Skip to content

Commit

Permalink
crypto: add cert check to CNNIC Whitelist
Browse files Browse the repository at this point in the history
When client connect to the server with certification issued by either
CNNIC Root CA or CNNIC EV Root CA, check hash of server
certification in the list of CNNICHashWhitelist.inc. If it's not,
CERT_REVOKED error returns.

See for details in
https://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-certificates/

PR-URL: #1895
Reviewed-By: Ben Noordhuis <[email protected]>
  • Loading branch information
Shigeki Ohtsu committed Jun 16, 2015
1 parent 96165f9 commit 3beb880
Show file tree
Hide file tree
Showing 14 changed files with 6,092 additions and 44 deletions.
5,727 changes: 5,727 additions & 0 deletions src/CNNICHashWhitelist.inc

Large diffs are not rendered by default.

160 changes: 117 additions & 43 deletions src/node_crypto.cc
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,10 @@
#include "util.h"
#include "util-inl.h"
#include "v8.h"
// CNNIC Hash WhiteList is taken from
// https://hg.mozilla.org/mozilla-central/raw-file/98820360ab66/security/
// certverifier/CNNICHashWhitelist.inc
#include "CNNICHashWhitelist.inc"

#include <errno.h>
#include <stdlib.h>
Expand Down Expand Up @@ -84,6 +88,34 @@ using v8::V8;
using v8::Value;


// Subject DER of CNNIC ROOT CA and CNNIC EV ROOT CA are taken from
// https://hg.mozilla.org/mozilla-central/file/98820360ab66/security/
// certverifier/NSSCertDBTrustDomain.cpp#l672
// C = CN, O = CNNIC, CN = CNNIC ROOT
static const uint8_t CNNIC_ROOT_CA_SUBJECT_DATA[] =
"\x30\x32\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x0E\x30"
"\x0C\x06\x03\x55\x04\x0A\x13\x05\x43\x4E\x4E\x49\x43\x31\x13\x30\x11\x06"
"\x03\x55\x04\x03\x13\x0A\x43\x4E\x4E\x49\x43\x20\x52\x4F\x4F\x54";
static const uint8_t* cnnic_p = CNNIC_ROOT_CA_SUBJECT_DATA;
static X509_NAME* cnnic_name =
d2i_X509_NAME(nullptr, &cnnic_p, sizeof(CNNIC_ROOT_CA_SUBJECT_DATA)-1);

// C = CN, O = China Internet Network Information Center, CN = China
// Internet Network Information Center EV Certificates Root
static const uint8_t CNNIC_EV_ROOT_CA_SUBJECT_DATA[] =
"\x30\x81\x8A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x32"
"\x30\x30\x06\x03\x55\x04\x0A\x0C\x29\x43\x68\x69\x6E\x61\x20\x49\x6E\x74"
"\x65\x72\x6E\x65\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x49\x6E\x66\x6F"
"\x72\x6D\x61\x74\x69\x6F\x6E\x20\x43\x65\x6E\x74\x65\x72\x31\x47\x30\x45"
"\x06\x03\x55\x04\x03\x0C\x3E\x43\x68\x69\x6E\x61\x20\x49\x6E\x74\x65\x72"
"\x6E\x65\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x49\x6E\x66\x6F\x72\x6D"
"\x61\x74\x69\x6F\x6E\x20\x43\x65\x6E\x74\x65\x72\x20\x45\x56\x20\x43\x65"
"\x72\x74\x69\x66\x69\x63\x61\x74\x65\x73\x20\x52\x6F\x6F\x74";
static const uint8_t* cnnic_ev_p = CNNIC_EV_ROOT_CA_SUBJECT_DATA;
static X509_NAME *cnnic_ev_name =
d2i_X509_NAME(nullptr, &cnnic_ev_p,
sizeof(CNNIC_EV_ROOT_CA_SUBJECT_DATA)-1);

