github.com/JimmyHuang454/JLS-go@v0.0.0-20230831150107-90d536585ba0/tls/boring_test.go (about) 1 // Copyright 2017 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 //go:build boringcrypto 6 7 package tls 8 9 import ( 10 "crypto/ecdsa" 11 "crypto/elliptic" 12 "crypto/internal/boring/fipstls" 13 "crypto/rand" 14 "crypto/rsa" 15 "crypto/x509" 16 "crypto/x509/pkix" 17 "encoding/pem" 18 "fmt" 19 "internal/obscuretestdata" 20 "math/big" 21 "net" 22 "runtime" 23 "strings" 24 "testing" 25 "time" 26 ) 27 28 func TestBoringServerProtocolVersion(t *testing.T) { 29 test := func(name string, v uint16, msg string) { 30 t.Run(name, func(t *testing.T) { 31 serverConfig := testConfig.Clone() 32 serverConfig.MinVersion = VersionSSL30 33 clientHello := &clientHelloMsg{ 34 vers: v, 35 random: make([]byte, 32), 36 cipherSuites: allCipherSuites(), 37 compressionMethods: []uint8{compressionNone}, 38 supportedVersions: []uint16{v}, 39 } 40 testClientHelloFailure(t, serverConfig, clientHello, msg) 41 }) 42 } 43 44 test("VersionTLS10", VersionTLS10, "") 45 test("VersionTLS11", VersionTLS11, "") 46 test("VersionTLS12", VersionTLS12, "") 47 test("VersionTLS13", VersionTLS13, "") 48 49 fipstls.Force() 50 defer fipstls.Abandon() 51 test("VersionSSL30", VersionSSL30, "client offered only unsupported versions") 52 test("VersionTLS10", VersionTLS10, "client offered only unsupported versions") 53 test("VersionTLS11", VersionTLS11, "client offered only unsupported versions") 54 test("VersionTLS12", VersionTLS12, "") 55 test("VersionTLS13", VersionTLS13, "client offered only unsupported versions") 56 } 57 58 func isBoringVersion(v uint16) bool { 59 return v == VersionTLS12 60 } 61 62 func isBoringCipherSuite(id uint16) bool { 63 switch id { 64 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 65 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 66 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 67 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 68 TLS_RSA_WITH_AES_128_GCM_SHA256, 69 TLS_RSA_WITH_AES_256_GCM_SHA384: 70 return true 71 } 72 return false 73 } 74 75 func isBoringCurve(id CurveID) bool { 76 switch id { 77 case CurveP256, CurveP384, CurveP521: 78 return true 79 } 80 return false 81 } 82 83 func isECDSA(id uint16) bool { 84 for _, suite := range cipherSuites { 85 if suite.id == id { 86 return suite.flags&suiteECSign == suiteECSign 87 } 88 } 89 panic(fmt.Sprintf("unknown cipher suite %#x", id)) 90 } 91 92 func isBoringSignatureScheme(alg SignatureScheme) bool { 93 switch alg { 94 default: 95 return false 96 case PKCS1WithSHA256, 97 ECDSAWithP256AndSHA256, 98 PKCS1WithSHA384, 99 ECDSAWithP384AndSHA384, 100 PKCS1WithSHA512, 101 ECDSAWithP521AndSHA512, 102 PSSWithSHA256, 103 PSSWithSHA384, 104 PSSWithSHA512: 105 // ok 106 } 107 return true 108 } 109 110 func TestBoringServerCipherSuites(t *testing.T) { 111 serverConfig := testConfig.Clone() 112 serverConfig.CipherSuites = allCipherSuites() 113 serverConfig.Certificates = make([]Certificate, 1) 114 115 for _, id := range allCipherSuites() { 116 if isECDSA(id) { 117 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate} 118 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey 119 } else { 120 serverConfig.Certificates[0].Certificate = [][]byte{testRSACertificate} 121 serverConfig.Certificates[0].PrivateKey = testRSAPrivateKey 122 } 123 serverConfig.BuildNameToCertificate() 124 t.Run(fmt.Sprintf("suite=%#x", id), func(t *testing.T) { 125 clientHello := &clientHelloMsg{ 126 vers: VersionTLS12, 127 random: make([]byte, 32), 128 cipherSuites: []uint16{id}, 129 compressionMethods: []uint8{compressionNone}, 130 supportedCurves: defaultCurvePreferences, 131 supportedPoints: []uint8{pointFormatUncompressed}, 132 } 133 134 testClientHello(t, serverConfig, clientHello) 135 t.Run("fipstls", func(t *testing.T) { 136 fipstls.Force() 137 defer fipstls.Abandon() 138 msg := "" 139 if !isBoringCipherSuite(id) { 140 msg = "no cipher suite supported by both client and server" 141 } 142 testClientHelloFailure(t, serverConfig, clientHello, msg) 143 }) 144 }) 145 } 146 } 147 148 func TestBoringServerCurves(t *testing.T) { 149 serverConfig := testConfig.Clone() 150 serverConfig.Certificates = make([]Certificate, 1) 151 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate} 152 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey 153 serverConfig.BuildNameToCertificate() 154 155 for _, curveid := range defaultCurvePreferences { 156 t.Run(fmt.Sprintf("curve=%d", curveid), func(t *testing.T) { 157 clientHello := &clientHelloMsg{ 158 vers: VersionTLS12, 159 random: make([]byte, 32), 160 cipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, 161 compressionMethods: []uint8{compressionNone}, 162 supportedCurves: []CurveID{curveid}, 163 supportedPoints: []uint8{pointFormatUncompressed}, 164 } 165 166 testClientHello(t, serverConfig, clientHello) 167 168 // With fipstls forced, bad curves should be rejected. 169 t.Run("fipstls", func(t *testing.T) { 170 fipstls.Force() 171 defer fipstls.Abandon() 172 msg := "" 173 if !isBoringCurve(curveid) { 174 msg = "no cipher suite supported by both client and server" 175 } 176 testClientHelloFailure(t, serverConfig, clientHello, msg) 177 }) 178 }) 179 } 180 } 181 182 func boringHandshake(t *testing.T, clientConfig, serverConfig *Config) (clientErr, serverErr error) { 183 c, s := localPipe(t) 184 client := Client(c, clientConfig) 185 server := Server(s, serverConfig) 186 done := make(chan error, 1) 187 go func() { 188 done <- client.Handshake() 189 c.Close() 190 }() 191 serverErr = server.Handshake() 192 s.Close() 193 clientErr = <-done 194 return 195 } 196 197 func TestBoringServerSignatureAndHash(t *testing.T) { 198 defer func() { 199 testingOnlyForceClientHelloSignatureAlgorithms = nil 200 }() 201 202 for _, sigHash := range defaultSupportedSignatureAlgorithms { 203 t.Run(fmt.Sprintf("%#x", sigHash), func(t *testing.T) { 204 serverConfig := testConfig.Clone() 205 serverConfig.Certificates = make([]Certificate, 1) 206 207 testingOnlyForceClientHelloSignatureAlgorithms = []SignatureScheme{sigHash} 208 209 sigType, _, _ := typeAndHashFromSignatureScheme(sigHash) 210 switch sigType { 211 case signaturePKCS1v15, signatureRSAPSS: 212 serverConfig.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256} 213 serverConfig.Certificates[0].Certificate = [][]byte{testRSA2048Certificate} 214 serverConfig.Certificates[0].PrivateKey = testRSA2048PrivateKey 215 case signatureEd25519: 216 serverConfig.