Source file
src/crypto/tls/fips140_test.go
1
2
3
4
5 package tls
6
7 import (
8 "crypto/ecdsa"
9 "crypto/elliptic"
10 "crypto/internal/boring"
11 "crypto/rand"
12 "crypto/rsa"
13 "crypto/x509"
14 "crypto/x509/pkix"
15 "encoding/pem"
16 "fmt"
17 "internal/obscuretestdata"
18 "internal/testenv"
19 "math/big"
20 "net"
21 "runtime"
22 "strings"
23 "testing"
24 "time"
25 )
26
27 func allCipherSuitesIncludingTLS13() []uint16 {
28 s := allCipherSuites()
29 for _, suite := range cipherSuitesTLS13 {
30 s = append(s, suite.id)
31 }
32 return s
33 }
34
35 func isTLS13CipherSuite(id uint16) bool {
36 for _, suite := range cipherSuitesTLS13 {
37 if id == suite.id {
38 return true
39 }
40 }
41 return false
42 }
43
44 func generateKeyShare(group CurveID) keyShare {
45 key, err := generateECDHEKey(rand.Reader, group)
46 if err != nil {
47 panic(err)
48 }
49 return keyShare{group: group, data: key.PublicKey().Bytes()}
50 }
51
52 func TestFIPSServerProtocolVersion(t *testing.T) {
53 test := func(t *testing.T, name string, v uint16, msg string) {
54 t.Run(name, func(t *testing.T) {
55 serverConfig := testConfig.Clone()
56 serverConfig.MinVersion = VersionSSL30
57 clientConfig := testConfig.Clone()
58 clientConfig.MinVersion = v
59 clientConfig.MaxVersion = v
60 _, _, err := testHandshake(t, clientConfig, serverConfig)
61 if msg == "" {
62 if err != nil {
63 t.Fatalf("got error: %v, expected success", err)
64 }
65 } else {
66 if err == nil {
67 t.Fatalf("got success, expected error")
68 }
69 if !strings.Contains(err.Error(), msg) {
70 t.Fatalf("got error %v, expected %q", err, msg)
71 }
72 }
73 })
74 }
75
76 runWithFIPSDisabled(t, func(t *testing.T) {
77 test(t, "VersionTLS10", VersionTLS10, "")
78 test(t, "VersionTLS11", VersionTLS11, "")
79 test(t, "VersionTLS12", VersionTLS12, "")
80 test(t, "VersionTLS13", VersionTLS13, "")
81 })
82
83 runWithFIPSEnabled(t, func(t *testing.T) {
84 test(t, "VersionTLS10", VersionTLS10, "supported versions")
85 test(t, "VersionTLS11", VersionTLS11, "supported versions")
86 test(t, "VersionTLS12", VersionTLS12, "")
87 test(t, "VersionTLS13", VersionTLS13, "")
88 })
89 }
90
91 func isFIPSVersion(v uint16) bool {
92 return v == VersionTLS12 || v == VersionTLS13
93 }
94
95 func isFIPSCipherSuite(id uint16) bool {
96 name := CipherSuiteName(id)
97 if isTLS13CipherSuite(id) {
98 switch id {
99 case TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384:
100 return true
101 case TLS_CHACHA20_POLY1305_SHA256:
102 return false
103 default:
104 panic("unknown TLS 1.3 cipher suite: " + name)
105 }
106 }
107 switch id {
108 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
109 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
110 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
111 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
112 return true
113 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
114 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
115
116 return !boring.Enabled
117 }
118 switch {
119 case strings.Contains(name, "CHACHA20"):
120 return false
121 case strings.HasSuffix(name, "_SHA"):
122 return false