// Forcibly clear OpenSSL's error stack on return. This stops stale errors
// from popping up later in the lifecycle of crypto operations where they
// would cause spurious failures. It's a rather blunt method, though.
Expand Down Expand Up @@ -2210,49 +2242,91 @@ void Connection::Initialize(Environment* env, Handle<Object> target) {
}


int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) {
// Quoting SSL_set_verify(3ssl):
//
// The VerifyCallback function is used to control the behaviour when
// the SSL_VERIFY_PEER flag is set. It must be supplied by the
// application and receives two arguments: preverify_ok indicates,
// whether the verification of the certificate in question was passed
// (preverify_ok=1) or not (preverify_ok=0). x509_ctx is a pointer to
// the complete context used for the certificate chain verification.
//
// The certificate chain is checked starting with the deepest nesting
// level (the root CA certificate) and worked upward to the peer's
// certificate. At each level signatures and issuer attributes are
// checked. Whenever a verification error is found, the error number is
// stored in x509_ctx and VerifyCallback is called with preverify_ok=0.
// By applying X509_CTX_store_* functions VerifyCallback can locate the
// certificate in question and perform additional steps (see EXAMPLES).
// If no error is found for a certificate, VerifyCallback is called
// with preverify_ok=1 before advancing to the next level.
//
// The return value of VerifyCallback controls the strategy of the
// further verification process. If VerifyCallback returns 0, the
// verification process is immediately stopped with "verification
// failed" state. If SSL_VERIFY_PEER is set, a verification failure
// alert is sent to the peer and the TLS/SSL handshake is terminated. If
// VerifyCallback returns 1, the verification process is continued. If
// VerifyCallback always returns 1, the TLS/SSL handshake will not be
// terminated with respect to verification failures and the connection
// will be established. The calling process can however retrieve the
// error code of the last verification error using
// SSL_get_verify_result(3) or by maintaining its own error storage
// managed by VerifyCallback.
//
// If no VerifyCallback is specified, the default callback will be
// used. Its return value is identical to preverify_ok, so that any
// verification failure will lead to a termination of the TLS/SSL
// handshake with an alert message, if SSL_VERIFY_PEER is set.
//
// Since we cannot perform I/O quickly enough in this callback, we ignore
// all preverify_ok errors and let the handshake continue. It is
// imparative that the user use Connection::VerifyError after the
// 'secure' callback has been made.
return 1;
inline int compar(const void* a, const void* b) {
return memcmp(a, b, CNNIC_WHITELIST_HASH_LEN);
}


inline int IsSelfSigned(X509* cert) {
return X509_NAME_cmp(X509_get_subject_name(cert),
X509_get_issuer_name(cert)) == 0;
}


inline X509* FindRoot(STACK_OF(X509)* sk) {
for (int i = 0; i < sk_X509_num(sk); i++) {
X509* cert = sk_X509_value(sk, i);
if (IsSelfSigned(cert))
return cert;
}
return nullptr;
}


// Whitelist check for certs issued by CNNIC. See
// https://blog.mozilla.org/security/2015/04/02
// /distrusting-new-cnnic-certificates/
inline CheckResult CheckWhitelistedServerCert(X509_STORE_CTX* ctx) {
unsigned char hash[CNNIC_WHITELIST_HASH_LEN];
unsigned int hashlen = CNNIC_WHITELIST_HASH_LEN;

STACK_OF(X509)* chain = X509_STORE_CTX_get1_chain(ctx);
CHECK_NE(chain, nullptr);
CHECK_GT(sk_X509_num(chain), 0);

// Take the last cert as root at the first time.
X509* root_cert = sk_X509_value(chain, sk_X509_num(chain)-1);
X509_NAME* root_name = X509_get_subject_name(root_cert);

if (!IsSelfSigned(root_cert)) {
root_cert = FindRoot(chain);
CHECK_NE(root_cert, nullptr);
root_name = X509_get_subject_name(root_cert);
}

