diff --git a/.travis.yml b/.travis.yml index 2fc6a984..6d8abfb2 100644 --- a/.travis.yml +++ b/.travis.yml @@ -8,7 +8,7 @@ language: go go: # This should be quoted or use .x, but should not be unquoted. # Remember that a YAML bare float drops trailing zeroes. - - '1.19.11' + - "1.19.12" go_import_path: github.com/nats-io/nats-server addons: diff --git a/README.md b/README.md index 4eeb391c..7809794b 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,7 @@ If you are interested in contributing to NATS, read about our... [Fossa-Image]: https://app.fossa.io/api/projects/git%2Bgithub.com%2Fnats-io%2Fnats-server.svg?type=shield [Build-Status-Url]: https://travis-ci.com/github/nats-io/nats-server [Build-Status-Image]: https://travis-ci.com/nats-io/nats-server.svg?branch=main -[Release-Url]: https://github.com/nats-io/nats-server/releases/tag/v2.9.20 +[Release-Url]: https://github.com/nats-io/nats-server/releases/tag/v2.9.21 [Release-image]: https://img.shields.io/badge/release-v2.9.20-1eb0fc.svg [Coverage-Url]: https://coveralls.io/r/nats-io/nats-server?branch=main [Coverage-image]: https://coveralls.io/repos/github/nats-io/nats-server/badge.svg?branch=main diff --git a/server/jetstream_cluster.go b/server/jetstream_cluster.go index 897f9e5d..749c4c94 100644 --- a/server/jetstream_cluster.go +++ b/server/jetstream_cluster.go @@ -2300,9 +2300,13 @@ func (js *jetStream) monitorStream(mset *stream, sa *streamAssignment, sendSnaps case isLeader = <-lch: if isLeader { - if sendSnapshot && mset != nil && n != nil { - n.SendSnapshot(mset.stateSnapshot()) - sendSnapshot = false + if mset != nil && n != nil { + // Send a snapshot if being asked or if we are tracking + // a failed state so that followers sync. + if clfs := mset.clearCLFS(); clfs > 0 || sendSnapshot { + n.SendSnapshot(mset.stateSnapshot()) + sendSnapshot = false + } } if isRestore { acc, _ := s.LookupAccount(sa.Client.serviceAccount()) @@ -2723,15 +2727,14 @@ func (js *jetStream) applyStreamEntries(mset *stream, ce *CommittedEntry, isReco // Grab last sequence and CLFS. last, clfs := mset.lastSeqAndCLFS() - // We can skip if we know this is less than what we already have. if lseq-clfs < last { s.Debugf("Apply stream entries for '%s > %s' skipping message with sequence %d with last of %d", mset.account(), mset.name(), lseq+1-clfs, last) - // Check for any preAcks in case we are interest based. + mset.mu.Lock() - seq := lseq + 1 - mset.clfs - mset.clearAllPreAcks(seq) + // Check for any preAcks in case we are interest based. + mset.clearAllPreAcks(lseq + 1 - mset.clfs) mset.mu.Unlock() continue } diff --git a/server/jetstream_cluster_3_test.go b/server/jetstream_cluster_3_test.go index e1b370a6..1ec12116 100644 --- a/server/jetstream_cluster_3_test.go +++ b/server/jetstream_cluster_3_test.go @@ -4807,3 +4807,203 @@ func TestJetStreamAccountUsageDrifts(t *testing.T) { checkAccount(sir1.State.Bytes, sir3.State.Bytes) } } + +func TestJetStreamClusterStreamFailTracking(t *testing.T) { + c := createJetStreamClusterExplicit(t, "R3S", 3) + defer c.shutdown() + + nc, js := jsClientConnect(t, c.randomServer()) + defer nc.Close() + + _, err := js.AddStream(&nats.StreamConfig{ + Name: "TEST", + Subjects: []string{"foo"}, + Replicas: 3, + }) + require_NoError(t, err) + + m := nats.NewMsg("foo") + m.Data = []byte("OK") + + b, bsz := 0, 5 + sendBatch := func() { + for i := b * bsz; i < b*bsz+bsz; i++ { + msgId := fmt.Sprintf("ID:%d", i) + m.Header.Set(JSMsgId, msgId) + // Send it twice on purpose. + js.PublishMsg(m) + js.PublishMsg(m) + } + b++ + } + + sendBatch() + + _, err = nc.Request(fmt.Sprintf(JSApiStreamLeaderStepDownT, "TEST"), nil, time.Second) + require_NoError(t, err) + c.waitOnStreamLeader(globalAccountName, "TEST") + + sendBatch() + + // Now stop one and restart. + nl := c.randomNonStreamLeader(globalAccountName, "TEST") + mset, err := nl.GlobalAccount().lookupStream("TEST") + require_NoError(t, err) + // Reset raft + mset.resetClusteredState(nil) + time.Sleep(100 * time.Millisecond) + + nl.Shutdown() + nl.WaitForShutdown() + + sendBatch() + + nl = c.restartServer(nl) + + sendBatch() + + for { + _, err = nc.Request(fmt.Sprintf(JSApiStreamLeaderStepDownT, "TEST"), nil, time.Second) + require_NoError(t, err) + c.waitOnStreamLeader(globalAccountName, "TEST") + if nl == c.streamLeader(globalAccountName, "TEST") { + break + } + } + + sendBatch() + + _, err = js.UpdateStream(&nats.StreamConfig{ + Name: "TEST", + Subjects: []string{"foo"}, + Replicas: 1, + }) + require_NoError(t, err) + + // Make sure all in order. + errCh := make(chan error, 100) + var wg sync.WaitGroup + wg.Add(1) + + expected, seen := b*bsz, 0 + + sub, err := js.Subscribe("foo", func(msg *nats.Msg) { + expectedID := fmt.Sprintf("ID:%d", seen) + if v := msg.Header.Get(JSMsgId); v != expectedID { + errCh <- err + wg.Done() + msg.Sub.Unsubscribe() + return + } + seen++ + if seen >= expected { + wg.Done() + msg.Sub.Unsubscribe() + } + }) + require_NoError(t, err) + defer sub.Unsubscribe() + + wg.Wait() + if len(errCh) > 0 { + t.Fatalf("Expected no errors, got %d", len(errCh)) + } +} + +func TestJetStreamClusterStreamFailTrackingSnapshots(t *testing.T) { + c := createJetStreamClusterExplicit(t, "R3S", 3) + defer c.shutdown() + + nc, js := jsClientConnect(t, c.randomServer()) + defer nc.Close() + + _, err := js.AddStream(&nats.StreamConfig{ + Name: "TEST", + Subjects: []string{"foo"}, + Replicas: 3, + }) + require_NoError(t, err) + + m := nats.NewMsg("foo") + m.Data = []byte("OK") + + // Send 1000 a dupe every msgID. + for i := 0; i < 1000; i++ { + msgId := fmt.Sprintf("ID:%d", i) + m.Header.Set(JSMsgId, msgId) + // Send it twice on purpose. + js.PublishMsg(m) + js.PublishMsg(m) + } + + // Now stop one. + nl := c.randomNonStreamLeader(globalAccountName, "TEST") + nl.Shutdown() + nl.WaitForShutdown() + + // Now send more and make sure leader snapshots. + for i := 1000; i < 2000; i++ { + msgId := fmt.Sprintf("ID:%d", i) + m.Header.Set(JSMsgId, msgId) + // Send it twice on purpose. + js.PublishMsg(m) + js.PublishMsg(m) + } + + sl := c.streamLeader(globalAccountName, "TEST") + mset, err := sl.GlobalAccount().lookupStream("TEST") + require_NoError(t, err) + node := mset.raftNode() + require_NotNil(t, node) + node.InstallSnapshot(mset.stateSnapshot()) + + // Now restart nl + nl = c.restartServer(nl) + c.waitOnServerCurrent(nl) + + // Move leader to NL + for { + _, err = nc.Request(fmt.Sprintf(JSApiStreamLeaderStepDownT, "TEST"), nil, time.Second) + require_NoError(t, err) + c.waitOnStreamLeader(globalAccountName, "TEST") + if nl == c.streamLeader(globalAccountName, "TEST") { + break + } + } + + _, err = js.UpdateStream(&nats.StreamConfig{ + Name: "TEST", + Subjects: []string{"foo"}, + Replicas: 1, + }) + require_NoError(t, err) + + // Make sure all in order. + errCh := make(chan error, 100) + var wg sync.WaitGroup + wg.Add(1) + + expected, seen := 2000, 0 + + sub, err := js.Subscribe("foo", func(msg *nats.Msg) { + expectedID := fmt.Sprintf("ID:%d", seen) + if v := msg.Header.Get(JSMsgId); v != expectedID { + errCh <- err + wg.Done() + msg.Sub.Unsubscribe() + return + } + seen++ + if seen >= expected { + wg.Done() + msg.Sub.Unsubscribe() + } + }) + require_NoError(t, err) + defer sub.Unsubscribe() + + wg.Wait() + if len(errCh) > 0 { + t.Fatalf("Expected no errors, got %d", len(errCh)) + } +} diff --git a/server/ocsp.go b/server/ocsp.go index 1c01132d..4ecc3700 100644 --- a/server/ocsp.go +++ b/server/ocsp.go @@ -1,4 +1,4 @@ -// Copyright 2021 The NATS Authors +// Copyright 2021-2023 The NATS Authors // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at @@ -31,6 +31,7 @@ import ( "golang.org/x/crypto/ocsp" + "github.com/nats-io/nats-server/v2/server/certidp" "github.com/nats-io/nats-server/v2/server/certstore" ) @@ -450,21 +451,20 @@ func (srv *Server) NewOCSPMonitor(config *tlsConfigKind) (*tls.Config, *OCSPMoni } chain := s.VerifiedChains[0] - leaf := chain[0] - parent := issuer + peerLeaf := chain[0] + peerIssuer := certidp.GetLeafIssuerCert(chain, 0) + if peerIssuer == nil { + return fmt.Errorf("failed to get issuer certificate for %s peer", kind) + } - resp, err := ocsp.ParseResponseForCert(oresp, leaf, parent) + // Response signature of issuer or issuer delegate is checked in the library parse + resp, err := ocsp.ParseResponseForCert(oresp, peerLeaf, peerIssuer) if err != nil { return fmt.Errorf("failed to parse OCSP response from %s peer: %w", kind, err) } - if resp.Certificate == nil { - if err := resp.CheckSignatureFrom(parent); err != nil { - return fmt.Errorf("OCSP staple not issued by issuer: %w", err) - } - } else { - if err := resp.Certificate.CheckSignatureFrom(parent); err != nil { - return fmt.Errorf("OCSP staple's signer not signed by issuer: %w", err) - } + + // If signer was issuer delegate double-check issuer delegate authorization + if resp.Certificate != nil { ok := false for _, eku := range resp.Certificate.ExtKeyUsage { if eku == x509.ExtKeyUsageOCSPSigning { @@ -476,6 +476,14 @@ func (srv *Server) NewOCSPMonitor(config *tlsConfigKind) (*tls.Config, *OCSPMoni return fmt.Errorf("OCSP staple's signer missing authorization by CA to act as OCSP signer") } } + + // Check that the OCSP response is effective, take defaults for clockskew and default validity + peerOpts := certidp.OCSPPeerConfig{ClockSkew: -1, TTLUnsetNextUpdate: -1} + sLog := certidp.Log{Debugf: srv.Debugf} + if !certidp.OCSPResponseCurrent(resp, &peerOpts, &sLog) { + return fmt.Errorf("OCSP staple from %s peer not current", kind) + } + if resp.Status != ocsp.Good { return fmt.Errorf("bad status for OCSP Staple from %s peer: %s", kind, ocspStatusString(resp.Status)) } diff --git a/server/reload_test.go b/server/reload_test.go index d554bba0..3b0c0f8c 100644 --- a/server/reload_test.go +++ b/server/reload_test.go @@ -2605,6 +2605,25 @@ func TestConfigReloadAccountUsers(t *testing.T) { t.Fatalf("Error on subscribe: %v", err) } + // confirm subscriptions before and after reload. + var expectedSubs uint32 = 4 + sAcc, err := s.LookupAccount("synadia") + require_NoError(t, err) + sAcc.mu.RLock() + n := sAcc.sl.Count() + sAcc.mu.RUnlock() + if n != expectedSubs { + t.Errorf("Synadia account should have %d sub, got %v", expectedSubs, n) + } + nAcc, err := s.LookupAccount("nats.io") + require_NoError(t, err) + nAcc.mu.RLock() + n = nAcc.sl.Count() + nAcc.mu.RUnlock() + if n != expectedSubs { + t.Errorf("Nats.io account should have %d sub, got %v", expectedSubs, n) + } + // Remove user from account and whole account reloadUpdateConfig(t, s, conf, ` listen: "127.0.0.1:-1" @@ -2656,7 +2675,8 @@ func TestConfigReloadAccountUsers(t *testing.T) { // being reconnected does not mean that resent of subscriptions // has already been processed. checkFor(t, 2*time.Second, 100*time.Millisecond, func() error { - gAcc, _ := s.LookupAccount(globalAccountName) + gAcc, err := s.LookupAccount(globalAccountName) + require_NoError(t, err) gAcc.mu.RLock() n := gAcc.sl.Count() fooMatch := gAcc.sl.Match("foo") @@ -2675,25 +2695,28 @@ func TestConfigReloadAccountUsers(t *testing.T) { return fmt.Errorf("Global account should have baz sub") } - sAcc, _ := s.LookupAccount("synadia") + sAcc, err := s.LookupAccount("synadia") + require_NoError(t, err) sAcc.mu.RLock() n = sAcc.sl.Count() barMatch := sAcc.sl.Match("bar") + sAcc.mu.RUnlock() - if n != 1 { - return fmt.Errorf("Synadia account should have 1 sub, got %v", n) + if n != expectedSubs { + return fmt.Errorf("Synadia account should have %d sub, got %v", expectedSubs, n) } if len(barMatch.psubs) != 1 { return fmt.Errorf("Synadia account should have bar sub") } - nAcc, _ := s.LookupAccount("nats.io") + nAcc, err := s.LookupAccount("nats.io") + require_NoError(t, err) nAcc.mu.RLock() n = nAcc.sl.Count() batMatch := nAcc.sl.Match("bat") nAcc.mu.RUnlock() - if n != 1 { - return fmt.Errorf("Nats.io account should have 1 sub, got %v", n) + if n != expectedSubs { + return fmt.Errorf("Nats.io account should have %d sub, got %v", expectedSubs, n) } if len(batMatch.psubs) != 1 { return fmt.Errorf("Synadia account should have bar sub") @@ -2702,6 +2725,85 @@ func TestConfigReloadAccountUsers(t *testing.T) { }) } +func TestConfigReloadAccountWithNoChanges(t *testing.T) { + conf := createConfFile(t, []byte(` + listen: "127.0.0.1:-1" + system_account: sys + accounts { + A { + users = [{ user: a }] + } + B { + users = [{ user: b }] + } + C { + users = [{ user: c }] + } + sys { + users = [{ user: sys }] + } + } + `)) + s, opts := RunServerWithConfig(conf) + defer s.Shutdown() + + ncA, err := nats.Connect(fmt.Sprintf("nats://a:@%s:%d", opts.Host, opts.Port)) + if err != nil { + t.Fatalf("Error on connect: %v", err) + } + defer ncA.Close() + + // Confirm default service imports are ok. + checkSubs := func(t *testing.T) { + resp, err := ncA.Request("$SYS.REQ.ACCOUNT.PING.CONNZ", nil, time.Second) + if err != nil { + t.Error(err) + } + if resp == nil || !strings.Contains(string(resp.Data), `"num_connections":1`) { + t.Fatal("unexpected data in connz response") + } + resp, err = ncA.Request("$SYS.REQ.SERVER.PING.CONNZ", nil, time.Second) + if err != nil { + t.Error(err) + } + if resp == nil || !strings.Contains(string(resp.Data), `"num_connections":1`) { + t.Fatal("unexpected data in connz response") + } + resp, err = ncA.Request("$SYS.REQ.ACCOUNT.PING.STATZ", nil, time.Second) + if err != nil { + t.Error(err) + } + if resp == nil || !strings.Contains(string(resp.Data), `"conns":1`) { + t.Fatal("unexpected data in connz response") + } + } + checkSubs(t) + before := s.NumSubscriptions() + s.Reload() + after := s.NumSubscriptions() + if before != after { + t.Errorf("Number of subscriptions changed after reload: %d -> %d", before, after) + } + + // Confirm this still works after a reload... + checkSubs(t) + before = s.NumSubscriptions() + s.Reload() + after = s.NumSubscriptions() + if before != after { + t.Errorf("Number of subscriptions changed after reload: %d -> %d", before, after) + } + + // Do another extra reload just in case. + checkSubs(t) + before = s.NumSubscriptions() + s.Reload() + after = s.NumSubscriptions() + if before != after { + t.Errorf("Number of subscriptions changed after reload: %d -> %d", before, after) + } +} + func TestConfigReloadAccountNKeyUsers(t *testing.T) { conf := createConfFile(t, []byte(` listen: "127.0.0.1:-1" diff --git a/server/server.go b/server/server.go index fcda8bae..2b2f03a8 100644 --- a/server/server.go +++ b/server/server.go @@ -1202,6 +1202,9 @@ func (s *Server) configureAccounts(reloading bool) (map[string]struct{}, error) c.processUnsub(sid) } acc.addAllServiceImportSubs() + s.mu.Unlock() + s.registerSystemImports(acc) + s.mu.Lock() } // Set the system account if it was configured. diff --git a/server/stream.go b/server/stream.go index 09f22b3e..990ee014 100644 --- a/server/stream.go +++ b/server/stream.go @@ -939,6 +939,14 @@ func (mset *stream) lastSeqAndCLFS() (uint64, uint64) { return mset.lseq, mset.clfs } +func (mset *stream) clearCLFS() uint64 { + mset.mu.Lock() + defer mset.mu.Unlock() + clfs := mset.clfs + mset.clfs, mset.clseq = 0, 0 + return clfs +} + func (mset *stream) lastSeq() uint64 { mset.mu.RLock() lseq := mset.lseq diff --git a/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer3_bundle.pem b/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer3_bundle.pem new file mode 100644 index 00000000..7a1ee483 --- /dev/null +++ b/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer3_bundle.pem @@ -0,0 +1,186 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3e:1f:9b:cd:c8:7b:95:f1:64:e6:41:9c:df:6e:03:da:92:9a:90:b7 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2 + Validity + Not Before: Aug 2 22:15:27 2023 GMT + Not After : Jul 30 22:15:27 2033 GMT + Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=TestServer3 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:9a:3c:db:76:c9:19:0f:7b:e6:d3:ed:d1:0b:76: + ae:15:d4:11:1c:66:b8:5d:2a:7d:e3:1f:65:d8:1b: + c4:63:62:f6:5c:8b:18:66:a8:1c:c2:a6:5e:72:f2: + dd:57:42:8a:ab:5d:bd:37:b6:f1:4b:51:f0:b3:6a: + 37:e9:55:78:01:23:ea:53:09:83:2f:7d:59:36:ab: + 33:4f:4c:bc:ef:a9:1c:db:94:79:4c:0d:4a:7c:3f: + 9d:3c:ba:6c:76:82:47:25:eb:79:22:f4:09:6c:78: + 3c:a6:ef:4b:30:90:29:b3:5f:ba:69:b1:1a:95:ed: + 53:e0:c6:24:78:6e:52:af:8e:bc:db:4a:f0:19:d2: + 00:5a:a8:b6:73:4c:17:92:d1:8d:81:9b:4c:b8:35: + 4d:91:dd:df:d3:85:a6:9f:c4:91:19:ec:47:d1:ca: + 4e:0b:c3:06:8c:27:42:95:83:e3:28:6a:3b:74:9c: + 68:b0:55:a5:91:91:cb:37:ad:fa:d8:69:8b:de:2e: + 4a:51:59:32:4b:3d:06:21:04:65:d2:f5:8b:e8:4d: + 45:96:de:63:97:47:81:85:ea:48:f0:9d:23:2d:71: + 87:6f:d2:75:3d:45:bf:de:ad:43:82:db:a5:29:9b: + f9:5e:38:0a:39:a9:38:71:ec:40:40:b5:dc:69:c7: + 0b:73 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 7F:47:8C:9E:F1:73:7E:34:B9:5B:1E:ED:AD:3A:87:42:80:D4:E3:FD + X509v3 Authority Key Identifier: + 75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC + X509v3 Basic Constraints: critical + CA:FALSE + Netscape Cert Type: + SSL Client, SSL Server + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 CRL Distribution Points: + Full Name: + URI:http://127.0.0.1:28888/intermediate2_crl.der + Authority Information Access: + OCSP - URI:http://127.0.0.1:28888/ + X509v3 Subject Alternative Name: + DNS:localhost, IP Address:127.0.0.1 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + b9:b4:05:48:a6:ba:6c:99:8b:23:c4:9b:b3:8a:32:3f:ca:62: + 89:81:1e:5d:04:ba:2d:22:a3:0f:5a:5d:a0:ab:40:a4:87:43: + 26:36:0a:09:64:ef:f5:b0:a7:6f:7a:1f:cc:06:6c:f7:8d:9c: + 64:5e:c2:ae:e7:45:39:dc:bc:87:06:e6:d5:aa:6b:32:76:51: + 64:e1:ac:d9:9a:dd:17:47:9b:4e:31:1c:93:f5:c5:ca:d6:b7: + 90:ff:64:97:59:df:2b:7f:ee:2d:7d:73:ef:95:ad:b5:1e:a9: + 0c:48:38:29:0b:39:4f:05:fb:07:cf:ec:94:a3:b3:d5:eb:00: + ed:b2:b9:71:a0:59:b5:3f:7c:f5:20:90:54:a8:ea:36:4c:ae: + 62:5b:2b:6d:05:8d:76:78:87:c9:90:f3:b2:d1:72:fc:87:f5: + 28:4c:ec:19:50:0f:02:32:d4:57:75:d9:c1:b2:dc:0e:d4:9a: + 3a:cd:48:70:1e:c4:2e:fd:4f:b0:89:6a:de:f0:90:91:23:16: + cd:04:fc:61:87:9c:c3:5c:7e:0f:19:ff:26:3e:fb:1b:65:2a: + 49:ae:47:9f:d5:e6:c8:30:bb:13:b9:48:d0:67:57:0f:fb:c6: + df:1c:fc:82:3b:ae:1f:f7:25:c8:df:c0:c5:d1:8d:51:94:74: + 30:be:fb:f7 +-----BEGIN CERTIFICATE----- +MIIEYjCCA0qgAwIBAgIUPh+bzch7lfFk5kGc324D2pKakLcwDQYJKoZIhvcNAQEL +BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx +ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMjAe +Fw0yMzA4MDIyMjE1MjdaFw0zMzA3MzAyMjE1MjdaMFQxCzAJBgNVBAYTAlVTMQsw +CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEU +MBIGA1UEAwwLVGVzdFNlcnZlcjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQCaPNt2yRkPe+bT7dELdq4V1BEcZrhdKn3jH2XYG8RjYvZcixhmqBzCpl5y +8t1XQoqrXb03tvFLUfCzajfpVXgBI+pTCYMvfVk2qzNPTLzvqRzblHlMDUp8P508 +umx2gkcl63ki9AlseDym70swkCmzX7ppsRqV7VPgxiR4blKvjrzbSvAZ0gBaqLZz +TBeS0Y2Bm0y4NU2R3d/ThaafxJEZ7EfRyk4LwwaMJ0KVg+Moajt0nGiwVaWRkcs3 +rfrYaYveLkpRWTJLPQYhBGXS9YvoTUWW3mOXR4GF6kjwnSMtcYdv0nU9Rb/erUOC +26Upm/leOAo5qThx7EBAtdxpxwtzAgMBAAGjggEkMIIBIDAdBgNVHQ4EFgQUf0eM +nvFzfjS5Wx7trTqHQoDU4/0wHwYDVR0jBBgwFoAUdVXijuetpd2APckzCyyiV3ft +FawwDAYDVR0TAQH/BAIwADARBglghkgBhvhCAQEEBAMCBsAwDgYDVR0PAQH/BAQD +AgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA9BgNVHR8ENjA0MDKg +MKAuhixodHRwOi8vMTI3LjAuMC4xOjI4ODg4L2ludGVybWVkaWF0ZTJfY3JsLmRl +cjAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly8xMjcuMC4wLjE6 +Mjg4ODgvMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsF +AAOCAQEAubQFSKa6bJmLI8Sbs4oyP8piiYEeXQS6LSKjD1pdoKtApIdDJjYKCWTv +9bCnb3ofzAZs942cZF7CrudFOdy8hwbm1aprMnZRZOGs2ZrdF0ebTjEck/XFyta3 +kP9kl1nfK3/uLX1z75WttR6pDEg4KQs5TwX7B8/slKOz1esA7bK5caBZtT989SCQ +VKjqNkyuYlsrbQWNdniHyZDzstFy/If1KEzsGVAPAjLUV3XZwbLcDtSaOs1IcB7E +Lv1PsIlq3vCQkSMWzQT8YYecw1x+Dxn/Jj77G2UqSa5Hn9XmyDC7E7lI0GdXD/vG +3xz8gjuuH/clyN/AxdGNUZR0ML779w== +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3c:d7:16:fb:15:99:81:4e:53:f8:80:7c:b6:7c:77:a6:06:a4:3e:ea + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA + Validity + Not Before: May 1 19:01:43 2023 GMT + Not After : Apr 28 19:01:43 2033 GMT + Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:da:5f:ff:1d:f7:8d:1a:9e:9a:f3:2b:68:8f:c1: + 0c:33:06:41:00:c9:3e:e4:1a:e1:e0:70:6a:f5:2f: + ad:df:f3:e9:99:ed:c5:d7:aa:93:13:37:ff:47:aa: + f3:c5:89:f7:b7:ad:3a:47:e5:9c:4e:9f:8c:e2:41: + ed:a4:7c:9d:88:32:ae:f5:8a:84:9f:0c:18:a0:b3: + fe:8e:dc:2a:88:6a:f5:2f:9c:86:92:fa:7b:6e:b3: + 5a:78:67:53:0b:21:6c:0d:6c:80:1a:0e:1e:ee:06: + c4:d2:e7:24:c6:e5:74:be:1e:2e:17:55:2b:e5:9f: + 0b:a0:58:cc:fe:bf:53:37:f7:dc:95:88:f4:77:a6: + 59:b4:b8:7c:a2:4b:b7:6a:67:aa:84:dc:29:f1:f9: + d7:89:05:4d:0b:f3:8b:2d:52:99:57:ed:6f:11:9e: + af:28:a3:61:44:c2:ec:6e:7f:9f:3d:0b:dc:f7:19: + 6d:14:8a:a5:b8:b6:29:02:34:90:b4:96:c1:cb:a7: + 42:46:97:cf:8d:59:fd:17:b1:a6:27:a7:7b:8a:47: + 6f:fa:03:24:1c:12:25:ee:34:d6:5c:da:45:98:23: + 30:e1:48:c9:9a:df:37:aa:1b:70:6c:b2:0f:95:39: + d6:6d:3e:25:20:a8:07:2c:48:57:0c:99:52:cb:89: + 08:41 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC + X509v3 Authority Key Identifier: + C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1 + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:0 + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 CRL Distribution Points: + Full Name: + URI:http://127.0.0.1:8888/root_crl.der + Authority Information Access: + OCSP - URI:http://127.0.0.1:8888/ + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 1f:c6:fc:1c:a1:a5:6d:76:f0:7d:28:1f:e1:15:ab:86:e0:c3: + dd:a0:17:96:0a:c0:16:32:52:37:a4:b6:ad:24:d7:fd:3c:01: + 34:3b:a9:a2:ea:81:05:e7:06:5f:a3:af:7b:fa:b2:a9:c3:63: + 89:bb:0c:70:48:e9:73:cc:33:64:cd:b3:71:88:d1:d1:a1:5a: + 22:a6:ed:03:46:8e:9a:c0:92:37:46:9b:e5:37:78:a5:43:d5: + 46:99:1b:34:40:27:8f:95:dd:c6:9a:55:d9:60:25:8d:b8:e9: + 6e:c9:b3:ee:e8:f0:d9:11:ef:4e:ae:1e:03:70:03:60:66:fd: + ab:b0:f4:74:b6:27:7c:7a:96:9d:86:58:5f:5c:d3:04:ab:16: + 57:12:53:51:c7:93:ca:0b:4e:67:27:2d:b7:20:79:b6:b7:8c: + e7:c3:d9:25:5e:25:63:cf:93:f0:6e:31:c0:d5:4f:05:1c:8d: + 14:1b:6a:d5:01:b6:7a:09:6f:38:f3:e5:e2:5a:e4:e2:42:d5: + 8a:8d:de:ef:73:25:85:3c:e3:a9:ef:f7:f7:23:4f:d3:27:c2: + 3a:c6:c0:6f:2a:9b:1e:fe:fc:31:73:10:e1:08:62:98:2b:6d: + 2f:cc:ab:dd:3a:65:c2:00:7f:29:18:32:cd:8f:56:a9:1d:86: + f1:5e:60:55 +-----BEGIN CERTIFICATE----- +MIIECTCCAvGgAwIBAgIUPNcW+xWZgU5T+IB8tnx3pgakPuowDQYJKoZIhvcNAQEL +BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx +ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5 +MDE0M1oXDTMzMDQyODE5MDE0M1owWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB +MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ +bnRlcm1lZGlhdGUgQ0EgMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ANpf/x33jRqemvMraI/BDDMGQQDJPuQa4eBwavUvrd/z6ZntxdeqkxM3/0eq88WJ +97etOkflnE6fjOJB7aR8nYgyrvWKhJ8MGKCz/o7cKohq9S+chpL6e26zWnhnUwsh +bA1sgBoOHu4GxNLnJMbldL4eLhdVK+WfC6BYzP6/Uzf33JWI9HemWbS4fKJLt2pn +qoTcKfH514kFTQvziy1SmVftbxGeryijYUTC7G5/nz0L3PcZbRSKpbi2KQI0kLSW +wcunQkaXz41Z/Rexpiene4pHb/oDJBwSJe401lzaRZgjMOFIyZrfN6obcGyyD5U5 +1m0+JSCoByxIVwyZUsuJCEECAwEAAaOB0DCBzTAdBgNVHQ4EFgQUdVXijuetpd2A +PckzCyyiV3ftFawwHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD +VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag +JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB +AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI +hvcNAQELBQADggEBAB/G/ByhpW128H0oH+EVq4bgw92gF5YKwBYyUjektq0k1/08 +ATQ7qaLqgQXnBl+jr3v6sqnDY4m7DHBI6XPMM2TNs3GI0dGhWiKm7QNGjprAkjdG +m+U3eKVD1UaZGzRAJ4+V3caaVdlgJY246W7Js+7o8NkR706uHgNwA2Bm/auw9HS2 +J3x6lp2GWF9c0wSrFlcSU1HHk8oLTmcnLbcgeba3jOfD2SVeJWPPk/BuMcDVTwUc +jRQbatUBtnoJbzjz5eJa5OJC1YqN3u9zJYU846nv9/cjT9MnwjrGwG8qmx7+/DFz +EOEIYpgrbS/Mq906ZcIAfykYMs2PVqkdhvFeYFU= +-----END CERTIFICATE----- diff --git a/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer3_cert.pem b/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer3_cert.pem new file mode 100644 index 00000000..b061b3d4 --- /dev/null +++ b/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer3_cert.pem @@ -0,0 +1,97 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3e:1f:9b:cd:c8:7b:95:f1:64:e6:41:9c:df:6e:03:da:92:9a:90:b7 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2 + Validity + Not Before: Aug 2 22:15:27 2023 GMT + Not After : Jul 30 22:15:27 2033 GMT + Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=TestServer3 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:9a:3c:db:76:c9:19:0f:7b:e6:d3:ed:d1:0b:76: + ae:15:d4:11:1c:66:b8:5d:2a:7d:e3:1f:65:d8:1b: + c4:63:62:f6:5c:8b:18:66:a8:1c:c2:a6:5e:72:f2: + dd:57:42:8a:ab:5d:bd:37:b6:f1:4b:51:f0:b3:6a: + 37:e9:55:78:01:23:ea:53:09:83:2f:7d:59:36:ab: + 33:4f:4c:bc:ef:a9:1c:db:94:79:4c:0d:4a:7c:3f: + 9d:3c:ba:6c:76:82:47:25:eb:79:22:f4:09:6c:78: + 3c:a6:ef:4b:30:90:29:b3:5f:ba:69:b1:1a:95:ed: + 53:e0:c6:24:78:6e:52:af:8e:bc:db:4a:f0:19:d2: + 00:5a:a8:b6:73:4c:17:92:d1:8d:81:9b:4c:b8:35: + 4d:91:dd:df:d3:85:a6:9f:c4:91:19:ec:47:d1:ca: + 4e:0b:c3:06:8c:27:42:95:83:e3:28:6a:3b:74:9c: + 68:b0:55:a5:91:91:cb:37:ad:fa:d8:69:8b:de:2e: + 4a:51:59:32:4b:3d:06:21:04:65:d2:f5:8b:e8:4d: + 45:96:de:63:97:47:81:85:ea:48:f0:9d:23:2d:71: + 87:6f:d2:75:3d:45:bf:de:ad:43:82:db:a5:29:9b: + f9:5e:38:0a:39:a9:38:71:ec:40:40:b5:dc:69:c7: + 0b:73 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 7F:47:8C:9E:F1:73:7E:34:B9:5B:1E:ED:AD:3A:87:42:80:D4:E3:FD + X509v3 Authority Key Identifier: + 75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC + X509v3 Basic Constraints: critical + CA:FALSE + Netscape Cert Type: + SSL Client, SSL Server + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 CRL Distribution Points: + Full Name: + URI:http://127.0.0.1:28888/intermediate2_crl.der + Authority Information Access: + OCSP - URI:http://127.0.0.1:28888/ + X509v3 Subject Alternative Name: + DNS:localhost, IP Address:127.0.0.1 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + b9:b4:05:48:a6:ba:6c:99:8b:23:c4:9b:b3:8a:32:3f:ca:62: + 89:81:1e:5d:04:ba:2d:22:a3:0f:5a:5d:a0:ab:40:a4:87:43: + 26:36:0a:09:64:ef:f5:b0:a7:6f:7a:1f:cc:06:6c:f7:8d:9c: + 64:5e:c2:ae:e7:45:39:dc:bc:87:06:e6:d5:aa:6b:32:76:51: + 64:e1:ac:d9:9a:dd:17:47:9b:4e:31:1c:93:f5:c5:ca:d6:b7: + 90:ff:64:97:59:df:2b:7f:ee:2d:7d:73:ef:95:ad:b5:1e:a9: + 0c:48:38:29:0b:39:4f:05:fb:07:cf:ec:94:a3:b3:d5:eb:00: + ed:b2:b9:71:a0:59:b5:3f:7c:f5:20:90:54:a8:ea:36:4c:ae: + 62:5b:2b:6d:05:8d:76:78:87:c9:90:f3:b2:d1:72:fc:87:f5: + 28:4c:ec:19:50:0f:02:32:d4:57:75:d9:c1:b2:dc:0e:d4:9a: + 3a:cd:48:70:1e:c4:2e:fd:4f:b0:89:6a:de:f0:90:91:23:16: + cd:04:fc:61:87:9c:c3:5c:7e:0f:19:ff:26:3e:fb:1b:65:2a: + 49:ae:47:9f:d5:e6:c8:30:bb:13:b9:48:d0:67:57:0f:fb:c6: + df:1c:fc:82:3b:ae:1f:f7:25:c8:df:c0:c5:d1:8d:51:94:74: + 30:be:fb:f7 +-----BEGIN CERTIFICATE----- +MIIEYjCCA0qgAwIBAgIUPh+bzch7lfFk5kGc324D2pKakLcwDQYJKoZIhvcNAQEL +BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx +ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMjAe +Fw0yMzA4MDIyMjE1MjdaFw0zMzA3MzAyMjE1MjdaMFQxCzAJBgNVBAYTAlVTMQsw +CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEU +MBIGA1UEAwwLVGVzdFNlcnZlcjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQCaPNt2yRkPe+bT7dELdq4V1BEcZrhdKn3jH2XYG8RjYvZcixhmqBzCpl5y +8t1XQoqrXb03tvFLUfCzajfpVXgBI+pTCYMvfVk2qzNPTLzvqRzblHlMDUp8P508 +umx2gkcl63ki9AlseDym70swkCmzX7ppsRqV7VPgxiR4blKvjrzbSvAZ0gBaqLZz +TBeS0Y2Bm0y4NU2R3d/ThaafxJEZ7EfRyk4LwwaMJ0KVg+Moajt0nGiwVaWRkcs3 +rfrYaYveLkpRWTJLPQYhBGXS9YvoTUWW3mOXR4GF6kjwnSMtcYdv0nU9Rb/erUOC +26Upm/leOAo5qThx7EBAtdxpxwtzAgMBAAGjggEkMIIBIDAdBgNVHQ4EFgQUf0eM +nvFzfjS5Wx7trTqHQoDU4/0wHwYDVR0jBBgwFoAUdVXijuetpd2APckzCyyiV3ft +FawwDAYDVR0TAQH/BAIwADARBglghkgBhvhCAQEEBAMCBsAwDgYDVR0PAQH/BAQD +AgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA9BgNVHR8ENjA0MDKg +MKAuhixodHRwOi8vMTI3LjAuMC4xOjI4ODg4L2ludGVybWVkaWF0ZTJfY3JsLmRl +cjAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly8xMjcuMC4wLjE6 +Mjg4ODgvMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsF +AAOCAQEAubQFSKa6bJmLI8Sbs4oyP8piiYEeXQS6LSKjD1pdoKtApIdDJjYKCWTv +9bCnb3ofzAZs942cZF7CrudFOdy8hwbm1aprMnZRZOGs2ZrdF0ebTjEck/XFyta3 +kP9kl1nfK3/uLX1z75WttR6pDEg4KQs5TwX7B8/slKOz1esA7bK5caBZtT989SCQ +VKjqNkyuYlsrbQWNdniHyZDzstFy/If1KEzsGVAPAjLUV3XZwbLcDtSaOs1IcB7E +Lv1PsIlq3vCQkSMWzQT8YYecw1x+Dxn/Jj77G2UqSa5Hn9XmyDC7E7lI0GdXD/vG +3xz8gjuuH/clyN/AxdGNUZR0ML779w== +-----END CERTIFICATE----- diff --git a/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer4_bundle.pem b/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer4_bundle.pem new file mode 100644 index 00000000..27f4217d --- /dev/null +++ b/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer4_bundle.pem @@ -0,0 +1,186 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 16:5e:ab:1c:8b:dc:fc:97:d9:34:9d:fd:cd:7d:b3:3c:51:83:ce:d2 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2 + Validity + Not Before: Aug 2 22:15:38 2023 GMT + Not After : Jul 30 22:15:38 2033 GMT + Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=TestServer4 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d5:fd:fb:3f:42:c7:ca:02:37:72:6e:78:d5:af: + 8d:b4:4d:f4:4c:0c:8f:8f:67:da:62:c0:2a:0f:f3: + 73:3b:83:c1:3a:df:9e:df:1d:26:12:95:41:ca:52: + 88:4d:8b:38:7f:78:ce:ed:aa:48:b0:dc:57:62:80: + 7a:fc:1f:43:c8:d8:2d:4f:38:c3:22:fc:bb:16:53: + 84:9e:44:0c:f9:51:00:a0:57:97:3f:df:57:08:48: + 3b:2b:55:b3:90:98:98:e6:a6:eb:ca:8f:ec:f8:4f: + dc:4d:7e:71:2e:03:ff:cd:fa:ef:65:7e:6d:8c:35: + be:df:fb:c1:0b:e9:f0:3b:89:24:4d:b4:02:7f:82: + 8e:0a:34:ea:a8:68:9e:f8:4b:39:9a:8f:d5:eb:bc: + 59:68:c9:f0:a5:eb:e9:be:7c:03:49:bd:b5:d9:54: + cf:88:29:b0:2c:a3:e9:08:b6:66:37:57:ef:66:5f: + 6b:0f:34:6d:02:bf:92:2b:cc:e9:9d:c0:a8:92:0d: + 76:8f:ae:f6:3f:24:38:e9:5b:fc:12:a2:ab:fa:42: + 3f:5a:05:e3:5e:bb:08:43:5d:55:18:17:13:0a:27: + 84:5f:05:69:18:a9:45:68:37:a7:35:f9:8c:ef:c5: + 9f:b1:8d:aa:3c:b7:cc:47:b6:e5:85:e2:73:f5:8a: + 5a:71 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + C4:BB:A1:42:EA:15:3E:0E:D1:48:5F:B5:E2:01:42:D0:72:BE:B0:CE + X509v3 Authority Key Identifier: + 75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC + X509v3 Basic Constraints: critical + CA:FALSE + Netscape Cert Type: + SSL Client, SSL Server + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 CRL Distribution Points: + Full Name: + URI:http://127.0.0.1:28888/intermediate2_crl.der + Authority Information Access: + OCSP - URI:http://127.0.0.1:28888/ + X509v3 Subject Alternative Name: + DNS:localhost, IP Address:127.0.0.1 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 85:c2:1a:b0:94:8b:a0:f8:2c:85:1e:17:88:4e:ca:2c:d1:f6: + 69:26:e3:a6:94:9f:62:eb:68:54:da:2b:f2:67:23:be:4b:95: + 56:28:08:7a:52:8e:b3:b2:70:2f:c9:db:06:74:b4:8b:8e:84: + 23:0a:74:f7:c1:67:81:69:11:36:2b:0e:4c:0f:2c:76:e6:2d: + 50:f3:e8:59:0d:3a:6c:30:eb:31:16:74:c8:34:d1:62:97:6b: + 1e:2f:5c:56:b0:6e:bc:5e:08:8f:d4:ce:4a:d3:8e:91:70:7d: + 18:d4:3f:40:39:39:67:95:68:f7:16:c6:19:69:41:c2:20:2e: + 45:e3:9d:31:c2:da:67:8d:2c:1f:a2:3f:1e:46:23:19:fd:25: + 16:69:5c:80:09:1b:f7:7f:50:47:1d:d9:6b:aa:7b:0f:20:8d: + 5a:f4:37:f0:c3:a7:31:5f:4d:41:70:c8:c4:aa:2a:69:d0:a8: + 7b:3c:cc:b4:a4:12:54:a3:bf:ce:ea:22:20:58:ae:eb:29:f3: + 15:da:22:05:46:cd:26:ef:63:84:4a:5b:86:47:fe:cb:fa:4a: + 0c:fe:82:e0:db:81:dc:3e:87:8f:93:23:32:de:37:3d:d7:0f: + 6c:f1:74:63:8b:11:b7:f3:69:b7:d6:e0:72:b2:1d:e1:15:10: + 7d:2e:97:de +-----BEGIN CERTIFICATE----- +MIIEYjCCA0qgAwIBAgIUFl6rHIvc/JfZNJ39zX2zPFGDztIwDQYJKoZIhvcNAQEL +BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx +ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMjAe +Fw0yMzA4MDIyMjE1MzhaFw0zMzA3MzAyMjE1MzhaMFQxCzAJBgNVBAYTAlVTMQsw +CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEU +MBIGA1UEAwwLVGVzdFNlcnZlcjQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDV/fs/QsfKAjdybnjVr420TfRMDI+PZ9piwCoP83M7g8E6357fHSYSlUHK +UohNizh/eM7tqkiw3FdigHr8H0PI2C1POMMi/LsWU4SeRAz5UQCgV5c/31cISDsr +VbOQmJjmpuvKj+z4T9xNfnEuA//N+u9lfm2MNb7f+8EL6fA7iSRNtAJ/go4KNOqo +aJ74Szmaj9XrvFloyfCl6+m+fANJvbXZVM+IKbAso+kItmY3V+9mX2sPNG0Cv5Ir +zOmdwKiSDXaPrvY/JDjpW/wSoqv6Qj9aBeNeuwhDXVUYFxMKJ4RfBWkYqUVoN6c1 ++YzvxZ+xjao8t8xHtuWF4nP1ilpxAgMBAAGjggEkMIIBIDAdBgNVHQ4EFgQUxLuh +QuoVPg7RSF+14gFC0HK+sM4wHwYDVR0jBBgwFoAUdVXijuetpd2APckzCyyiV3ft +FawwDAYDVR0TAQH/BAIwADARBglghkgBhvhCAQEEBAMCBsAwDgYDVR0PAQH/BAQD +AgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA9BgNVHR8ENjA0MDKg +MKAuhixodHRwOi8vMTI3LjAuMC4xOjI4ODg4L2ludGVybWVkaWF0ZTJfY3JsLmRl +cjAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly8xMjcuMC4wLjE6 +Mjg4ODgvMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsF +AAOCAQEAhcIasJSLoPgshR4XiE7KLNH2aSbjppSfYutoVNor8mcjvkuVVigIelKO +s7JwL8nbBnS0i46EIwp098FngWkRNisOTA8sduYtUPPoWQ06bDDrMRZ0yDTRYpdr +Hi9cVrBuvF4Ij9TOStOOkXB9GNQ/QDk5Z5Vo9xbGGWlBwiAuReOdMcLaZ40sH6I/ +HkYjGf0lFmlcgAkb939QRx3Za6p7DyCNWvQ38MOnMV9NQXDIxKoqadCoezzMtKQS +VKO/zuoiIFiu6ynzFdoiBUbNJu9jhEpbhkf+y/pKDP6C4NuB3D6Hj5MjMt43PdcP +bPF0Y4sRt/Npt9bgcrId4RUQfS6X3g== +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3c:d7:16:fb:15:99:81:4e:53:f8:80:7c:b6:7c:77:a6:06:a4:3e:ea + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Root CA + Validity + Not Before: May 1 19:01:43 2023 GMT + Not After : Apr 28 19:01:43 2033 GMT + Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:da:5f:ff:1d:f7:8d:1a:9e:9a:f3:2b:68:8f:c1: + 0c:33:06:41:00:c9:3e:e4:1a:e1:e0:70:6a:f5:2f: + ad:df:f3:e9:99:ed:c5:d7:aa:93:13:37:ff:47:aa: + f3:c5:89:f7:b7:ad:3a:47:e5:9c:4e:9f:8c:e2:41: + ed:a4:7c:9d:88:32:ae:f5:8a:84:9f:0c:18:a0:b3: + fe:8e:dc:2a:88:6a:f5:2f:9c:86:92:fa:7b:6e:b3: + 5a:78:67:53:0b:21:6c:0d:6c:80:1a:0e:1e:ee:06: + c4:d2:e7:24:c6:e5:74:be:1e:2e:17:55:2b:e5:9f: + 0b:a0:58:cc:fe:bf:53:37:f7:dc:95:88:f4:77:a6: + 59:b4:b8:7c:a2:4b:b7:6a:67:aa:84:dc:29:f1:f9: + d7:89:05:4d:0b:f3:8b:2d:52:99:57:ed:6f:11:9e: + af:28:a3:61:44:c2:ec:6e:7f:9f:3d:0b:dc:f7:19: + 6d:14:8a:a5:b8:b6:29:02:34:90:b4:96:c1:cb:a7: + 42:46:97:cf:8d:59:fd:17:b1:a6:27:a7:7b:8a:47: + 6f:fa:03:24:1c:12:25:ee:34:d6:5c:da:45:98:23: + 30:e1:48:c9:9a:df:37:aa:1b:70:6c:b2:0f:95:39: + d6:6d:3e:25:20:a8:07:2c:48:57:0c:99:52:cb:89: + 08:41 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC + X509v3 Authority Key Identifier: + C3:12:42:BA:A9:D8:4D:E0:C3:3E:BA:D7:47:41:A6:09:2F:6D:B4:E1 + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:0 + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 CRL Distribution Points: + Full Name: + URI:http://127.0.0.1:8888/root_crl.der + Authority Information Access: + OCSP - URI:http://127.0.0.1:8888/ + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 1f:c6:fc:1c:a1:a5:6d:76:f0:7d:28:1f:e1:15:ab:86:e0:c3: + dd:a0:17:96:0a:c0:16:32:52:37:a4:b6:ad:24:d7:fd:3c:01: + 34:3b:a9:a2:ea:81:05:e7:06:5f:a3:af:7b:fa:b2:a9:c3:63: + 89:bb:0c:70:48:e9:73:cc:33:64:cd:b3:71:88:d1:d1:a1:5a: + 22:a6:ed:03:46:8e:9a:c0:92:37:46:9b:e5:37:78:a5:43:d5: + 46:99:1b:34:40:27:8f:95:dd:c6:9a:55:d9:60:25:8d:b8:e9: + 6e:c9:b3:ee:e8:f0:d9:11:ef:4e:ae:1e:03:70:03:60:66:fd: + ab:b0:f4:74:b6:27:7c:7a:96:9d:86:58:5f:5c:d3:04:ab:16: + 57:12:53:51:c7:93:ca:0b:4e:67:27:2d:b7:20:79:b6:b7:8c: + e7:c3:d9:25:5e:25:63:cf:93:f0:6e:31:c0:d5:4f:05:1c:8d: + 14:1b:6a:d5:01:b6:7a:09:6f:38:f3:e5:e2:5a:e4:e2:42:d5: + 8a:8d:de:ef:73:25:85:3c:e3:a9:ef:f7:f7:23:4f:d3:27:c2: + 3a:c6:c0:6f:2a:9b:1e:fe:fc:31:73:10:e1:08:62:98:2b:6d: + 2f:cc:ab:dd:3a:65:c2:00:7f:29:18:32:cd:8f:56:a9:1d:86: + f1:5e:60:55 +-----BEGIN CERTIFICATE----- +MIIECTCCAvGgAwIBAgIUPNcW+xWZgU5T+IB8tnx3pgakPuowDQYJKoZIhvcNAQEL +BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx +ETAPBgNVBAoMCFRlc3RuYXRzMRAwDgYDVQQDDAdSb290IENBMB4XDTIzMDUwMTE5 +MDE0M1oXDTMzMDQyODE5MDE0M1owWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldB +MQ8wDQYDVQQHDAZUYWNvbWExETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJ +bnRlcm1lZGlhdGUgQ0EgMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ANpf/x33jRqemvMraI/BDDMGQQDJPuQa4eBwavUvrd/z6ZntxdeqkxM3/0eq88WJ +97etOkflnE6fjOJB7aR8nYgyrvWKhJ8MGKCz/o7cKohq9S+chpL6e26zWnhnUwsh +bA1sgBoOHu4GxNLnJMbldL4eLhdVK+WfC6BYzP6/Uzf33JWI9HemWbS4fKJLt2pn +qoTcKfH514kFTQvziy1SmVftbxGeryijYUTC7G5/nz0L3PcZbRSKpbi2KQI0kLSW +wcunQkaXz41Z/Rexpiene4pHb/oDJBwSJe401lzaRZgjMOFIyZrfN6obcGyyD5U5 +1m0+JSCoByxIVwyZUsuJCEECAwEAAaOB0DCBzTAdBgNVHQ4EFgQUdVXijuetpd2A +PckzCyyiV3ftFawwHwYDVR0jBBgwFoAUwxJCuqnYTeDDPrrXR0GmCS9ttOEwEgYD +VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwMwYDVR0fBCwwKjAooCag +JIYiaHR0cDovLzEyNy4wLjAuMTo4ODg4L3Jvb3RfY3JsLmRlcjAyBggrBgEFBQcB +AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6ODg4OC8wDQYJKoZI +hvcNAQELBQADggEBAB/G/ByhpW128H0oH+EVq4bgw92gF5YKwBYyUjektq0k1/08 +ATQ7qaLqgQXnBl+jr3v6sqnDY4m7DHBI6XPMM2TNs3GI0dGhWiKm7QNGjprAkjdG +m+U3eKVD1UaZGzRAJ4+V3caaVdlgJY246W7Js+7o8NkR706uHgNwA2Bm/auw9HS2 +J3x6lp2GWF9c0wSrFlcSU1HHk8oLTmcnLbcgeba3jOfD2SVeJWPPk/BuMcDVTwUc +jRQbatUBtnoJbzjz5eJa5OJC1YqN3u9zJYU846nv9/cjT9MnwjrGwG8qmx7+/DFz +EOEIYpgrbS/Mq906ZcIAfykYMs2PVqkdhvFeYFU= +-----END CERTIFICATE----- diff --git a/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer4_cert.pem b/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer4_cert.pem new file mode 100644 index 00000000..70326255 --- /dev/null +++ b/test/configs/certs/ocsp_peer/mini-ca/server2/TestServer4_cert.pem @@ -0,0 +1,97 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 16:5e:ab:1c:8b:dc:fc:97:d9:34:9d:fd:cd:7d:b3:3c:51:83:ce:d2 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=WA, L=Tacoma, O=Testnats, CN=Intermediate CA 2 + Validity + Not Before: Aug 2 22:15:38 2023 GMT + Not After : Jul 30 22:15:38 2033 GMT + Subject: C=US, ST=WA, L=Tacoma, O=Testnats, CN=TestServer4 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d5:fd:fb:3f:42:c7:ca:02:37:72:6e:78:d5:af: + 8d:b4:4d:f4:4c:0c:8f:8f:67:da:62:c0:2a:0f:f3: + 73:3b:83:c1:3a:df:9e:df:1d:26:12:95:41:ca:52: + 88:4d:8b:38:7f:78:ce:ed:aa:48:b0:dc:57:62:80: + 7a:fc:1f:43:c8:d8:2d:4f:38:c3:22:fc:bb:16:53: + 84:9e:44:0c:f9:51:00:a0:57:97:3f:df:57:08:48: + 3b:2b:55:b3:90:98:98:e6:a6:eb:ca:8f:ec:f8:4f: + dc:4d:7e:71:2e:03:ff:cd:fa:ef:65:7e:6d:8c:35: + be:df:fb:c1:0b:e9:f0:3b:89:24:4d:b4:02:7f:82: + 8e:0a:34:ea:a8:68:9e:f8:4b:39:9a:8f:d5:eb:bc: + 59:68:c9:f0:a5:eb:e9:be:7c:03:49:bd:b5:d9:54: + cf:88:29:b0:2c:a3:e9:08:b6:66:37:57:ef:66:5f: + 6b:0f:34:6d:02:bf:92:2b:cc:e9:9d:c0:a8:92:0d: + 76:8f:ae:f6:3f:24:38:e9:5b:fc:12:a2:ab:fa:42: + 3f:5a:05:e3:5e:bb:08:43:5d:55:18:17:13:0a:27: + 84:5f:05:69:18:a9:45:68:37:a7:35:f9:8c:ef:c5: + 9f:b1:8d:aa:3c:b7:cc:47:b6:e5:85:e2:73:f5:8a: + 5a:71 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + C4:BB:A1:42:EA:15:3E:0E:D1:48:5F:B5:E2:01:42:D0:72:BE:B0:CE + X509v3 Authority Key Identifier: + 75:55:E2:8E:E7:AD:A5:DD:80:3D:C9:33:0B:2C:A2:57:77:ED:15:AC + X509v3 Basic Constraints: critical + CA:FALSE + Netscape Cert Type: + SSL Client, SSL Server + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 CRL Distribution Points: + Full Name: + URI:http://127.0.0.1:28888/intermediate2_crl.der + Authority Information Access: + OCSP - URI:http://127.0.0.1:28888/ + X509v3 Subject Alternative Name: + DNS:localhost, IP Address:127.0.0.1 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 85:c2:1a:b0:94:8b:a0:f8:2c:85:1e:17:88:4e:ca:2c:d1:f6: + 69:26:e3:a6:94:9f:62:eb:68:54:da:2b:f2:67:23:be:4b:95: + 56:28:08:7a:52:8e:b3:b2:70:2f:c9:db:06:74:b4:8b:8e:84: + 23:0a:74:f7:c1:67:81:69:11:36:2b:0e:4c:0f:2c:76:e6:2d: + 50:f3:e8:59:0d:3a:6c:30:eb:31:16:74:c8:34:d1:62:97:6b: + 1e:2f:5c:56:b0:6e:bc:5e:08:8f:d4:ce:4a:d3:8e:91:70:7d: + 18:d4:3f:40:39:39:67:95:68:f7:16:c6:19:69:41:c2:20:2e: + 45:e3:9d:31:c2:da:67:8d:2c:1f:a2:3f:1e:46:23:19:fd:25: + 16:69:5c:80:09:1b:f7:7f:50:47:1d:d9:6b:aa:7b:0f:20:8d: + 5a:f4:37:f0:c3:a7:31:5f:4d:41:70:c8:c4:aa:2a:69:d0:a8: + 7b:3c:cc:b4:a4:12:54:a3:bf:ce:ea:22:20:58:ae:eb:29:f3: + 15:da:22:05:46:cd:26:ef:63:84:4a:5b:86:47:fe:cb:fa:4a: + 0c:fe:82:e0:db:81:dc:3e:87:8f:93:23:32:de:37:3d:d7:0f: + 6c:f1:74:63:8b:11:b7:f3:69:b7:d6:e0:72:b2:1d:e1:15:10: + 7d:2e:97:de +-----BEGIN CERTIFICATE----- +MIIEYjCCA0qgAwIBAgIUFl6rHIvc/JfZNJ39zX2zPFGDztIwDQYJKoZIhvcNAQEL +BQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMQ8wDQYDVQQHDAZUYWNvbWEx +ETAPBgNVBAoMCFRlc3RuYXRzMRowGAYDVQQDDBFJbnRlcm1lZGlhdGUgQ0EgMjAe +Fw0yMzA4MDIyMjE1MzhaFw0zMzA3MzAyMjE1MzhaMFQxCzAJBgNVBAYTAlVTMQsw +CQYDVQQIDAJXQTEPMA0GA1UEBwwGVGFjb21hMREwDwYDVQQKDAhUZXN0bmF0czEU +MBIGA1UEAwwLVGVzdFNlcnZlcjQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDV/fs/QsfKAjdybnjVr420TfRMDI+PZ9piwCoP83M7g8E6357fHSYSlUHK +UohNizh/eM7tqkiw3FdigHr8H0PI2C1POMMi/LsWU4SeRAz5UQCgV5c/31cISDsr +VbOQmJjmpuvKj+z4T9xNfnEuA//N+u9lfm2MNb7f+8EL6fA7iSRNtAJ/go4KNOqo +aJ74Szmaj9XrvFloyfCl6+m+fANJvbXZVM+IKbAso+kItmY3V+9mX2sPNG0Cv5Ir +zOmdwKiSDXaPrvY/JDjpW/wSoqv6Qj9aBeNeuwhDXVUYFxMKJ4RfBWkYqUVoN6c1 ++YzvxZ+xjao8t8xHtuWF4nP1ilpxAgMBAAGjggEkMIIBIDAdBgNVHQ4EFgQUxLuh +QuoVPg7RSF+14gFC0HK+sM4wHwYDVR0jBBgwFoAUdVXijuetpd2APckzCyyiV3ft +FawwDAYDVR0TAQH/BAIwADARBglghkgBhvhCAQEEBAMCBsAwDgYDVR0PAQH/BAQD +AgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA9BgNVHR8ENjA0MDKg +MKAuhixodHRwOi8vMTI3LjAuMC4xOjI4ODg4L2ludGVybWVkaWF0ZTJfY3JsLmRl +cjAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly8xMjcuMC4wLjE6 +Mjg4ODgvMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsF +AAOCAQEAhcIasJSLoPgshR4XiE7KLNH2aSbjppSfYutoVNor8mcjvkuVVigIelKO +s7JwL8nbBnS0i46EIwp098FngWkRNisOTA8sduYtUPPoWQ06bDDrMRZ0yDTRYpdr +Hi9cVrBuvF4Ij9TOStOOkXB9GNQ/QDk5Z5Vo9xbGGWlBwiAuReOdMcLaZ40sH6I/ +HkYjGf0lFmlcgAkb939QRx3Za6p7DyCNWvQ38MOnMV9NQXDIxKoqadCoezzMtKQS +VKO/zuoiIFiu6ynzFdoiBUbNJu9jhEpbhkf+y/pKDP6C4NuB3D6Hj5MjMt43PdcP +bPF0Y4sRt/Npt9bgcrId4RUQfS6X3g== +-----END CERTIFICATE----- diff --git a/test/configs/certs/ocsp_peer/mini-ca/server2/private/TestServer3_keypair.pem b/test/configs/certs/ocsp_peer/mini-ca/server2/private/TestServer3_keypair.pem new file mode 100644 index 00000000..bb0d7e45 --- /dev/null +++ b/test/configs/certs/ocsp_peer/mini-ca/server2/private/TestServer3_keypair.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCaPNt2yRkPe+bT +7dELdq4V1BEcZrhdKn3jH2XYG8RjYvZcixhmqBzCpl5y8t1XQoqrXb03tvFLUfCz +ajfpVXgBI+pTCYMvfVk2qzNPTLzvqRzblHlMDUp8P508umx2gkcl63ki9AlseDym +70swkCmzX7ppsRqV7VPgxiR4blKvjrzbSvAZ0gBaqLZzTBeS0Y2Bm0y4NU2R3d/T +haafxJEZ7EfRyk4LwwaMJ0KVg+Moajt0nGiwVaWRkcs3rfrYaYveLkpRWTJLPQYh +BGXS9YvoTUWW3mOXR4GF6kjwnSMtcYdv0nU9Rb/erUOC26Upm/leOAo5qThx7EBA +tdxpxwtzAgMBAAECggEALjBPYLE0SgjGxWyQj6hI1cyeGy0/xNa2wE9kxmT6WPEH +6grVkdiCVGBSJIZKdpk8wbjes1Kby/yL4o7Kk5u+xkilIZzVpmEZWF/Ii9TlN7gj +Jja+ZGIOjkrWoZsKZCr7d4WezzLZp5wSPcOndrGVa1wdjQ02cvORjNyJi28uX9gd +8uBK5AIXS1lbkt/v+8mrBPgZUttz6gxhlHwxKs6JWWlIpGemNddE39UxuGDGHmVA +aw/gH/G4LNXtbAIPq5zDtFbfCKnQVgU1ppWILehoFqIs8JLtz4LPuvIxeztzKff4 +DU31rs14Zati5ykq9CVqY/d+4nKdstwhRPcPfsvgYQKBgQDBNVPn73A7fRoURpzV +sdJPA4RDbrbiZj0x/cAskuzzx/mmJUuNyuJxGizJU0ebT3VxtdCR2LqpgGEQEaKS +wYmMlSJ4NccugWgRl7/of5d5oY2m6f4W4YaNp4RebdVhNPJ4wSbeW7pH+2OKr2xd +my+m1WJUvRBbPq5kV2BdHNw62QKBgQDMXTqaOjsC9jpOOIjsUHmV55MbMmwK8For +H6e3Dn1ZO0Tpcg33GMLO5wHwzH6dlT2JVJAOdr5HqZgdIqjt30ACZsdf2VkutH94 +OvZmEAbwI9A+TAoxE8QlLYyz/qjJSGopJRU0x+KqEORxBmjO6LVV1GL9VVdoYrlH +Z7mrJ+7RKwKBgQC87LyDS2rfgNEDipjJjPwtLy8iERzb/UVRoONNss3pA15mzIk4 +uW77UbEBnGGkyOn6quKr+tVr8ZD3+YaTIpSx1xLBoTSHkRqGOXD6k+k2knbFBIHl +NdowoeGZxKSmTPPciGLNg7x/rp4Des3oKltKM9XXLpjT4FL+40HjStk+4QKBgQC8 +71AXd9BIy7VZzaCgwUG3GhIBadtDPbRO/AQFFAtE7KuoGz7X+/dWa3F62sQQEgKD +LT/Fb3g5LoyoGvwMdoJp9fVLItj1egAC+pgEAbs4VhPXFFuzxa9oI7VaTwxikmU7 +RsJVOprOWbGo4KES8Ud8Y09lIHof0m2ymy2nE9MRYwKBgDn86ZcbBr6sBXgc6PEM +rq4JXBCX8O17id9rJO37PkhPsOKpNf7YbQwHlHjwkUq5+g7Ec/LbeZ/tssEBY0ab +zUXwgWFMUKJVTEZUFwl2aTBqW8+LSu1TgzGMx2H/sxrvS4ElxC04jpPWUQstcuRH +y3yIz1HsmlMEg7qCiQ4maZE3 +-----END PRIVATE KEY----- diff --git a/test/configs/certs/ocsp_peer/mini-ca/server2/private/TestServer4_keypair.pem b/test/configs/certs/ocsp_peer/mini-ca/server2/private/TestServer4_keypair.pem new file mode 100644 index 00000000..97927280 --- /dev/null +++ b/test/configs/certs/ocsp_peer/mini-ca/server2/private/TestServer4_keypair.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDV/fs/QsfKAjdy +bnjVr420TfRMDI+PZ9piwCoP83M7g8E6357fHSYSlUHKUohNizh/eM7tqkiw3Fdi +gHr8H0PI2C1POMMi/LsWU4SeRAz5UQCgV5c/31cISDsrVbOQmJjmpuvKj+z4T9xN +fnEuA//N+u9lfm2MNb7f+8EL6fA7iSRNtAJ/go4KNOqoaJ74Szmaj9XrvFloyfCl +6+m+fANJvbXZVM+IKbAso+kItmY3V+9mX2sPNG0Cv5IrzOmdwKiSDXaPrvY/JDjp +W/wSoqv6Qj9aBeNeuwhDXVUYFxMKJ4RfBWkYqUVoN6c1+YzvxZ+xjao8t8xHtuWF +4nP1ilpxAgMBAAECggEABmE7dr39Ep3ZDRdz0QwaNY5O6p8Dvy7llQTdZCsaDAPQ +NJsC46w87LgoNVnbUDOGwE8n3TBS2ToCfXBu6joc5V2jkS10LOR7x+0+wpCtEdhL +RFyEKP51u+yaXf8Aut5/zX2bwUbj9d28p89NnMV4AIo7Dau0pKXcDlW1Qk+LztyI +hKFN6hrSFqAurmSt/pu3oo9kI9WJkrCxoj+VjQdVi420uAYOFR22aFaHrzpuHouW +4IzFbLhVF+c33xSbs1OEIpZSFzNucWYEKSwEREcyFgIXfWpDaXjoqWcrvXkeqyo9 +vGytQ3YaEsZPzfzgcViwa30g7WAA7kO9RuwcCPK4wQKBgQDpVmbVnmTlRwFbtdkD +4rjd5vtAB3nfsl0Ex11nU8+Oo0kZWeg8mm+Gba4vjEKfVyojbjFmm0ytQG0OGEK7 +UQ13mE1wueMn5qEVX9nTXIxVwcS7+rQAUrC5a6SSg81WIWzeclkqNc1J1EVC7jtl +zqy3PtC94g4tV68urpD86RRxUQKBgQDqxpWscN1u7GeuYf8rSPhPcoZTupqyrV3L +h+w7jUt5O/vfNPOYIXVfo2u05jiK0mTvLf5tVjYoQDF+x6odA2oBH2yz1ED0DZsf +2AhdtCSrMbxazcl/5fPrIIa1GRBp6y5i0ddX8T19twr/PVoYGRqkU4xoN+KoOKz+ +HLFUUgQPIQKBgG5N9v0DDMVKRL0bAQUSN7xGxf1ly1pRUiHBMUl4WEUgsZy3YM7N +Xu1YiiBWGOSEaxomrFnKDnxUWXlxRJKSZWBk8i7Y4SZqozmcfzeop3qeyCbpBBCn +Bn4RAdJ1VitiT7n0qmwG1Q4St89FGXUuN33Exx8MbxFGQz05LrcwZAaRAoGAVFez +PZfudQMI3GToPqygSCpkh3/qQ3Z008Go5FwGWS9rdOyY9nZOrGURNJPgjD65dBOZ +672lByDIpzsjqfioBG89pf0CuKqKqA38M22cHsRnXle/o+sAjd/JhRXUB7ktmOK5 +8iYAaUFw+fEYhL/ACnjZYDdzfeueekvkiN5OBwECgYB90hQJ2lw5s6GFJd+9T5xS +OMngfLAWDvW8+0hvtWCTLAVpMDWRGhGmvj532jWfkgqnvUemyF541RkV0Hy5K1Xl +0icXtpuZ+REh7NCXFJlEiOd+69OEdu78s5Zy8V1zCkEsgxzl2q6PkBDWfxepgdRC +LbwiAF8h2mxCwvvHbaBiKA== +-----END PRIVATE KEY----- diff --git a/test/ocsp_test.go b/test/ocsp_test.go index 3f705d42..fe901c67 100644 --- a/test/ocsp_test.go +++ b/test/ocsp_test.go @@ -3694,3 +3694,284 @@ func TestOCSPLocalIssuerDetermination(t *testing.T) { }) } } + +func TestMixedCAOCSPSuperCluster(t *testing.T) { + const ( + caCert = "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem" + caKey = "configs/certs/ocsp/ca-key.pem" + ) + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + + intermediateCA1Responder := newOCSPResponderIntermediateCA1(t) + intermediateCA1ResponderURL := fmt.Sprintf("http://%s", intermediateCA1Responder.Addr) + defer intermediateCA1Responder.Shutdown(ctx) + setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_cert.pem", ocsp.Good) + + intermediateCA2Responder := newOCSPResponderIntermediateCA2(t) + intermediateCA2ResponderURL := fmt.Sprintf("http://%s", intermediateCA2Responder.Addr) + defer intermediateCA2Responder.Shutdown(ctx) + setOCSPStatus(t, intermediateCA2ResponderURL, "configs/certs/ocsp_peer/mini-ca/server2/TestServer3_cert.pem", ocsp.Good) + + // Store Dirs + storeDirA := t.TempDir() + storeDirB := t.TempDir() + storeDirC := t.TempDir() + + // Gateway server configuration + srvConfA := ` + host: "127.0.0.1" + port: -1 + + server_name: "A" + + ocsp { mode: "always" } + + tls { + cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem" + key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem" + ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem" + timeout: 5 + } + store_dir: '%s' + + cluster { + name: A + host: "127.0.0.1" + advertise: 127.0.0.1 + port: -1 + + tls { + cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem" + key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem" + ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem" + timeout: 5 + } + } + + gateway { + name: A + host: "127.0.0.1" + port: -1 + advertise: "127.0.0.1" + + tls { + cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem" + key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem" + ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem" + timeout: 5 + verify: true + } + } + ` + srvConfA = fmt.Sprintf(srvConfA, storeDirA) + sconfA := createConfFile(t, []byte(srvConfA)) + srvA, optsA := RunServerWithConfig(sconfA) + defer srvA.Shutdown() + + // Server that has the original as a cluster. + srvConfB := ` + host: "127.0.0.1" + port: -1 + + server_name: "B" + + ocsp { mode: "always" } + + tls { + cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem" + key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem" + ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem" + timeout: 5 + } + store_dir: '%s' + + cluster { + name: A + host: "127.0.0.1" + advertise: 127.0.0.1 + port: -1 + + routes: [ nats://127.0.0.1:%d ] + + tls { + cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem" + key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem" + ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem" + timeout: 5 + } + } + + gateway { + name: A + host: "127.0.0.1" + advertise: "127.0.0.1" + port: -1 + + tls { + cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem" + key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem" + ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem" + timeout: 5 + verify: true + } + } + ` + srvConfB = fmt.Sprintf(srvConfB, storeDirB, optsA.Cluster.Port) + conf := createConfFile(t, []byte(srvConfB)) + srvB, optsB := RunServerWithConfig(conf) + defer srvB.Shutdown() + + // Client connects to server A. + cA, err := nats.Connect(fmt.Sprintf("tls://127.0.0.1:%d", optsA.Port), + nats.Secure(&tls.Config{ + VerifyConnection: func(s tls.ConnectionState) error { + if s.OCSPResponse == nil { + return fmt.Errorf("missing OCSP Staple from server") + } + return nil + }, + }), + nats.RootCAs(caCert), + nats.ErrorHandler(noOpErrHandler), + ) + if err != nil { + t.Fatal(err) + + } + defer cA.Close() + + // Start another server that will make connect as a gateway to cluster A but with different CA issuer. + srvConfC := ` + host: "127.0.0.1" + port: -1 + + server_name: "C" + + ocsp { mode: "always" } + + tls { + cert_file: "configs/certs/ocsp_peer/mini-ca/server2/TestServer3_bundle.pem" + key_file: "configs/certs/ocsp_peer/mini-ca/server2/private/TestServer3_keypair.pem" + ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem" + timeout: 5 + } + store_dir: '%s' + gateway { + name: C + host: "127.0.0.1" + advertise: "127.0.0.1" + port: -1 + gateways: [{ + name: "A", + urls: ["nats://127.0.0.1:%d"] + tls { + cert_file: "configs/certs/ocsp_peer/mini-ca/server2/TestServer3_bundle.pem" + key_file: "configs/certs/ocsp_peer/mini-ca/server2/private/TestServer3_keypair.pem" + ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem" + timeout: 5 + } + }] + tls { + cert_file: "configs/certs/ocsp_peer/mini-ca/server2/TestServer3_bundle.pem" + key_file: "configs/certs/ocsp_peer/mini-ca/server2/private/TestServer3_keypair.pem" + ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem" + timeout: 5 + verify: true + } + } + ` + srvConfC = fmt.Sprintf(srvConfC, storeDirC, optsA.Gateway.Port) + conf = createConfFile(t, []byte(srvConfC)) + srvC, optsC := RunServerWithConfig(conf) + defer srvC.Shutdown() + + // Check that server is connected to any server from the other cluster. + checkClusterFormed(t, srvA, srvB) + waitForOutboundGateways(t, srvC, 1, 5*time.Second) + + // Connect to cluster A using server B. + cB, err := nats.Connect(fmt.Sprintf("tls://127.0.0.1:%d", optsB.Port), + nats.Secure(&tls.Config{ + VerifyConnection: func(s tls.ConnectionState) error { + if s.OCSPResponse == nil { + return fmt.Errorf("missing OCSP Staple from server") + } + return nil + }, + }), + nats.RootCAs(caCert), + nats.ErrorHandler(noOpErrHandler), + ) + if err != nil { + t.Fatal(err) + } + defer cB.Close() + + // Connects to cluster C using server C. + cC, err := nats.Connect(fmt.Sprintf("tls://127.0.0.1:%d", optsC.Port), + nats.Secure(&tls.Config{ + VerifyConnection: func(s tls.ConnectionState) error { + if s.OCSPResponse == nil { + return fmt.Errorf("missing OCSP Staple from server") + } + return nil + }, + }), + nats.RootCAs(caCert), + nats.ErrorHandler(noOpErrHandler), + ) + if err != nil { + t.Fatal(err) + } + defer cC.Close() + + _, err = cA.Subscribe("foo", func(m *nats.Msg) { + m.Respond([]byte("From Server A")) + }) + if err != nil { + t.Errorf("%v", err) + } + cA.Flush() + + _, err = cB.Subscribe("bar", func(m *nats.Msg) { + m.Respond([]byte("From Server B")) + }) + if err != nil { + t.Fatal(err) + } + cB.Flush() + + // Confirm that a message from server C can flow back to server A via gateway.. + var ( + resp *nats.Msg + lerr error + ) + for i := 0; i < 10; i++ { + resp, lerr = cC.Request("foo", nil, 500*time.Millisecond) + if lerr != nil { + continue + } + got := string(resp.Data) + expected := "From Server A" + if got != expected { + t.Fatalf("Expected %v, got: %v", expected, got) + } + + // Make request to B + resp, lerr = cC.Request("bar", nil, 500*time.Millisecond) + if lerr != nil { + continue + } + got = string(resp.Data) + expected = "From Server B" + if got != expected { + t.Errorf("Expected %v, got: %v", expected, got) + } + lerr = nil + break + } + if lerr != nil { + t.Errorf("Unexpected error: %v", lerr) + } +}