123 case strings.HasPrefix(name, "TLS_RSA"):
124 return false
125 default:
126 panic("unknown cipher suite: " + name)
127 }
128 }
129
130 func isFIPSCurve(id CurveID) bool {
131 switch id {
132 case CurveP256, CurveP384, CurveP521:
133 return true
134 case X25519MLKEM768:
135
136 return !boring.Enabled
137 case X25519:
138 return false
139 default:
140 panic("unknown curve: " + id.String())
141 }
142 }
143
144 func isECDSA(id uint16) bool {
145 for _, suite := range cipherSuites {
146 if suite.id == id {
147 return suite.flags&suiteECSign == suiteECSign
148 }
149 }
150 return false
151 }
152
153 func isFIPSSignatureScheme(alg SignatureScheme) bool {
154 switch alg {
155 case PKCS1WithSHA256,
156 ECDSAWithP256AndSHA256,
157 PKCS1WithSHA384,
158 ECDSAWithP384AndSHA384,
159 PKCS1WithSHA512,
160 ECDSAWithP521AndSHA512,
161 PSSWithSHA256,
162 PSSWithSHA384,
163 PSSWithSHA512:
164 return true
165 case Ed25519:
166
167 return !boring.Enabled
168 case PKCS1WithSHA1, ECDSAWithSHA1:
169 return false
170 default:
171 panic("unknown signature scheme: " + alg.String())
172 }
173 }
174
175 func TestFIPSServerCipherSuites(t *testing.T) {
176 serverConfig := testConfig.Clone()
177 serverConfig.Certificates = make([]Certificate, 1)
178
179 for _, id := range allCipherSuitesIncludingTLS13() {
180 if isECDSA(id) {
181 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
182 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
183 } else {
184 serverConfig.Certificates[0].Certificate = [][]byte{testRSACertificate}
185 serverConfig.Certificates[0].PrivateKey = testRSAPrivateKey
186 }
187 serverConfig.BuildNameToCertificate()
188 t.Run(fmt.Sprintf("suite=%s", CipherSuiteName(id)), func(t *testing.T) {
189 clientHello := &clientHelloMsg{
190 vers: VersionTLS12,
191 random: make([]byte, 32),
192 cipherSuites: []uint16{id},
193 compressionMethods: []uint8{compressionNone},
194 supportedCurves: defaultCurvePreferences(),
195 keyShares: []keyShare{generateKeyShare(CurveP256)},
196 supportedPoints: []uint8{pointFormatUncompressed},
197 supportedVersions: []uint16{VersionTLS12},
198 supportedSignatureAlgorithms: allowedSupportedSignatureAlgorithmsFIPS,
199 }
200 if isTLS13CipherSuite(id) {
201 clientHello.supportedVersions = []uint16{VersionTLS13}
202 }
203
204 runWithFIPSDisabled(t, func(t *testing.T) {
205 testClientHello(t, serverConfig, clientHello)
206 })
207
208 runWithFIPSEnabled(t, func(t *testing.T) {
209 msg := ""
210 if !isFIPSCipherSuite(id) {
211 msg = "no cipher suite supported by both client and server"
212 }
213 testClientHelloFailure(t, serverConfig, clientHello, msg)
214 })
215 })
216 }
217 }
218
219 func TestFIPSServerCurves(t *testing.T) {
220 serverConfig := testConfig.Clone()
221 serverConfig.CurvePreferences = nil
222 serverConfig.BuildNameToCertificate()
223
224 for _, curveid := range defaultCurvePreferences() {
225 t.Run(fmt.Sprintf("curve=%v", curveid), func(t *testing.T) {
226 clientConfig := testConfig.Clone()
227 clientConfig.CurvePreferences = []CurveID{curveid}
228
229 runWithFIPSDisabled(t, func(t *testing.T) {