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256} 217 serverConfig.Certificates[0].Certificate = [][]byte{testEd25519Certificate} 218 serverConfig.Certificates[0].PrivateKey = testEd25519PrivateKey 219 case signatureECDSA: 220 serverConfig.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256} 221 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate} 222 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey 223 } 224 serverConfig.BuildNameToCertificate() 225 // PKCS#1 v1.5 signature algorithms can't be used standalone in TLS 226 // 1.3, and the ECDSA ones bind to the curve used. 227 serverConfig.MaxVersion = VersionTLS12 228 229 clientErr, serverErr := boringHandshake(t, testConfig, serverConfig) 230 if clientErr != nil { 231 t.Fatalf("expected handshake with %#x to succeed; client error: %v; server error: %v", sigHash, clientErr, serverErr) 232 } 233 234 // With fipstls forced, bad curves should be rejected. 235 t.Run("fipstls", func(t *testing.T) { 236 fipstls.Force() 237 defer fipstls.Abandon() 238 clientErr, _ := boringHandshake(t, testConfig, serverConfig) 239 if isBoringSignatureScheme(sigHash) { 240 if clientErr != nil { 241 t.Fatalf("expected handshake with %#x to succeed; err=%v", sigHash, clientErr) 242 } 243 } else { 244 if clientErr == nil { 245 t.Fatalf("expected handshake with %#x to fail, but it succeeded", sigHash) 246 } 247 } 248 }) 249 }) 250 } 251 } 252 253 func TestBoringClientHello(t *testing.T) { 254 // Test that no matter what we put in the client config, 255 // the client does not offer non-FIPS configurations. 256 fipstls.Force() 257 defer fipstls.Abandon() 258 259 c, s := net.Pipe() 260 defer c.Close() 261 defer s.Close() 262 263 clientConfig := testConfig.Clone() 264 // All sorts of traps for the client to avoid. 265 clientConfig.MinVersion = VersionSSL30 266 clientConfig.MaxVersion = VersionTLS13 267 clientConfig.CipherSuites = allCipherSuites() 268 clientConfig.CurvePreferences = defaultCurvePreferences 269 270 go Client(c, clientConfig).Handshake() 271 srv := Server(s, testConfig) 272 msg, err := srv.readHandshake(nil) 273 if err != nil { 274 t.Fatal(err) 275 } 276 hello, ok := msg.(*clientHelloMsg) 277 if !ok { 278 t.Fatalf("unexpected message type %T", msg) 279 } 280 281 if !isBoringVersion(hello.vers) { 282 t.Errorf("client vers=%#x, want %#x (TLS 1.2)", hello.vers, VersionTLS12) 283 } 284 for _, v := range hello.supportedVersions { 285 if !isBoringVersion(v) { 286 t.Errorf("client offered disallowed version %#x", v) 287 } 288 } 289 for _, id := range hello.cipherSuites { 290 if !isBoringCipherSuite(id) { 291 t.Errorf("client offered disallowed suite %#x", id) 292 } 293 } 294 for _, id := range hello.supportedCurves { 295 if !isBoringCurve(id) { 296 t.Errorf("client offered disallowed curve %d", id) 297 } 298 } 299 for _, sigHash := range hello.supportedSignatureAlgorithms { 300 if !isBoringSignatureScheme(sigHash) { 301 t.Errorf("client offered disallowed signature-and-hash %v", sigHash) 302 } 303 } 304 } 305 306 func TestBoringCertAlgs(t *testing.T) { 307 // NaCl, arm and wasm time out generating keys. Nothing in this test is architecture-specific, so just don't bother on those. 