kmAmjGXBpPCViZiqrIiPFe4U4Ty4J 566czKnvT6brcqEB+YPOv93xZ1BhQCKtpvusKQ/LUxM5kI+u1HI3UhU9AyORwIDAQAB 567AoGAEJZ03q4uuMb7b26WSQsOMeDsftdatT747LGgs3pNRkMJvTb/O7/qJjxoG+Mc 568qeSj0TAZXp+PXXc3ikCECAc+R8rVMfWdmp903XgO/qYtmZGCorxAHEmR80SrfMXv 569PJnznLQWc8U9nphQErR+tTESg7xWEzmFcPKwnZd1xg8ERYkCQQDTGtrFczlB2b/Z 5709TjNMqUlMnTLIk/a/rPE2fLLmAYhK5sHnJdvDURaH2mF4nso0EGtENnTsh6LATnY 571dkrxXGm9AkEA4hXHG2q3MnhgK1Z5hjv+Fnqd+8bcbII9WW4flFs15EKoMgS1w/PJ 572zbsySaSy5IVS8XeShmT9+3lrleed4sy+UwJBAJOOAbxhfXP5r4+5R6ql66jES75w 573jUCVJzJA5ORJrn8g64u2eGK28z/LFQbv9wXgCwfc72R468BdawFSLa/m2EECQGbZ 574rWiFla26IVXV0xcD98VWJsTBZMlgPnSOqoMdM1kSEd4fUmlAYI/dFzV1XYSkOmVr 575FhdZnklmpVDeu27P4c0CQQCuCOup0FlJSBpWY1TTfun/KMBkBatMz0VMA3d7FKIU 576csPezl677Yjo8u1r/KzeI6zLg87Z8E6r6ZWNc9wBSZK6 577-----END RSA TESTING KEY-----`) 578 579const clientECDSACertificatePEM = ` 580-----BEGIN CERTIFICATE----- 581MIIB/DCCAV4CCQCaMIRsJjXZFzAJBgcqhkjOPQQBMEUxCzAJBgNVBAYTAkFVMRMw 582EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0 583eSBMdGQwHhcNMTIxMTE0MTMyNTUzWhcNMjIxMTEyMTMyNTUzWjBBMQswCQYDVQQG 584EwJBVTEMMAoGA1UECBMDTlNXMRAwDgYDVQQHEwdQeXJtb250MRIwEAYDVQQDEwlK 585b2VsIFNpbmcwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABACVjJF1FMBexFe01MNv 586ja5oHt1vzobhfm6ySD6B5U7ixohLZNz1MLvT/2XMW/TdtWo+PtAd3kfDdq0Z9kUs 587jLzYHQFMH3CQRnZIi4+DzEpcj0B22uCJ7B0rxE4wdihBsmKo+1vx+U56jb0JuK7q 588ixgnTy5w/hOWusPTQBbNZU6sER7m8TAJBgcqhkjOPQQBA4GMADCBiAJCAOAUxGBg 589C3JosDJdYUoCdFzCgbkWqD8pyDbHgf9stlvZcPE4O1BIKJTLCRpS8V3ujfK58PDa 5902RU6+b0DeoeiIzXsAkIBo9SKeDUcSpoj0gq+KxAxnZxfvuiRs9oa9V2jI/Umi0Vw 591jWVim34BmT0Y9hCaOGGbLlfk+syxis7iI6CH8OFnUes= 592-----END CERTIFICATE-----` 593 594var clientECDSAKeyPEM = testingKey(` 595-----BEGIN EC PARAMETERS----- 596BgUrgQQAIw== 597-----END EC PARAMETERS----- 598-----BEGIN EC TESTING KEY----- 599MIHcAgEBBEIBkJN9X4IqZIguiEVKMqeBUP5xtRsEv4HJEtOpOGLELwO53SD78Ew8 600k+wLWoqizS3NpQyMtrU8JFdWfj+C57UNkOugBwYFK4EEACOhgYkDgYYABACVjJF1 601FMBexFe01MNvja5oHt1vzobhfm6ySD6B5U7ixohLZNz1MLvT/2XMW/TdtWo+PtAd 6023kfDdq0Z9kUsjLzYHQFMH3CQRnZIi4+DzEpcj0B22uCJ7B0rxE4wdihBsmKo+1vx 603+U56jb0JuK7qixgnTy5w/hOWusPTQBbNZU6sER7m8Q== 604-----END EC TESTING KEY-----`) 605 606const clientEd25519CertificatePEM = ` 607-----BEGIN CERTIFICATE----- 608MIIBLjCB4aADAgECAhAX0YGTviqMISAQJRXoNCNPMAUGAytlcDASMRAwDgYDVQQK 609EwdBY21lIENvMB4XDTE5MDUxNjIxNTQyNloXDTIwMDUxNTIxNTQyNlowEjEQMA4G 610A1UEChMHQWNtZSBDbzAqMAUGAytlcAMhAAvgtWC14nkwPb7jHuBQsQTIbcd4bGkv 611xRStmmNveRKRo00wSzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUH 612AwIwDAYDVR0TAQH/BAIwADAWBgNVHREEDzANggtleGFtcGxlLmNvbTAFBgMrZXAD 613QQD8GRcqlKUx+inILn9boF2KTjRAOdazENwZ/qAicbP1j6FYDc308YUkv+Y9FN/f 6147Q7hF9gRomDQijcjKsJGqjoI 615-----END CERTIFICATE-----` 616 617var clientEd25519KeyPEM = testingKey(` 618-----BEGIN TESTING KEY----- 619MC4CAQAwBQYDK2VwBCIEINifzf07d9qx3d44e0FSbV4mC/xQxT644RRbpgNpin7I 620-----END TESTING KEY-----`) 621