// When the cert is issued from either CNNNIC ROOT CA or CNNNIC EV
// ROOT CA, check a hash of its leaf cert if it is in the whitelist.
if (X509_NAME_cmp(root_name, cnnic_name) == 0 ||
X509_NAME_cmp(root_name, cnnic_ev_name) == 0) {
X509* leaf_cert = sk_X509_value(chain, 0);
int ret = X509_digest(leaf_cert, EVP_sha256(), hash,
&hashlen);
CHECK(ret);

void* result = bsearch(hash, WhitelistedCNNICHashes,
ARRAY_SIZE(WhitelistedCNNICHashes),
CNNIC_WHITELIST_HASH_LEN, compar);
if (result == nullptr) {
sk_X509_pop_free(chain, X509_free);
return CHECK_CERT_REVOKED;
}
}

sk_X509_pop_free(chain, X509_free);
return CHECK_OK;
}


inline int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx) {
// Failure on verification of the cert is handled in
// Connection::VerifyError.
if (preverify_ok == 0)
return 1;

// Server does not need to check the whitelist.
SSL* ssl = static_cast<SSL*>(
X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));

if (SSL_is_server(ssl))
return 1;

// Client needs to check if the server cert is listed in the
// whitelist when it is issued by the specific rootCAs.
CheckResult ret = CheckWhitelistedServerCert(ctx);
if (ret == CHECK_CERT_REVOKED)
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);

return ret;
}


Expand Down
5 changes: 5 additions & 0 deletions src/node_crypto.h
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,11 @@
namespace node {
namespace crypto {

enum CheckResult {
CHECK_CERT_REVOKED = 0,
CHECK_OK = 1
};

extern int VerifyCallback(int preverify_ok, X509_STORE_CTX* ctx);

extern X509_STORE* root_cert_store;
Expand Down
43 changes: 42 additions & 1 deletion test/fixtures/keys/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,10 @@ ca3-key.pem:

ca3-csr.pem: ca3.cnf ca3-key.pem
openssl req -new \
-extensions v3_ca -config ca3.cnf -key ca3-key.pem -out ca3-csr.pem
-extensions v3_ca \
-config ca3.cnf \
-key ca3-key.pem \
-out ca3-csr.pem

ca3-cert.pem: ca3-csr.pem ca3-key.pem ca3.cnf ca1-cert.pem ca1-key.pem
openssl x509 -req \
Expand All @@ -40,6 +43,20 @@ ca3-cert.pem: ca3-csr.pem ca3-key.pem ca3.cnf ca1-cert.pem ca1-key.pem
-CAcreateserial \
-out ca3-cert.pem

#
# Create Fake CNNIC Root Certificate Authority: fake-cnnic-root
#

fake-cnnic-root-key.pem:
openssl genrsa -out fake-cnnic-root-key.pem 2048

fake-cnnic-root-cert.pem: fake-cnnic-root.cnf fake-cnnic-root-key.pem
openssl req -x509 -new \
-key fake-cnnic-root-key.pem \
-days 1024 \
-out fake-cnnic-root-cert.pem \
-config fake-cnnic-root.cnf

#
# agent1 is signed by ca1.
#
Expand Down Expand Up @@ -204,6 +221,30 @@ agent6-cert.pem: agent6-csr.pem ca3-cert.pem ca3-key.pem
agent6-verify: agent6-cert.pem ca3-cert.pem
openssl verify -CAfile ca3-cert.pem agent6-cert.pem

#
# agent7 is signed by fake-cnnic-root.
#

agent7-key.pem:
openssl genrsa -out agent7-key.pem 2048

agent7-csr.pem: agent1.cnf agent7-key.pem
openssl req -new -config agent7.cnf -key agent7-key.pem -out agent7-csr.pem

agent7-cert.pem: agent7-csr.pem fake-cnnic-root-cert.pem fake-cnnic-root-key.pem
openssl x509 -req \
-extfile agent7.cnf \
-days 9999 \
-passin "pass:password" \
-in agent7-csr.pem \
-CA fake-cnnic-root-cert.pem \
-CAkey fake-cnnic-root-key.pem \
-CAcreateserial \
-out agent7-cert.pem

