Source file
src/crypto/tls/fips_test.go
1
2
3
4
5 package tls
6
7 import (
8 "crypto/ecdsa"
9 "crypto/elliptic"
10 "crypto/rand"
11 "crypto/rsa"
12 "crypto/x509"
13 "crypto/x509/pkix"
14 "encoding/pem"
15 "fmt"
16 "internal/obscuretestdata"
17 "internal/testenv"
18 "math/big"
19 "net"
20 "runtime"
21 "strings"
22 "testing"
23 "time"
24 )
25
26 func allCipherSuitesIncludingTLS13() []uint16 {
27 s := allCipherSuites()
28 for _, suite := range cipherSuitesTLS13 {
29 s = append(s, suite.id)
30 }
31 return s
32 }
33
34 func isTLS13CipherSuite(id uint16) bool {
35 for _, suite := range cipherSuitesTLS13 {
36 if id == suite.id {
37 return true
38 }
39 }
40 return false
41 }
42
43 func generateKeyShare(group CurveID) keyShare {
44 key, err := generateECDHEKey(rand.Reader, group)
45 if err != nil {
46 panic(err)
47 }
48 return keyShare{group: group, data: key.PublicKey().Bytes()}
49 }
50
51 func TestFIPSServerProtocolVersion(t *testing.T) {
52 test := func(t *testing.T, name string, v uint16, msg string) {
53 t.Run(name, func(t *testing.T) {
54 serverConfig := testConfig.Clone()
55 serverConfig.MinVersion = VersionSSL30
56 clientConfig := testConfig.Clone()
57 clientConfig.MinVersion = v
58 clientConfig.MaxVersion = v
59 _, _, err := testHandshake(t, clientConfig, serverConfig)
60 if msg == "" {
61 if err != nil {
62 t.Fatalf("got error: %v, expected success", err)
63 }
64 } else {
65 if err == nil {
66 t.Fatalf("got success, expected error")
67 }
68 if !strings.Contains(err.Error(), msg) {
69 t.Fatalf("got error %v, expected %q", err, msg)
70 }
71 }
72 })
73 }
74
75 runWithFIPSDisabled(t, func(t *testing.T) {
76 test(t, "VersionTLS10", VersionTLS10, "")
77 test(t, "VersionTLS11", VersionTLS11, "")
78 test(t, "VersionTLS12", VersionTLS12, "")
79 test(t, "VersionTLS13", VersionTLS13, "")
80 })
81
82 runWithFIPSEnabled(t, func(t *testing.T) {
83 test(t, "VersionTLS10", VersionTLS10, "supported versions")
84 test(t, "VersionTLS11", VersionTLS11, "supported versions")
85 test(t, "VersionTLS12", VersionTLS12, "")
86 test(t, "VersionTLS13", VersionTLS13, "")
87 })
88 }
89
90 func isFIPSVersion(v uint16) bool {
91 return v == VersionTLS12 || v == VersionTLS13
92 }
93
94 func isFIPSCipherSuite(id uint16) bool {
95 switch id {
96 case TLS_AES_128_GCM_SHA256,
97 TLS_AES_256_GCM_SHA384,
98 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
99 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
100 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
101 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
102 return true
103 }
104 return false
105 }
106
107 func isFIPSCurve(id CurveID) bool {
108 switch id {
109 case CurveP256, CurveP384:
110 return true
111 }
112 return false
113 }
114
115 func isECDSA(id uint16) bool {
116 for _, suite := range cipherSuites {
117 if suite.id == id {
118 return suite.flags&suiteECSign == suiteECSign
119 }
120 }
121 return false
122 }
123
124 func isFIPSSignatureScheme(alg SignatureScheme) bool {
