This is an automated email from the ASF dual-hosted git repository.

xyz pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/pulsar-client-cpp.git


The following commit(s) were added to refs/heads/main by this push:
     new 4ba83e8  Fix issue where cert chain is not taken into account in mTLS 
authentication (#467)
4ba83e8 is described below

commit 4ba83e83fbb4319c0b4cda82372caf042e9ccaa6
Author: Masahiro Sakamoto <[email protected]>
AuthorDate: Thu Dec 19 15:42:23 2024 +0900

    Fix issue where cert chain is not taken into account in mTLS authentication 
(#467)
---
 .../start-mim-test-service-inside-container.sh     |   3 +-
 .../start-test-service-inside-container.sh         |   3 +-
 lib/ClientConnection.cc                            |   4 +-
 test-conf/broker-cert.pem                          | 134 ++++++----------
 test-conf/cacert.pem                               | 177 ++++++++-------------
 test-conf/cakey.pem                                |  27 ++++
 test-conf/chained-client-cert.pem                  |  51 ++++++
 test-conf/chained-client-key.pem                   |  27 ++++
 test-conf/client-cert.pem                          | 117 +++++++-------
 test-conf/intermediate-cacert.pem                  |  83 ++++++++++
 test-conf/intermediate-cakey.pem                   |  27 ++++
 tests/AuthPluginTest.cc                            |  17 ++
 12 files changed, 411 insertions(+), 259 deletions(-)

diff --git a/build-support/start-mim-test-service-inside-container.sh 
b/build-support/start-mim-test-service-inside-container.sh
index e7b307d..fdeb787 100755
--- a/build-support/start-mim-test-service-inside-container.sh
+++ b/build-support/start-mim-test-service-inside-container.sh
@@ -76,7 +76,8 @@ put tenants/private '{
 put namespaces/private/auth '{
   "auth_policies": {
     "namespace_auth": {
-      "token-principal": ["produce", "consume"]
+      "token-principal": ["produce", "consume"],
+      "chained-client": ["produce", "consume"]
     }
   },
   "replication_clusters": ["standalone"]
diff --git a/build-support/start-test-service-inside-container.sh 
b/build-support/start-test-service-inside-container.sh
index 678341a..71b9306 100755
--- a/build-support/start-test-service-inside-container.sh
+++ b/build-support/start-test-service-inside-container.sh
@@ -134,7 +134,8 @@ put tenants/private '{
 put namespaces/private/auth '{
   "auth_policies": {
     "namespace_auth": {
-      "token-principal": ["produce", "consume"]
+      "token-principal": ["produce", "consume"],
+      "chained-client": ["produce", "consume"]
     }
   },
   "replication_clusters": ["standalone"]
diff --git a/lib/ClientConnection.cc b/lib/ClientConnection.cc
index 5b2b2ca..2037722 100644
--- a/lib/ClientConnection.cc
+++ b/lib/ClientConnection.cc
@@ -253,11 +253,11 @@ ClientConnection::ClientConnection(const std::string& 
logicalAddress, const std:
                 throw ResultAuthenticationError;
             }
             ctx.use_private_key_file(tlsPrivateKey, ASIO::ssl::context::pem);
-            ctx.use_certificate_file(tlsCertificates, ASIO::ssl::context::pem);
+            ctx.use_certificate_chain_file(tlsCertificates);
         } else {
             if (file_exists(tlsPrivateKey) && file_exists(tlsCertificates)) {
                 ctx.use_private_key_file(tlsPrivateKey, 
ASIO::ssl::context::pem);
-                ctx.use_certificate_file(tlsCertificates, 
ASIO::ssl::context::pem);
+                ctx.use_certificate_chain_file(tlsCertificates);
             }
         }
 
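Review bot: In both branches the private key is still loaded before the certificate chain, so a key that does not belong to the leaf certificate is not reported at load time. As far as I recall, OpenSSL silently discards an already-loaded key when a non-matching certificate is installed afterwards, whereas loading the key second makes the key load itself fail on a mismatch. Here the result would be a handshake that fails or goes ahead without a client certificate, rather than a clear configuration error. Consider calling `ctx.use_certificate_chain_file(tlsCertificates);` first and `ctx.use_private_key_file(tlsPrivateKey, ASIO::ssl::context::pem);` second in each branch. The constructor starts and ends outside this hunk, so how exceptions from these calls are handled is not visible here.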
diff --git a/test-conf/broker-cert.pem b/test-conf/broker-cert.pem
index 8d0a02f..f4e7a56 100644
--- a/test-conf/broker-cert.pem
+++ b/test-conf/broker-cert.pem
@@ -1,16 +1,17 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 4098 (0x1002)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=California, L=Palo Alto, O=Apache Software 
Foundation, OU=Pulsar, CN=Pulsar CA/[email protected]
+        Serial Number:
+            53:f8:da:b4:2b:b3:53:ff:db:96:69:f4:54:4b:8c:94:c9:24:d4:32
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, O=Apache Software Foundation, OU=Pulsar, 
CN=Pulsar CA/[email protected]
         Validity
-            Not Before: Feb 17 17:00:44 2021 GMT
-            Not After : Feb 12 17:00:44 2041 GMT
+            Not Before: Dec 18 06:29:25 2024 GMT
+            Not After : Dec 13 06:29:25 2044 GMT
         Subject: C=US, ST=California, O=Apache Software Foundation, OU=Pulsar, 
CN=localhost/[email protected]
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:9b:2a:6f:24:02:23:f7:ff:e6:75:61:ca:07:a8:
                     c0:ab:e9:8d:eb:51:2e:64:f7:9e:9b:d4:b4:be:3a:
@@ -32,86 +33,53 @@ Certificate:
                     5e:cd
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Basic Constraints:
+            X509v3 Basic Constraints: 
                 CA:FALSE
-            Netscape Cert Type:
-                SSL Server
-            Netscape Comment:
-                OpenSSL Generated Server Certificate
-            X509v3 Subject Key Identifier:
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
                 49:3C:B2:98:30:CE:7F:79:7A:C6:8B:57:CA:24:9F:12:82:1E:5D:EF
-            X509v3 Authority Key Identifier:
-                
keyid:D2:B2:3D:B1:A4:7C:48:4B:36:E1:A7:DE:D8:FC:BA:92:BA:A7:C4:71
-                DirName:/C=US/ST=California/L=Palo Alto/O=Apache Software 
Foundation/OU=Pulsar/CN=Pulsar CA/[email protected]
-                
serial:52:7B:B4:00:96:60:B4:26:85:BE:01:82:B8:B8:E2:8C:72:EF:5B:90
+            X509v3 Authority Key Identifier: 
+                
keyid:9C:66:A6:5E:95:A5:D7:72:6E:11:76:44:43:35:B4:61:FB:70:27:6F
 
-            X509v3 Key Usage: critical
-                Digital Signature, Key Encipherment
-            X509v3 Extended Key Usage:
-                TLS Web Server Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         0f:bd:af:39:0c:2c:dc:8f:7e:06:0d:27:df:35:c7:8d:5a:03:
-         68:97:f6:dc:d6:d3:39:0e:b4:76:48:7d:e1:1c:a9:4b:83:fa:
-         52:00:ab:28:93:2d:06:76:0c:14:35:3c:f1:8e:3b:af:c8:d0:
-         27:1f:58:d4:71:22:5f:05:a6:9e:73:c6:a5:5e:2a:e6:fb:eb:
-         fc:73:52:87:ca:8a:2a:f9:1e:5f:e2:b9:bd:01:27:9f:7c:61:
-         a6:97:ad:a0:ab:4e:fb:cc:fa:c8:77:6a:65:1b:ae:60:5e:fb:
-         97:14:8c:40:d7:96:c6:2c:64:59:c0:52:52:7c:2d:98:4b:f4:
-         72:da:83:f7:c6:4f:32:42:ce:df:02:dd:5f:eb:58:42:f9:62:
-         a1:9a:05:ef:13:48:27:af:a3:7f:23:eb:e0:dc:1d:8f:96:2a:
-         88:47:f7:e4:75:6f:a9:15:f6:44:f1:6d:39:3a:2c:df:a7:82:
-         cc:7e:aa:9c:1c:c0:a7:7d:68:31:4a:4e:21:b8:9f:17:90:4b:
-         f1:68:23:ef:a7:53:fc:a9:a8:35:6b:8f:4c:5e:d4:ea:b0:8a:
-         27:9a:86:89:ce:f2:5d:03:35:80:fc:45:e8:87:66:0f:32:b5:
-         2a:f5:1b:79:0e:09:8b:90:40:20:fb:e3:27:8a:c9:92:c1:53:
-         97:10:5a:8c:50:ef:02:46:7e:ec:68:c8:1e:26:66:0e:1d:d6:
-         6c:82:e7:38:14:e8:cb:45:77:29:5f:2c:1a:9d:d7:54:21:8a:
-         cf:0f:b7:0c:ae:fe:d6:fb:fb:c3:07:3e:33:df:59:25:1c:73:
-         d4:87:73:14:b4:76:16:8a:3f:82:05:7b:42:0a:55:0c:79:24:
-         3c:58:31:3f:e0:3e:9f:4e:d0:0e:fd:77:b7:13:2c:d3:d0:46:
-         cc:80:09:0f:50:56:8b:6e:6e:91:b2:5b:c8:2f:4d:86:dc:72:
-         00:de:08:0d:5e:3e:96:1f:12:7d:3b:0d:4d:71:d5:c8:a8:06:
-         ba:00:23:ec:10:4c:a4:c3:6f:bc:f0:d7:b1:cf:57:3f:3b:79:
-         db:80:87:35:c7:4e:7f:bb:38:30:0a:9f:fe:5a:86:f5:97:ce:
-         24:38:79:fd:a0:dc:0b:82:11:a1:ea:0c:e9:16:65:e0:c0:54:
-         80:ad:6e:55:18:ac:27:35:3a:b0:20:70:62:8e:5d:a2:33:53:
-         8c:ce:f9:ee:a1:27:cb:db:e5:9a:5e:e6:f7:80:93:84:63:04:
-         26:58:ab:23:bb:94:80:d0:a0:55:a2:8a:ed:bc:0f:c3:41:d2:
-         26:a5:b9:8d:8a:45:e8:a1:fc:e8:ee:7a:64:93:ed:d6:ef:a2:
-         51:d7:c9:0a:31:39:35:4a
+         46:44:07:07:74:de:fa:e9:ad:ee:10:87:72:e4:06:81:e7:d9:
+         9c:91:99:9e:fe:b2:fe:29:fc:58:12:38:7d:28:c1:3b:d6:ca:
+         19:dd:06:6c:1e:95:17:58:fa:48:47:62:2b:4f:29:a2:39:3a:
+         90:f4:37:5a:8c:75:4c:60:b3:61:50:94:5a:4d:70:6a:50:62:
+         c8:17:46:38:92:1a:02:4d:71:ad:ab:94:10:a3:91:b1:aa:18:
+         a9:00:88:b7:16:25:3c:aa:59:45:90:49:9a:9c:15:5e:d5:2f:
+         2f:2a:9e:61:77:b8:59:b7:7e:30:c9:8e:89:2a:57:11:84:e2:
+         cd:a6:ba:78:73:05:a0:f0:aa:47:5b:8c:f2:a9:20:c6:f7:50:
+         39:d7:07:bc:ef:7f:04:85:60:1b:c2:5e:53:dc:40:f9:22:f8:
+         78:b6:be:d7:1b:84:51:45:f7:30:6c:15:fd:c4:07:83:cf:89:
+         f0:6f:f9:49:7a:cc:f3:17:00:ef:33:f5:0a:6a:79:75:e5:6f:
+         2e:1f:ad:bf:7e:34:e8:1c:2e:08:de:1e:16:c0:ab:73:69:f9:
+         2e:09:d1:7b:f4:f0:8c:59:b6:82:c3:1a:a3:8c:25:0f:78:bf:
+         0b:b3:87:72:46:36:be:8e:4c:67:4c:ca:49:05:a0:2e:fd:3d:
+         a1:62:d6:01
 -----BEGIN CERTIFICATE-----
-MIIGPDCCBCSgAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwgaYxCzAJBgNVBAYTAlVT
-MRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlQYWxvIEFsdG8xIzAhBgNV
-BAoMGkFwYWNoZSBTb2Z0d2FyZSBGb3VuZGF0aW9uMQ8wDQYDVQQLDAZQdWxzYXIx
-EjAQBgNVBAMMCVB1bHNhciBDQTEkMCIGCSqGSIb3DQEJARYVZGV2QHB1bHNhci5h
-cGFjaGUub3JnMB4XDTIxMDIxNzE3MDA0NFoXDTQxMDIxMjE3MDA0NFowgZIxCzAJ
-BgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMSMwIQYDVQQKDBpBcGFjaGUg
-U29mdHdhcmUgRm91bmRhdGlvbjEPMA0GA1UECwwGUHVsc2FyMRIwEAYDVQQDDAls
-b2NhbGhvc3QxJDAiBgkqhkiG9w0BCQEWFWRldkBwdWxzYXIuYXBhY2hlLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJsqbyQCI/f/5nVhygeowKvp
-jetRLmT3npvUtL46+vRuxpKPOE0IzYkVPizEmW3LWID84E3WffaCqw2U8uJFydMV
-lVcKbIbceGQ7NEsBfF3eT9QhGl0noKVwei4CUOEZtLkF35kNi8xi3BBz+nKLOH/T
-VlRhULuS/wlxCce9BEM8jJyLMtEFBIrGidh4Vk3aL/TsNDcmtYfkPybJQWC6MRAZ
-vvgMpAqFGVniAF23wL3RLvymNIuFKswF9vvkAOZ0lf8Cb0N/OafCg45bOEDJQsi8
-JnI2NWTCVCIRh+hljz3pQadtGYiaIJuaUufSy7PgLo/BVlS8bRQwc8XXjtBaXs0C
-AwEAAaOCAYQwggGAMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMGCWCG
-SAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUw
-HQYDVR0OBBYEFEk8spgwzn95esaLV8oknxKCHl3vMIHmBgNVHSMEgd4wgduAFNKy
-PbGkfEhLNuGn3tj8upK6p8RxoYGspIGpMIGmMQswCQYDVQQGEwJVUzETMBEGA1UE
-CAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJUGFsbyBBbHRvMSMwIQYDVQQKDBpBcGFj
-aGUgU29mdHdhcmUgRm91bmRhdGlvbjEPMA0GA1UECwwGUHVsc2FyMRIwEAYDVQQD
-DAlQdWxzYXIgQ0ExJDAiBgkqhkiG9w0BCQEWFWRldkBwdWxzYXIuYXBhY2hlLm9y
-Z4IUUnu0AJZgtCaFvgGCuLjijHLvW5AwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQM
-MAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQAPva85DCzcj34GDSffNceN
-WgNol/bc1tM5DrR2SH3hHKlLg/pSAKsoky0GdgwUNTzxjjuvyNAnH1jUcSJfBaae
-c8alXirm++v8c1KHyooq+R5f4rm9ASeffGGml62gq077zPrId2plG65gXvuXFIxA
-15bGLGRZwFJSfC2YS/Ry2oP3xk8yQs7fAt1f61hC+WKhmgXvE0gnr6N/I+vg3B2P
-liqIR/fkdW+pFfZE8W05Oizfp4LMfqqcHMCnfWgxSk4huJ8XkEvxaCPvp1P8qag1
-a49MXtTqsIonmoaJzvJdAzWA/EXoh2YPMrUq9Rt5DgmLkEAg++MnismSwVOXEFqM
-UO8CRn7saMgeJmYOHdZsguc4FOjLRXcpXywanddUIYrPD7cMrv7W+/vDBz4z31kl
-HHPUh3MUtHYWij+CBXtCClUMeSQ8WDE/4D6fTtAO/Xe3EyzT0EbMgAkPUFaLbm6R
-slvIL02G3HIA3ggNXj6WHxJ9Ow1NcdXIqAa6ACPsEEykw2+88Nexz1c/O3nbgIc1
-x05/uzgwCp/+Wob1l84kOHn9oNwLghGh6gzpFmXgwFSArW5VGKwnNTqwIHBijl2i
-M1OMzvnuoSfL2+WaXub3gJOEYwQmWKsju5SA0KBVoortvA/DQdImpbmNikXoofzo
-7npkk+3W76JR18kKMTk1Sg==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 -----END CERTIFICATE-----
diff --git a/test-conf/cacert.pem b/test-conf/cacert.pem
index 6abfc2d..4cf868f 100644
--- a/test-conf/cacert.pem
+++ b/test-conf/cacert.pem
@@ -2,126 +2,81 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            52:7b:b4:00:96:60:b4:26:85:be:01:82:b8:b8:e2:8c:72:ef:5b:90
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=California, L=Palo Alto, O=Apache Software 
Foundation, OU=Pulsar, CN=Pulsar CA/[email protected]
+            53:f8:da:b4:2b:b3:53:ff:db:96:69:f4:54:4b:8c:94:c9:24:d4:30
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, O=Apache Software Foundation, OU=Pulsar, 
CN=Pulsar CA/[email protected]
         Validity
-            Not Before: Feb 17 16:43:44 2021 GMT
-            Not After : Feb 12 16:43:44 2041 GMT
-        Subject: C=US, ST=California, L=Palo Alto, O=Apache Software 
Foundation, OU=Pulsar, CN=Pulsar CA/[email protected]
+            Not Before: Dec 18 05:14:53 2024 GMT
+            Not After : Dec 13 05:14:53 2044 GMT
+        Subject: C=US, ST=California, O=Apache Software Foundation, OU=Pulsar, 
CN=Pulsar CA/[email protected]
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
-                    00:b1:3c:7d:ab:4a:54:72:37:2a:92:94:0a:66:46:
-                    af:8c:ed:f4:2e:f3:87:1a:d0:c7:9d:23:35:1b:61:
-                    74:69:ca:f7:f5:3e:95:9c:86:f2:21:34:f8:0b:ed:
-                    45:76:22:ec:75:52:c0:67:db:2f:ba:da:25:3f:e1:
-                    5b:ac:da:15:dd:a5:75:24:b2:12:f0:b0:ce:fd:ab:
-                    44:06:a9:09:f6:b0:8e:8f:83:53:16:69:fa:9c:cc:
-                    00:fa:dd:13:f3:da:fd:f2:bf:88:8e:c4:f8:1a:6f:
-                    ab:4d:f8:32:81:80:7e:51:7a:99:2d:94:cd:f3:5d:
-                    1c:58:b2:44:f1:96:12:46:56:bd:60:8f:65:32:b7:
-                    d4:4b:7b:f3:23:88:2d:9b:a4:c4:c9:52:ea:9f:66:
-                    c1:74:be:4b:91:c6:b9:57:ec:c1:cc:81:bb:03:d5:
-                    fa:a0:46:4f:9a:a7:3e:3c:27:26:2b:97:eb:69:53:
-                    04:75:50:97:d6:0d:90:b1:37:9f:64:df:70:4d:d9:
-                    b3:e3:b7:cc:76:50:d9:3c:9b:4c:ac:e9:26:2e:cf:
-                    ac:47:42:14:b7:60:00:0a:de:42:47:66:0c:c7:7a:
-                    b9:4d:f4:fb:c2:6a:45:78:ec:b0:b4:ce:b3:1f:50:
-                    25:96:13:0c:55:0a:e0:d6:76:f7:1f:e1:16:e6:41:
-                    d6:72:6a:49:17:12:d9:05:8f:dc:56:b6:31:b3:b7:
-                    9c:e3:d8:a9:99:8a:1d:3b:9d:d9:59:44:ee:46:88:
-                    11:5f:ab:fa:38:a9:8b:d2:23:15:8b:af:1a:de:66:
-                    ba:7d:51:95:37:94:91:aa:01:01:d7:83:19:4b:5d:
-                    8d:f4:18:39:ef:e3:32:d0:62:c8:12:50:4e:91:c2:
-                    ac:58:73:68:bb:92:20:fc:14:e5:1a:86:bd:40:4c:
-                    94:e0:7d:0d:9c:08:57:ae:00:44:38:94:a3:3d:64:
-                    99:43:f8:e3:12:90:14:0f:5d:63:e2:c6:07:ea:d0:
-                    4c:8e:cf:e0:ae:34:be:86:4f:fc:58:e2:ea:f5:23:
-                    82:37:96:02:57:1b:b4:29:ca:fd:68:a0:48:79:e8:
-                    31:97:9a:5a:0e:2b:b4:b0:84:bb:57:4e:5f:4f:a7:
-                    43:45:97:d7:de:05:fc:2f:6c:3e:f5:53:26:56:a3:
-                    a5:da:52:69:57:8e:a0:4b:27:50:f9:ad:6e:76:a6:
-                    29:cc:06:94:dd:d0:ac:c6:18:22:a0:e2:bb:ed:d5:
-                    e4:97:f7:ac:23:df:75:30:41:97:07:3f:d3:12:8e:
-                    c5:a4:ef:ce:40:e8:3b:57:24:19:33:1b:ee:8a:0e:
-                    dd:0c:70:f2:1a:87:35:d9:71:d8:18:a7:9c:47:db:
-                    93:51:c3
+                    00:d5:72:38:a5:5c:cb:a7:2b:f7:a7:ed:34:59:69:
+                    9f:9d:f6:5c:a2:91:c1:4c:41:15:3f:13:6d:4a:3b:
+                    5a:25:1c:5e:c5:8c:d9:7e:44:19:be:49:f4:3b:fb:
+                    fb:85:0d:04:29:1c:31:65:4f:fa:2c:ac:8f:90:e2:
+                    c4:d1:9d:1d:bd:60:24:d3:b4:50:cc:6c:42:e0:9c:
+                    a3:ef:ee:44:b8:51:b8:64:a2:77:03:16:fd:b7:17:
+                    ed:d6:28:5f:c0:71:3a:c3:87:55:a5:2c:07:16:f1:
+                    c8:79:07:3f:69:de:cd:b3:1d:35:2f:0b:e9:e3:8e:
+                    9b:a8:47:ee:fe:b4:9b:12:78:01:cb:45:90:52:18:
+                    0c:ec:3e:db:fd:1e:38:3b:f4:e0:01:f6:8d:e7:fe:
+                    bc:b4:89:f4:cc:64:6e:65:66:c3:2b:6f:3c:04:b4:
+                    3e:52:18:b8:27:f8:87:6d:87:41:d5:a8:61:20:d2:
+                    50:75:ee:af:6f:08:2d:9e:d5:d0:57:92:0a:d1:06:
+                    9a:f6:c0:c2:c8:38:c3:0a:93:ea:be:7d:25:32:75:
+                    eb:dd:d2:30:a7:07:f1:b7:88:b7:60:1c:32:a3:45:
+                    e7:73:38:a8:35:b3:d3:cd:0e:bc:bd:f7:57:03:aa:
+                    d7:e1:dc:2a:0a:41:69:eb:35:df:8c:c0:ec:e8:2d:
+                    9a:77
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Subject Key Identifier:
-                D2:B2:3D:B1:A4:7C:48:4B:36:E1:A7:DE:D8:FC:BA:92:BA:A7:C4:71
-            X509v3 Authority Key Identifier:
-                
keyid:D2:B2:3D:B1:A4:7C:48:4B:36:E1:A7:DE:D8:FC:BA:92:BA:A7:C4:71
+            X509v3 Subject Key Identifier: 
+                9C:66:A6:5E:95:A5:D7:72:6E:11:76:44:43:35:B4:61:FB:70:27:6F
+            X509v3 Authority Key Identifier: 
+                
keyid:9C:66:A6:5E:95:A5:D7:72:6E:11:76:44:43:35:B4:61:FB:70:27:6F
 
             X509v3 Basic Constraints: critical
                 CA:TRUE
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         14:3d:7c:15:86:de:aa:5a:30:5d:d4:f2:bc:5f:10:d2:af:fe:
-         91:d7:ee:f3:b8:5f:ce:e4:c9:b2:01:c3:16:da:66:8e:7e:b1:
-         c1:e3:30:ff:1d:73:d0:9c:20:3d:54:32:57:ae:07:80:4a:24:
-         6e:7e:32:a3:e7:23:4d:5c:31:54:8b:c1:1b:c5:bc:20:5d:43:
-         62:93:e0:2e:a7:01:77:39:cf:fd:ec:4c:57:09:4f:2b:ad:ac:
-         b6:c0:be:5a:a3:ea:12:ac:5a:7f:60:23:81:bb:9a:fa:5f:7a:
-         67:a9:31:c3:34:af:db:ff:32:22:83:40:c2:7d:2f:39:5e:8a:
-         29:44:73:5f:6e:b4:f4:a2:ae:60:1f:8e:ef:91:9a:49:bb:a6:
-         90:2b:e0:44:95:24:8b:37:90:18:2d:41:32:8a:8e:07:8d:ea:
-         75:62:b8:9c:ec:73:6f:12:54:23:6d:40:00:74:c7:d3:fb:b7:
-         95:06:7d:cc:6d:8e:2c:d0:8b:11:06:8a:b7:43:1a:d7:e9:98:
-         f4:c6:ef:ad:2a:75:08:fb:07:8f:20:36:7a:86:1a:cf:f7:d6:
-         96:ad:ed:71:59:d1:81:56:18:8d:98:c2:c0:44:e5:29:7a:7c:
-         c0:e3:d7:fb:b8:f5:b2:50:53:8a:cf:38:ff:99:aa:bb:28:51:
-         60:e8:05:91:e1:ee:86:90:90:9b:87:60:63:38:cf:54:a5:82:
-         74:0f:40:b5:d2:6a:c5:a9:98:22:59:4e:fb:a5:81:e2:7b:0e:
-         3f:71:f3:24:17:1e:c5:89:fc:ae:ed:f3:69:65:02:b8:1e:98:
-         bc:37:c6:25:36:f8:ca:99:60:8e:13:3b:33:ec:91:b3:eb:04:
-         6d:41:97:3e:35:c0:97:ed:66:12:25:44:23:f3:2e:fa:9c:2e:
-         c2:ba:dd:f3:63:d7:5b:b2:72:03:4d:3b:fb:5e:29:d6:5c:02:
-         32:93:47:d1:4c:77:4a:58:c5:aa:81:ab:67:84:80:81:14:28:
-         e1:db:11:16:6d:31:50:7a:47:b2:a8:2d:15:a1:c4:63:1b:ce:
-         d5:e1:d7:57:dc:1a:71:e0:55:9f:6d:fb:be:e6:99:e8:89:be:
-         2c:e0:19:5e:cd:02:79:52:ee:93:56:9f:dc:d7:de:31:9b:2a:
-         c8:91:48:a0:c7:44:7d:72:32:27:c3:2b:d8:e8:6b:94:67:b5:
-         1d:9d:99:25:23:d9:24:b5:ed:4b:f2:18:2d:88:f5:d4:36:bb:
-         53:8c:a8:b1:7f:05:13:d7:8d:89:9d:55:33:90:bc:60:99:cf:
-         05:ba:bd:cb:c5:61:f9:c5:1a:f7:46:9c:40:90:dd:83:aa:7a:
-         1f:ab:5c:10:8d:26:27:1e
+         c4:99:05:f8:fd:0e:45:f5:01:3d:58:dd:11:77:da:e3:49:cc:
+         7c:1c:56:16:51:5a:b7:ad:9f:ab:95:5b:55:9c:2f:f5:11:62:
+         a4:6b:df:3e:6f:a5:30:80:34:57:c4:cb:00:35:41:14:ba:09:
+         b8:20:0a:c1:0f:5b:e8:51:40:83:be:72:14:84:9f:26:47:3e:
+         5d:20:73:47:b9:f9:8c:13:d2:a3:ec:ce:a8:57:d4:f6:e8:3c:
+         55:5c:d9:cb:00:c8:e3:20:5c:78:d3:06:fb:16:cb:15:e7:52:
+         c8:c5:16:20:26:ee:9c:8f:ed:ba:7a:f2:07:a9:13:6b:44:83:
+         03:18:5e:67:c3:61:5d:85:17:d9:f8:60:a9:84:f0:37:ce:23:
+         83:ba:a4:00:b4:18:ce:df:d5:21:53:5c:7f:5c:55:33:49:f3:
+         28:5f:39:14:bb:05:6b:6b:ea:da:e4:7a:3a:ef:e6:05:4b:ae:
+         d1:ad:f3:84:d3:18:ba:23:ff:04:2e:62:b6:9f:b3:dd:0b:2b:
+         e3:6a:89:8c:ff:11:8b:5c:63:5d:39:05:56:c3:ea:3a:fd:6b:
+         87:06:74:ad:cc:0c:10:70:ec:53:49:eb:42:d8:30:45:80:0a:
+         8c:6a:51:d2:1c:65:74:c8:46:4e:1d:7f:c3:b1:b2:5b:f9:2c:
+         85:e3:8d:f6
 -----BEGIN CERTIFICATE-----
-MIIGPzCCBCegAwIBAgIUUnu0AJZgtCaFvgGCuLjijHLvW5AwDQYJKoZIhvcNAQEL
-BQAwgaYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQH
-DAlQYWxvIEFsdG8xIzAhBgNVBAoMGkFwYWNoZSBTb2Z0d2FyZSBGb3VuZGF0aW9u
-MQ8wDQYDVQQLDAZQdWxzYXIxEjAQBgNVBAMMCVB1bHNhciBDQTEkMCIGCSqGSIb3
-DQEJARYVZGV2QHB1bHNhci5hcGFjaGUub3JnMB4XDTIxMDIxNzE2NDM0NFoXDTQx
-MDIxMjE2NDM0NFowgaYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
-MRIwEAYDVQQHDAlQYWxvIEFsdG8xIzAhBgNVBAoMGkFwYWNoZSBTb2Z0d2FyZSBG
-b3VuZGF0aW9uMQ8wDQYDVQQLDAZQdWxzYXIxEjAQBgNVBAMMCVB1bHNhciBDQTEk
-MCIGCSqGSIb3DQEJARYVZGV2QHB1bHNhci5hcGFjaGUub3JnMIICIjANBgkqhkiG
-9w0BAQEFAAOCAg8AMIICCgKCAgEAsTx9q0pUcjcqkpQKZkavjO30LvOHGtDHnSM1
-G2F0acr39T6VnIbyITT4C+1FdiLsdVLAZ9svutolP+FbrNoV3aV1JLIS8LDO/atE
-BqkJ9rCOj4NTFmn6nMwA+t0T89r98r+IjsT4Gm+rTfgygYB+UXqZLZTN810cWLJE
-8ZYSRla9YI9lMrfUS3vzI4gtm6TEyVLqn2bBdL5Lkca5V+zBzIG7A9X6oEZPmqc+
-PCcmK5fraVMEdVCX1g2QsTefZN9wTdmz47fMdlDZPJtMrOkmLs+sR0IUt2AACt5C
-R2YMx3q5TfT7wmpFeOywtM6zH1AllhMMVQrg1nb3H+EW5kHWcmpJFxLZBY/cVrYx
-s7ec49ipmYodO53ZWUTuRogRX6v6OKmL0iMVi68a3ma6fVGVN5SRqgEB14MZS12N
-9Bg57+My0GLIElBOkcKsWHNou5Ig/BTlGoa9QEyU4H0NnAhXrgBEOJSjPWSZQ/jj
-EpAUD11j4sYH6tBMjs/grjS+hk/8WOLq9SOCN5YCVxu0Kcr9aKBIeegxl5paDiu0
-sIS7V05fT6dDRZfX3gX8L2w+9VMmVqOl2lJpV46gSydQ+a1udqYpzAaU3dCsxhgi
-oOK77dXkl/esI991MEGXBz/TEo7FpO/OQOg7VyQZMxvuig7dDHDyGoc12XHYGKec
-R9uTUcMCAwEAAaNjMGEwHQYDVR0OBBYEFNKyPbGkfEhLNuGn3tj8upK6p8RxMB8G
-A1UdIwQYMBaAFNKyPbGkfEhLNuGn3tj8upK6p8RxMA8GA1UdEwEB/wQFMAMBAf8w
-DgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQAUPXwVht6qWjBd1PK8
-XxDSr/6R1+7zuF/O5MmyAcMW2maOfrHB4zD/HXPQnCA9VDJXrgeASiRufjKj5yNN
-XDFUi8EbxbwgXUNik+AupwF3Oc/97ExXCU8rray2wL5ao+oSrFp/YCOBu5r6X3pn
-qTHDNK/b/zIig0DCfS85XoopRHNfbrT0oq5gH47vkZpJu6aQK+BElSSLN5AYLUEy
-io4Hjep1Yric7HNvElQjbUAAdMfT+7eVBn3MbY4s0IsRBoq3QxrX6Zj0xu+tKnUI
-+wePIDZ6hhrP99aWre1xWdGBVhiNmMLAROUpenzA49f7uPWyUFOKzzj/maq7KFFg
-6AWR4e6GkJCbh2BjOM9UpYJ0D0C10mrFqZgiWU77pYHiew4/cfMkFx7Fifyu7fNp
-ZQK4Hpi8N8YlNvjKmWCOEzsz7JGz6wRtQZc+NcCX7WYSJUQj8y76nC7Cut3zY9db
-snIDTTv7XinWXAIyk0fRTHdKWMWqgatnhICBFCjh2xEWbTFQekeyqC0VocRjG87V
-4ddX3Bpx4FWfbfu+5pnoib4s4BlezQJ5Uu6TVp/c194xmyrIkUigx0R9cjInwyvY
-6GuUZ7UdnZklI9kkte1L8hgtiPXUNrtTjKixfwUT142JnVUzkLxgmc8Fur3LxWH5
-xRr3RpxAkN2Dqnofq1wQjSYnHg==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 -----END CERTIFICATE-----
diff --git a/test-conf/cakey.pem b/test-conf/cakey.pem
new file mode 100644
index 0000000..cda1202
--- /dev/null
+++ b/test-conf/cakey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
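Review bot: This adds the private key of the test root CA to the repository, and nothing in the file says it is a fixture; the sections for test-conf/intermediate-cakey.pem and test-conf/chained-client-key.pem do the same for the intermediate CA and the chained client. Anyone who can read the repository can issue certificates under these CAs, so cacert.pem and intermediate-cacert.pem must never end up in a trust store outside the test containers. A leading line before the BEGIN marker in each key file, such as `Test fixture only: this key is public, do not trust certificates issued under it.`, would make that explicit. Text ahead of the PEM block is normally skipped by PEM readers, but that should be confirmed against the loaders the tests use.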
diff --git a/test-conf/chained-client-cert.pem 
b/test-conf/chained-client-cert.pem
new file mode 100644
index 0000000..03472af
--- /dev/null
+++ b/test-conf/chained-client-cert.pem
@@ -0,0 +1,51 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/test-conf/chained-client-key.pem b/test-conf/chained-client-key.pem
new file mode 100644
index 0000000..e1c2704
--- /dev/null
+++ b/test-conf/chained-client-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/test-conf/client-cert.pem b/test-conf/client-cert.pem
index 45f3cde..b4d9237 100644
--- a/test-conf/client-cert.pem
+++ b/test-conf/client-cert.pem
@@ -1,16 +1,17 @@
 Certificate:
     Data:
-        Version: 1 (0x0)
-        Serial Number: 4097 (0x1001)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=California, L=Palo Alto, O=Apache Software 
Foundation, OU=Pulsar, CN=Pulsar CA/[email protected]
+        Version: 3 (0x2)
+        Serial Number:
+            53:f8:da:b4:2b:b3:53:ff:db:96:69:f4:54:4b:8c:94:c9:24:d4:33
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, O=Apache Software Foundation, OU=Pulsar, 
CN=Pulsar CA/[email protected]
         Validity
-            Not Before: Feb 17 16:56:55 2021 GMT
-            Not After : Feb 12 16:56:55 2041 GMT
+            Not Before: Dec 18 06:42:06 2024 GMT
+            Not After : Dec 13 06:42:06 2044 GMT
         Subject: C=US, ST=California, O=Apache Software Foundation, OU=Pulsar, 
CN=admin/[email protected]
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
                     00:ab:61:f5:12:b1:e1:ae:19:01:3e:59:4a:c6:ca:
                     00:0c:96:e8:76:3a:83:20:d9:af:3a:e1:11:20:12:
@@ -31,60 +32,54 @@ Certificate:
                     70:43:2f:64:bf:d2:0f:20:25:f7:c7:7d:70:05:b8:
                     2e:bf
                 Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                3C:01:00:F0:C7:91:EF:2A:3F:76:F0:A1:75:83:FF:AD:F9:8B:4C:BF
+            X509v3 Authority Key Identifier: 
+                
keyid:9C:66:A6:5E:95:A5:D7:72:6E:11:76:44:43:35:B4:61:FB:70:27:6F
+
     Signature Algorithm: sha256WithRSAEncryption
-         1c:31:b8:0f:a1:03:28:a0:da:31:ec:34:ce:e0:fd:01:99:9d:
-         9b:ad:f8:03:5d:20:85:18:de:ca:b5:ea:61:c9:3b:65:42:9c:
-         e5:21:73:d2:06:41:4b:a9:3a:fb:7f:ff:45:f3:5a:4a:ab:5a:
-         86:cd:57:6a:5f:13:c0:ae:7e:ad:5c:6e:c3:c4:e7:b7:d3:14:
-         bf:86:fe:f2:d1:70:0e:fc:98:50:a7:fe:53:62:5a:2d:f5:63:
-         2c:ee:4a:7c:dd:32:3e:d1:52:3a:1f:15:38:4b:2a:4a:ee:27:
-         a9:d8:92:a8:33:92:83:c9:3a:09:5a:01:66:0e:68:da:8f:82:
-         c0:18:cc:78:ea:c5:db:09:7c:2f:61:c3:51:f8:58:7a:27:d7:
-         92:c0:ff:f8:29:d7:a0:e9:54:17:8d:48:a8:ff:5e:92:ee:81:
-         6c:37:90:1c:93:28:8c:d2:f5:b1:20:96:d3:1d:0f:c0:7f:db:
-         0c:6d:65:7f:3a:55:e5:c9:9a:ad:09:91:a5:57:cb:fc:bf:df:
-         69:bd:6b:87:94:5b:d0:cf:3b:8b:48:41:3d:56:b6:1d:3f:e7:
-         f6:b6:58:f7:54:2a:dd:da:60:68:db:9b:70:04:8b:19:c3:44:
-         bf:1d:b4:28:b9:f8:ea:ad:d3:1a:6e:64:72:b1:61:6a:f3:e1:
-         d4:68:56:7b:0e:ad:4c:53:1e:d2:2e:1c:bc:b7:82:59:af:65:
-         d2:fd:ef:89:7c:34:8f:51:a1:4e:9d:7e:dc:c7:97:68:ea:aa:
-         e5:67:ed:be:dc:38:74:0e:c3:6f:fd:08:62:54:d8:1f:15:d1:
-         25:fc:21:f6:8c:f9:2f:65:5e:07:b9:e9:56:ba:48:14:5c:0d:
-         18:ba:f8:83:54:5b:b6:27:0c:36:2c:20:29:9c:c2:68:c5:3a:
-         0f:a5:d6:5f:7c:aa:f9:a6:2a:2b:69:c5:b1:39:e7:1c:02:31:
-         5b:f5:82:de:c9:4e:8d:33:dc:94:02:44:0a:44:95:75:7b:a1:
-         e7:ee:92:fc:35:93:73:8c:22:c1:32:ea:39:17:ca:d0:87:fc:
-         4d:8e:04:f8:59:66:d3:14:3f:59:ad:76:14:20:16:7b:77:4f:
-         94:58:f8:85:5c:ba:b3:69:ed:7f:75:54:9a:1a:88:21:5d:04:
-         57:87:85:e2:d4:0e:1b:61:7f:5d:36:dc:72:a1:9d:0b:c8:ce:
-         19:69:49:fa:1b:bb:3f:3d:1b:4d:81:42:95:4e:d8:0b:04:d1:
-         08:6d:15:b3:ae:52:41:12:ff:e1:90:c4:7d:52:88:55:8b:87:
-         83:06:48:8b:fc:3a:a7:47:0e:6c:a8:4c:9e:b0:aa:da:50:f5:
-         97:97:98:3e:9d:18:ef:43
+         c7:d2:cd:c4:f0:29:47:b6:41:94:56:85:15:39:6f:c4:ca:b1:
+         ac:d3:e8:ef:62:b1:03:e4:5f:19:f4:f2:aa:e8:6f:47:61:1d:
+         9d:8d:38:03:a2:d0:a6:66:cd:9d:86:15:95:48:d4:00:b2:2b:
+         99:20:7b:26:1a:8d:a1:95:8b:8d:ea:cd:7a:a1:4b:80:3c:0f:
+         14:1c:14:94:c4:aa:94:ea:79:df:39:57:46:e1:2f:26:c8:ac:
+         f6:42:e3:81:af:30:4a:58:91:88:9a:82:8f:08:c9:b2:6f:18:
+         4e:d0:32:12:ed:f6:7e:70:bb:50:f8:44:ed:5f:f5:39:26:91:
+         7e:7d:e6:81:48:0e:ef:d3:db:c4:d3:85:90:c7:ef:1f:52:8f:
+         59:bb:8e:c0:bb:29:49:d2:2b:54:9b:1e:34:3f:90:6e:b3:bc:
+         16:1a:52:87:a4:17:fc:73:2b:da:ec:1d:a7:15:9e:65:b7:4f:
+         23:9c:4e:f7:55:7d:31:95:6a:b8:dc:12:9a:0d:e1:de:5b:e8:
+         79:e8:f2:37:12:72:df:94:bd:dd:aa:83:f7:d4:30:d0:6e:bf:
+         8d:57:83:da:9f:33:2b:6d:98:44:1a:f7:3d:26:c8:d2:9f:c4:
+         66:c1:94:f7:84:89:39:9e:ca:d9:e3:46:fd:30:9a:09:76:46:
+         30:09:00:22
 -----BEGIN CERTIFICATE-----
-MIIEqzCCApMCAhABMA0GCSqGSIb3DQEBCwUAMIGmMQswCQYDVQQGEwJVUzETMBEG
-A1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJUGFsbyBBbHRvMSMwIQYDVQQKDBpB
-cGFjaGUgU29mdHdhcmUgRm91bmRhdGlvbjEPMA0GA1UECwwGUHVsc2FyMRIwEAYD
-VQQDDAlQdWxzYXIgQ0ExJDAiBgkqhkiG9w0BCQEWFWRldkBwdWxzYXIuYXBhY2hl
-Lm9yZzAeFw0yMTAyMTcxNjU2NTVaFw00MTAyMTIxNjU2NTVaMIGOMQswCQYDVQQG
-EwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEjMCEGA1UECgwaQXBhY2hlIFNvZnR3
-YXJlIEZvdW5kYXRpb24xDzANBgNVBAsMBlB1bHNhcjEOMAwGA1UEAwwFYWRtaW4x
-JDAiBgkqhkiG9w0BCQEWFWRldkBwdWxzYXIuYXBhY2hlLm9yZzCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAKth9RKx4a4ZAT5ZSsbKAAyW6HY6gyDZrzrh
-ESAS4OTQcI9Le6/hie+bxanC7a4kjbtCbuxZET/1Y1lhGJ9wtnaI4sp5Fcz7nF5c
-u6HX8NgR1Bc0HoF+Cw4Fvl361kav4ZXYoF3FL9mpj2lkSZX3QhZqhCsur5FzPbbU
-RFaaYUNJFSKukF0EKZBOskE0cz6iSAUcvI4bC8HV31YyQOmRonveMStn8Y7WxcCH
-V3Ap+a/bV6AujDAKp0c5M0zXLTKqSCm9xEjFWFIHxJmxzGbarChNwbwfRD+jY2G9
-/0hhdgSyfRxunO6Cu/dgHHqgmL4tcEMvZL/SDyAl98d9cAW4Lr8CAwEAATANBgkq
-hkiG9w0BAQsFAAOCAgEAHDG4D6EDKKDaMew0zuD9AZmdm634A10ghRjeyrXqYck7
-ZUKc5SFz0gZBS6k6+3//RfNaSqtahs1Xal8TwK5+rVxuw8Tnt9MUv4b+8tFwDvyY
-UKf+U2JaLfVjLO5KfN0yPtFSOh8VOEsqSu4nqdiSqDOSg8k6CVoBZg5o2o+CwBjM
-eOrF2wl8L2HDUfhYeifXksD/+CnXoOlUF41IqP9eku6BbDeQHJMojNL1sSCW0x0P
-wH/bDG1lfzpV5cmarQmRpVfL/L/fab1rh5Rb0M87i0hBPVa2HT/n9rZY91Qq3dpg
-aNubcASLGcNEvx20KLn46q3TGm5kcrFhavPh1GhWew6tTFMe0i4cvLeCWa9l0v3v
-iXw0j1GhTp1+3MeXaOqq5Wftvtw4dA7Db/0IYlTYHxXRJfwh9oz5L2VeB7npVrpI
-FFwNGLr4g1RbticMNiwgKZzCaMU6D6XWX3yq+aYqK2nFsTnnHAIxW/WC3slOjTPc
-lAJECkSVdXuh5+6S/DWTc4wiwTLqORfK0If8TY4E+Flm0xQ/Wa12FCAWe3dPlFj4
-hVy6s2ntf3VUmhqIIV0EV4eF4tQOG2F/XTbccqGdC8jOGWlJ+hu7Pz0bTYFClU7Y
-CwTRCG0Vs65SQRL/4ZDEfVKIVYuHgwZIi/w6p0cObKhMnrCq2lD1l5eYPp0Y70M=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 -----END CERTIFICATE-----
diff --git a/test-conf/intermediate-cacert.pem 
b/test-conf/intermediate-cacert.pem
new file mode 100644
index 0000000..f9711fa
--- /dev/null
+++ b/test-conf/intermediate-cacert.pem
@@ -0,0 +1,83 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            53:f8:da:b4:2b:b3:53:ff:db:96:69:f4:54:4b:8c:94:c9:24:d4:31
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, O=Apache Software Foundation, OU=Pulsar, 
CN=Pulsar CA/[email protected]
+        Validity
+            Not Before: Dec 18 05:37:30 2024 GMT
+            Not After : Dec 13 05:37:30 2044 GMT
+        Subject: C=US, ST=California, L=Palo Alto, O=Apache Software 
Foundation, OU=Pulsar, CN=Pulsar Intermediate 
CA/[email protected]
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:ba:a2:d4:14:d1:47:40:5f:72:5a:e7:46:c1:a9:
+                    2f:79:71:d6:ae:b1:cb:5c:b3:1e:b3:6d:60:3b:60:
+                    0e:1c:5b:c3:b8:7c:6b:af:49:41:ad:76:a0:c8:c4:
+                    20:ad:54:f9:31:ab:e8:1d:b9:45:82:be:61:25:eb:
+                    90:85:c1:ec:7a:f8:73:22:dd:65:db:9b:e4:12:f8:
+                    1e:93:4c:cd:d1:42:86:a6:48:38:26:99:00:dc:82:
+                    9f:c7:b1:e5:89:a6:a5:3e:67:70:b4:cb:11:5a:eb:
+                    4e:15:2b:11:ac:ce:a6:0f:d2:79:d2:81:78:ed:f6:
+                    c5:7a:23:5a:7a:04:41:db:fe:d5:8d:e6:dd:6e:b3:
+                    b9:e1:1a:f7:b7:e0:79:f5:1d:1b:7d:05:3b:f7:18:
+                    f9:9c:a7:5b:cf:75:bd:05:ac:30:f1:d9:b6:ac:7c:
+                    f0:2d:1b:82:0e:0e:c2:62:c6:fd:52:2a:37:c3:3d:
+                    10:75:41:3c:b0:e6:38:0f:9d:a9:63:bf:b5:a2:32:
+                    be:f4:9d:18:ed:49:a4:71:a0:76:14:fb:64:d9:b5:
+                    3d:38:b9:a8:71:cc:a1:91:57:ea:37:bb:8b:77:c7:
+                    e9:6b:f9:5b:97:20:06:a5:e2:3c:0e:8b:a4:a1:24:
+                    5b:e7:f0:93:89:cb:c5:0a:86:16:0a:47:b5:21:5c:
+                    63:55
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                6C:76:A5:22:B5:6C:0E:CE:A6:CB:07:A3:45:C0:27:60:FF:A4:28:94
+            X509v3 Authority Key Identifier: 
+                
keyid:9C:66:A6:5E:95:A5:D7:72:6E:11:76:44:43:35:B4:61:FB:70:27:6F
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         80:52:5a:48:6b:0a:77:5d:e2:86:5b:dd:23:0a:8a:85:29:e2:
+         71:d4:5b:ba:c5:15:bc:56:82:7f:cd:01:72:81:29:ef:1e:0b:
+         29:67:3b:f3:c4:ba:2f:5c:07:54:ee:0a:73:52:f2:9b:91:71:
+         b6:7a:5e:23:90:a7:9f:79:2f:f7:d5:12:30:e1:83:0c:40:c1:
+         33:33:6a:3f:b8:d6:bc:39:3b:5a:22:e9:bc:eb:23:38:52:0b:
+         f2:78:7f:7c:fc:b8:7a:a2:a6:c3:2d:43:92:a4:cb:1f:be:b6:
+         03:b4:61:a9:cf:b3:a3:99:a7:33:aa:c7:e0:a7:04:b8:30:df:
+         ad:61:de:7b:17:c9:25:71:9f:78:d6:0f:a2:4f:5f:21:e8:1d:
+         ba:02:ec:4d:5f:4b:40:87:3d:ff:81:0e:1c:11:fb:98:13:81:
+         9b:47:d3:ce:72:7f:e9:ab:05:bc:3c:d2:7d:71:41:0c:1c:58:
+         dc:70:16:27:9f:fc:8c:a6:7b:c7:fc:e5:28:53:d6:79:9d:17:
+         68:17:44:24:b4:a5:08:6b:3b:c5:c2:84:dd:58:cf:7d:5a:cb:
+         3b:f5:d7:5c:65:cd:43:51:b5:cb:fa:64:6d:a1:bf:4c:a2:ee:
+         b4:c4:f9:52:9c:85:10:f4:59:12:ab:a9:34:36:91:bc:88:fd:
+         08:70:3b:89
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/test-conf/intermediate-cakey.pem b/test-conf/intermediate-cakey.pem
new file mode 100644
index 0000000..c30c803
--- /dev/null
+++ b/test-conf/intermediate-cakey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/tests/AuthPluginTest.cc b/tests/AuthPluginTest.cc
index b091f97..24549d7 100644
--- a/tests/AuthPluginTest.cc
+++ b/tests/AuthPluginTest.cc
@@ -49,6 +49,8 @@ static const std::string serviceUrlHttps = 
"https://localhost:8443";;
 static const std::string caPath = TEST_CONF_DIR "/cacert.pem";
 static const std::string clientPublicKeyPath = TEST_CONF_DIR 
"/client-cert.pem";
 static const std::string clientPrivateKeyPath = TEST_CONF_DIR 
"/client-key.pem";
+static const std::string chainedClientPublicKeyPath = TEST_CONF_DIR 
"/chained-client-cert.pem";
+static const std::string chainedClientPrivateKeyPath = TEST_CONF_DIR 
"/chained-client-key.pem";
 
 // Man in middle certificate which tries to act as a broker by sending its own 
valid certificate
 static const std::string mimServiceUrlTls = "pulsar+ssl://localhost:6653";
@@ -288,6 +290,21 @@ TEST(AuthPluginTest, testTlsDetectHttpsWithInvalidBroker) {
     ASSERT_EQ(ResultOk, res);
 }
 
+TEST(AuthPluginTest, testTlsDetectClientCertSignedByICA) {
+    ClientConfiguration config = ClientConfiguration();
+    config.setTlsTrustCertsFilePath(caPath);
+    config.setTlsAllowInsecureConnection(false);
+    config.setValidateHostName(true);
+    config.setAuth(pulsar::AuthTls::create(chainedClientPublicKeyPath, 
chainedClientPrivateKeyPath));
+
+    Client client(serviceUrlTls, config);
+    std::string topicName = 
"persistent://private/auth/testTlsDetectClientCertSignedByICA";
+
+    Producer producer;
+    Result res = client.createProducer(topicName, producer);
+    ASSERT_EQ(ResultOk, res);
+}
+
 namespace testAthenz {
 std::string principalToken;
 void mockZTS(Latch& latch, int port) {
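Review bot: The new test testTlsDetectClientCertSignedByICA does not say what distinguishes it from the existing TLS tests, and it only checks the success path. A comment above it such as `// chained-client-cert.pem holds two certificates (leaf, then intermediate CA); the trust file is the root cacert.pem only.` would document why the whole chain has to be sent, though the order of the two certificates should be checked against the file. Presumably the broker also trusts only the root, in which case a companion case that uses a leaf-only certificate file and expects something other than ResultOk would pin the regression. The broker configuration is not visible in this diff, so that needs confirming.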