agent7-verify: agent7-cert.pem fake-cnnic-root-cert.pem
openssl verify -CAfile fake-cnnic-root-cert.pem agent7-cert.pem

ec-key.pem:
openssl ecparam -genkey -out ec-key.pem -name prime256v1

Expand Down
19 changes: 19 additions & 0 deletions test/fixtures/keys/agent7-cert.pem
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDEDCCAfigAwIBAgIJAKpGbw//YhvMMA0GCSqGSIb3DQEBCwUAMDIxCzAJBgNV
BAYTAkNOMQ4wDAYDVQQKEwVDTk5JQzETMBEGA1UEAxMKQ05OSUMgUk9PVDAeFw0x
NTA2MTAwNDI4MTNaFw00MjEwMjUwNDI4MTNaMF0xCzAJBgNVBAYTAlVTMQswCQYD
VQQIEwJDQTELMAkGA1UEBxMCU0YxDTALBgNVBAoTBElPSlMxETAPBgNVBAsTCGlv
anMub3JnMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQCur6nhJBpxAmWKVbTKvEDn8YJ7ebkpNSwNVMzSycmvo3XOIogw
ZngRJ/dL8YM/+p5CvAheJ6IqThgRw6+Se42O5ywlYpaHaY7n1oaFJC+2RUoPwdS7
Rz0dl30kXwUnKlllqkGDdFwMUD5NlXBLsGgiW1gkPHCvlOYxfuv50z3yIMgxfVGP
a7FeAYIHkRWQ5VrvugT70YaZMhLoMnj8c6RcIe81PV3eCS5Pp4ce8SGUkzAV9AFu
f4yVlEnPqqy/VrinT+xNrRKt+2YijIb54i75p+2AVveOhpLcCcB2K65Zgc5LnZB8
EY7W8/Qfh0DOAZibOd2vrUl2pkkOlR+qkYX/AgMBAAEwDQYJKoZIhvcNAQELBQAD
ggEBAIiPC5SMDJAbUwkEWZxSleKfliLnycwaRfzF/B+8CUMd+hrVdrKe/u1aPDEV
FgWq4Vd3K3jtGZxwfW8VMjtF3aj7vd/Lx6XUbZv+VUKURlDRktBuZTDdYu5mECV1
+iDd64robqeYbZ04w1pnwArT50+oZdmQ9BgbQom1B4FoMhoeSX7A0gITH5BHW1xs
SRiqI7tDoDqhhn6X8pWoiq9QpXCSjXqUDNlxmiL5+e9j6DUv+e4z/bWY0s/COmY6
2gGSZDJGDcpwx8RgEy+1gDNMMApqLZxH0b/RwtE/9R9OiPm272pCuz2zkdQM48a0
9/GbQ68v2fmDZRF2WnYrkTSzF0Y=
-----END CERTIFICATE-----
17 changes: 17 additions & 0 deletions test/fixtures/keys/agent7-csr.pem
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE REQUEST-----
MIICxzCCAa8CAQAwXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQH
EwJTRjENMAsGA1UEChMESU9KUzERMA8GA1UECxMIaW9qcy5vcmcxEjAQBgNVBAMT
CWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK6vqeEk
GnECZYpVtMq8QOfxgnt5uSk1LA1UzNLJya+jdc4iiDBmeBEn90vxgz/6nkK8CF4n
oipOGBHDr5J7jY7nLCVilodpjufWhoUkL7ZFSg/B1LtHPR2XfSRfBScqWWWqQYN0
XAxQPk2VcEuwaCJbWCQ8cK+U5jF+6/nTPfIgyDF9UY9rsV4BggeRFZDlWu+6BPvR
hpkyEugyePxzpFwh7zU9Xd4JLk+nhx7xIZSTMBX0AW5/jJWUSc+qrL9WuKdP7E2t
Eq37ZiKMhvniLvmn7YBW946GktwJwHYrrlmBzkudkHwRjtbz9B+HQM4BmJs53a+t
SXamSQ6VH6qRhf8CAwEAAaAlMCMGCSqGSIb3DQEJBzEWExRBIGNoYWxsZW5nZSBw
YXNzd29yZDANBgkqhkiG9w0BAQsFAAOCAQEAgT89dg/uj55YDT0wqNH2spt6JBK+
gF7Y8R7MBgGEJSbJnjAkJSUpKKPE3ph6mJ9naYl1U3zqt+xoQKdp8kn8649u5Hjq