230 if _, _, err := testHandshake(t, clientConfig, serverConfig); err != nil {
231 t.Fatalf("got error: %v, expected success", err)
232 }
233 })
234
235
236 runWithFIPSEnabled(t, func(t *testing.T) {
237 _, _, err := testHandshake(t, clientConfig, serverConfig)
238 if err != nil && isFIPSCurve(curveid) {
239 t.Fatalf("got error: %v, expected success", err)
240 } else if err == nil && !isFIPSCurve(curveid) {
241 t.Fatalf("got success, expected error")
242 }
243 })
244 })
245 }
246 }
247
248 func fipsHandshake(t *testing.T, clientConfig, serverConfig *Config) (clientErr, serverErr error) {
249 c, s := localPipe(t)
250 client := Client(c, clientConfig)
251 server := Server(s, serverConfig)
252 done := make(chan error, 1)
253 go func() {
254 done <- client.Handshake()
255 c.Close()
256 }()
257 serverErr = server.Handshake()
258 s.Close()
259 clientErr = <-done
260 return
261 }
262
263 func TestFIPSServerSignatureAndHash(t *testing.T) {
264 defer func() {
265 testingOnlyForceClientHelloSignatureAlgorithms = nil
266 }()
267
268 for _, sigHash := range defaultSupportedSignatureAlgorithms {
269 t.Run(fmt.Sprintf("%v", sigHash), func(t *testing.T) {
270 serverConfig := testConfig.Clone()
271 serverConfig.Certificates = make([]Certificate, 1)
272
273 testingOnlyForceClientHelloSignatureAlgorithms = []SignatureScheme{sigHash}
274
275 sigType, _, _ := typeAndHashFromSignatureScheme(sigHash)
276 switch sigType {
277 case signaturePKCS1v15, signatureRSAPSS:
278 serverConfig.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
279 serverConfig.Certificates[0].Certificate = [][]byte{testRSAPSS2048Certificate}
280 serverConfig.Certificates[0].PrivateKey = testRSAPSS2048PrivateKey
281 case signatureEd25519:
282 serverConfig.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
283 serverConfig.Certificates[0].Certificate = [][]byte{testEd25519Certificate}
284 serverConfig.Certificates[0].PrivateKey = testEd25519PrivateKey
285 case signatureECDSA:
286 serverConfig.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
287 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
288 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
289 }
290 serverConfig.BuildNameToCertificate()
291
292
293 serverConfig.MaxVersion = VersionTLS12
294
295 runWithFIPSDisabled(t, func(t *testing.T) {
296 clientErr, serverErr := fipsHandshake(t, testConfig, serverConfig)
297 if clientErr != nil {
298 t.Fatalf("expected handshake with %v to succeed; client error: %v; server error: %v", sigHash, clientErr, serverErr)
299 }
300 })
301
302
303 runWithFIPSEnabled(t, func(t *testing.T) {
304 clientErr, _ := fipsHandshake(t, testConfig, serverConfig)
305 if isFIPSSignatureScheme(sigHash) {
306 if clientErr != nil {
307 t.Fatalf("expected handshake with %v to succeed; err=%v", sigHash, clientErr)
308 }
309 } else {
310 if clientErr == nil {
311 t.Fatalf("expected handshake with %v to fail, but it succeeded", sigHash)
312 }
313 }
314 })
315 })
316 }
317 }
318
319 func TestFIPSClientHello(t *testing.T) {
320 runWithFIPSEnabled(t, testFIPSClientHello)
321 }
322
323 func testFIPSClientHello(t *testing.T) {
324
325
326
