From 154cdbd861445278a983232f02ac440f976e3087 Mon Sep 17 00:00:00 2001 
From: Aram Sargsyan Date: Thu, 8 Dec 2022 10:29:15 +0000 Subject: [PATCH] Test query forwarding to DoT-enabled upstream servers Change the 'forward' system test to enable DoT on ns2 server, and test that forwarding from ns4 to the DoT-enabled ns2 works. In order to test different scenarios, create a test CA (based on similar CAs for 'doth' and 'nsupdate' system tests), and test both insecure (no certificate validation) and secure (also with mutual TLS) TLS configurations, as well as a configuration with an expired certificate. --- .reuse/dep5 | 5 + bin/tests/system/forward/.gitignore | 5 + bin/tests/system/forward/CA/CA.cfg | 77 ++++++++++++++ bin/tests/system/forward/CA/CA.pem | 29 +++++ bin/tests/system/forward/CA/README | 2 + .../CA/certs/srv02.crt01.example.nil.key | 40 +++++++ .../CA/certs/srv02.crt01.example.nil.pem | 100 ++++++++++++++++++ .../certs/srv02.crt02-expired.example.nil.key | 40 +++++++ .../certs/srv02.crt02-expired.example.nil.pem | 100 ++++++++++++++++++ .../CA/certs/srv04.crt01.example.nil.key | 40 +++++++ .../CA/certs/srv04.crt01.example.nil.pem | 100 ++++++++++++++++++ bin/tests/system/forward/CA/index.txt | 3 + bin/tests/system/forward/CA/index.txt.attr | 1 + .../forward/CA/newcerts/CCC118082632E18B.pem | 100 ++++++++++++++++++ .../forward/CA/newcerts/CCC118082632E18C.pem | 100 ++++++++++++++++++ .../forward/CA/newcerts/CCC118082632E18D.pem | 100 ++++++++++++++++++ bin/tests/system/forward/CA/private/CA.key | 39 +++++++ bin/tests/system/forward/CA/serial | 1 + bin/tests/system/forward/clean.sh | 1 + bin/tests/system/forward/dhparam3072.pem | 11 ++ bin/tests/system/forward/ns1/named.conf.in | 10 ++ bin/tests/system/forward/ns2/named.conf.in | 43 ++++++++ bin/tests/system/forward/ns4/named.conf.in | 61 ++++++++++- bin/tests/system/forward/tests.sh | 47 +++++++- 24 files changed, 1047 insertions(+), 8 deletions(-) create mode 100644 bin/tests/system/forward/.gitignore create mode 100644 bin/tests/system/forward/CA/CA.cfg create mode 100644 
bin/tests/system/forward/CA/CA.pem create mode 100644 bin/tests/system/forward/CA/README create mode 100644 bin/tests/system/forward/CA/certs/srv02.crt01.example.nil.key create mode 100644 bin/tests/system/forward/CA/certs/srv02.crt01.example.nil.pem create mode 100644 bin/tests/system/forward/CA/certs/srv02.crt02-expired.example.nil.key create mode 100644 bin/tests/system/forward/CA/certs/srv02.crt02-expired.example.nil.pem create mode 100644 bin/tests/system/forward/CA/certs/srv04.crt01.example.nil.key create mode 100644 bin/tests/system/forward/CA/certs/srv04.crt01.example.nil.pem create mode 100644 bin/tests/system/forward/CA/index.txt create mode 100644 bin/tests/system/forward/CA/index.txt.attr create mode 100644 bin/tests/system/forward/CA/newcerts/CCC118082632E18B.pem create mode 100644 bin/tests/system/forward/CA/newcerts/CCC118082632E18C.pem create mode 100644 bin/tests/system/forward/CA/newcerts/CCC118082632E18D.pem create mode 100644 bin/tests/system/forward/CA/private/CA.key create mode 100644 bin/tests/system/forward/CA/serial create mode 100644 bin/tests/system/forward/dhparam3072.pem
diff --git a/.reuse/dep5 b/.reuse/dep5
index 5672b01ce0..7a929e4f65 100644
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -42,6 +42,11 @@ Files: **/*.after*
 bin/tests/system/formerr/nametoolong
 bin/tests/system/formerr/noquestions
 bin/tests/system/formerr/twoquestions
+ bin/tests/system/forward/CA/CA.cfg
+ bin/tests/system/forward/CA/README
+ bin/tests/system/forward/CA/index.txt
+ bin/tests/system/forward/CA/index.txt.attr
+ bin/tests/system/forward/CA/serial
 bin/tests/system/journal/ns1/managed-keys.bind.in
 bin/tests/system/journal/ns1/managed-keys.bind.jnl.in
 bin/tests/system/journal/ns2/managed-keys.bind.in
diff --git a/bin/tests/system/forward/.gitignore b/bin/tests/system/forward/.gitignore
new file mode 100644
index 0000000000..df5fe68d5d
--- /dev/null
+++ b/bin/tests/system/forward/.gitignore
@@ -0,0 +1,5 @@
+# temporary files generated by "openssl ca"
+/CA/*.old
+# there is little point in keeping the certificate requests
+# for the issued certificates
+/CA/certs/*.csr
diff --git a/bin/tests/system/forward/CA/CA.cfg b/bin/tests/system/forward/CA/CA.cfg
new file mode 100644
index 0000000000..369e43a6d4
--- /dev/null
+++ b/bin/tests/system/forward/CA/CA.cfg
@@ -0,0 +1,77 @@
+# See ../../doth/CA/ca.cfg for more information
+
+# certificate authority configuration
+[ca]
+default_ca = CA_default # The default ca section
+
+[CA_default]
+dir = .
+new_certs_dir = $dir/newcerts # new certs dir (must be created)
+certificate = $dir/CA.pem # The CA cert
+private_key = $dir/private/CA.key # CA private key
+
+serial = $dir/serial # serial number file for the next certificate
+ # Update before issuing it:
+ # xxd -l 8 -u -ps /dev/urandom > ./serial
+database = $dir/index.txt # (must be created manually: touch ./index.txt)
+
+default_days = 10950 # how long to certify for
+
+#default_crl_days = 30 # the number of days before the
+default_crl_days = 10950 # next CRL is due. That is the
+ # days from now to place in the
+ # CRL nextUpdate field. If CRL
+ # is expired, certificate
+ # verifications will fail even
+ # for otherwise valid
+ # certificates. Clients might
+ # cache the CRL, so the expiry
+ # period should normally be
+ # relatively short (default:
+ # 30) for production CAs.
+
+default_md = sha256 # digest to use
+
+policy = policy_default # default policy
+email_in_dn = no # Don't add the email into cert DN
+
+name_opt = ca_default # Subject name display option
+cert_opt = ca_default # Certificate display option
+
+# We need the following in order to copy Subject Alt Name(s) from a
+# request to the certificate.
+copy_extensions = copy # copy extensions from request
+
+[policy_default]
+countryName = optional
+stateOrProvinceName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# default certificate requests settings
+[req]
+# Options for the `req` tool (`man req`).
+default_bits = 3072 # for RSA only
+distinguished_name = req_default
+string_mask = utf8only
+# SHA-1 is deprecated, so use SHA-256 instead.
+default_md = sha256
+# do not encrypt the private key file
+encrypt_key = no
+
+[req_default]
+# See .
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name (full name)
+localityName = Locality Name (e.g., city)
+0.organizationName = Organization Name (e.g., company)
+organizationalUnitName = Organizational Unit Name (e.g. department)
+commonName = Common Name (e.g. server FQDN or YOUR name)
+emailAddress = Email Address
+# defaults
+countryName_default = UA
+stateOrProvinceName_default = Kharkiv Oblast
+localityName_default = Kharkiv
+0.organizationName_default = ISC
+organizationalUnitName_default = Software Engeneering (BIND 9)
diff --git a/bin/tests/system/forward/CA/CA.pem b/bin/tests/system/forward/CA/CA.pem
new file mode 100644
index 0000000000..1f725dbb8a
--- /dev/null
+++ b/bin/tests/system/forward/CA/CA.pem
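Review bot: `copy_extensions = copy` in `[CA_default]` is set without any `x509_extensions` section, so whatever extensions a request carries are copied into the issued certificate and nothing forces `basicConstraints = CA:FALSE` or a key usage on leaf certificates; the certificate dumps later in this patch accordingly list only Subject Alternative Name and the two key identifiers. That is tolerable for a test CA whose unencrypted keys (`encrypt_key = no`, `CA/private/CA.key` in the diffstat) are committed to the tree, but the file reads like a reusable template, so I would add a comment above that line such as `# Test-only CA: requests are trusted as-is; do not reuse this configuration or its keys outside the system tests.` A stricter variant is an extensions section containing `basicConstraints = critical, CA:FALSE`, referenced from `[CA_default]` via `x509_extensions`. Separately, `organizationalUnitName_default` misspells "Engineering", and the `# See .` comment under `[req_default]` appears to have lost its reference.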
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE3TCCA0WgAwIBAgIUeZPKrvbGEBZaRc2jNczlIsJXyPYwDQYJKoZIhvcNAQEL +BQAwfTELMAkGA1UEBhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4G +A1UEBwwHS2hhcmtpdjEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0 +aXVtMRwwGgYDVQQDDBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDEyNDEyNDA1 +NFoYDzIwNTIwMTE3MTI0MDU0WjB9MQswCQYDVQQGEwJVQTEYMBYGA1UECAwPS2hh +cmtpdiBPYmxhc3QnMRAwDgYDVQQHDAdLaGFya2l2MSQwIgYDVQQKDBtJbnRlcm5l +dCBTeXN0ZW1zIENvbnNvcnRpdW0xHDAaBgNVBAMME2NhLnRlc3QuZXhhbXBsZS5j +b20wggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCi6hEegBzpUKbE1NTo +Z7uz7EMUY7TBckkiw/7ydTLKNa8YI4JpBguFvWQsDY0dGFJIoVwyHyNx3seW/LoI +B5zWPZ2xbOvLLceA+t2NZpbc98E7jUOVS123yED+nqlfZjCq9Zt0r/ezwnQtjnFF +ko1mcU4H9Jvg8aIgnU2AxE78zciU9CY8799pFFNThIjbooI8oVbfjbzbpmLzxjA5 +3rDmZBTh+ySTlMa2U2oT4WPjRltZWnJVegRRLpG95GnTbQ1fkJAbj1Iu10XTkCee +wBOqaA1UJem0a6pby5odE414Y7c0ETKcmaJtYENQyO0IJwZWDKtVe5OTIAklakia +eyFTCAw1h5tHCYLaJW/Yu2wlLl5RNQcRZ9+cWXnldTY+TI1iBjfmADjLdKJYUlhX +z7kWJtTi63Sdv6WYcEXxaWpxT+R3e2kaR/R7GOo4gdkWpX1siGlRteHHH2/36CSQ +ZD2etcTUpGW+KDHFR4grnEfL1rt9UgvCjpa4KcssmZtWSSUCAwEAAaNTMFEwHQYD +VR0OBBYEFHyJ6Fzr5R9ySATFj/uSCJz1YCY5MB8GA1UdIwQYMBaAFHyJ6Fzr5R9y +SATFj/uSCJz1YCY5MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggGB +AF3y0hvzyZWtmuG1JwIcOcc1aPl1KdRy8bao/5iHYGYYrsdDgcO5/e+y9S/izalc +TdW7SKB5iBOCiE8fBNtToCvGP+fxNxHijpAmTr37G5sWuSo1T1VYFizHWL+df/Ig +TcSvDrEjSnAwaEdNJUWtjoIC4VzNKTLtZf16QIATTzTZa3bfgSetpWS7LhLQbHod +CSGI2QB1LRbqGC+a1Y85QxHv81jWzPWPzXYvnOLrDdQyBMOBcxDzrN4b6zg+5Itz +qGYt+IS71jAH0IhxAyD/U5n1jGJv02BnSq0ynLEOD6gsnZjqAwPbt/PM9pGbtbXO +70Q9rxr+vQc1IISKAEiH3txaEPi10wU98d6LbInJvQrmgHo/ntet8skWNYuxlEzS +wvynuE9KvvQtOTodWt5AePtKrhHdxu527a4CHVp59nYUjKSdMKjvmhMRXM1cNjFE +rA/pyyhozR47w3RzHMJVHw2GJ2B/HeqmxpXr1CmJjoRP38QCR7N+mqiZy85Fq2j2 +8Q== +-----END CERTIFICATE----- diff --git a/bin/tests/system/forward/CA/README b/bin/tests/system/forward/CA/README new file mode 100644 index 0000000000..13069ca2f8 --- /dev/null +++ b/bin/tests/system/forward/CA/README 
@@ -0,0 +1,2 @@
+Please take a look at the contents of the CA.cfg file for further
+instructions and configurations options.
diff --git a/bin/tests/system/forward/CA/certs/srv02.crt01.example.nil.key b/bin/tests/system/forward/CA/certs/srv02.crt01.example.nil.key
new file mode 100644
index 0000000000..03e7e99c13
--- /dev/null
+++ b/bin/tests/system/forward/CA/certs/srv02.crt01.example.nil.key
@@ -0,0 +1,40 @@ +-----BEGIN PRIVATE KEY----- +MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQCT6jpDg/+SgAa+ +TqBTXQudybG4/tXM3K+Uequ6Ew/AtplxeJCxf0EHhVkmkBSIe/wMZHA38yo5gIBI +Tl93dCb6qt0/e45jtabOvLxaqh0ssJpUjANGi+YZUlFIFi2IrN9zu12G9YD/EpPR +U387aTVWbYGK6ku9ddW/orj5mBfHR+daCkegAD1cd0KV72Dq4iyrl6nzHcen+aov +XQO2W0iHtCdLmbPjmfjNu1GI9B401T7jEjwtwLcqnQtzfzqtJ5cXWFFwCId1QtKH +R2fA28a5+LAxpssVJHtUBv2S5iRxP1UCAnHyR3/l/r7UXx61WPcJ+mDjNiW99JFY +5vL98VoA6Hcm3C0gEPzHohYK4Vnk5aBy1COIp1ZxHWn1HuTB7Id67xnd3/ol8Dtv +xV8UICb6m+CvUcQYPzxJfSYlwtlcZ134r3MgWK5lXnEDd3h9RTcKo7cy6/7/X8bp +uFs38WHVhCdQ01VyLIp1FpqVtfkt69AiSVdrZYeqcahtOZb+56kCAwEAAQKCAYBG +jKj2i+5p10OgIItqx43jWBC6/l1GZZofVTU0PqQ8VDuyugE1j88aAbnIYV9Ry+Un +mf5GSWaB368QDcWOCaoP1FBL16hOGZWytKWYDtx0dNVfbxqe2tpIiJE5M07LijzY +C+1rkgxRXPCBHnSohyFIFFn9wouWla36Reg5MBhjVgHcWdvYzlR2FnH9ZpwQ3AjX +XTLTwQf6L+RCy/gZ0ccx5rT5Y5m//LAFnIsiqeEAbReeIZPvdKRIoHgWQgBgF2nJ +KAXFrf62gLSIXmnvvxiWL/xAUktg4kv+PFvEFjMjlxz3hOQuOwJQMt7zZkO0Pw2G +Ow08OznR3dXCOO7csmfTktWdB71vgtf+Y/RzCWbyHPBy4tfWDbiqQCFJSsn7CsC8 +r4YscQ55Xmw2AVsUd356Z6ONiM5LZmd+OIpamrVh4Bfgkk1ElPetnelEZO2ZPsBT +cud487ZOY0lD+lpNCAMqS2VeKRi+X/sefZHe3ZMJopRuyPLkqt3qh/sZlms3uWsC +gcEAvWeiyE75Y7DzTBY3sWCxOzj0g8oqFle4G0dxw/CxyF0ASlGNZtjyj/l2dJ1b +wRSk4HmJqgRrkW+cXYVMfoz8zoUfO/vXUe7+1ioxbQMxl7fH5O4R6ps7RxEaX9GE +Rhxx8B1Y1S8tauCFz0STOtvi6CXlCkRALMsEg7MbJJ2PjIrPSSpuWGZBYlJbh53u +spgElwq6qT0xqS8EFpGjSMsnPfXoOnKpWZpyJfKwkm9gwrvVjiVmw1TRcvcODoov +wSZrAoHBAMfsFIauVfoWGHgL80+/8NsYo0Ap3nycFWXH6XaIuhBfQdr8aLTDmj7Y +nlonP5PtsQBfpdlbm/xTTBiZ2hzTcRX7Ayu7eSmZFFP7yE4Amo+bdh9y9KWbIWjA +K5XwwJ7kTWrgiai5nu0JRH+FuMOOEpUHikfOIci7V8LGbkFQ7G1pmXyQwpFT1ClR +ORHnv2A/YklP2jpa7KdPNZgYBQic5JnaNZdFzF0pi1v69UyAP4JBzaWHOz1kMH/B +JxknYpJnOwKBwQCeSyLsrbQX8SclC9x3zgvRJwSTsD4EdkNT6R3XWC38+lznv8ih +j+cJFMA/LdQlRg+V232GLjOIVPMl5eXMTiBqqS81foCx5T/t1U2Bgg3McrgJSD6J +CDs+ZbjZI82cmuFOf/hiEw+uJv8t/m3d3y+APUtyjR/lT7byKpogu93g45Hh4Chg +kPVMKvB8Iy3+7LXJVhoynwYGE1kjU4xXphGh4wa28mU+kamctXuEprkDhuAv8Go2 
+DYkOwBNra2oFzwkCgcA+TpRjGShQhdxgZZESFMby8a3HTIU7nsWIcBKRz7D1c0qp +/ip/08pZtdc8T6kf6F9Wt3iP0l49+JPpwuFYRImlCRMG6SmszjmopvrZXJTPFuts +h745cqyp4eJzm5Hcs1hxa8NbY2Zlh5Lij4Fy6O9fpPbyxAqBbem/GWq5Togw3U1p +phANjOu9aMP5kZlyXK68HHft4fKJfkU8vperBIK2dGxpVeaITm9RXlhe3EVuyiVW +ZlwPGQ+IcWFHFKBC8osCgcEAiTMZ0gMkuPHnDRcLeBqU6iGpme/+LES9RmBgL4AT +mZHOfsvwkNOdyHb20/ns/OQqBgJpbkQCCrTPJyhv1gqaYtwKlSaI334Lmfg2CP/7 +ZFxwo/MfqYDwYZQj35/cN1SkNNvuuKVIX61CNPTr0Wxrs5ZFUwG00RtZzhzYWaku +R0f3FTLR0KbQOKt8nhEgqo8NRzQGrMU9mj+61kMXTdt6N5ipxzPuAUv+D62QbO0T +ndTltEnt0w6vtzmImIWupyBm +-----END PRIVATE KEY----- diff --git a/bin/tests/system/forward/CA/certs/srv02.crt01.example.nil.pem b/bin/tests/system/forward/CA/certs/srv02.crt01.example.nil.pem new file mode 100644 index 0000000000..27e8b3c13a --- /dev/null +++ b/bin/tests/system/forward/CA/certs/srv02.crt01.example.nil.pem 
@@ -0,0 +1,100 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + cc:c1:18:08:26:32:e1:8b + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Dec 8 11:52:43 2022 GMT + Not After : Nov 30 11:52:43 2052 GMT + Subject: CN=srv02.crt01.example.nil + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (3072 bit) + Modulus: + 00:93:ea:3a:43:83:ff:92:80:06:be:4e:a0:53:5d: + 0b:9d:c9:b1:b8:fe:d5:cc:dc:af:94:7a:ab:ba:13: + 0f:c0:b6:99:71:78:90:b1:7f:41:07:85:59:26:90: + 14:88:7b:fc:0c:64:70:37:f3:2a:39:80:80:48:4e: + 5f:77:74:26:fa:aa:dd:3f:7b:8e:63:b5:a6:ce:bc: + bc:5a:aa:1d:2c:b0:9a:54:8c:03:46:8b:e6:19:52: + 51:48:16:2d:88:ac:df:73:bb:5d:86:f5:80:ff:12: + 93:d1:53:7f:3b:69:35:56:6d:81:8a:ea:4b:bd:75: + d5:bf:a2:b8:f9:98:17:c7:47:e7:5a:0a:47:a0:00: + 3d:5c:77:42:95:ef:60:ea:e2:2c:ab:97:a9:f3:1d: + c7:a7:f9:aa:2f:5d:03:b6:5b:48:87:b4:27:4b:99: + b3:e3:99:f8:cd:bb:51:88:f4:1e:34:d5:3e:e3:12: + 3c:2d:c0:b7:2a:9d:0b:73:7f:3a:ad:27:97:17:58: + 51:70:08:87:75:42:d2:87:47:67:c0:db:c6:b9:f8: + b0:31:a6:cb:15:24:7b:54:06:fd:92:e6:24:71:3f: + 55:02:02:71:f2:47:7f:e5:fe:be:d4:5f:1e:b5:58: + f7:09:fa:60:e3:36:25:bd:f4:91:58:e6:f2:fd:f1: + 5a:00:e8:77:26:dc:2d:20:10:fc:c7:a2:16:0a:e1: + 59:e4:e5:a0:72:d4:23:88:a7:56:71:1d:69:f5:1e: + e4:c1:ec:87:7a:ef:19:dd:df:fa:25:f0:3b:6f:c5: + 5f:14:20:26:fa:9b:e0:af:51:c4:18:3f:3c:49:7d: + 26:25:c2:d9:5c:67:5d:f8:af:73:20:58:ae:65:5e: + 71:03:77:78:7d:45:37:0a:a3:b7:32:eb:fe:ff:5f: + c6:e9:b8:5b:37:f1:61:d5:84:27:50:d3:55:72:2c: + 8a:75:16:9a:95:b5:f9:2d:eb:d0:22:49:57:6b:65: + 87:aa:71:a8:6d:39:96:fe:e7:a9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv02.crt01.example.nil, IP Address:10.53.0.2 + X509v3 Subject Key Identifier: + 70:90:94:81:4A:B2:BF:13:D6:29:1A:90:D9:33:A4:C5:74:29:CF:59 + X509v3 Authority Key Identifier: + 
7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 77:6c:f4:07:36:0b:ef:6e:86:2d:41:73:e0:ba:f7:4c:f1:bd: + 8f:77:89:1a:8c:63:2e:39:93:a2:43:ee:70:85:f1:5d:01:60: + ab:e6:50:a1:5e:72:e3:89:13:77:e0:a5:f7:fa:27:31:93:1f: + 3a:a7:35:5f:7d:59:3c:d2:26:9c:12:fa:51:2b:d3:31:0c:5a: + e7:a8:be:6a:2e:b2:82:6c:42:f2:86:74:9c:0a:c8:58:a8:68: + 35:73:6e:1b:0c:9e:3b:08:3f:b9:ef:68:61:e9:d3:40:1d:aa: + dd:42:e3:1d:b0:1b:6e:b8:58:60:a1:68:4a:ff:09:b7:58:5b: + 72:e8:36:a3:6d:10:78:c7:7f:52:f6:dc:39:5c:05:7d:7a:ae: + 8d:3f:89:8f:10:a6:4d:8b:55:6a:9b:cb:2c:1d:00:59:9b:0c: + c3:55:e0:a3:25:69:b4:29:30:2f:20:bf:07:f4:21:88:b7:d0: + 62:ad:d7:ca:e1:91:45:9f:a2:5f:7d:07:f4:98:b0:5e:d4:3a: + 92:86:e9:a1:fb:c0:9b:81:46:da:56:ed:92:47:c0:1a:aa:55: + 37:0e:3c:92:2c:44:7a:80:55:1f:15:7a:7c:c4:7e:ad:d5:b0: + a5:7e:33:63:09:23:6b:78:42:de:37:aa:04:a7:52:ed:06:fe: + d4:56:36:12:85:b6:ec:ff:03:ea:4b:e2:7a:42:49:73:b6:ab: + e4:7d:4a:2b:94:65:1f:b1:17:a3:be:17:0b:4e:53:3d:8a:d3: + d7:04:0f:f1:1a:63:b2:a6:eb:00:31:64:b4:80:e9:ae:bb:69: + 12:04:a5:7d:2c:bd:91:62:2c:b9:5a:6e:af:e0:ee:27:f0:88: + 15:8b:b7:ce:07:5e:bc:6b:e9:3e:3f:23:c7:f9:c9:48:20:69: + 6a:8e:f2:17:9b:58:ff:72:36:21:ed:d3:83:16:60:ec:de:6f: + c4:50:47:b7:61:ce:75:c1:d6:60:28:de:bd:69:7c:e6:db:0e: + b9:fa:7b:84:24:35 +-----BEGIN CERTIFICATE----- +MIIEkDCCAvigAwIBAgIJAMzBGAgmMuGLMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV +BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr +aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE +AwwTY2EudGVzdC5leGFtcGxlLmNvbTAgFw0yMjEyMDgxMTUyNDNaGA8yMDUyMTEz +MDExNTI0M1owIjEgMB4GA1UEAwwXc3J2MDIuY3J0MDEuZXhhbXBsZS5uaWwwggGi +MA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCT6jpDg/+SgAa+TqBTXQudybG4 +/tXM3K+Uequ6Ew/AtplxeJCxf0EHhVkmkBSIe/wMZHA38yo5gIBITl93dCb6qt0/ +e45jtabOvLxaqh0ssJpUjANGi+YZUlFIFi2IrN9zu12G9YD/EpPRU387aTVWbYGK +6ku9ddW/orj5mBfHR+daCkegAD1cd0KV72Dq4iyrl6nzHcen+aovXQO2W0iHtCdL 
+mbPjmfjNu1GI9B401T7jEjwtwLcqnQtzfzqtJ5cXWFFwCId1QtKHR2fA28a5+LAx +pssVJHtUBv2S5iRxP1UCAnHyR3/l/r7UXx61WPcJ+mDjNiW99JFY5vL98VoA6Hcm +3C0gEPzHohYK4Vnk5aBy1COIp1ZxHWn1HuTB7Id67xnd3/ol8DtvxV8UICb6m+Cv +UcQYPzxJfSYlwtlcZ134r3MgWK5lXnEDd3h9RTcKo7cy6/7/X8bpuFs38WHVhCdQ +01VyLIp1FpqVtfkt69AiSVdrZYeqcahtOZb+56kCAwEAAaNsMGowKAYDVR0RBCEw +H4IXc3J2MDIuY3J0MDEuZXhhbXBsZS5uaWyHBAo1AAIwHQYDVR0OBBYEFHCQlIFK +sr8T1ikakNkzpMV0Kc9ZMB8GA1UdIwQYMBaAFHyJ6Fzr5R9ySATFj/uSCJz1YCY5 +MA0GCSqGSIb3DQEBCwUAA4IBgQB3bPQHNgvvboYtQXPguvdM8b2Pd4kajGMuOZOi +Q+5whfFdAWCr5lChXnLjiRN34KX3+icxkx86pzVffVk80iacEvpRK9MxDFrnqL5q +LrKCbELyhnScCshYqGg1c24bDJ47CD+572hh6dNAHardQuMdsBtuuFhgoWhK/wm3 +WFty6DajbRB4x39S9tw5XAV9eq6NP4mPEKZNi1Vqm8ssHQBZmwzDVeCjJWm0KTAv +IL8H9CGIt9BirdfK4ZFFn6JffQf0mLBe1DqShumh+8CbgUbaVu2SR8AaqlU3DjyS +LER6gFUfFXp8xH6t1bClfjNjCSNreELeN6oEp1LtBv7UVjYShbbs/wPqS+J6Qklz +tqvkfUorlGUfsRejvhcLTlM9itPXBA/xGmOypusAMWS0gOmuu2kSBKV9LL2RYiy5 +Wm6v4O4n8IgVi7fOB168a+k+PyPH+clIIGlqjvIXm1j/cjYh7dODFmDs3m/EUEe3 +Yc51wdZgKN69aXzm2w65+nuEJDU= +-----END CERTIFICATE----- diff --git a/bin/tests/system/forward/CA/certs/srv02.crt02-expired.example.nil.key b/bin/tests/system/forward/CA/certs/srv02.crt02-expired.example.nil.key new file mode 100644 index 0000000000..3711943401 --- /dev/null +++ b/bin/tests/system/forward/CA/certs/srv02.crt02-expired.example.nil.key 
@@ -0,0 +1,40 @@ +-----BEGIN PRIVATE KEY----- +MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQDOADZuuD/b/pD3 +3uHtQ0sZl3jYrjI8S9WOzR8peOKv0wKVNCxezVSKB3BrYamvIqduz4a2cddNtK/z +8JsoSRiMZohnY0fpzajpXGPAvgiyd4EFg8c6UxvGeoKZ+lRvTzCAUJaSFm4QFsp2 +7snlkGOYmOdYYQkV6UVnifHfIWm2rbckaJIHtm+T+Pu9tZDJV1rlRmzQczM8EG4B +3Eb1hJVdKwPjOg1mWfiSN3hJdDIylvq9BSdD+PmQfOQrNlTA8nf9T+2HAAgjTVeB +oE/2LpygIj32J7I57USOXJJMS7l0uwrEl+OFZin8dTu1PeEiVzMRLpqpQYSC6kS1 +/Dq0iDERRpjC7NtDVXKnn6FlwL8Rp0Qno4sGTwgqLUzJqtU9AyRm5gObnJgaX0Xo +uR3xBUDYPu1ABR76iljFovIqocslfmGMDjzMW0M6fIunZLjFK2sWWQat7Bm1HXNE +L/RsMfFu9FX2RDfu2yD+VJJDKPhEy5+ftiyqYR8vGhUVzGHzuW8CAwEAAQKCAYAM +G58XauT1/URwDT2iQG5NlsWXlsWFHb/zoMLQITbRtslUE7j36YGqiz1kUl0y2gqV +TMVSO+a3voMJB39XItS6i9xAl2lGqLvg23lRftnsA3Il7NTs7K2ZQOIkQr5rvG/R +Wus+surNL0m/K9HaGF6CPZp7a1ipXQijSUxaHRClmBhHn43VvjdYry28vMtBykyh +ZT5IEj1UrnKI0XWqQJy22SxlUqgu9+LQVUpQpu+8YXtjWMYyDJQ+ldijYZIhtR6V +WfLEE2SRWpViHwtZEs5p0E9X8rGQYYdWC1zAh+B0TtPCC3I+MAyjQOVglwUpPQnG +GqRJfJnb4PENdy9DYxEmg/AlrTCuRLcGuGVnaz55KCUN9GbL8ei2EKuTQMdR6Ysd +fKPe2L1FyjG7OmTq+1kWicDdbn++ng51C5fwTmyjOnN5//vy19rgNL11TP9UaDaQ +5/Ox7UaxQZXdskvXelzBAe4gGgwdVO3/WEAJNFyUn+O9iWSdEvdv9AeEGe5G0KEC +gcEA51ZSfPG0y4ckyyMB/BHo1sxkKFwMlLOtKHH+zXQ5mCMaFpHDnSpQ8WxE/0mZ +2qX53YpqZU11SV81CPsUox+Fn4bNyLFpDiJ412/yl/xDRHOaRqdWxz3Wg4ynLbpU +xiwFUcjoff63RelQWZka+XSz/eNzSJJe6UXSuNJ0yCCrKTBMlMEtqocFeOYzBMzj +SWbvvKiM8NYqa3pm9VAaQnQPEiwaVa4XDQZZ4EVGdO4U89M6xlrdA8OXm3Jni9CA +eAOtAoHBAOP2aGVcLDch/tP4Be15g1z1ipFQuvlKF481Fxdjy5zXNGj1n6poUgt2 ++lVt6jhkunR6Sxs4sEoa0QtcSDCfZWygP05pz41dKF8+j7aYwsDMo1v4brUNKa1y +jFwdhd4xb/YG84pNln5diLzXKbAJgDu684H9tEvl0Is3TYp9Ex2YVhDbauxourHt +shYRi3zcea5S3IE1Qx+dyimliCrsp+ufnh4MrUjn9msAt19ZmzWO1TPucPtx5gUz +zwaQl0P1CwKBwQDRSFW9tQjjq7JMl7Ie8bDcSfI+VPAIwvffBCoIgqHsEa1zR5FZ +KMQrdNCCx3oJxWfj1WnllYqKwzf+lO8Zl9XR+SlH67/nyqXZ+OvWNaBBV/f0/URT +YY0kW2WOx+gTlBWH5KL4ASyacbWAKTOvA7Yl9NQBjnGQxdsZ20NNHcjarVhKpu0C +Pb5knpT/PcBNUnOGEFHZO1cK/qQQP9RR1B8iSIXWh3VREjLS4rkX5Z9M6gZdFiym 
+UBdiyMAGS609Zc0CgcAI55csXm1bufg6T3Xr0NNQzkabZovnMP26mlhMkZlihwWF +FBMolOqfiAY/UAvWKBkgc6Z7abt5KZMA3pnzTEap95iBd6Cj5P+uuMLkXxM8dMHs +1cd9SwZVwCO7dWvFQikdcygQPveh+AVfWwhF2BkqPCNG8KIaVN/QkFh3EGuuvESg +Y/HJSk4ApUhPlF/egL5AEPyMD4iPs5oyBkVLZ/MnQRTsF5KtRmJZy61eDCID9ZBe +dvHy4IAbs+piV0ORZAECgcBsqhBAB1CdUOjj4EVPeEKngGZweQkJPRLKblCLGK8l +QtcSUfrqoxP8b9Ary/I0gbMhWtkUP/kZOZi/GNelswnzdSlxRKdzQvns5vw+jLfl +aw5v2ps600+e11KQ1IMVSdRdwESEBs0IQAJV3lfmpNcdxIwf8EjLjGL+uq4KGylW +z8vfM0/i2GK33hxNrQRXSrTHsiqiKGK78h7S+twll5W8T1ZYFkI1oROZOmMlA/hU +d8ykPRRZ7XjXCmIgCS9TsF8= +-----END PRIVATE KEY----- diff --git a/bin/tests/system/forward/CA/certs/srv02.crt02-expired.example.nil.pem b/bin/tests/system/forward/CA/certs/srv02.crt02-expired.example.nil.pem new file mode 100644 index 0000000000..8cae3b1204 --- /dev/null +++ b/bin/tests/system/forward/CA/certs/srv02.crt02-expired.example.nil.pem 
@@ -0,0 +1,100 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + cc:c1:18:08:26:32:e1:8c + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Dec 7 11:55:54 2022 GMT + Not After : Dec 8 11:55:54 2022 GMT + Subject: CN=srv02.crt02-expired.example.nil + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (3072 bit) + Modulus: + 00:ce:00:36:6e:b8:3f:db:fe:90:f7:de:e1:ed:43: + 4b:19:97:78:d8:ae:32:3c:4b:d5:8e:cd:1f:29:78: + e2:af:d3:02:95:34:2c:5e:cd:54:8a:07:70:6b:61: + a9:af:22:a7:6e:cf:86:b6:71:d7:4d:b4:af:f3:f0: + 9b:28:49:18:8c:66:88:67:63:47:e9:cd:a8:e9:5c: + 63:c0:be:08:b2:77:81:05:83:c7:3a:53:1b:c6:7a: + 82:99:fa:54:6f:4f:30:80:50:96:92:16:6e:10:16: + ca:76:ee:c9:e5:90:63:98:98:e7:58:61:09:15:e9: + 45:67:89:f1:df:21:69:b6:ad:b7:24:68:92:07:b6: + 6f:93:f8:fb:bd:b5:90:c9:57:5a:e5:46:6c:d0:73: + 33:3c:10:6e:01:dc:46:f5:84:95:5d:2b:03:e3:3a: + 0d:66:59:f8:92:37:78:49:74:32:32:96:fa:bd:05: + 27:43:f8:f9:90:7c:e4:2b:36:54:c0:f2:77:fd:4f: + ed:87:00:08:23:4d:57:81:a0:4f:f6:2e:9c:a0:22: + 3d:f6:27:b2:39:ed:44:8e:5c:92:4c:4b:b9:74:bb: + 0a:c4:97:e3:85:66:29:fc:75:3b:b5:3d:e1:22:57: + 33:11:2e:9a:a9:41:84:82:ea:44:b5:fc:3a:b4:88: + 31:11:46:98:c2:ec:db:43:55:72:a7:9f:a1:65:c0: + bf:11:a7:44:27:a3:8b:06:4f:08:2a:2d:4c:c9:aa: + d5:3d:03:24:66:e6:03:9b:9c:98:1a:5f:45:e8:b9: + 1d:f1:05:40:d8:3e:ed:40:05:1e:fa:8a:58:c5:a2: + f2:2a:a1:cb:25:7e:61:8c:0e:3c:cc:5b:43:3a:7c: + 8b:a7:64:b8:c5:2b:6b:16:59:06:ad:ec:19:b5:1d: + 73:44:2f:f4:6c:31:f1:6e:f4:55:f6:44:37:ee:db: + 20:fe:54:92:43:28:f8:44:cb:9f:9f:b6:2c:aa:61: + 1f:2f:1a:15:15:cc:61:f3:b9:6f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv02.crt02-expired.example.nil, IP Address:10.53.0.2 + X509v3 Subject Key Identifier: + A7:8A:6D:EA:10:B4:6B:B8:13:16:6B:BA:A0:26:C3:9A:E7:A6:71:7E + X509v3 Authority Key Identifier: + 
7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 34:7b:38:92:d9:c1:ba:ed:c7:b3:61:63:e6:d2:11:4e:0c:83: + 8f:97:3a:11:97:51:3e:8d:9b:49:bb:f5:2c:92:d1:c2:e4:3b: + ad:db:69:cc:1f:cf:58:3d:4f:51:97:d1:09:19:2f:22:b5:3d: + e1:0d:e5:65:40:2a:54:19:55:22:11:85:18:1a:08:31:97:d8: + fe:cf:4c:9b:ec:8b:8f:9c:cd:cf:5b:a1:56:e4:1d:e0:79:4b: + ee:6b:1c:0b:60:a8:d8:fd:5c:a8:9d:dc:74:4f:ce:b8:f8:19: + a4:00:db:93:7b:ae:34:55:c6:fb:35:1b:9e:bc:d0:5f:da:8d: + 77:0e:1f:45:89:d4:dd:f1:a9:4e:48:64:d2:4e:b6:4b:57:a0: + 87:cf:a8:30:35:6e:09:91:56:59:9b:01:af:8a:f7:11:8c:d8: + 2e:56:89:eb:a5:a0:6c:d2:56:0c:da:13:4d:36:92:28:50:b1: + e5:cd:64:60:ac:93:f4:98:d7:eb:df:7b:42:89:da:c0:6d:6e: + 75:ae:45:28:9b:e8:de:00:dc:eb:df:ba:4f:63:2a:61:e5:42: + f3:e0:8f:aa:bd:f7:f6:9b:67:1b:ed:1e:a6:ae:4c:81:a2:62: + ff:a8:8f:94:da:a8:9d:27:fa:a4:46:44:2e:13:f2:05:2b:c4: + a6:57:d3:95:1c:ca:f8:e3:d2:0f:28:70:8a:1b:37:4f:b7:c1: + b3:fd:4b:85:ca:9d:8a:bb:62:85:47:66:c7:31:b8:db:c4:5d: + 66:9d:6e:7b:94:07:fa:09:ae:5b:5b:23:31:ba:c8:40:82:4b: + 6a:48:d2:83:0c:5f:b9:62:64:06:16:05:dd:e8:a8:02:eb:d7: + 7a:9b:d9:49:d6:87:0e:16:ca:d6:4e:46:46:e5:37:e4:0d:68: + b7:d2:d6:78:c4:ee:c1:3b:38:8e:83:df:1f:39:63:1c:65:7a: + e0:26:1f:96:8a:57:9d:6b:27:62:6e:40:86:83:29:fd:1f:a1: + 69:2a:92:cf:ab:db +-----BEGIN CERTIFICATE----- +MIIEnjCCAwagAwIBAgIJAMzBGAgmMuGMMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV +BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr +aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE +AwwTY2EudGVzdC5leGFtcGxlLmNvbTAeFw0yMjEyMDcxMTU1NTRaFw0yMjEyMDgx +MTU1NTRaMCoxKDAmBgNVBAMMH3NydjAyLmNydDAyLWV4cGlyZWQuZXhhbXBsZS5u +aWwwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDOADZuuD/b/pD33uHt +Q0sZl3jYrjI8S9WOzR8peOKv0wKVNCxezVSKB3BrYamvIqduz4a2cddNtK/z8Jso +SRiMZohnY0fpzajpXGPAvgiyd4EFg8c6UxvGeoKZ+lRvTzCAUJaSFm4QFsp27snl +kGOYmOdYYQkV6UVnifHfIWm2rbckaJIHtm+T+Pu9tZDJV1rlRmzQczM8EG4B3Eb1 
+hJVdKwPjOg1mWfiSN3hJdDIylvq9BSdD+PmQfOQrNlTA8nf9T+2HAAgjTVeBoE/2 +LpygIj32J7I57USOXJJMS7l0uwrEl+OFZin8dTu1PeEiVzMRLpqpQYSC6kS1/Dq0 +iDERRpjC7NtDVXKnn6FlwL8Rp0Qno4sGTwgqLUzJqtU9AyRm5gObnJgaX0XouR3x +BUDYPu1ABR76iljFovIqocslfmGMDjzMW0M6fIunZLjFK2sWWQat7Bm1HXNEL/Rs +MfFu9FX2RDfu2yD+VJJDKPhEy5+ftiyqYR8vGhUVzGHzuW8CAwEAAaN0MHIwMAYD +VR0RBCkwJ4Ifc3J2MDIuY3J0MDItZXhwaXJlZC5leGFtcGxlLm5pbIcECjUAAjAd +BgNVHQ4EFgQUp4pt6hC0a7gTFmu6oCbDmuemcX4wHwYDVR0jBBgwFoAUfInoXOvl +H3JIBMWP+5IInPVgJjkwDQYJKoZIhvcNAQELBQADggGBADR7OJLZwbrtx7NhY+bS +EU4Mg4+XOhGXUT6Nm0m79SyS0cLkO63bacwfz1g9T1GX0QkZLyK1PeEN5WVAKlQZ +VSIRhRgaCDGX2P7PTJvsi4+czc9boVbkHeB5S+5rHAtgqNj9XKid3HRPzrj4GaQA +25N7rjRVxvs1G5680F/ajXcOH0WJ1N3xqU5IZNJOtktXoIfPqDA1bgmRVlmbAa+K +9xGM2C5WieuloGzSVgzaE002kihQseXNZGCsk/SY1+vfe0KJ2sBtbnWuRSib6N4A +3Ovfuk9jKmHlQvPgj6q99/abZxvtHqauTIGiYv+oj5TaqJ0n+qRGRC4T8gUrxKZX +05Ucyvjj0g8ocIobN0+3wbP9S4XKnYq7YoVHZscxuNvEXWadbnuUB/oJrltbIzG6 +yECCS2pI0oMMX7liZAYWBd3oqALr13qb2UnWhw4WytZORkblN+QNaLfS1njE7sE7 +OI6D3x85YxxleuAmH5aKV51rJ2JuQIaDKf0foWkqks+r2w== +-----END CERTIFICATE----- diff --git a/bin/tests/system/forward/CA/certs/srv04.crt01.example.nil.key b/bin/tests/system/forward/CA/certs/srv04.crt01.example.nil.key new file mode 100644 index 0000000000..3b5c4b1157 --- /dev/null +++ b/bin/tests/system/forward/CA/certs/srv04.crt01.example.nil.key 
@@ -0,0 +1,40 @@ +-----BEGIN PRIVATE KEY----- +MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQCN5ooQbwaPsuX0 +3hRN1DwaIQP+MgLWbQolNT1QAHHWe3XR4AQ2INo5253fGf5bw+LQcsQNvlfYwj8w +qJmxwxrIlqWKDHrm6Ss+yfn1RrLMFEzm0WUlGfssK+RtALp8f/YHJBcwQssE6ZQ2 +4xiLYHdsaNOeYoGCZCQs6bq40EAv5v3p+qoUg28mFsG3s239Sj+Poanme73BYKFr +/wKTzAiTnh4MozEpIHTlN0bYQRDHEfTY50N8Tbz7/Tk6eY7CC/4h3xbC/BCzm9rM +gNNkVm8Jr/Zzi8tk5P7FTIVOw+2kCgpT9r6NXnpCT82wIaSO5EX+KPZNKVjbSrRw +ej8L22Q+I6WZRxF7LGaDqXknCUVyrEr6NW8fZNSrzwmQknFK0QKAsauwGewBxqcx +K0vcOwkArZoSyunNVL2WI6MULkBYM1gvcAXJxijxPtSUE9sJs2N4b1dy6B8ob3y2 +JXZOqxHJpdfKMgBfXhSuU2UTNyvSmDzUR3RAz/8brVk1wdHTpv8CAwEAAQKCAYAZ +f+E1nM4ACrT6MOJTLh1y0JYIGvKZl9Sn5Q5Ujw/l7B+7DFeVZofwt7+B9QjZcrUS +ol0K3zaoFBgI5XNhF197xl6PFTkMv7/us5sAcaj1tXwwSlazuRyCzoxo7iWU8+XB +WMH2ATq8ckEZL+wcN8SeLaRBpRAC334EuCe+yGWQdiEQ5+OidhAGNzaujUbpqmsL +o5CFg50Q4A2B+7x51MOBy3s46CaQbm2zNyC7Ac5DB74JMF3XO50HZ3TeRjPaOQ84 +f8fWoFTqfwS3h7SIswsWpZRa2Lz9Q3FTQjtZ54ZVdnIqQblXnFh5yTw5ERmVWgXZ +EGmUPqMHyhOPRM2kTIvs4GFs+wAJiy2keMgWd39ZT4Z0qXlOrYpTKpRxoG49QS/v +zzddU3FgcjrrA3PZqMse9/elBWaFGxa/3Y8FI5wMaSL1Y7z+sTozF5qb+HGwd71M +09/N2vU3M4dqgSfEjsCPxeG+/6z693nyzrqYh0D0LeEl+ZsyHsTfkAUrFG330fEC +gcEAuhy8LM6sdoMTLYPkAxTs4mUfZtZS3EFQsPyjbcJXbOeugNUphEMr6mik/yYf +fkOKz7VZ6CR8ugX4mLGHB57YIX5QjoPN0Obu1BeCxspAq36XDYrRcJM5eEsWdkfB +43YN4xzMT0uH+660hMnrvxU1kCAVjF+e4AUwFUY/2879LtQZZbdOupwLEmYAaYUI +RyWLmdDPf8W1R38K7QRLG6VCjwdo0reEYIOqj/01fErzKwRdRYbjMJUtUZ8Iy20o +O8vnAoHBAMMvqc9oaxFicVsHMZU3mc91jcOVJqvNCINP7y3fNwcvwcdwXecNFoTn +ygTWgkBDRzueZcxJwtcZOtiq2o4L+zlEZinFyROmJqKVcy+g/hvepj9mbT+5CwYx +/J6AKWwFAIylFbWmqVMeBsZp4K/9qQN+s4V2MWsMNrqoVFCjlBxef4grIbyJSOzU +DZVqz97vA5IqWnAQU53BPUoVns3u2jHkgNDMdMPIdhx++l7++FinNluWheV5KYOF +T1OJe6gpKQKBwQCWubbcQvUBdd4OOoZqyIOgRm1MB79LicojzDc/KOlM1cVJqVja +ONxUFzOpP+K5i1HcLe8GRqaMsVFHuF63GTnIxlfPU4dX6+737aKIBDyjpv4Ghaph +FZqxhX5HhI3N/Un56NS+U1lpx2+DK1S1iCO8+X76FGbC3vC2ChKlndkGF9gJvI8S +KlX9LIag7pBprkqE48tom2HY6Vab5aI+XXSuCT4niWC4GWoE+vhaFQkiiYJQUJGm 
+QupU9AtXVKwE4XkCgcEAtef35Fq2Xi9W4bUkmqKE8HnoMv0QW1DsvCSFDkVXrZTu +jgbFHQ5vjFHRTwzzuxx4iLGowemEcp8K3t7sbTHxYn/Cju/L5EoW+7M49IygBi1M +1w2Ih7jW82EmxDlBYXCQAIPiZbb7W4FCYyxNwPcwyxcMDDgI+nEZmIBEhBrPcFkJ +lkhMWr+/fShruHMhY+1xcImUW5h7tSxhCGh55gbSx2jkPLQvpj9vBEO650nM/iJo +YJc6FpEDBZX6Rip9Wk1xAoHAUcms1tuGcDRTtzCRdKOl0PiZTr8qzwJPzZlDxrsA +KqcONMhhiFMXneu4xj/M09EVMiElcf1xxs0CtD/1aod3kK5IMq4D+ck2rd/1QKed +FH5jOesE7PRZtW4Du8PCsi2D5V8dR/yBLy/525unqTTCCEZWZ1hrZqStR3nNFcNQ +aC6hhkMTr2GqFJsfNowFQ9gto4kn2XsIpvMW14Gqm0rW+K0i3HDjXk7R7RTDSO5J +B2yNl2lHM+2aSG8A3vug23aE +-----END PRIVATE KEY----- diff --git a/bin/tests/system/forward/CA/certs/srv04.crt01.example.nil.pem b/bin/tests/system/forward/CA/certs/srv04.crt01.example.nil.pem new file mode 100644 index 0000000000..ca558fc483 --- /dev/null +++ b/bin/tests/system/forward/CA/certs/srv04.crt01.example.nil.pem 
@@ -0,0 +1,100 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + cc:c1:18:08:26:32:e1:8d + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Dec 8 11:58:45 2022 GMT + Not After : Nov 30 11:58:45 2052 GMT + Subject: CN=srv04.crt01.example.nil + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (3072 bit) + Modulus: + 00:8d:e6:8a:10:6f:06:8f:b2:e5:f4:de:14:4d:d4: + 3c:1a:21:03:fe:32:02:d6:6d:0a:25:35:3d:50:00: + 71:d6:7b:75:d1:e0:04:36:20:da:39:db:9d:df:19: + fe:5b:c3:e2:d0:72:c4:0d:be:57:d8:c2:3f:30:a8: + 99:b1:c3:1a:c8:96:a5:8a:0c:7a:e6:e9:2b:3e:c9: + f9:f5:46:b2:cc:14:4c:e6:d1:65:25:19:fb:2c:2b: + e4:6d:00:ba:7c:7f:f6:07:24:17:30:42:cb:04:e9: + 94:36:e3:18:8b:60:77:6c:68:d3:9e:62:81:82:64: + 24:2c:e9:ba:b8:d0:40:2f:e6:fd:e9:fa:aa:14:83: + 6f:26:16:c1:b7:b3:6d:fd:4a:3f:8f:a1:a9:e6:7b: + bd:c1:60:a1:6b:ff:02:93:cc:08:93:9e:1e:0c:a3: + 31:29:20:74:e5:37:46:d8:41:10:c7:11:f4:d8:e7: + 43:7c:4d:bc:fb:fd:39:3a:79:8e:c2:0b:fe:21:df: + 16:c2:fc:10:b3:9b:da:cc:80:d3:64:56:6f:09:af: + f6:73:8b:cb:64:e4:fe:c5:4c:85:4e:c3:ed:a4:0a: + 0a:53:f6:be:8d:5e:7a:42:4f:cd:b0:21:a4:8e:e4: + 45:fe:28:f6:4d:29:58:db:4a:b4:70:7a:3f:0b:db: + 64:3e:23:a5:99:47:11:7b:2c:66:83:a9:79:27:09: + 45:72:ac:4a:fa:35:6f:1f:64:d4:ab:cf:09:90:92: + 71:4a:d1:02:80:b1:ab:b0:19:ec:01:c6:a7:31:2b: + 4b:dc:3b:09:00:ad:9a:12:ca:e9:cd:54:bd:96:23: + a3:14:2e:40:58:33:58:2f:70:05:c9:c6:28:f1:3e: + d4:94:13:db:09:b3:63:78:6f:57:72:e8:1f:28:6f: + 7c:b6:25:76:4e:ab:11:c9:a5:d7:ca:32:00:5f:5e: + 14:ae:53:65:13:37:2b:d2:98:3c:d4:47:74:40:cf: + ff:1b:ad:59:35:c1:d1:d3:a6:ff + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv04.crt01.example.nil, IP Address:10.53.0.4 + X509v3 Subject Key Identifier: + CA:83:06:FB:3E:57:50:DD:FD:BF:00:5A:60:E2:6D:98:71:CD:2C:F2 + X509v3 Authority Key Identifier: + 
7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 6f:24:c5:ba:8e:62:5d:58:50:a5:25:a1:fc:41:fc:18:cb:7c: + 11:02:0a:ad:7f:13:2a:20:07:92:5a:82:c0:92:9d:35:40:b0: + c9:85:5a:23:26:fb:55:b7:99:7a:18:a7:ae:b4:6e:a2:29:f8: + 25:70:fa:3e:bf:b0:ec:91:d7:46:55:55:ab:fd:22:a6:c1:b4: + 50:92:27:ea:d8:a1:71:ec:14:84:69:0a:c9:de:3f:c1:63:94: + 17:5e:78:e7:85:34:80:bf:c3:58:f1:4d:fb:0c:b4:2e:2b:9c: + 66:15:1f:e3:d6:3a:c1:95:b1:f5:f2:9c:dc:99:cb:d5:39:35: + 6a:bf:bc:f4:81:9d:7c:4c:c1:76:f8:4d:26:ab:f4:f0:50:b2: + f9:41:65:6c:df:9d:16:57:e3:dc:7d:85:0a:14:5f:20:ea:08: + 5e:ab:3c:75:ae:f6:7e:55:62:3b:4c:4a:c7:48:4f:24:f2:78: + e6:99:52:76:87:6e:b3:08:7c:d6:4e:41:72:8f:ed:f1:5a:1a: + 20:e7:c2:cd:a0:6f:04:6c:f1:71:87:21:00:49:29:c1:fb:bd: + 08:a7:51:34:bb:e0:f1:f7:59:3d:b8:9e:c6:48:06:fe:e6:ea: + 30:8b:65:8f:d2:31:c5:d6:4e:a8:22:7e:fc:85:05:3d:e4:7c: + 38:54:07:46:cc:94:8e:a5:d3:4c:09:71:6e:60:63:e4:6a:8e: + aa:c2:81:df:31:37:2a:96:b3:53:36:a2:76:44:59:18:33:81: + 6c:24:84:a3:61:68:63:a2:02:bd:fd:b2:9c:db:0f:cc:a6:44: + 54:c6:2d:13:fb:96:80:63:e7:e9:2e:36:3c:00:34:3e:62:5d: + fe:59:95:cb:b2:d0:cc:9a:69:ce:00:cc:59:c3:f7:79:3a:4f: + 95:e9:64:c9:ad:28:96:e2:80:dd:59:45:29:6c:ed:0d:6e:4e: + 50:69:6e:ef:50:32:4e:5c:af:63:39:57:90:08:0f:b9:4e:ba: + b2:24:ae:bb:78:39 +-----BEGIN CERTIFICATE----- +MIIEkDCCAvigAwIBAgIJAMzBGAgmMuGNMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV +BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr +aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE +AwwTY2EudGVzdC5leGFtcGxlLmNvbTAgFw0yMjEyMDgxMTU4NDVaGA8yMDUyMTEz +MDExNTg0NVowIjEgMB4GA1UEAwwXc3J2MDQuY3J0MDEuZXhhbXBsZS5uaWwwggGi +MA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCN5ooQbwaPsuX03hRN1DwaIQP+ +MgLWbQolNT1QAHHWe3XR4AQ2INo5253fGf5bw+LQcsQNvlfYwj8wqJmxwxrIlqWK +DHrm6Ss+yfn1RrLMFEzm0WUlGfssK+RtALp8f/YHJBcwQssE6ZQ24xiLYHdsaNOe +YoGCZCQs6bq40EAv5v3p+qoUg28mFsG3s239Sj+Poanme73BYKFr/wKTzAiTnh4M 
+ozEpIHTlN0bYQRDHEfTY50N8Tbz7/Tk6eY7CC/4h3xbC/BCzm9rMgNNkVm8Jr/Zz +i8tk5P7FTIVOw+2kCgpT9r6NXnpCT82wIaSO5EX+KPZNKVjbSrRwej8L22Q+I6WZ +RxF7LGaDqXknCUVyrEr6NW8fZNSrzwmQknFK0QKAsauwGewBxqcxK0vcOwkArZoS +yunNVL2WI6MULkBYM1gvcAXJxijxPtSUE9sJs2N4b1dy6B8ob3y2JXZOqxHJpdfK +MgBfXhSuU2UTNyvSmDzUR3RAz/8brVk1wdHTpv8CAwEAAaNsMGowKAYDVR0RBCEw +H4IXc3J2MDQuY3J0MDEuZXhhbXBsZS5uaWyHBAo1AAQwHQYDVR0OBBYEFMqDBvs+ +V1Dd/b8AWmDibZhxzSzyMB8GA1UdIwQYMBaAFHyJ6Fzr5R9ySATFj/uSCJz1YCY5 +MA0GCSqGSIb3DQEBCwUAA4IBgQBvJMW6jmJdWFClJaH8QfwYy3wRAgqtfxMqIAeS +WoLAkp01QLDJhVojJvtVt5l6GKeutG6iKfglcPo+v7DskddGVVWr/SKmwbRQkifq +2KFx7BSEaQrJ3j/BY5QXXnjnhTSAv8NY8U37DLQuK5xmFR/j1jrBlbH18pzcmcvV +OTVqv7z0gZ18TMF2+E0mq/TwULL5QWVs350WV+PcfYUKFF8g6gheqzx1rvZ+VWI7 +TErHSE8k8njmmVJ2h26zCHzWTkFyj+3xWhog58LNoG8EbPFxhyEASSnB+70Ip1E0 +u+Dx91k9uJ7GSAb+5uowi2WP0jHF1k6oIn78hQU95Hw4VAdGzJSOpdNMCXFuYGPk +ao6qwoHfMTcqlrNTNqJ2RFkYM4FsJISjYWhjogK9/bKc2w/MpkRUxi0T+5aAY+fp +LjY8ADQ+Yl3+WZXLstDMmmnOAMxZw/d5Ok+V6WTJrSiW4oDdWUUpbO0Nbk5QaW7v +UDJOXK9jOVeQCA+5TrqyJK67eDk= +-----END CERTIFICATE----- diff --git a/bin/tests/system/forward/CA/index.txt b/bin/tests/system/forward/CA/index.txt new file mode 100644 index 0000000000..1d7c4951a6 --- /dev/null +++ b/bin/tests/system/forward/CA/index.txt @@ -0,0 +1,3 @@ +V 20521130115243Z CCC118082632E18B unknown /CN=srv02.crt01.example.nil +V 221208115554Z CCC118082632E18C unknown /CN=srv02.crt02-expired.example.nil +V 20521130115845Z CCC118082632E18D unknown /CN=srv04.crt01.example.nil diff --git a/bin/tests/system/forward/CA/index.txt.attr b/bin/tests/system/forward/CA/index.txt.attr new file mode 100644 index 0000000000..8f7e63a347 --- /dev/null +++ b/bin/tests/system/forward/CA/index.txt.attr @@ -0,0 +1 @@ +unique_subject = yes diff --git a/bin/tests/system/forward/CA/newcerts/CCC118082632E18B.pem b/bin/tests/system/forward/CA/newcerts/CCC118082632E18B.pem new file mode 100644 index 0000000000..27e8b3c13a --- /dev/null +++ b/bin/tests/system/forward/CA/newcerts/CCC118082632E18B.pem 
@@ -0,0 +1,100 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + cc:c1:18:08:26:32:e1:8b + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Dec 8 11:52:43 2022 GMT + Not After : Nov 30 11:52:43 2052 GMT + Subject: CN=srv02.crt01.example.nil + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (3072 bit) + Modulus: + 00:93:ea:3a:43:83:ff:92:80:06:be:4e:a0:53:5d: + 0b:9d:c9:b1:b8:fe:d5:cc:dc:af:94:7a:ab:ba:13: + 0f:c0:b6:99:71:78:90:b1:7f:41:07:85:59:26:90: + 14:88:7b:fc:0c:64:70:37:f3:2a:39:80:80:48:4e: + 5f:77:74:26:fa:aa:dd:3f:7b:8e:63:b5:a6:ce:bc: + bc:5a:aa:1d:2c:b0:9a:54:8c:03:46:8b:e6:19:52: + 51:48:16:2d:88:ac:df:73:bb:5d:86:f5:80:ff:12: + 93:d1:53:7f:3b:69:35:56:6d:81:8a:ea:4b:bd:75: + d5:bf:a2:b8:f9:98:17:c7:47:e7:5a:0a:47:a0:00: + 3d:5c:77:42:95:ef:60:ea:e2:2c:ab:97:a9:f3:1d: + c7:a7:f9:aa:2f:5d:03:b6:5b:48:87:b4:27:4b:99: + b3:e3:99:f8:cd:bb:51:88:f4:1e:34:d5:3e:e3:12: + 3c:2d:c0:b7:2a:9d:0b:73:7f:3a:ad:27:97:17:58: + 51:70:08:87:75:42:d2:87:47:67:c0:db:c6:b9:f8: + b0:31:a6:cb:15:24:7b:54:06:fd:92:e6:24:71:3f: + 55:02:02:71:f2:47:7f:e5:fe:be:d4:5f:1e:b5:58: + f7:09:fa:60:e3:36:25:bd:f4:91:58:e6:f2:fd:f1: + 5a:00:e8:77:26:dc:2d:20:10:fc:c7:a2:16:0a:e1: + 59:e4:e5:a0:72:d4:23:88:a7:56:71:1d:69:f5:1e: + e4:c1:ec:87:7a:ef:19:dd:df:fa:25:f0:3b:6f:c5: + 5f:14:20:26:fa:9b:e0:af:51:c4:18:3f:3c:49:7d: + 26:25:c2:d9:5c:67:5d:f8:af:73:20:58:ae:65:5e: + 71:03:77:78:7d:45:37:0a:a3:b7:32:eb:fe:ff:5f: + c6:e9:b8:5b:37:f1:61:d5:84:27:50:d3:55:72:2c: + 8a:75:16:9a:95:b5:f9:2d:eb:d0:22:49:57:6b:65: + 87:aa:71:a8:6d:39:96:fe:e7:a9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv02.crt01.example.nil, IP Address:10.53.0.2 + X509v3 Subject Key Identifier: + 70:90:94:81:4A:B2:BF:13:D6:29:1A:90:D9:33:A4:C5:74:29:CF:59 + X509v3 Authority Key Identifier: + 
7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 77:6c:f4:07:36:0b:ef:6e:86:2d:41:73:e0:ba:f7:4c:f1:bd: + 8f:77:89:1a:8c:63:2e:39:93:a2:43:ee:70:85:f1:5d:01:60: + ab:e6:50:a1:5e:72:e3:89:13:77:e0:a5:f7:fa:27:31:93:1f: + 3a:a7:35:5f:7d:59:3c:d2:26:9c:12:fa:51:2b:d3:31:0c:5a: + e7:a8:be:6a:2e:b2:82:6c:42:f2:86:74:9c:0a:c8:58:a8:68: + 35:73:6e:1b:0c:9e:3b:08:3f:b9:ef:68:61:e9:d3:40:1d:aa: + dd:42:e3:1d:b0:1b:6e:b8:58:60:a1:68:4a:ff:09:b7:58:5b: + 72:e8:36:a3:6d:10:78:c7:7f:52:f6:dc:39:5c:05:7d:7a:ae: + 8d:3f:89:8f:10:a6:4d:8b:55:6a:9b:cb:2c:1d:00:59:9b:0c: + c3:55:e0:a3:25:69:b4:29:30:2f:20:bf:07:f4:21:88:b7:d0: + 62:ad:d7:ca:e1:91:45:9f:a2:5f:7d:07:f4:98:b0:5e:d4:3a: + 92:86:e9:a1:fb:c0:9b:81:46:da:56:ed:92:47:c0:1a:aa:55: + 37:0e:3c:92:2c:44:7a:80:55:1f:15:7a:7c:c4:7e:ad:d5:b0: + a5:7e:33:63:09:23:6b:78:42:de:37:aa:04:a7:52:ed:06:fe: + d4:56:36:12:85:b6:ec:ff:03:ea:4b:e2:7a:42:49:73:b6:ab: + e4:7d:4a:2b:94:65:1f:b1:17:a3:be:17:0b:4e:53:3d:8a:d3: + d7:04:0f:f1:1a:63:b2:a6:eb:00:31:64:b4:80:e9:ae:bb:69: + 12:04:a5:7d:2c:bd:91:62:2c:b9:5a:6e:af:e0:ee:27:f0:88: + 15:8b:b7:ce:07:5e:bc:6b:e9:3e:3f:23:c7:f9:c9:48:20:69: + 6a:8e:f2:17:9b:58:ff:72:36:21:ed:d3:83:16:60:ec:de:6f: + c4:50:47:b7:61:ce:75:c1:d6:60:28:de:bd:69:7c:e6:db:0e: + b9:fa:7b:84:24:35 +-----BEGIN CERTIFICATE----- +MIIEkDCCAvigAwIBAgIJAMzBGAgmMuGLMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV +BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr +aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE +AwwTY2EudGVzdC5leGFtcGxlLmNvbTAgFw0yMjEyMDgxMTUyNDNaGA8yMDUyMTEz +MDExNTI0M1owIjEgMB4GA1UEAwwXc3J2MDIuY3J0MDEuZXhhbXBsZS5uaWwwggGi +MA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCT6jpDg/+SgAa+TqBTXQudybG4 +/tXM3K+Uequ6Ew/AtplxeJCxf0EHhVkmkBSIe/wMZHA38yo5gIBITl93dCb6qt0/ +e45jtabOvLxaqh0ssJpUjANGi+YZUlFIFi2IrN9zu12G9YD/EpPRU387aTVWbYGK +6ku9ddW/orj5mBfHR+daCkegAD1cd0KV72Dq4iyrl6nzHcen+aovXQO2W0iHtCdL 
+mbPjmfjNu1GI9B401T7jEjwtwLcqnQtzfzqtJ5cXWFFwCId1QtKHR2fA28a5+LAx +pssVJHtUBv2S5iRxP1UCAnHyR3/l/r7UXx61WPcJ+mDjNiW99JFY5vL98VoA6Hcm +3C0gEPzHohYK4Vnk5aBy1COIp1ZxHWn1HuTB7Id67xnd3/ol8DtvxV8UICb6m+Cv +UcQYPzxJfSYlwtlcZ134r3MgWK5lXnEDd3h9RTcKo7cy6/7/X8bpuFs38WHVhCdQ +01VyLIp1FpqVtfkt69AiSVdrZYeqcahtOZb+56kCAwEAAaNsMGowKAYDVR0RBCEw +H4IXc3J2MDIuY3J0MDEuZXhhbXBsZS5uaWyHBAo1AAIwHQYDVR0OBBYEFHCQlIFK +sr8T1ikakNkzpMV0Kc9ZMB8GA1UdIwQYMBaAFHyJ6Fzr5R9ySATFj/uSCJz1YCY5 +MA0GCSqGSIb3DQEBCwUAA4IBgQB3bPQHNgvvboYtQXPguvdM8b2Pd4kajGMuOZOi +Q+5whfFdAWCr5lChXnLjiRN34KX3+icxkx86pzVffVk80iacEvpRK9MxDFrnqL5q +LrKCbELyhnScCshYqGg1c24bDJ47CD+572hh6dNAHardQuMdsBtuuFhgoWhK/wm3 +WFty6DajbRB4x39S9tw5XAV9eq6NP4mPEKZNi1Vqm8ssHQBZmwzDVeCjJWm0KTAv +IL8H9CGIt9BirdfK4ZFFn6JffQf0mLBe1DqShumh+8CbgUbaVu2SR8AaqlU3DjyS +LER6gFUfFXp8xH6t1bClfjNjCSNreELeN6oEp1LtBv7UVjYShbbs/wPqS+J6Qklz +tqvkfUorlGUfsRejvhcLTlM9itPXBA/xGmOypusAMWS0gOmuu2kSBKV9LL2RYiy5 +Wm6v4O4n8IgVi7fOB168a+k+PyPH+clIIGlqjvIXm1j/cjYh7dODFmDs3m/EUEe3 +Yc51wdZgKN69aXzm2w65+nuEJDU= +-----END CERTIFICATE----- diff --git a/bin/tests/system/forward/CA/newcerts/CCC118082632E18C.pem b/bin/tests/system/forward/CA/newcerts/CCC118082632E18C.pem new file mode 100644 index 0000000000..8cae3b1204 --- /dev/null +++ b/bin/tests/system/forward/CA/newcerts/CCC118082632E18C.pem 
@@ -0,0 +1,100 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + cc:c1:18:08:26:32:e1:8c + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Dec 7 11:55:54 2022 GMT + Not After : Dec 8 11:55:54 2022 GMT + Subject: CN=srv02.crt02-expired.example.nil + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (3072 bit) + Modulus: + 00:ce:00:36:6e:b8:3f:db:fe:90:f7:de:e1:ed:43: + 4b:19:97:78:d8:ae:32:3c:4b:d5:8e:cd:1f:29:78: + e2:af:d3:02:95:34:2c:5e:cd:54:8a:07:70:6b:61: + a9:af:22:a7:6e:cf:86:b6:71:d7:4d:b4:af:f3:f0: + 9b:28:49:18:8c:66:88:67:63:47:e9:cd:a8:e9:5c: + 63:c0:be:08:b2:77:81:05:83:c7:3a:53:1b:c6:7a: + 82:99:fa:54:6f:4f:30:80:50:96:92:16:6e:10:16: + ca:76:ee:c9:e5:90:63:98:98:e7:58:61:09:15:e9: + 45:67:89:f1:df:21:69:b6:ad:b7:24:68:92:07:b6: + 6f:93:f8:fb:bd:b5:90:c9:57:5a:e5:46:6c:d0:73: + 33:3c:10:6e:01:dc:46:f5:84:95:5d:2b:03:e3:3a: + 0d:66:59:f8:92:37:78:49:74:32:32:96:fa:bd:05: + 27:43:f8:f9:90:7c:e4:2b:36:54:c0:f2:77:fd:4f: + ed:87:00:08:23:4d:57:81:a0:4f:f6:2e:9c:a0:22: + 3d:f6:27:b2:39:ed:44:8e:5c:92:4c:4b:b9:74:bb: + 0a:c4:97:e3:85:66:29:fc:75:3b:b5:3d:e1:22:57: + 33:11:2e:9a:a9:41:84:82:ea:44:b5:fc:3a:b4:88: + 31:11:46:98:c2:ec:db:43:55:72:a7:9f:a1:65:c0: + bf:11:a7:44:27:a3:8b:06:4f:08:2a:2d:4c:c9:aa: + d5:3d:03:24:66:e6:03:9b:9c:98:1a:5f:45:e8:b9: + 1d:f1:05:40:d8:3e:ed:40:05:1e:fa:8a:58:c5:a2: + f2:2a:a1:cb:25:7e:61:8c:0e:3c:cc:5b:43:3a:7c: + 8b:a7:64:b8:c5:2b:6b:16:59:06:ad:ec:19:b5:1d: + 73:44:2f:f4:6c:31:f1:6e:f4:55:f6:44:37:ee:db: + 20:fe:54:92:43:28:f8:44:cb:9f:9f:b6:2c:aa:61: + 1f:2f:1a:15:15:cc:61:f3:b9:6f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv02.crt02-expired.example.nil, IP Address:10.53.0.2 + X509v3 Subject Key Identifier: + A7:8A:6D:EA:10:B4:6B:B8:13:16:6B:BA:A0:26:C3:9A:E7:A6:71:7E + X509v3 Authority Key Identifier: + 
7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 34:7b:38:92:d9:c1:ba:ed:c7:b3:61:63:e6:d2:11:4e:0c:83: + 8f:97:3a:11:97:51:3e:8d:9b:49:bb:f5:2c:92:d1:c2:e4:3b: + ad:db:69:cc:1f:cf:58:3d:4f:51:97:d1:09:19:2f:22:b5:3d: + e1:0d:e5:65:40:2a:54:19:55:22:11:85:18:1a:08:31:97:d8: + fe:cf:4c:9b:ec:8b:8f:9c:cd:cf:5b:a1:56:e4:1d:e0:79:4b: + ee:6b:1c:0b:60:a8:d8:fd:5c:a8:9d:dc:74:4f:ce:b8:f8:19: + a4:00:db:93:7b:ae:34:55:c6:fb:35:1b:9e:bc:d0:5f:da:8d: + 77:0e:1f:45:89:d4:dd:f1:a9:4e:48:64:d2:4e:b6:4b:57:a0: + 87:cf:a8:30:35:6e:09:91:56:59:9b:01:af:8a:f7:11:8c:d8: + 2e:56:89:eb:a5:a0:6c:d2:56:0c:da:13:4d:36:92:28:50:b1: + e5:cd:64:60:ac:93:f4:98:d7:eb:df:7b:42:89:da:c0:6d:6e: + 75:ae:45:28:9b:e8:de:00:dc:eb:df:ba:4f:63:2a:61:e5:42: + f3:e0:8f:aa:bd:f7:f6:9b:67:1b:ed:1e:a6:ae:4c:81:a2:62: + ff:a8:8f:94:da:a8:9d:27:fa:a4:46:44:2e:13:f2:05:2b:c4: + a6:57:d3:95:1c:ca:f8:e3:d2:0f:28:70:8a:1b:37:4f:b7:c1: + b3:fd:4b:85:ca:9d:8a:bb:62:85:47:66:c7:31:b8:db:c4:5d: + 66:9d:6e:7b:94:07:fa:09:ae:5b:5b:23:31:ba:c8:40:82:4b: + 6a:48:d2:83:0c:5f:b9:62:64:06:16:05:dd:e8:a8:02:eb:d7: + 7a:9b:d9:49:d6:87:0e:16:ca:d6:4e:46:46:e5:37:e4:0d:68: + b7:d2:d6:78:c4:ee:c1:3b:38:8e:83:df:1f:39:63:1c:65:7a: + e0:26:1f:96:8a:57:9d:6b:27:62:6e:40:86:83:29:fd:1f:a1: + 69:2a:92:cf:ab:db +-----BEGIN CERTIFICATE----- +MIIEnjCCAwagAwIBAgIJAMzBGAgmMuGMMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV +BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr +aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE +AwwTY2EudGVzdC5leGFtcGxlLmNvbTAeFw0yMjEyMDcxMTU1NTRaFw0yMjEyMDgx +MTU1NTRaMCoxKDAmBgNVBAMMH3NydjAyLmNydDAyLWV4cGlyZWQuZXhhbXBsZS5u +aWwwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDOADZuuD/b/pD33uHt +Q0sZl3jYrjI8S9WOzR8peOKv0wKVNCxezVSKB3BrYamvIqduz4a2cddNtK/z8Jso +SRiMZohnY0fpzajpXGPAvgiyd4EFg8c6UxvGeoKZ+lRvTzCAUJaSFm4QFsp27snl +kGOYmOdYYQkV6UVnifHfIWm2rbckaJIHtm+T+Pu9tZDJV1rlRmzQczM8EG4B3Eb1 
+hJVdKwPjOg1mWfiSN3hJdDIylvq9BSdD+PmQfOQrNlTA8nf9T+2HAAgjTVeBoE/2 +LpygIj32J7I57USOXJJMS7l0uwrEl+OFZin8dTu1PeEiVzMRLpqpQYSC6kS1/Dq0 +iDERRpjC7NtDVXKnn6FlwL8Rp0Qno4sGTwgqLUzJqtU9AyRm5gObnJgaX0XouR3x +BUDYPu1ABR76iljFovIqocslfmGMDjzMW0M6fIunZLjFK2sWWQat7Bm1HXNEL/Rs +MfFu9FX2RDfu2yD+VJJDKPhEy5+ftiyqYR8vGhUVzGHzuW8CAwEAAaN0MHIwMAYD +VR0RBCkwJ4Ifc3J2MDIuY3J0MDItZXhwaXJlZC5leGFtcGxlLm5pbIcECjUAAjAd +BgNVHQ4EFgQUp4pt6hC0a7gTFmu6oCbDmuemcX4wHwYDVR0jBBgwFoAUfInoXOvl +H3JIBMWP+5IInPVgJjkwDQYJKoZIhvcNAQELBQADggGBADR7OJLZwbrtx7NhY+bS +EU4Mg4+XOhGXUT6Nm0m79SyS0cLkO63bacwfz1g9T1GX0QkZLyK1PeEN5WVAKlQZ +VSIRhRgaCDGX2P7PTJvsi4+czc9boVbkHeB5S+5rHAtgqNj9XKid3HRPzrj4GaQA +25N7rjRVxvs1G5680F/ajXcOH0WJ1N3xqU5IZNJOtktXoIfPqDA1bgmRVlmbAa+K +9xGM2C5WieuloGzSVgzaE002kihQseXNZGCsk/SY1+vfe0KJ2sBtbnWuRSib6N4A +3Ovfuk9jKmHlQvPgj6q99/abZxvtHqauTIGiYv+oj5TaqJ0n+qRGRC4T8gUrxKZX +05Ucyvjj0g8ocIobN0+3wbP9S4XKnYq7YoVHZscxuNvEXWadbnuUB/oJrltbIzG6 +yECCS2pI0oMMX7liZAYWBd3oqALr13qb2UnWhw4WytZORkblN+QNaLfS1njE7sE7 +OI6D3x85YxxleuAmH5aKV51rJ2JuQIaDKf0foWkqks+r2w== +-----END CERTIFICATE----- diff --git a/bin/tests/system/forward/CA/newcerts/CCC118082632E18D.pem b/bin/tests/system/forward/CA/newcerts/CCC118082632E18D.pem new file mode 100644 index 0000000000..ca558fc483 --- /dev/null +++ b/bin/tests/system/forward/CA/newcerts/CCC118082632E18D.pem 
@@ -0,0 +1,100 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + cc:c1:18:08:26:32:e1:8d + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Dec 8 11:58:45 2022 GMT + Not After : Nov 30 11:58:45 2052 GMT + Subject: CN=srv04.crt01.example.nil + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (3072 bit) + Modulus: + 00:8d:e6:8a:10:6f:06:8f:b2:e5:f4:de:14:4d:d4: + 3c:1a:21:03:fe:32:02:d6:6d:0a:25:35:3d:50:00: + 71:d6:7b:75:d1:e0:04:36:20:da:39:db:9d:df:19: + fe:5b:c3:e2:d0:72:c4:0d:be:57:d8:c2:3f:30:a8: + 99:b1:c3:1a:c8:96:a5:8a:0c:7a:e6:e9:2b:3e:c9: + f9:f5:46:b2:cc:14:4c:e6:d1:65:25:19:fb:2c:2b: + e4:6d:00:ba:7c:7f:f6:07:24:17:30:42:cb:04:e9: + 94:36:e3:18:8b:60:77:6c:68:d3:9e:62:81:82:64: + 24:2c:e9:ba:b8:d0:40:2f:e6:fd:e9:fa:aa:14:83: + 6f:26:16:c1:b7:b3:6d:fd:4a:3f:8f:a1:a9:e6:7b: + bd:c1:60:a1:6b:ff:02:93:cc:08:93:9e:1e:0c:a3: + 31:29:20:74:e5:37:46:d8:41:10:c7:11:f4:d8:e7: + 43:7c:4d:bc:fb:fd:39:3a:79:8e:c2:0b:fe:21:df: + 16:c2:fc:10:b3:9b:da:cc:80:d3:64:56:6f:09:af: + f6:73:8b:cb:64:e4:fe:c5:4c:85:4e:c3:ed:a4:0a: + 0a:53:f6:be:8d:5e:7a:42:4f:cd:b0:21:a4:8e:e4: + 45:fe:28:f6:4d:29:58:db:4a:b4:70:7a:3f:0b:db: + 64:3e:23:a5:99:47:11:7b:2c:66:83:a9:79:27:09: + 45:72:ac:4a:fa:35:6f:1f:64:d4:ab:cf:09:90:92: + 71:4a:d1:02:80:b1:ab:b0:19:ec:01:c6:a7:31:2b: + 4b:dc:3b:09:00:ad:9a:12:ca:e9:cd:54:bd:96:23: + a3:14:2e:40:58:33:58:2f:70:05:c9:c6:28:f1:3e: + d4:94:13:db:09:b3:63:78:6f:57:72:e8:1f:28:6f: + 7c:b6:25:76:4e:ab:11:c9:a5:d7:ca:32:00:5f:5e: + 14:ae:53:65:13:37:2b:d2:98:3c:d4:47:74:40:cf: + ff:1b:ad:59:35:c1:d1:d3:a6:ff + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv04.crt01.example.nil, IP Address:10.53.0.4 + X509v3 Subject Key Identifier: + CA:83:06:FB:3E:57:50:DD:FD:BF:00:5A:60:E2:6D:98:71:CD:2C:F2 + X509v3 Authority Key Identifier: + 
7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 6f:24:c5:ba:8e:62:5d:58:50:a5:25:a1:fc:41:fc:18:cb:7c: + 11:02:0a:ad:7f:13:2a:20:07:92:5a:82:c0:92:9d:35:40:b0: + c9:85:5a:23:26:fb:55:b7:99:7a:18:a7:ae:b4:6e:a2:29:f8: + 25:70:fa:3e:bf:b0:ec:91:d7:46:55:55:ab:fd:22:a6:c1:b4: + 50:92:27:ea:d8:a1:71:ec:14:84:69:0a:c9:de:3f:c1:63:94: + 17:5e:78:e7:85:34:80:bf:c3:58:f1:4d:fb:0c:b4:2e:2b:9c: + 66:15:1f:e3:d6:3a:c1:95:b1:f5:f2:9c:dc:99:cb:d5:39:35: + 6a:bf:bc:f4:81:9d:7c:4c:c1:76:f8:4d:26:ab:f4:f0:50:b2: + f9:41:65:6c:df:9d:16:57:e3:dc:7d:85:0a:14:5f:20:ea:08: + 5e:ab:3c:75:ae:f6:7e:55:62:3b:4c:4a:c7:48:4f:24:f2:78: + e6:99:52:76:87:6e:b3:08:7c:d6:4e:41:72:8f:ed:f1:5a:1a: + 20:e7:c2:cd:a0:6f:04:6c:f1:71:87:21:00:49:29:c1:fb:bd: + 08:a7:51:34:bb:e0:f1:f7:59:3d:b8:9e:c6:48:06:fe:e6:ea: + 30:8b:65:8f:d2:31:c5:d6:4e:a8:22:7e:fc:85:05:3d:e4:7c: + 38:54:07:46:cc:94:8e:a5:d3:4c:09:71:6e:60:63:e4:6a:8e: + aa:c2:81:df:31:37:2a:96:b3:53:36:a2:76:44:59:18:33:81: + 6c:24:84:a3:61:68:63:a2:02:bd:fd:b2:9c:db:0f:cc:a6:44: + 54:c6:2d:13:fb:96:80:63:e7:e9:2e:36:3c:00:34:3e:62:5d: + fe:59:95:cb:b2:d0:cc:9a:69:ce:00:cc:59:c3:f7:79:3a:4f: + 95:e9:64:c9:ad:28:96:e2:80:dd:59:45:29:6c:ed:0d:6e:4e: + 50:69:6e:ef:50:32:4e:5c:af:63:39:57:90:08:0f:b9:4e:ba: + b2:24:ae:bb:78:39 +-----BEGIN CERTIFICATE----- +MIIEkDCCAvigAwIBAgIJAMzBGAgmMuGNMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV +BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr +aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE +AwwTY2EudGVzdC5leGFtcGxlLmNvbTAgFw0yMjEyMDgxMTU4NDVaGA8yMDUyMTEz +MDExNTg0NVowIjEgMB4GA1UEAwwXc3J2MDQuY3J0MDEuZXhhbXBsZS5uaWwwggGi +MA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCN5ooQbwaPsuX03hRN1DwaIQP+ +MgLWbQolNT1QAHHWe3XR4AQ2INo5253fGf5bw+LQcsQNvlfYwj8wqJmxwxrIlqWK +DHrm6Ss+yfn1RrLMFEzm0WUlGfssK+RtALp8f/YHJBcwQssE6ZQ24xiLYHdsaNOe +YoGCZCQs6bq40EAv5v3p+qoUg28mFsG3s239Sj+Poanme73BYKFr/wKTzAiTnh4M 
+ozEpIHTlN0bYQRDHEfTY50N8Tbz7/Tk6eY7CC/4h3xbC/BCzm9rMgNNkVm8Jr/Zz +i8tk5P7FTIVOw+2kCgpT9r6NXnpCT82wIaSO5EX+KPZNKVjbSrRwej8L22Q+I6WZ +RxF7LGaDqXknCUVyrEr6NW8fZNSrzwmQknFK0QKAsauwGewBxqcxK0vcOwkArZoS +yunNVL2WI6MULkBYM1gvcAXJxijxPtSUE9sJs2N4b1dy6B8ob3y2JXZOqxHJpdfK +MgBfXhSuU2UTNyvSmDzUR3RAz/8brVk1wdHTpv8CAwEAAaNsMGowKAYDVR0RBCEw +H4IXc3J2MDQuY3J0MDEuZXhhbXBsZS5uaWyHBAo1AAQwHQYDVR0OBBYEFMqDBvs+ +V1Dd/b8AWmDibZhxzSzyMB8GA1UdIwQYMBaAFHyJ6Fzr5R9ySATFj/uSCJz1YCY5 +MA0GCSqGSIb3DQEBCwUAA4IBgQBvJMW6jmJdWFClJaH8QfwYy3wRAgqtfxMqIAeS +WoLAkp01QLDJhVojJvtVt5l6GKeutG6iKfglcPo+v7DskddGVVWr/SKmwbRQkifq +2KFx7BSEaQrJ3j/BY5QXXnjnhTSAv8NY8U37DLQuK5xmFR/j1jrBlbH18pzcmcvV +OTVqv7z0gZ18TMF2+E0mq/TwULL5QWVs350WV+PcfYUKFF8g6gheqzx1rvZ+VWI7 +TErHSE8k8njmmVJ2h26zCHzWTkFyj+3xWhog58LNoG8EbPFxhyEASSnB+70Ip1E0 +u+Dx91k9uJ7GSAb+5uowi2WP0jHF1k6oIn78hQU95Hw4VAdGzJSOpdNMCXFuYGPk +ao6qwoHfMTcqlrNTNqJ2RFkYM4FsJISjYWhjogK9/bKc2w/MpkRUxi0T+5aAY+fp +LjY8ADQ+Yl3+WZXLstDMmmnOAMxZw/d5Ok+V6WTJrSiW4oDdWUUpbO0Nbk5QaW7v +UDJOXK9jOVeQCA+5TrqyJK67eDk= +-----END CERTIFICATE----- diff --git a/bin/tests/system/forward/CA/private/CA.key b/bin/tests/system/forward/CA/private/CA.key new file mode 100644 index 0000000000..2d5419d89a --- /dev/null +++ b/bin/tests/system/forward/CA/private/CA.key 
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEAouoRHoAc6VCmxNTU6Ge7s+xDFGO0wXJJIsP+8nUyyjWvGCOC +aQYLhb1kLA2NHRhSSKFcMh8jcd7Hlvy6CAec1j2dsWzryy3HgPrdjWaW3PfBO41D +lUtdt8hA/p6pX2YwqvWbdK/3s8J0LY5xRZKNZnFOB/Sb4PGiIJ1NgMRO/M3IlPQm +PO/faRRTU4SI26KCPKFW342826Zi88YwOd6w5mQU4fskk5TGtlNqE+Fj40ZbWVpy +VXoEUS6RveRp020NX5CQG49SLtdF05AnnsATqmgNVCXptGuqW8uaHRONeGO3NBEy +nJmibWBDUMjtCCcGVgyrVXuTkyAJJWpImnshUwgMNYebRwmC2iVv2LtsJS5eUTUH +EWffnFl55XU2PkyNYgY35gA4y3SiWFJYV8+5FibU4ut0nb+lmHBF8WlqcU/kd3tp +Gkf0exjqOIHZFqV9bIhpUbXhxx9v9+gkkGQ9nrXE1KRlvigxxUeIK5xHy9a7fVIL +wo6WuCnLLJmbVkklAgMBAAECggGBAI5ZV3v/FUQIZK+4CBDKEwizeClotZgR9DWc +bDgOj8KABe5hmKGL1qWVRuH3NUYm6j7sP1LMQnxM3LjhOuupOzE3xYIyWhW+eoQI +r23OJiQNl5ohZNweblUXdTMGD5h8AipfUOY0m4tGbZ0gyXixBTxt5HCvG0UB3VgC +GqZY4Wujo5ADhSXZsqxuRiDDvZGr/YBcuTu87Tg/ulam5ZyrKIcnC9gpSVxqsva9 +DAMy/cSoxUjd7ukhJISK3G3AF3fV4GSslQcJTlyJ2D3+LnqPuHJKYTI4hc46lN3x +E2g24GdSCPYf6SoEPwACXtbavV8TXwQPJrHN+f+0/ePCI4jkYe5NoA3gwVgMb/WB +wFchxzVh3V4e8tPGiG+ofKl81DSAW8VZCJLUIbTEce9oxafPT78WJxdC0wWbh5S8 +V/qN6sW/yWnK3oY9SilWhJGRwKOZ+8xtStaDeCzyCaOqEcWi8ZR0QfC33UozlhdC +SrMKnOXmn/rUuXGrVR56IzIl0M7YAQKBwQDM3GJDdlFuHn6L0syKYdHDS8gXD9ke +s+ochIP6jvkEPcayaEoZGl8s7RT3iztqXod7wLaZdotktxfDAZnJfeuOcVrCu+Bx +HLytnBvV6czMfp3REGgQAJQeusSgtlBCTHHVOsDzIjdnkY3WBa7IiFYWO5wnYrGx +r3ucnwnHaUVDMj1r4YI7mYIpCuYQl6eGyW7mhWewyhVwoQXKbifdrXxjvOigL0Cp +tgsoU9pql3hpphOaYMX6hLOincTfaMxfnCECgcEAy5UXp3dA0OwK+4iDGKr+cUpk +AtGTheiE+8zEVh2KYFLt921mW/QZiB1+xtnkknp3c7u07Ugk8jAEXzCkwMnN5ZCx +LrJ72fC+cLIAbRm6/vMMP8iz83wyttao4qNMeoOBBfE9rEiP+lrugpv282V3ZHYa +IUZWTeugJbckUHTbD3RZQExmQcRVG3m/TzonBfoZ8HoRj/n3d7V2T911cHUhi8Xn +RQIi2m63VofOIep86LgartlKneMWnL0oOPq4RKyFAoHAZUzpDkD4nUJZAx025Yrf +ZfoYNEcy7vq6XmWsuX5vZoiBs4DcezNOMvH9NzdTJxMdXbV61cIHxcK/7j7hZABv +NZ2Z6sdqgaRbLGIQZaPaEJjfwxygyKDwnY1vY6UjZNVWSMFn3hJiYUVZZKakuiao +ow/Q9KzZ/2ot7tG5zTCh/ktekfUOKBiNg2wPPc8wGPeMblMzZflXxrzpFyOHdRev +dcZZJbSX/hO1yrhEPgculNd5xBHsdCegiF4JlwvEW9bhAoHAZQQiy5bx03j8bhkr 
+q6bVQFPAUmG5iL16lxLg7TYVPnyH1bk0DDaQIKk6CeN+dmxML2IZgY/FvWK0GKOj +bIH2J43nTRuFNvwtEvBQI9KbpfvlvRSSriOXaoATJvoObdAoylEM4BrVTk2mgapw +HA/h8Thk+NPU6S8ctPouC7ogJIf/7Va7erC35j0//0kEqgOSsW9wnXdUItMo1LI3 +nsiQD7Hwcp5/utErKcWTM+MNfdA0dUQesT9ILhfyCGvn2TOdAoHBAKldZkDyRcu9 +r9uDF1bhUEnpV2k4hgvTuCvQ3rzyx3WrVT8ChEmePC8Ke5A54ffu/YdbpDLbdf2c +j4n5CQhHbMIZs3P2hB3WqDCImApCfMbXaltfBbaT0j7uLJPMp+2+f/wWYpc3R+bn +HVnaRI2PoXXmG9OjQSQdVZ5gNpkEuemAo3dJOSS6BMqQaSxUynGy7o/a/d4izBjd +B58Fwq3sZI/Xv90Se9+b6ICST3YJ3p0vn8RKzmlCQjLg/xynpCByiw== +-----END RSA PRIVATE KEY----- diff --git a/bin/tests/system/forward/CA/serial b/bin/tests/system/forward/CA/serial new file mode 100644 index 0000000000..2e4ab4f074 --- /dev/null +++ b/bin/tests/system/forward/CA/serial @@ -0,0 +1 @@ +CCC118082632E18E diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh index 6d76bb013c..716f04cebf 100644 --- a/bin/tests/system/forward/clean.sh +++ b/bin/tests/system/forward/clean.sh @@ -19,6 +19,7 @@ rm -f ./*/named.conf rm -f ./*/named.memstats rm -f ./*/named.run ./*/named.run.prev ./*/ans.run rm -f ./*/named_dump.db +rm -f ./ans*/query.log rm -f ./ns*/named.lock rm -f ./ns*/managed-keys.bind* rm -f ./ns1/root.db ./ns1/root.db.signed diff --git a/bin/tests/system/forward/dhparam3072.pem b/bin/tests/system/forward/dhparam3072.pem new file mode 100644 index 0000000000..9c2e0aa42b --- /dev/null +++ b/bin/tests/system/forward/dhparam3072.pem 
@@ -0,0 +1,11 @@ +-----BEGIN DH PARAMETERS----- +MIIBiAKCAYEA5D/Oioe+G+EMf/9RVxmcV4rZAtqZpVTFHcX0ZulvdiQGCQmopm6K +3+0uoU2J6WVMjhna5nHD2NO9miRDI/jIxX9g9k6PedSB4o3fSTtkAnGtUbB8S+Ab +EHtWfd7FTES8P1n16HN7BfPXVbP8zTcK+jO63KdQoxueYoETcrw0Myi9Lm8ri8os +O4oQ+XAH7GzZ60bcYV9jge0XIRUGVnYZDjWMlnwMvZyjLivxKXTC9HPNA6FF1/0H +0LPhsfjdoLNsVHFzfQz7QELMfHbTd0C8y0UMDQw9FqUp0esHZ5gsTlqnDHp2ZHoR +JDfNl4yVO5Gv4HiFJ0NSdggefhESU3FRAOhMmUkctOCxk5hyPqGMsvofOajY2MBp +eCffrKuAU6/dGUeq8inwrZlAMIZ20WyskHmbHnc4DXo2Uo6xSZo3xyEq1ofXXwTZ +vPw4e12so3RJAT2a8UsHf7DG1tH+9ke7HCAJQWxUizRFRsMi1Nl/7ikS4f3zgIbX +GKz9+uk5eS6jAgEC +-----END DH PARAMETERS----- diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in index f871fd6b29..eff6e84cad 100644 --- a/bin/tests/system/forward/ns1/named.conf.in +++ b/bin/tests/system/forward/ns1/named.conf.in @@ -66,6 +66,16 @@ zone "example6" { type forward; }; +zone "example8." { + type primary; + file "example.db"; +}; + +zone "example9." { + type primary; + file "example.db"; +}; + zone "diditwork.net" { type primary; file "diditwork.net.db"; diff --git a/bin/tests/system/forward/ns2/named.conf.in b/bin/tests/system/forward/ns2/named.conf.in index f9a081a2d0..c8e5cb59f8 100644 --- a/bin/tests/system/forward/ns2/named.conf.in +++ b/bin/tests/system/forward/ns2/named.conf.in 
@@ -11,6 +11,34 @@ * information regarding copyright ownership. */ +tls tls-forward-secrecy { + protocols { TLSv1.2; }; + ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + prefer-server-ciphers yes; + key-file "../CA/certs/srv02.crt01.example.nil.key"; + cert-file "../CA/certs/srv02.crt01.example.nil.pem"; + dhparam-file "../dhparam3072.pem"; +}; + +tls tls-forward-secrecy-mutual-tls { + protocols { TLSv1.2; }; + ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + prefer-server-ciphers yes; + key-file "../CA/certs/srv02.crt01.example.nil.key"; + cert-file "../CA/certs/srv02.crt01.example.nil.pem"; + dhparam-file "../dhparam3072.pem"; + ca-file "../CA/CA.pem"; +}; + +tls tls-expired { + protocols { TLSv1.2; }; + ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + prefer-server-ciphers yes; + key-file "../CA/certs/srv02.crt02-expired.example.nil.key"; + cert-file "../CA/certs/srv02.crt02-expired.example.nil.pem"; + dhparam-file "../dhparam3072.pem"; +}; + options { query-source address 10.53.0.2; query-source-v6 address fd92:7065:b8e:ffff::2; @@ -19,8 +47,13 @@ options { transfer-source 10.53.0.2; transfer-source-v6 fd92:7065:b8e:ffff::2; port @PORT@; + tls-port @TLSPORT@; pid-file "named.pid"; listen-on { 10.53.0.2; }; + listen-on tls ephemeral { 10.53.0.2; }; + listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; }; + listen-on port @EXTRAPORT2@ tls tls-forward-secrecy-mutual-tls { 10.53.0.2; }; + listen-on port @EXTRAPORT3@ tls tls-expired { 10.53.0.2; }; listen-on-v6 { fd92:7065:b8e:ffff::2; }; recursion no; dnssec-validation no; @@ -56,6 +89,16 @@ zone "example7." { file "example.db"; }; +zone "example8." { + type primary; + file "example.db"; +}; + +zone "example9." { + type primary; + file "example.db"; +}; + zone "grafted." { type primary; file "example.db"; 
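Review bot: The three new `tls` blocks on ns2 are near-identical, and nothing says that the single `ca-file "../CA/CA.pem";` line in `tls-forward-secrecy-mutual-tls` is what makes that listener demand a client certificate. A short comment above it, such as `/* ca-file on a listener: clients must present a certificate signed by the test CA */`, would keep a later cleanup from removing the line as redundant. All three blocks also pin `protocols { TLSv1.2; };`, so forwarding over TLS 1.3 is not exercised. If the pin is deliberate, presumably because `ciphers` and `dhparam-file` only influence TLS 1.2 handshakes, a comment should say so.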
diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in index c97823dee0..098b58a12c 100644 --- a/bin/tests/system/forward/ns4/named.conf.in +++ b/bin/tests/system/forward/ns4/named.conf.in @@ -16,6 +16,7 @@ options { notify-source 10.53.0.4; transfer-source 10.53.0.4; port @PORT@; + tls-port @TLSPORT@; pid-file "named.pid"; listen-on { 10.53.0.4; }; listen-on-v6 { none; }; 
@@ -29,15 +30,57 @@ zone "." { file "root.db"; }; +tls tls-forward-secrecy { + protocols { TLSv1.2; }; + ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + dhparam-file "../dhparam3072.pem"; + ca-file "../CA/CA.pem"; +}; + +tls tls-forward-secrecy-remote-hostname { + protocols { TLSv1.2; }; + ca-file "../CA/CA.pem"; + remote-hostname "srv02.crt01.example.nil"; +}; + +tls tls-forward-secrecy-bad-remote-hostname { + protocols { TLSv1.2; }; + ca-file "../CA/CA.pem"; + remote-hostname "srv02-bad.crt01.example.nil"; +}; + +tls tls-forward-secrecy-mutual-tls { + protocols { TLSv1.2; }; + ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + key-file "../CA/certs/srv04.crt01.example.nil.key"; + cert-file "../CA/certs/srv04.crt01.example.nil.pem"; + dhparam-file "../dhparam3072.pem"; + ca-file "../CA/CA.pem"; +}; + +tls tls-expired { + protocols { TLSv1.2; }; + ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + prefer-server-ciphers yes; + dhparam-file "../dhparam3072.pem"; + ca-file "../CA/CA.pem"; +}; + zone "example1." { type forward; forward first; - forwarders { 10.53.0.2; }; + forwarders { 10.53.0.2 tls ephemeral; }; }; zone "example3." { type forward; - forwarders { 10.53.0.2; }; + forwarders port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; }; +}; + +zone "example4." { + type forward; + forward only; + forwarders port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2 tls tls-expired port @EXTRAPORT3@; }; }; zone "example5." { 
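Review bot: In the ns4 `tls tls-expired` block, `prefer-server-ciphers yes;` looks copied from the ns2 listener definition. ns4 references these blocks only from `forwarders`, i.e. as a TLS client, where a server-side cipher preference should have no effect. The same appears to hold for the `dhparam-file` lines in `tls-forward-secrecy`, `tls-forward-secrecy-mutual-tls` and `tls-expired`. Dropping them leaves each client block with only what its scenario needs: `ca-file`, plus `key-file`/`cert-file` for mutual TLS and `remote-hostname` where hostname checking is tested. If they are kept on purpose, a comment such as `/* server-only options, kept to check they are tolerated in a client context */` would record that.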
@@ -46,10 +89,22 @@ zone "example5." { forwarders { 10.53.0.2; }; }; +zone "example8." { + type forward; + forward only; + forwarders port @EXTRAPORT1@ tls tls-forward-secrecy-remote-hostname { 10.53.0.2; }; +}; + +zone "example9." { + type forward; + forward only; + forwarders port @EXTRAPORT1@ tls tls-forward-secrecy-bad-remote-hostname { 10.53.0.2; }; +}; + zone "1.0.10.in-addr.arpa" { type forward; forward only; - forwarders { 10.53.0.2; }; + forwarders { 10.53.0.2 tls tls-forward-secrecy-mutual-tls port @EXTRAPORT2@; }; }; zone "grafted" { diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh index 914b30c65f..42e3ca9031 100644 --- a/bin/tests/system/forward/tests.sh +++ b/bin/tests/system/forward/tests.sh @@ -71,11 +71,24 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that a forward zone works ($n)" +echo_i "checking that DoT expired certificate does not work ($n)" ret=0 +nextpart ns4/named.run >/dev/null +dig_with_opts +noadd +noauth txt.example4. txt @$hidden > dig.out.$n.hidden || ret=1 +dig_with_opts +noadd +noauth txt.example4. txt @$f2 > dig.out.$n.f2 || ret=1 +digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1 +wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that a forward zone works (DoT insecure) ($n)" +ret=0 +nextpart ns4/named.run >/dev/null dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1 dig_with_opts +noadd +noauth txt.example1. txt @$f2 > dig.out.$n.f2 || ret=1 digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1 +wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
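Review bot: The expired-certificate check in tests.sh only asserts that the two dig outputs differ (`digcomp ... >/dev/null 2>&1 && ret=1`), so any difference between the answers counts as a pass, not specifically a refused forward. Because `example4.` is `forward only`, the response from `$f2` can be pinned directly, for example with `grep "status: SERVFAIL" dig.out.$n.f2 > /dev/null || ret=1` (SERVFAIL is the expected rcode here and should be confirmed once). The bad remote-hostname check for `example9.` in the next tests.sh hunk has the same shape and would benefit from the same line.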
@@ -89,11 +102,35 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) -echo_i "checking that a forward zone with no specified policy works ($n)" +echo_i "checking that a forward zone with no specified policy works (DoT forward-secrecy) ($n)" ret=0 +nextpart ns4/named.run >/dev/null dig_with_opts +noadd +noauth txt.example3. txt @$hidden > dig.out.$n.hidden || ret=1 dig_with_opts +noadd +noauth txt.example3. txt @$f2 > dig.out.$n.f2 || ret=1 digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1 +wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that DoT remote-hostname works ($n)" +ret=0 +nextpart ns4/named.run >/dev/null +dig_with_opts +noadd +noauth txt.example8. txt @$hidden > dig.out.$n.hidden || ret=1 +dig_with_opts +noadd +noauth txt.example8. txt @$f2 > dig.out.$n.f2 || ret=1 +digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 || ret=1 +wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that DoT bad remote-hostname does not work ($n)" +ret=0 +nextpart ns4/named.run >/dev/null +dig_with_opts +noadd +noauth txt.example9. txt @$hidden > dig.out.$n.hidden || ret=1 +dig_with_opts +noadd +noauth txt.example9. txt @$f2 > dig.out.$n.f2 || ret=1 +digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1 +wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
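Review bot: In "checking that DoT remote-hostname works", the comparison is written as `digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 || ret=1`, which discards the diff that the other positive checks print on a mismatch. The redirect makes sense in the negative tests, where a mismatch is expected, but here it hides the one piece of output that explains a failure. Writing it as `digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1` keeps it consistent with the `example1.` and `example3.` checks.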
@@ -120,14 +157,14 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) check_override() ( - dig_with_opts 1.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 && + dig_with_opts 1.0.10.in-addr.arpa TXT @$f2 > dig.out.$n.f2 && grep "status: NOERROR" dig.out.$n.f2 > /dev/null && - dig_with_opts 2.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 && + dig_with_opts 2.0.10.in-addr.arpa TXT @$f2 > dig.out.$n.f2 && grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null ) n=$((n+1)) -echo_i "checking that forward only zone overrides empty zone ($n)" +echo_i "checking that forward only zone overrides empty zone (DoT forward-secrecy-mutual-tls) ($n)" ret=0 # retry loop in case the server restart above causes transient failure retry_quiet 10 check_override || ret=1
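Review bot: The test is relabelled "(DoT forward-secrecy-mutual-tls)", but unlike the other DoT checks added in this commit it never asserts that a TLS session was established; it passes on the NOERROR/NXDOMAIN statuses alone. Adding `nextpart ns4/named.run >/dev/null` before the retry loop and `wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1` after it would bring it in line with the others. There is also no negative case showing that the `@EXTRAPORT2@` listener turns away a forwarder that presents no client certificate, which is the property mutual TLS adds over the plain `tls-forward-secrecy` listener. The remainder of this test block lies outside the hunk.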