TmmlsCExf0cznpMHINB9FG1aOoKdrsHf4o4eSXBAOacrpgnCpPAnaywE8F6Rc1a0
3RDogwETUOFzTKvyl8XJQ2jUQt4qs9+fmkR12IVNe8IFPe2I8j5wMmQ81nUmFDpC
NHy35vXjs+7N15FEkkvbr7jxZzMzXAhdZLUEOwIcNZsfpgCCqRmM/j5w8qXLFShd
NUZn6Psex2Jkq2rcNwJ25739ORS69nWqhZrUvaaMP6IqjFcJBVWIyRwltQ==
-----END CERTIFICATE REQUEST-----
27 changes: 27 additions & 0 deletions test/fixtures/keys/agent7-key.pem
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEArq+p4SQacQJlilW0yrxA5/GCe3m5KTUsDVTM0snJr6N1ziKI
MGZ4ESf3S/GDP/qeQrwIXieiKk4YEcOvknuNjucsJWKWh2mO59aGhSQvtkVKD8HU
u0c9HZd9JF8FJypZZapBg3RcDFA+TZVwS7BoIltYJDxwr5TmMX7r+dM98iDIMX1R
j2uxXgGCB5EVkOVa77oE+9GGmTIS6DJ4/HOkXCHvNT1d3gkuT6eHHvEhlJMwFfQB
bn+MlZRJz6qsv1a4p0/sTa0SrftmIoyG+eIu+aftgFb3joaS3AnAdiuuWYHOS52Q
fBGO1vP0H4dAzgGYmzndr61JdqZJDpUfqpGF/wIDAQABAoIBAQCNIXcKYnTKYLlQ
rjXGpZl6yvA0ef9Sf5b7nkts8YJ02IdQ5y1IjUDr+3IcdR8pDX3XRLst9q9ZpoZj
s8mhexi/H53XBnO/K1U9kWBVKQszI3/Wgy8vrzp9Mer0+5/aKKjZLliHr/a+LAZq
ABYd0IQRXeM0Q3B3KsFfs79Ks5QUjXjrOPCkFCKmLwZin0Oujbb88WDeqSHAYB0A
35lUDuQtg1rCNkTirBCdFAYFkfaRRwDGwdQ7L9cijidxMONYx1EapDbyqGL2BXJl
99ZVebokUKeKQrvsghQZhmcph1mHABsOMfRw4x8TGxMJJSRM264OYCn66EK1tBh4
tA0oU5GBAoGBAOTZEF1cQWjHHLvMUSP4B/6ZxvcP9ZdQaPISrq2j9oaArnCxxYvm
XHTZRK0YAXzPnmhBXL46FoslDwUKu+T2gajl1NOBKk9C8uao9Xqm+IDKuA+ebf8V
1B31Sf5bxnBI9jMaORGZg5/KFGvl3IzBrJODPTFToLHoqlS+lGhHoMYPAoGBAMNp
g0+w8m/CsKapOhKZ6+91pT3sHsVUQ7JhTKpajpk+JOB7JaF1eZzuShTykkpDWmGw
VesgbpBx+/JnjxW3Lnq24FUp4t+9OZ5r3gr2uFPHkmr4laT8S1WSqspmck0jZMgM
zAIrLV7miAxVefrDjoqf5VkMaqwGoZavXU5UzLERAoGAK+vFCkYEf7mHODvUbtTR
o/mbiBtWBT53hc40HDtVuybDU/mqclk58WsplRcAYhXuzw+MXy4C2Z25LjyLJzxw
UhwaJqWpmyC8Qay3wFx/YSiG/uhnMAfeeAl1tA2lHjPCnLgxr8EI1AgSt0qcc59Q
IdeUTP1B4CNJXY5eKU1l+90CgYEAuU0aybzfiH80CDY87VqsUnxa32dCnpiTQVnm
2zvYMRSu33enbX36foewFEEZ2/YWhMA0GSy965dK9Mii9FKqbo9wFxILI2NKeiGL
gxYGINwEyg9DyBm+Tj0wW5HeHavMa69G3V+YPH+azydW7iX2yxlo4JJXrRz0qfFN
J3ReTiECgYEA4CIpRG5XzW6BEscqDBBQZ46RVy8wsnwxt62V2g2CImDwzKslcHK8
oQurwl5WLKmvb0amMTedmVeIey3GOy23G8HrpHjEZjLi3wr3s3xJlPVajDBWw5Og
dgU9acdKHcbzv9dnsyC6eO1hr0TlEJqMkPuoNr3RihEuhv88rQbmGas=
-----END RSA PRIVATE KEY-----
17 changes: 17 additions & 0 deletions test/fixtures/keys/agent7.cnf
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
[ req ]
default_bits = 2048
days = 999
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no