125 switch alg {
126 default:
127 return false
128 case PKCS1WithSHA256,
129 ECDSAWithP256AndSHA256,
130 PKCS1WithSHA384,
131 ECDSAWithP384AndSHA384,
132 PKCS1WithSHA512,
133 PSSWithSHA256,
134 PSSWithSHA384,
135 PSSWithSHA512:
136
137 }
138 return true
139 }
140
141 func TestFIPSServerCipherSuites(t *testing.T) {
142 serverConfig := testConfig.Clone()
143 serverConfig.Certificates = make([]Certificate, 1)
144
145 for _, id := range allCipherSuitesIncludingTLS13() {
146 if isECDSA(id) {
147 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
148 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
149 } else {
150 serverConfig.Certificates[0].Certificate = [][]byte{testRSACertificate}
151 serverConfig.Certificates[0].PrivateKey = testRSAPrivateKey
152 }
153 serverConfig.BuildNameToCertificate()
154 t.Run(fmt.Sprintf("suite=%s", CipherSuiteName(id)), func(t *testing.T) {
155 clientHello := &clientHelloMsg{
156 vers: VersionTLS12,
157 random: make([]byte, 32),
158 cipherSuites: []uint16{id},
159 compressionMethods: []uint8{compressionNone},
160 supportedCurves: defaultCurvePreferences(),
161 keyShares: []keyShare{generateKeyShare(CurveP256)},
162 supportedPoints: []uint8{pointFormatUncompressed},
163 supportedVersions: []uint16{VersionTLS12},
164 supportedSignatureAlgorithms: defaultSupportedSignatureAlgorithmsFIPS,
165 }
166 if isTLS13CipherSuite(id) {
167 clientHello.supportedVersions = []uint16{VersionTLS13}
168 }
169
170 runWithFIPSDisabled(t, func(t *testing.T) {
171 testClientHello(t, serverConfig, clientHello)
172 })
173
174 runWithFIPSEnabled(t, func(t *testing.T) {
175 msg := ""
176 if !isFIPSCipherSuite(id) {
177 msg = "no cipher suite supported by both client and server"
178 }
179 testClientHelloFailure(t, serverConfig, clientHello, msg)
180 })
181 })
182 }
183 }
184
185 func TestFIPSServerCurves(t *testing.T) {
186 serverConfig := testConfig.Clone()
187 serverConfig.CurvePreferences = nil
188 serverConfig.BuildNameToCertificate()
189
190 for _, curveid := range defaultCurvePreferences() {
191 t.Run(fmt.Sprintf("curve=%d", curveid), func(t *testing.T) {
192 clientConfig := testConfig.Clone()
193 clientConfig.CurvePreferences = []CurveID{curveid}
194
195 runWithFIPSDisabled(t, func(t *testing.T) {
196 if _, _, err := testHandshake(t, clientConfig, serverConfig); err != nil {
197 t.Fatalf("got error: %v, expected success", err)
198 }
199 })
200
201
202 runWithFIPSEnabled(t, func(t *testing.T) {
203 _, _, err := testHandshake(t, clientConfig, serverConfig)
204 if err != nil && isFIPSCurve(curveid) {
205 t.Fatalf("got error: %v, expected success", err)
206 } else if err == nil && !isFIPSCurve(curveid) {
207 t.Fatalf("got success, expected error")
208 }
209 })
210 })
211 }
212 }
213
214 func fipsHandshake(t *testing.T, clientConfig, serverConfig *Config) (clientErr, serverErr error) {
215 c, s := localPipe(t)
216 client := Client(c, clientConfig)
217 server := Server(s, serverConfig)