327 c, s := net.Pipe()
328 defer c.Close()
329 defer s.Close()
330
331 clientConfig := testConfig.Clone()
332
333 clientConfig.MinVersion = VersionSSL30
334 clientConfig.MaxVersion = VersionTLS13
335 clientConfig.CipherSuites = allCipherSuites()
336 clientConfig.CurvePreferences = defaultCurvePreferences()
337
338 go Client(c, clientConfig).Handshake()
339 srv := Server(s, testConfig)
340 msg, err := srv.readHandshake(nil)
341 if err != nil {
342 t.Fatal(err)
343 }
344 hello, ok := msg.(*clientHelloMsg)
345 if !ok {
346 t.Fatalf("unexpected message type %T", msg)
347 }
348
349 if !isFIPSVersion(hello.vers) {
350 t.Errorf("client vers=%#x", hello.vers)
351 }
352 for _, v := range hello.supportedVersions {
353 if !isFIPSVersion(v) {
354 t.Errorf("client offered disallowed version %#x", v)
355 }
356 }
357 for _, id := range hello.cipherSuites {
358 if !isFIPSCipherSuite(id) {
359 t.Errorf("client offered disallowed suite %v", CipherSuiteName(id))
360 }
361 }
362 for _, id := range hello.supportedCurves {
363 if !isFIPSCurve(id) {
364 t.Errorf("client offered disallowed curve %v", id)
365 }
366 }
367 for _, sigHash := range hello.supportedSignatureAlgorithms {
368 if !isFIPSSignatureScheme(sigHash) {
369 t.Errorf("client offered disallowed signature-and-hash %v", sigHash)
370 }
371 }
372 }
373
374 func TestFIPSCertAlgs(t *testing.T) {
375
376
377 if testenv.CPUIsSlow() {
378 t.Skipf("skipping on %s/%s because key generation takes too long", runtime.GOOS, runtime.GOARCH)
379 }
380
381
382
383 R1 := fipsCert(t, "R1", fipsRSAKey(t, 2048), nil, fipsCertCA|fipsCertFIPSOK)
384 R2 := fipsCert(t, "R2", fipsRSAKey(t, 1024), nil, fipsCertCA)
385 R3 := fipsCert(t, "R3", fipsRSAKey(t, 4096), nil, fipsCertCA|fipsCertFIPSOK)
386
387 M1_R1 := fipsCert(t, "M1_R1", fipsECDSAKey(t, elliptic.P256()), R1, fipsCertCA|fipsCertFIPSOK)
388 M2_R1 := fipsCert(t, "M2_R1", fipsECDSAKey(t, elliptic.P224()), R1, fipsCertCA)
389
390 I_R1 := fipsCert(t, "I_R1", fipsRSAKey(t, 3072), R1, fipsCertCA|fipsCertFIPSOK)
391 I_R2 := fipsCert(t, "I_R2", I_R1.key, R2, fipsCertCA|fipsCertFIPSOK)
392 I_M1 := fipsCert(t, "I_M1", I_R1.key, M1_R1, fipsCertCA|fipsCertFIPSOK)
393 I_M2 := fipsCert(t, "I_M2", I_R1.key, M2_R1, fipsCertCA|fipsCertFIPSOK)
394
395 I_R3 := fipsCert(t, "I_R3", fipsRSAKey(t, 3072), R3, fipsCertCA|fipsCertFIPSOK)
396 fipsCert(t, "I_R3", I_R3.key, R3, fipsCertCA|fipsCertFIPSOK)
397
398 L1_I := fipsCert(t, "L1_I", fipsECDSAKey(t, elliptic.P384()), I_R1, fipsCertLeaf|fipsCertFIPSOK)
399 L2_I := fipsCert(t, "L2_I", fipsRSAKey(t, 1024), I_R1, fipsCertLeaf)
400
401
402 testServerCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) {
403 clientConfig := testConfig.Clone()
404 clientConfig.RootCAs = pool
405 clientConfig.InsecureSkipVerify = false
406 clientConfig.ServerName = "example.com"
407
408 serverConfig := testConfig.Clone()
409 serverConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}}
410 serverConfig.BuildNameToCertificate()
411
412 clientErr, _ := fipsHandshake(t, clientConfig, serverConfig)
413
414 if (clientErr == nil) == ok {
415 if ok {
416 t.Logf("%s: accept", desc)