[ req_distinguished_name ]
C = US
ST = CA
L = SF
O = IOJS
OU = iojs.org
CN = localhost

[ req_attributes ]
challengePassword = A challenge password
18 changes: 18 additions & 0 deletions test/fixtures/keys/fake-cnnic-root-cert.pem
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----
MIIC9zCCAd+gAwIBAgIJAMJ5SivqSZNtMA0GCSqGSIb3DQEBCwUAMDIxCzAJBgNV
BAYTAkNOMQ4wDAYDVQQKEwVDTk5JQzETMBEGA1UEAxMKQ05OSUMgUk9PVDAeFw0x
NTA2MDkxNzE1MTZaFw0xODAzMjkxNzE1MTZaMDIxCzAJBgNVBAYTAkNOMQ4wDAYD
VQQKEwVDTk5JQzETMBEGA1UEAxMKQ05OSUMgUk9PVDCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAMwlKdTOPb+B0bENBw5+ZgnN2KxNhLBcEd0HB174fI1o
iE7qmbRObzSXT4HCmg1j8lijq3isnI4oMH9nCJNxZcdXtY7c3YXYoGtsVWAX++ZF
wYzakXXvDnHiaGXOos9+LuIRC0PZqyoYwZb0lvfyjPzIKBLVoCAAVTw65ankLN/J
5vJ44PzyiLmBZhhr9WzyyKVYNo2X7FLMGJtg8lz0vslb4ImNxumKmGyBijv730E5
qEc6HSriNeH/GSO7HBkxpbt+1MDkg3RaY/uGABuWhtuGgT8PkYCRdsSypawG561j
NKs/Ny4gTBaQAsmnuj2wwUj0i4MQkQDute/Db/IY56UCAwEAAaMQMA4wDAYDVR0T
BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEARJG19V4/zOko/8eIVYeX9L6hQRNt
a6llIYPihQG29GdQsU+d0FqXba9N3oUD5kSF21F4oty7hWzLbBWnrKl66mXKNwWI
DjcYwjc2etThNEhud3jY2SreDx6OIFu97DW2oZfvBSTYrh1xastxuDVcBmhdNk4N
76Qj8s2X9KOS7nE+FY90ANwvckmHEAiq//aD5liwzCc8AYZi/JxV00YR7JS7Niee
y0M5UZ0AAO+P9DB+fkIRZcSodtmPa4Q3m32p3RgGS7TnNHsqDvRXsnrt+7YV1kBW
xrYO/iKGhq2K4bv6Z8JWUHyGyx7JEOFCJ25oWLYgByW5cJUE3xM4UTDzuw==
-----END CERTIFICATE-----
1 change: 1 addition & 0 deletions test/fixtures/keys/fake-cnnic-root-cert.srl
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
AA466F0FFF621BCC
27 changes: 27 additions & 0 deletions test/fixtures/keys/fake-cnnic-root-key.pem
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAzCUp1M49v4HRsQ0HDn5mCc3YrE2EsFwR3QcHXvh8jWiITuqZ