308 if runtime.GOOS == "nacl" || runtime.GOARCH == "arm" || runtime.GOOS == "js" { 309 t.Skipf("skipping on %s/%s because key generation takes too long", runtime.GOOS, runtime.GOARCH) 310 } 311 312 // Set up some roots, intermediate CAs, and leaf certs with various algorithms. 313 // X_Y is X signed by Y. 314 R1 := boringCert(t, "R1", boringRSAKey(t, 2048), nil, boringCertCA|boringCertFIPSOK) 315 R2 := boringCert(t, "R2", boringRSAKey(t, 512), nil, boringCertCA) 316 317 M1_R1 := boringCert(t, "M1_R1", boringECDSAKey(t, elliptic.P256()), R1, boringCertCA|boringCertFIPSOK) 318 M2_R1 := boringCert(t, "M2_R1", boringECDSAKey(t, elliptic.P224()), R1, boringCertCA) 319 320 I_R1 := boringCert(t, "I_R1", boringRSAKey(t, 3072), R1, boringCertCA|boringCertFIPSOK) 321 I_R2 := boringCert(t, "I_R2", I_R1.key, R2, boringCertCA|boringCertFIPSOK) 322 I_M1 := boringCert(t, "I_M1", I_R1.key, M1_R1, boringCertCA|boringCertFIPSOK) 323 I_M2 := boringCert(t, "I_M2", I_R1.key, M2_R1, boringCertCA|boringCertFIPSOK) 324 325 L1_I := boringCert(t, "L1_I", boringECDSAKey(t, elliptic.P384()), I_R1, boringCertLeaf|boringCertFIPSOK) 326 L2_I := boringCert(t, "L2_I", boringRSAKey(t, 1024), I_R1, boringCertLeaf) 327 328 // client verifying server cert 329 testServerCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) { 330 clientConfig := testConfig.Clone() 331 clientConfig.RootCAs = pool 332 clientConfig.InsecureSkipVerify = false 333 clientConfig.ServerName = "example.com" 334 335 serverConfig := testConfig.Clone() 336 serverConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}} 337 serverConfig.BuildNameToCertificate() 338 339 clientErr, _ := boringHandshake(t, clientConfig, serverConfig) 340 341 if (clientErr == nil) == ok { 342 if ok { 343 t.Logf("%s: accept", desc) 344 } else { 345 t.Logf("%s: reject", desc) 346 } 347 } else { 348 if ok { 349 t.Errorf("%s: BAD reject (%v)", desc, clientErr) 350 } else { 351 t.Errorf("%s: BAD accept", desc) 352 } 353 } 354 } 355 356 // server verifying client cert 357 testClientCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) { 358 clientConfig := testConfig.Clone() 359 clientConfig.ServerName = "example.com" 360 clientConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}} 361 362 serverConfig := testConfig.Clone() 363 serverConfig.ClientCAs = pool 364 serverConfig.ClientAuth = RequireAndVerifyClientCert 365 366 _, serverErr := boringHandshake(t, clientConfig, serverConfig) 367 368 if (serverErr == nil) == ok { 369 if ok { 370 t.Logf("%s: accept", desc) 371 } else { 372 t.Logf("%s: reject", desc) 373 } 374 } else { 375 if ok { 376 t.Errorf("%s: BAD reject (%v)", desc, serverErr) 377 } else { 378 t.Errorf("%s: BAD accept", desc) 379 } 380 } 381 } 382 383 // Run simple basic test with known answers before proceeding to 384 // exhaustive test with computed answers. 