218 done := make(chan error, 1)
219 go func() {
220 done <- client.Handshake()
221 c.Close()
222 }()
223 serverErr = server.Handshake()
224 s.Close()
225 clientErr = <-done
226 return
227 }
228
229 func TestFIPSServerSignatureAndHash(t *testing.T) {
230 defer func() {
231 testingOnlyForceClientHelloSignatureAlgorithms = nil
232 }()
233
234 for _, sigHash := range defaultSupportedSignatureAlgorithms {
235 t.Run(fmt.Sprintf("%v", sigHash), func(t *testing.T) {
236 serverConfig := testConfig.Clone()
237 serverConfig.Certificates = make([]Certificate, 1)
238
239 testingOnlyForceClientHelloSignatureAlgorithms = []SignatureScheme{sigHash}
240
241 sigType, _, _ := typeAndHashFromSignatureScheme(sigHash)
242 switch sigType {
243 case signaturePKCS1v15, signatureRSAPSS:
244 serverConfig.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
245 serverConfig.Certificates[0].Certificate = [][]byte{testRSAPSS2048Certificate}
246 serverConfig.Certificates[0].PrivateKey = testRSAPSS2048PrivateKey
247 case signatureEd25519:
248 serverConfig.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
249 serverConfig.Certificates[0].Certificate = [][]byte{testEd25519Certificate}
250 serverConfig.Certificates[0].PrivateKey = testEd25519PrivateKey
251 case signatureECDSA:
252 serverConfig.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
253 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
254 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
255 }
256 serverConfig.BuildNameToCertificate()
257
258
259 serverConfig.MaxVersion = VersionTLS12
260
261 runWithFIPSDisabled(t, func(t *testing.T) {
262 clientErr, serverErr := fipsHandshake(t, testConfig, serverConfig)
263 if clientErr != nil {
264 t.Fatalf("expected handshake with %#x to succeed; client error: %v; server error: %v", sigHash, clientErr, serverErr)
265 }
266 })
267
268
269 runWithFIPSEnabled(t, func(t *testing.T) {
270 clientErr, _ := fipsHandshake(t, testConfig, serverConfig)
271 if isFIPSSignatureScheme(sigHash) {
272 if clientErr != nil {
273 t.Fatalf("expected handshake with %#x to succeed; err=%v", sigHash, clientErr)
274 }
275 } else {
276 if clientErr == nil {
277 t.Fatalf("expected handshake with %#x to fail, but it succeeded", sigHash)
278 }
279 }
280 })
281 })
282 }
283 }
284
285 func TestFIPSClientHello(t *testing.T) {
286 runWithFIPSEnabled(t, testFIPSClientHello)
287 }
288
289 func testFIPSClientHello(t *testing.T) {
290
291
292
293 c, s := net.Pipe()
294 defer c.Close()
295 defer s.Close()
296
297 clientConfig := testConfig.Clone()
298
299 clientConfig.MinVersion = VersionSSL30
300 clientConfig.MaxVersion = VersionTLS13
301 clientConfig.CipherSuites = allCipherSuites()
302 clientConfig.CurvePreferences = defaultCurvePreferences()
303
304 go Client(c, clientConfig).Handshake()
305 srv := Server(s, testConfig)
306 msg, err := srv.readHandshake(nil)
307 if err != nil {
308 t.Fatal(err)
309 }
310 hello, ok := msg.(*clientHelloMsg)
311 if !ok {
312 t.Fatalf("unexpected message type %T", msg)