tE5vNJdPgcKaDWPyWKOreKycjigwf2cIk3Flx1e1jtzdhdiga2xVYBf75kXBjNqR
de8OceJoZc6iz34u4hELQ9mrKhjBlvSW9/KM/MgoEtWgIABVPDrlqeQs38nm8njg
/PKIuYFmGGv1bPLIpVg2jZfsUswYm2DyXPS+yVvgiY3G6YqYbIGKO/vfQTmoRzod
KuI14f8ZI7scGTGlu37UwOSDdFpj+4YAG5aG24aBPw+RgJF2xLKlrAbnrWM0qz83
LiBMFpACyae6PbDBSPSLgxCRAO6178Nv8hjnpQIDAQABAoIBAGKGtS+98lNRRnEb
BoLaQkkNDjvqldXAOebhE4+kggiFoPPlihVZnZZWSMsprswzpq1dIM73EAAUKYPz
qFHw8txI2pl+w3Nr39C40mO0b6DtncJrYrT2kZQpX5VzK2TVU69L5pHypgeFNzmy
BoLYj28Y8y5T6BpJztlo25spQvcmUAR0PZmde1NJwjWTdxAlCeER+fvgJu2UsKpn
EEEIc5UGEdedhRLkQgt0Cu1FqeDihvr+z6upH467trmNhlTyrPeN3+FqRUkuqPvA
RdR1g7+fSRTku+QzrCq/tN2zyjVDwED2GGQs1fCOYOb/vSsIydIddqGIqdSdE05r
ZtIhGEECgYEA7EtwzIJAHV1rcB2OcNgodLx7/ratPIJZg5umGDfd159MkwzxcFjz
lxiu4SjW8s+83KgZ6E6N4ZsekJLz1eI33gGGK4XqGBSHiQe+A8WnQeRJXCmT1nzx
23LjE07sJd42l2byPejF+dBRQZF71pqsjTHLvn+jJD2CakdaeozEpEkCgYEA3Stg
L7DqSjPBOaGpFR6bZqdJhYG4/FVIVN9sKTfo0CqlNHrqjIeL8RgTSu+PYJTvIF2B
NfUjTfsxGfLKKBIHR+1LRMt2rr/tYnvr1/kwAAw9zYaugNiZ/J4BPLCXtN4Ahj4t
2d2Zbyg/bD3ppmT80LGnzJ3oQhmQVC0nuv8PMH0CgYEA4zzVmEa2Q8cgWCyEXC70
EPdmQxkIVkWAshkQTQAE3qR6bnwnAAT7FNaO70doFxACLy2V5JsOxOR5K023Inwv
f9d1YQuiiU/M29HPQS9mXu6cQf5WBxIXQRQmHd5rKSue0lEVKsZdBZX5XpX7QvFy
eUJnDqcOi/5/GZfPAkW3ockCgYAa+/vUVcWAIChnG65BgWZ8c9SokVc8kjss/8V2
kfe5zjox2P1c//y3AbT445mesw0p6b6mEq6oCQnInLLFiM2SnQUd86UbVRdleLEh
vKl6mAPCW7hWyBahl7WW7gTUcHGn71YwyrS5tzNlxXgIcTHXVJWghXOc/Pl7C7dZ
PV1hEQKBgQCnJQuQ1fb+w9O+P2MKdZPD/ztrghIeIyS9X90GuFWPMCWlIO6gaF8U
JY3BNuiahAhxVLcnaG8mNCXARPGCRGYDwN11vv/jrUOH/dXbd1bwwUkHfNu00w75
LTHh1YKab/RifALc5k8mGWNIuZWE8xqjKOrpyNiX2VKwhglrJ1NK0A==
-----END RSA PRIVATE KEY-----
Loading

0 comments on commit 3beb880

Please sign in to comment.