385 r1pool := x509.NewCertPool() 386 r1pool.AddCert(R1.cert) 387 testServerCert(t, "basic", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true) 388 testClientCert(t, "basic (client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true) 389 fipstls.Force() 390 testServerCert(t, "basic (fips)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false) 391 testClientCert(t, "basic (fips, client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false) 392 fipstls.Abandon() 393 394 if t.Failed() { 395 t.Fatal("basic test failed, skipping exhaustive test") 396 } 397 398 if testing.Short() { 399 t.Logf("basic test passed; skipping exhaustive test in -short mode") 400 return 401 } 402 403 for l := 1; l <= 2; l++ { 404 leaf := L1_I 405 if l == 2 { 406 leaf = L2_I 407 } 408 for i := 0; i < 64; i++ { 409 reachable := map[string]bool{leaf.parentOrg: true} 410 reachableFIPS := map[string]bool{leaf.parentOrg: leaf.fipsOK} 411 list := [][]byte{leaf.der} 412 listName := leaf.name 413 addList := func(cond int, c *boringCertificate) { 414 if cond != 0 { 415 list = append(list, c.der) 416 listName += "," + c.name 417 if reachable[c.org] { 418 reachable[c.parentOrg] = true 419 } 420 if reachableFIPS[c.org] && c.fipsOK { 421 reachableFIPS[c.parentOrg] = true 422 } 423 } 424 } 425 addList(i&1, I_R1) 426 addList(i&2, I_R2) 427 addList(i&4, I_M1) 428 addList(i&8, I_M2) 429 addList(i&16, M1_R1) 430 addList(i&32, M2_R1) 431 432 for r := 1; r <= 3; r++ { 433 pool := x509.NewCertPool() 434 rootName := "," 435 shouldVerify := false 436 shouldVerifyFIPS := false 437 addRoot := func(cond int, c *boringCertificate) { 438 if cond != 0 { 439 rootName += "," + c.name 440 pool.AddCert(c.cert) 441 if reachable[c.org] { 442 shouldVerify = true 443 } 444 if reachableFIPS[c.org] && c.fipsOK { 445 shouldVerifyFIPS = true 446 } 447 } 448 } 449 addRoot(r&1, R1) 450 addRoot(r&2, R2) 451 rootName = rootName[1:] // strip leading comma 452 testServerCert(t, listName+"->"+rootName[1:], pool, leaf.key, list, shouldVerify) 453 testClientCert(t, listName+"->"+rootName[1:]+"(client cert)", pool, leaf.key, list, shouldVerify) 454 fipstls.Force() 455 testServerCert(t, listName+"->"+rootName[1:]+" (fips)", pool, leaf.key, list, shouldVerifyFIPS) 456 testClientCert(t, listName+"->"+rootName[1:]+" (fips, client cert)", pool, leaf.key, list, shouldVerifyFIPS) 457 fipstls.Abandon() 458 } 459 } 460 } 461 } 462 463 const ( 464 boringCertCA = iota 465 boringCertLeaf 466 boringCertFIPSOK = 0x80 467 ) 468 469 func boringRSAKey(t *testing.T, size int) *rsa.PrivateKey { 470 k, err := rsa.GenerateKey(rand.Reader, size) 471 if err != nil { 472 t.Fatal(err) 473 } 474 return k 475 } 476 477 func boringECDSAKey(t *testing.T, curve elliptic.Curve) *ecdsa.PrivateKey { 478 k, err := ecdsa.GenerateKey(curve, rand.Reader) 479 if err != nil { 480 t.Fatal(err) 481 } 482 return k 483 } 484 485 type boringCertificate struct { 486 name string 487 org string 488 parentOrg string 489 der []byte 490 cert *x509.Certificate 491 key interface{} 492 fipsOK bool 493 } 494 495 func boringCert(t *testing.T, name string, key interface{}, parent *boringCertificate, mode int) *boringCertificate { 496 org := name 497 parentOrg := "" 498 if i := strings.Index(org, "_"); i >= 0 { 499 org = org[:i] 500 parentOrg = name[i+1:] 501 } 502 tmpl := &x509.Certificate{ 503 SerialNumber: big.NewInt(1), 504 Subject: pkix.Name{ 505 Organization: []string{org}, 506 }, 507 NotBefore: time.Unix(0, 0), 508 NotAfter: time.Unix(0, 0), 509 510 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, 511 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, 512 BasicConstraintsValid: true, 513 } 514 if mode&^boringCertFIPSOK == boringCertLeaf { 515 tmpl.DNSNames = []string{"example.com"} 516 } else { 517 tmpl.IsCA = true 518 tmpl.KeyUsage |= x509.KeyUsageCertSign 519 } 520 521 var pcert *x509.Certificate 522 var pkey interface{} 523 if parent != nil { 524 pcert = parent.cert 525 pkey = parent.key 526 } else { 527 pcert = tmpl 528 pkey = key 529 } 530 531 var pub interface{} 532 switch k := key.