313 }
314
315 if !isFIPSVersion(hello.vers) {
316 t.Errorf("client vers=%#x", hello.vers)
317 }
318 for _, v := range hello.supportedVersions {
319 if !isFIPSVersion(v) {
320 t.Errorf("client offered disallowed version %#x", v)
321 }
322 }
323 for _, id := range hello.cipherSuites {
324 if !isFIPSCipherSuite(id) {
325 t.Errorf("client offered disallowed suite %#x", id)
326 }
327 }
328 for _, id := range hello.supportedCurves {
329 if !isFIPSCurve(id) {
330 t.Errorf("client offered disallowed curve %d", id)
331 }
332 }
333 for _, sigHash := range hello.supportedSignatureAlgorithms {
334 if !isFIPSSignatureScheme(sigHash) {
335 t.Errorf("client offered disallowed signature-and-hash %v", sigHash)
336 }
337 }
338 }
339
340 func TestFIPSCertAlgs(t *testing.T) {
341
342
343 if testenv.CPUIsSlow() {
344 t.Skipf("skipping on %s/%s because key generation takes too long", runtime.GOOS, runtime.GOARCH)
345 }
346
347
348
349 R1 := fipsCert(t, "R1", fipsRSAKey(t, 2048), nil, fipsCertCA|fipsCertFIPSOK)
350 R2 := fipsCert(t, "R2", fipsRSAKey(t, 1024), nil, fipsCertCA)
351 R3 := fipsCert(t, "R3", fipsRSAKey(t, 4096), nil, fipsCertCA|fipsCertFIPSOK)
352
353 M1_R1 := fipsCert(t, "M1_R1", fipsECDSAKey(t, elliptic.P256()), R1, fipsCertCA|fipsCertFIPSOK)
354 M2_R1 := fipsCert(t, "M2_R1", fipsECDSAKey(t, elliptic.P224()), R1, fipsCertCA)
355
356 I_R1 := fipsCert(t, "I_R1", fipsRSAKey(t, 3072), R1, fipsCertCA|fipsCertFIPSOK)
357 I_R2 := fipsCert(t, "I_R2", I_R1.key, R2, fipsCertCA|fipsCertFIPSOK)
358 I_M1 := fipsCert(t, "I_M1", I_R1.key, M1_R1, fipsCertCA|fipsCertFIPSOK)
359 I_M2 := fipsCert(t, "I_M2", I_R1.key, M2_R1, fipsCertCA|fipsCertFIPSOK)
360
361 I_R3 := fipsCert(t, "I_R3", fipsRSAKey(t, 3072), R3, fipsCertCA|fipsCertFIPSOK)
362 fipsCert(t, "I_R3", I_R3.key, R3, fipsCertCA|fipsCertFIPSOK)
363
364 L1_I := fipsCert(t, "L1_I", fipsECDSAKey(t, elliptic.P384()), I_R1, fipsCertLeaf|fipsCertFIPSOK)
365 L2_I := fipsCert(t, "L2_I", fipsRSAKey(t, 1024), I_R1, fipsCertLeaf)
366
367
368 testServerCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) {
369 clientConfig := testConfig.Clone()
370 clientConfig.RootCAs = pool
371 clientConfig.InsecureSkipVerify = false
372 clientConfig.ServerName = "example.com"
373
374 serverConfig := testConfig.Clone()
375 serverConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}}
376 serverConfig.BuildNameToCertificate()
377
378 clientErr, _ := fipsHandshake(t, clientConfig, serverConfig)
379
380 if (clientErr == nil) == ok {
381 if ok {
382 t.Logf("%s: accept", desc)
383 } else {
384 t.Logf("%s: reject", desc)
385 }
386 } else {
387 if ok {
388 t.Errorf("%s: BAD reject (%v)", desc, clientErr)
389 } else {
390 t.Errorf("%s: BAD accept", desc)
391 }
392 }
393 }
394
395
396 testClientCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) {
397 clientConfig := testConfig.Clone()
398 clientConfig.ServerName = "example.com"
399 clientConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}}