417 } else {
418 t.Logf("%s: reject", desc)
419 }
420 } else {
421 if ok {
422 t.Errorf("%s: BAD reject (%v)", desc, clientErr)
423 } else {
424 t.Errorf("%s: BAD accept", desc)
425 }
426 }
427 }
428
429
430 testClientCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) {
431 clientConfig := testConfig.Clone()
432 clientConfig.ServerName = "example.com"
433 clientConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}}
434
435 serverConfig := testConfig.Clone()
436 serverConfig.ClientCAs = pool
437 serverConfig.ClientAuth = RequireAndVerifyClientCert
438
439 _, serverErr := fipsHandshake(t, clientConfig, serverConfig)
440
441 if (serverErr == nil) == ok {
442 if ok {
443 t.Logf("%s: accept", desc)
444 } else {
445 t.Logf("%s: reject", desc)
446 }
447 } else {
448 if ok {
449 t.Errorf("%s: BAD reject (%v)", desc, serverErr)
450 } else {
451 t.Errorf("%s: BAD accept", desc)
452 }
453 }
454 }
455
456
457
458 r1pool := x509.NewCertPool()
459 r1pool.AddCert(R1.cert)
460
461 runWithFIPSDisabled(t, func(t *testing.T) {
462 testServerCert(t, "basic", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true)
463 testClientCert(t, "basic (client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true)
464 })
465
466 runWithFIPSEnabled(t, func(t *testing.T) {
467 testServerCert(t, "basic (fips)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false)
468 testClientCert(t, "basic (fips, client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false)
469 })
470
471 if t.Failed() {
472 t.Fatal("basic test failed, skipping exhaustive test")
473 }
474
475 if testing.Short() {
476 t.Logf("basic test passed; skipping exhaustive test in -short mode")
477 return
478 }
479
480 for l := 1; l <= 2; l++ {
481 leaf := L1_I
482 if l == 2 {
483 leaf = L2_I
484 }
485 for i := 0; i < 64; i++ {
486 reachable := map[string]bool{leaf.parentOrg: true}
487 reachableFIPS := map[string]bool{leaf.parentOrg: leaf.fipsOK}
488 list := [][]byte{leaf.der}
489 listName := leaf.name
490 addList := func(cond int, c *fipsCertificate) {
491 if cond != 0 {
492 list = append(list, c.der)
493 listName += "," + c.name
494 if reachable[c.org] {
495 reachable[c.parentOrg] = true
496 }
497 if reachableFIPS[c.org] && c.fipsOK {
498 reachableFIPS[c.parentOrg] = true
499 }
500 }
501 }
502 addList(i&1, I_R1)
503 addList(i&2, I_R2)
504 addList(i&4, I_M1)
505 addList(i&8, I_M2)
506 addList(i&16, M1_R1)
507 addList(i&32, M2_R1)
508
509 for r := 1; r <= 3; r++ {
510 pool := x509.NewCertPool()
511 rootName := ","
512 shouldVerify := false
513 shouldVerifyFIPS := false
514 addRoot := func(cond int, c *fipsCertificate) {
515 if cond != 0 {
516 rootName += "," + c.name
517 pool.AddCert(c.cert)
518 if reachable[c.org] {
519 shouldVerify = true
520 }
521 if reachableFIPS[c.org] && c.fipsOK {
522 shouldVerifyFIPS = true
523 }
524 }
525 }
526 addRoot(r&1, R1)
527 addRoot(r&2, R2)
528 rootName = rootName[1:]
529
530 runWithFIPSDisabled(t, func(t *testing.T) {
531 testServerCert(t, listName+"->"+rootName[1:], pool, leaf.key, list, shouldVerify)
532 testClientCert(t, listName+"->"+rootName[1:]+"(client cert)", pool, leaf.key, list, shouldVerify)