400
401 serverConfig := testConfig.Clone()
402 serverConfig.ClientCAs = pool
403 serverConfig.ClientAuth = RequireAndVerifyClientCert
404
405 _, serverErr := fipsHandshake(t, clientConfig, serverConfig)
406
407 if (serverErr == nil) == ok {
408 if ok {
409 t.Logf("%s: accept", desc)
410 } else {
411 t.Logf("%s: reject", desc)
412 }
413 } else {
414 if ok {
415 t.Errorf("%s: BAD reject (%v)", desc, serverErr)
416 } else {
417 t.Errorf("%s: BAD accept", desc)
418 }
419 }
420 }
421
422
423
424 r1pool := x509.NewCertPool()
425 r1pool.AddCert(R1.cert)
426
427 runWithFIPSDisabled(t, func(t *testing.T) {
428 testServerCert(t, "basic", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true)
429 testClientCert(t, "basic (client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true)
430 })
431
432 runWithFIPSEnabled(t, func(t *testing.T) {
433 testServerCert(t, "basic (fips)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false)
434 testClientCert(t, "basic (fips, client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false)
435 })
436
437 if t.Failed() {
438 t.Fatal("basic test failed, skipping exhaustive test")
439 }
440
441 if testing.Short() {
442 t.Logf("basic test passed; skipping exhaustive test in -short mode")
443 return
444 }
445
446 for l := 1; l <= 2; l++ {
447 leaf := L1_I
448 if l == 2 {
449 leaf = L2_I
450 }
451 for i := 0; i < 64; i++ {
452 reachable := map[string]bool{leaf.parentOrg: true}
453 reachableFIPS := map[string]bool{leaf.parentOrg: leaf.fipsOK}
454 list := [][]byte{leaf.der}
455 listName := leaf.name
456 addList := func(cond int, c *fipsCertificate) {
457 if cond != 0 {
458 list = append(list, c.der)
459 listName += "," + c.name
460 if reachable[c.org] {
461 reachable[c.parentOrg] = true
462 }
463 if reachableFIPS[c.org] && c.fipsOK {
464 reachableFIPS[c.parentOrg] = true
465 }
466 }
467 }
468 addList(i&1, I_R1)
469 addList(i&2, I_R2)
470 addList(i&4, I_M1)
471 addList(i&8, I_M2)
472 addList(i&16, M1_R1)
473 addList(i&32, M2_R1)
474
475 for r := 1; r <= 3; r++ {
476 pool := x509.NewCertPool()
477 rootName := ","
478 shouldVerify := false
479 shouldVerifyFIPS := false
480 addRoot := func(cond int, c *fipsCertificate) {
481 if cond != 0 {
482 rootName += "," + c.name
483 pool.AddCert(c.cert)
484 if reachable[c.org] {
485 shouldVerify = true
486 }
487 if reachableFIPS[c.org] && c.fipsOK {
488 shouldVerifyFIPS = true
489 }
490 }
491 }
492 addRoot(r&1, R1)
493 addRoot(r&2, R2)
494 rootName = rootName[1:]
495
496 runWithFIPSDisabled(t, func(t *testing.T) {
497 testServerCert(t, listName+"->"+rootName[1:], pool, leaf.key, list, shouldVerify)
498 testClientCert(t, listName+"->"+rootName[1:]+"(client cert)", pool, leaf.key, list, shouldVerify)
499 })
500
501 runWithFIPSEnabled(t, func(t *testing.T) {
502 testServerCert(t, listName+"->"+rootName[1:]+" (fips)", pool, leaf.key, list, shouldVerifyFIPS)
503 testClientCert(t, listName+"->"+rootName[1:]+" (fips, client cert)", pool, leaf.key, list, shouldVerifyFIPS)
504 })
505 }
506 }
507 }
508 }
509
510 const (
511 fipsCertCA = iota
512 fipsCertLeaf
513 fipsCertFIPSOK = 0x80
514 )
515
516 func fipsRSAKey(t *testing.T, size int) *rsa.PrivateKey {
517 k, err := rsa.GenerateKey(rand.Reader, size)
518 if err != nil {
519 t.Fatal(err)
520 }
521 return k
522 }
523
524 func fipsECDSAKey(t *testing.T, curve elliptic.Curve) *ecdsa.PrivateKey {
525 k, err := ecdsa.GenerateKey(curve, rand.Reader)
526 if err != nil {
527 t.Fatal(err)
528 }
529 return k
530 }
531
532 type fipsCertificate struct {
533 name string
534 org string
535 parentOrg string
536 der []byte
537 cert *x509.Certificate
538 key interface{}
539 fipsOK bool
540 }
541
542 func fipsCert(t *testing.T, name string, key interface{}, parent *fipsCertificate, mode int) *fipsCertificate {
543 org := name
544 parentOrg := ""
545 if i := strings.Index(org, "_"); i >= 0 {
546 org = org[:i]
547 parentOrg = name[i+1:]
548 }
549 tmpl := &x509.Certificate{
550 SerialNumber: big.NewInt(1),
551 Subject: pkix.Name{
552 Organization: []string{org},
553 },
554 NotBefore: time.Unix(0, 0),
555 NotAfter: time.Unix(0, 0),
556
557 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
558 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
559 BasicConstraintsValid: true,
560 }
561 if mode&^fipsCertFIPSOK == fipsCertLeaf {
562 tmpl.DNSNames = []string{"example.com"}
563 } else {
564 tmpl.IsCA = true
565 tmpl.KeyUsage |= x509.KeyUsageCertSign
566 }
567
568 var pcert *x509.Certificate
569 var pkey interface{}
570 if parent != nil {
571 pcert = parent.cert
572 pkey = parent.key
573 } else {
574 pcert = tmpl
575 pkey = key
576 }
577
578 var pub interface{}
579 var desc string
580 switch k := key.(type) {
581 case *rsa.PrivateKey:
582 pub = &k.PublicKey
583 desc = fmt.Sprintf("RSA-%d", k.N.BitLen())
584 case *ecdsa.PrivateKey:
585 pub = &k.PublicKey
586 desc = "ECDSA-" + k.Curve.Params().Name
587 default:
588 t.Fatalf("invalid key %T", key)
589 }
590
591 der, err := x509.CreateCertificate(rand.Reader, tmpl, pcert, pub, pkey)
592 if err != nil {
593 t.Fatal(err)
594 }
595 cert, err := x509.ParseCertificate(der)
596 if err != nil {
597 t.Fatal(err)
598 }
599
600 fipsOK := mode&fipsCertFIPSOK != 0
601 runWithFIPSEnabled(t, func(t *testing.T) {
602 if fipsAllowCert(cert) != fipsOK {
603 t.Errorf("fipsAllowCert(cert with %s key) = %v, want %v", desc, !fipsOK, fipsOK)
604 }
605 })
606
607 return &fipsCertificate{name, org, parentOrg, der, cert, key, fipsOK}
608 }
609
610
611
612 var (
613 testRSAPSS2048Certificate []byte
614 testRSAPSS2048PrivateKey *rsa.PrivateKey
615 )
616
617 func init() {
618 block, _ := pem.Decode(obscuretestdata.Rot13([]byte(`
619 -----ORTVA PREGVSVPNGR-----
620 ZVVP/mPPNrrtNjVONtVENYUUK/xu4+4mZH9QnemORpDjQDLWXbMVuipANDRYODNj
621 RwRDZN4TN1HRPuZUDJAgMFOQomNrSj0kZGNkZQRkAGN0ZQInSj0lZQRlZwxkAGN0
622 ZQInZOVkRQNBOtAIONbGO0SwoJHtD28jttRvZN0TPFdTFVo3QDRONDHNN4VOQjNj
623 ttRXNbVONDPs8sx0A6vrPOK4VBIVsXvgg4xTpBDYrvzPsfwddUplfZVITRgSFZ6R