533 })
534
535 runWithFIPSEnabled(t, func(t *testing.T) {
536 testServerCert(t, listName+"->"+rootName[1:]+" (fips)", pool, leaf.key, list, shouldVerifyFIPS)
537 testClientCert(t, listName+"->"+rootName[1:]+" (fips, client cert)", pool, leaf.key, list, shouldVerifyFIPS)
538 })
539 }
540 }
541 }
542 }
543
544 const (
545 fipsCertCA = iota
546 fipsCertLeaf
547 fipsCertFIPSOK = 0x80
548 )
549
550 func fipsRSAKey(t *testing.T, size int) *rsa.PrivateKey {
551 k, err := rsa.GenerateKey(rand.Reader, size)
552 if err != nil {
553 t.Fatal(err)
554 }
555 return k
556 }
557
558 func fipsECDSAKey(t *testing.T, curve elliptic.Curve) *ecdsa.PrivateKey {
559 k, err := ecdsa.GenerateKey(curve, rand.Reader)
560 if err != nil {
561 t.Fatal(err)
562 }
563 return k
564 }
565
566 type fipsCertificate struct {
567 name string
568 org string
569 parentOrg string
570 der []byte
571 cert *x509.Certificate
572 key interface{}
573 fipsOK bool
574 }
575
576 func fipsCert(t *testing.T, name string, key interface{}, parent *fipsCertificate, mode int) *fipsCertificate {
577 org := name
578 parentOrg := ""
579 if i := strings.Index(org, "_"); i >= 0 {
580 org = org[:i]
581 parentOrg = name[i+1:]
582 }
583 tmpl := &x509.Certificate{
584 SerialNumber: big.NewInt(1),
585 Subject: pkix.Name{
586 Organization: []string{org},
587 },
588 NotBefore: time.Unix(0, 0),
589 NotAfter: time.Unix(0, 0),
590
591 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
592 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
593 BasicConstraintsValid: true,
594 }
595 if mode&^fipsCertFIPSOK == fipsCertLeaf {
596 tmpl.DNSNames = []string{"example.com"}
597 } else {
598 tmpl.IsCA = true
599 tmpl.KeyUsage |= x509.KeyUsageCertSign
600 }
601
602 var pcert *x509.Certificate
603 var pkey interface{}
604 if parent != nil {
605 pcert = parent.cert
606 pkey = parent.key
607 } else {
608 pcert = tmpl
609 pkey = key
610 }
611
612 var pub interface{}
613 var desc string
614 switch k := key.(type) {
615 case *rsa.PrivateKey:
616 pub = &k.PublicKey
617 desc = fmt.Sprintf("RSA-%d", k.N.BitLen())
618 case *ecdsa.PrivateKey:
619 pub = &k.PublicKey
620 desc = "ECDSA-" + k.Curve.Params().Name
621 default:
622 t.Fatalf("invalid key %T", key)
623 }
624
625 der, err := x509.CreateCertificate(rand.Reader, tmpl, pcert, pub, pkey)
626 if err != nil {
627 t.Fatal(err)
628 }
629 cert, err := x509.ParseCertificate(der)
630 if err != nil {
631 t.Fatal(err)
632 }
633
634 fipsOK := mode&fipsCertFIPSOK != 0
635 runWithFIPSEnabled(t, func(t *testing.T) {
636 if isCertificateAllowedFIPS(cert) != fipsOK {
637 t.Errorf("fipsAllowCert(cert with %s key) = %v, want %v", desc, !fipsOK, fipsOK)
638 }
639 })
640
641 return &fipsCertificate{name, org, parentOrg, der, cert, key, fipsOK}
642 }
643
644
645
646 var (
647 testRSAPSS2048Certificate []byte
648 testRSAPSS2048PrivateKey *rsa.PrivateKey
649 )
650
651 func init() {
652 block, _ := pem.Decode(obscuretestdata.Rot13([]byte(`
653 -----ORTVA PREGVSVPNGR-----
654 ZVVP/mPPNrrtNjVONtVENYUUK/xu4+4mZH9QnemORpDjQDLWXbMVuipANDRYODNj
655 RwRDZN4TN1HRPuZUDJAgMFOQomNrSj0kZGNkZQRkAGN0ZQInSj0lZQRlZwxkAGN0
656 ZQInZOVkRQNBOtAIONbGO0SwoJHtD28jttRvZN0TPFdTFVo3QDRONDHNN4VOQjNj
657 ttRXNbVONDPs8sx0A6vrPOK4VBIVsXvgg4xTpBDYrvzPsfwddUplfZVITRgSFZ6R
658 4Nl141s/7VdqJ0HgVdAo4CKuEBVQ7lQkE284kY6KoPhi/g5uC3HpruLp3uzYvlIq
659 ZxMDvMJgsHHWs/1dBgZ+buAt59YEJc4q+6vK0yn1WY3RjPVpxxAwW9uDoS7Co2PF
660 +RF9Lb55XNnc8XBoycpE8ZOFA38odajwsDqPKiBRBwnz2UHkXmRSK5ZN+sN0zr4P
661 vbPpPEYJXy+TbA9S8sNOsbM+G+2rny4QYhB95eKE8FeBVIOu3KSBe/EIuwgKpAIS
662 MXpiQg6q68I6wNXNLXz5ayw9TCcq4i+eNtZONNTwHQOBZN4TN1HqQjRO/jDRNjVS
663 bQNGOtAIUFHRQQNXOtteOtRSODpQNGNZOtAIUEZONs8RNwNNZOxTN1HqRDDFZOPP
664 QzI4LJ1joTHhM29fLJ5aZN0TPFdTFVo3QDROPjHNN4VONDPBbLfIpSPOuobdr3JU
665 qP6I7KKKRPzawu01e8u80li0AE379aFQ3pj2Z+UXinKlfJdey5uwTIXj0igjQ81e
666 I4WmQh7VsVbt5z8+DAP+7YdQMfm88iQXBefblFIBzHPtzPXSKrj+YN+rB/vDRWGe
667 7rafqqBrKWRc27Rq5iJ+xzJJ3Dztyp2Tjl8jSeZQVdaeaBmON4bPaQRtgKWg0mbt
668 aEjosRZNJv1nDEl5qG9XN3FC9zb5FrGSFmTTUvR4f4tUHr7wifNSS2dtgQ6+jU6f
669 m9o6fukaP7t5VyOXuV7FIO/Hdg2lqW+xU1LowZpVd6ANZ5rAZXtMhWe3+mjfFtju
670 TAnR
671 -----RAQ PREGVSVPNGR-----`)))
672 testRSAPSS2048Certificate = block.Bytes
673
674 block, _ = pem.Decode(obscuretestdata.Rot13([]byte(`
675 -----ORTVA EFN CEVINGR XRL-----
676 ZVVRcNVONNXPNDRNa/U5AQrbattI+PQyFUlbeorWOaQxP3bcta7V6du3ZeQPSEuY
677 EHwBuBNZgrAK/+lXaIgSYFXwJ+Q14HGvN+8t8HqiBZF+y2jee/7rLG91UUbJUA4M
678 v4fyKGWTHVzIeK1SPK/9nweGCdVGLBsF0IdrUshby9WJgFF9kZNvUWWQLlsLHTkr
679 m29txiuRiJXBrFtTdsPwz5nKRsQNHwq/T6c8V30UDy7muQb2cgu1ZFfkOI+GNCaj
680 AWahNbdNaNxF1vcsudQsEsUjNK6Tsx/gazcrNl7wirn10sRdmvSDLq1kGd/0ILL7
681 I3QIEJFaYj7rariSrbjPtTPchM5L/Ew6KrY/djVQNDNONbVONDPAcZMvsq/it42u
682 UqPiYhMnLF0E7FhaSycbKRfygTqYSfac0VsbWM/htSDOFNVVsYjZhzH6bKN1m7Hi
683 98nVLI61QrCeGPQIQSOfUoAzC8WNb8JgohfRojq5mlbO7YLT2+pyxWxyJR73XdHd
684 ezV+HWrlFpy2Tva7MGkOKm1JCOx9IjpajxrnKctNFVOJ23suRPZ9taLRRjnOrm5G
685 6Zr8q1gUgLDi7ifXr7eb9j9/UXeEKrwdLXX1YkxusSevlI+z8YMWMa2aKBn6T3tS
686 Ao8Dx1Hx5CHORAOzlZSWuG4Z/hhFd4LgZeeB2tv8D+sCuhTmp5FfuLXEOc0J4C5e
687 zgIPgRSENbTONZRAOVSYeI2+UfTw0kLSnfXbi/DCr6UFGE1Uu2VMBAc+bX4bfmJR
688 wOG4IpaVGzcy6gP1Jl4TpekwAtXVSMNw+1k1YHHYqbeKxhT8le0gNuT9mAlsJfFl
689 CeFbiP0HIome8Wkkyn+xDIkRDDdJDkCyRIhY8xKnVQN6Ylg1Uchn2YiCNbTONADM
690 p6Yd2G7+OkYkAqv2z8xMmrw5xtmOc/KqIfoSJEyroVK2XeSUfeUmG9CHx3QR1iMX
691 Z6cmGg94aDuJFxQtPnj1FbuRyW3USVSjphfS1FWNp3cDrcq8ht6VLqycQZYgOw/C
692 /5C6OIHgtb05R4+V/G3vLngztyDkGgyM0ExFI2yyNbTONYBKxXSK7nuCis0JxfQu
693 hGshSBGCbbjtDT0RctJ0jEqPkrt/WYvp3yFQ0tfggDI2JfErpelJpknryEt10EzB
694 38OobtzunS4kitfFihwBsvMGR8bX1G43Z+6AXfVyZY3LVYocH/9nWkCJl0f2QdQe
695 pDWuMeyx+cmwON7Oas/HEqjkNbTNXE/PAj14Q+zeY3LYoovPKvlqdkIjki5cqMqm
696 8guv3GApfJP4vTHEqpIdosHvaICqWvKr/Xnp3JTPrEWnSItoXNBkYgv1EO5ZxVut
697 Q8rlhcOdx4J1Y1txekdfqw4GSykxjZljwy2R2F4LlD8COg6I04QbIEMfVXmdm+CS
698 HvbaCd0PtLOPLKidvbWuCrjxBd/L5jeQOrMJ1SDX5DQ9J5Z8/5mkq4eqiWgwuoWc
699 bBegiZqey6hcl9Um4OWQ3SKjISvCSR7wdrAdv0S21ivYkOCZZQ3HBQS6YY5RlYvE
700 9I4kIZF8XKkit7ekfhdmZCfpIvnJHY6JAIOufQ2+92qUkFKmm5RWXD==
701 -----RAQ EFN CEVINGR XRL-----`)))
702 var err error
703 testRSAPSS2048PrivateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
704 if err != nil {
705 panic(err)
706 }
707 }
708
View as plain text