624 4Nl141s/7VdqJ0HgVdAo4CKuEBVQ7lQkE284kY6KoPhi/g5uC3HpruLp3uzYvlIq
625 ZxMDvMJgsHHWs/1dBgZ+buAt59YEJc4q+6vK0yn1WY3RjPVpxxAwW9uDoS7Co2PF
626 +RF9Lb55XNnc8XBoycpE8ZOFA38odajwsDqPKiBRBwnz2UHkXmRSK5ZN+sN0zr4P
627 vbPpPEYJXy+TbA9S8sNOsbM+G+2rny4QYhB95eKE8FeBVIOu3KSBe/EIuwgKpAIS
628 MXpiQg6q68I6wNXNLXz5ayw9TCcq4i+eNtZONNTwHQOBZN4TN1HqQjRO/jDRNjVS
629 bQNGOtAIUFHRQQNXOtteOtRSODpQNGNZOtAIUEZONs8RNwNNZOxTN1HqRDDFZOPP
630 QzI4LJ1joTHhM29fLJ5aZN0TPFdTFVo3QDROPjHNN4VONDPBbLfIpSPOuobdr3JU
631 qP6I7KKKRPzawu01e8u80li0AE379aFQ3pj2Z+UXinKlfJdey5uwTIXj0igjQ81e
632 I4WmQh7VsVbt5z8+DAP+7YdQMfm88iQXBefblFIBzHPtzPXSKrj+YN+rB/vDRWGe
633 7rafqqBrKWRc27Rq5iJ+xzJJ3Dztyp2Tjl8jSeZQVdaeaBmON4bPaQRtgKWg0mbt
634 aEjosRZNJv1nDEl5qG9XN3FC9zb5FrGSFmTTUvR4f4tUHr7wifNSS2dtgQ6+jU6f
635 m9o6fukaP7t5VyOXuV7FIO/Hdg2lqW+xU1LowZpVd6ANZ5rAZXtMhWe3+mjfFtju
636 TAnR
637 -----RAQ PREGVSVPNGR-----`)))
638 testRSAPSS2048Certificate = block.Bytes
639
640 block, _ = pem.Decode(obscuretestdata.Rot13([]byte(`
641 -----ORTVA EFN CEVINGR XRL-----
642 ZVVRcNVONNXPNDRNa/U5AQrbattI+PQyFUlbeorWOaQxP3bcta7V6du3ZeQPSEuY
643 EHwBuBNZgrAK/+lXaIgSYFXwJ+Q14HGvN+8t8HqiBZF+y2jee/7rLG91UUbJUA4M
644 v4fyKGWTHVzIeK1SPK/9nweGCdVGLBsF0IdrUshby9WJgFF9kZNvUWWQLlsLHTkr
645 m29txiuRiJXBrFtTdsPwz5nKRsQNHwq/T6c8V30UDy7muQb2cgu1ZFfkOI+GNCaj
646 AWahNbdNaNxF1vcsudQsEsUjNK6Tsx/gazcrNl7wirn10sRdmvSDLq1kGd/0ILL7
647 I3QIEJFaYj7rariSrbjPtTPchM5L/Ew6KrY/djVQNDNONbVONDPAcZMvsq/it42u
648 UqPiYhMnLF0E7FhaSycbKRfygTqYSfac0VsbWM/htSDOFNVVsYjZhzH6bKN1m7Hi
649 98nVLI61QrCeGPQIQSOfUoAzC8WNb8JgohfRojq5mlbO7YLT2+pyxWxyJR73XdHd
650 ezV+HWrlFpy2Tva7MGkOKm1JCOx9IjpajxrnKctNFVOJ23suRPZ9taLRRjnOrm5G
651 6Zr8q1gUgLDi7ifXr7eb9j9/UXeEKrwdLXX1YkxusSevlI+z8YMWMa2aKBn6T3tS
652 Ao8Dx1Hx5CHORAOzlZSWuG4Z/hhFd4LgZeeB2tv8D+sCuhTmp5FfuLXEOc0J4C5e
653 zgIPgRSENbTONZRAOVSYeI2+UfTw0kLSnfXbi/DCr6UFGE1Uu2VMBAc+bX4bfmJR
654 wOG4IpaVGzcy6gP1Jl4TpekwAtXVSMNw+1k1YHHYqbeKxhT8le0gNuT9mAlsJfFl
655 CeFbiP0HIome8Wkkyn+xDIkRDDdJDkCyRIhY8xKnVQN6Ylg1Uchn2YiCNbTONADM
656 p6Yd2G7+OkYkAqv2z8xMmrw5xtmOc/KqIfoSJEyroVK2XeSUfeUmG9CHx3QR1iMX
657 Z6cmGg94aDuJFxQtPnj1FbuRyW3USVSjphfS1FWNp3cDrcq8ht6VLqycQZYgOw/C
658 /5C6OIHgtb05R4+V/G3vLngztyDkGgyM0ExFI2yyNbTONYBKxXSK7nuCis0JxfQu
659 hGshSBGCbbjtDT0RctJ0jEqPkrt/WYvp3yFQ0tfggDI2JfErpelJpknryEt10EzB
660 38OobtzunS4kitfFihwBsvMGR8bX1G43Z+6AXfVyZY3LVYocH/9nWkCJl0f2QdQe
661 pDWuMeyx+cmwON7Oas/HEqjkNbTNXE/PAj14Q+zeY3LYoovPKvlqdkIjki5cqMqm
662 8guv3GApfJP4vTHEqpIdosHvaICqWvKr/Xnp3JTPrEWnSItoXNBkYgv1EO5ZxVut
663 Q8rlhcOdx4J1Y1txekdfqw4GSykxjZljwy2R2F4LlD8COg6I04QbIEMfVXmdm+CS
664 HvbaCd0PtLOPLKidvbWuCrjxBd/L5jeQOrMJ1SDX5DQ9J5Z8/5mkq4eqiWgwuoWc
665 bBegiZqey6hcl9Um4OWQ3SKjISvCSR7wdrAdv0S21ivYkOCZZQ3HBQS6YY5RlYvE
666 9I4kIZF8XKkit7ekfhdmZCfpIvnJHY6JAIOufQ2+92qUkFKmm5RWXD==
667 -----RAQ EFN CEVINGR XRL-----`)))
668 var err error
669 testRSAPSS2048PrivateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
670 if err != nil {
671 panic(err)
672 }
673 }
674
View as plain text