(type) { 533 case *rsa.PrivateKey: 534 pub = &k.PublicKey 535 case *ecdsa.PrivateKey: 536 pub = &k.PublicKey 537 default: 538 t.Fatalf("invalid key %T", key) 539 } 540 541 der, err := x509.CreateCertificate(rand.Reader, tmpl, pcert, pub, pkey) 542 if err != nil { 543 t.Fatal(err) 544 } 545 cert, err := x509.ParseCertificate(der) 546 if err != nil { 547 t.Fatal(err) 548 } 549 550 fipsOK := mode&boringCertFIPSOK != 0 551 return &boringCertificate{name, org, parentOrg, der, cert, key, fipsOK} 552 } 553 554 // A self-signed test certificate with an RSA key of size 2048, for testing 555 // RSA-PSS with SHA512. SAN of example.golang. 556 var ( 557 testRSA2048Certificate []byte 558 testRSA2048PrivateKey *rsa.PrivateKey 559 ) 560 561 func init() { 562 block, _ := pem.Decode(obscuretestdata.Rot13([]byte(` 563 -----ORTVA PREGVSVPNGR----- 564 ZVVP/mPPNrrtNjVONtVENYUUK/xu4+4mZH9QnemORpDjQDLWXbMVuipANDRYODNj 565 RwRDZN4TN1HRPuZUDJAgMFOQomNrSj0kZGNkZQRkAGN0ZQInSj0lZQRlZwxkAGN0 566 ZQInZOVkRQNBOtAIONbGO0SwoJHtD28jttRvZN0TPFdTFVo3QDRONDHNN4VOQjNj 567 ttRXNbVONDPs8sx0A6vrPOK4VBIVsXvgg4xTpBDYrvzPsfwddUplfZVITRgSFZ6R 568 4Nl141s/7VdqJ0HgVdAo4CKuEBVQ7lQkE284kY6KoPhi/g5uC3HpruLp3uzYvlIq 569 ZxMDvMJgsHHWs/1dBgZ+buAt59YEJc4q+6vK0yn1WY3RjPVpxxAwW9uDoS7Co2PF 570 +RF9Lb55XNnc8XBoycpE8ZOFA38odajwsDqPKiBRBwnz2UHkXmRSK5ZN+sN0zr4P 571 vbPpPEYJXy+TbA9S8sNOsbM+G+2rny4QYhB95eKE8FeBVIOu3KSBe/EIuwgKpAIS 572 MXpiQg6q68I6wNXNLXz5ayw9TCcq4i+eNtZONNTwHQOBZN4TN1HqQjRO/jDRNjVS 573 bQNGOtAIUFHRQQNXOtteOtRSODpQNGNZOtAIUEZONs8RNwNNZOxTN1HqRDDFZOPP 574 QzI4LJ1joTHhM29fLJ5aZN0TPFdTFVo3QDROPjHNN4VONDPBbLfIpSPOuobdr3JU 575 qP6I7KKKRPzawu01e8u80li0AE379aFQ3pj2Z+UXinKlfJdey5uwTIXj0igjQ81e 576 I4WmQh7VsVbt5z8+DAP+7YdQMfm88iQXBefblFIBzHPtzPXSKrj+YN+rB/vDRWGe 577 7rafqqBrKWRc27Rq5iJ+xzJJ3Dztyp2Tjl8jSeZQVdaeaBmON4bPaQRtgKWg0mbt 578 aEjosRZNJv1nDEl5qG9XN3FC9zb5FrGSFmTTUvR4f4tUHr7wifNSS2dtgQ6+jU6f 579 m9o6fukaP7t5VyOXuV7FIO/Hdg2lqW+xU1LowZpVd6ANZ5rAZXtMhWe3+mjfFtju 580 TAnR 581 -----RAQ PREGVSVPNGR-----`))) 582 testRSA2048Certificate = block.Bytes 583 584 block, _ = pem.Decode(obscuretestdata.Rot13([]byte(` 585 -----ORTVA EFN CEVINGR XRL----- 586 ZVVRcNVONNXPNDRNa/U5AQrbattI+PQyFUlbeorWOaQxP3bcta7V6du3ZeQPSEuY 587 EHwBuBNZgrAK/+lXaIgSYFXwJ+Q14HGvN+8t8HqiBZF+y2jee/7rLG91UUbJUA4M 588 v4fyKGWTHVzIeK1SPK/9nweGCdVGLBsF0IdrUshby9WJgFF9kZNvUWWQLlsLHTkr 589 m29txiuRiJXBrFtTdsPwz5nKRsQNHwq/T6c8V30UDy7muQb2cgu1ZFfkOI+GNCaj 590 AWahNbdNaNxF1vcsudQsEsUjNK6Tsx/gazcrNl7wirn10sRdmvSDLq1kGd/0ILL7 591 I3QIEJFaYj7rariSrbjPtTPchM5L/Ew6KrY/djVQNDNONbVONDPAcZMvsq/it42u 592 UqPiYhMnLF0E7FhaSycbKRfygTqYSfac0VsbWM/htSDOFNVVsYjZhzH6bKN1m7Hi 593 98nVLI61QrCeGPQIQSOfUoAzC8WNb8JgohfRojq5mlbO7YLT2+pyxWxyJR73XdHd 594 ezV+HWrlFpy2Tva7MGkOKm1JCOx9IjpajxrnKctNFVOJ23suRPZ9taLRRjnOrm5G 595 6Zr8q1gUgLDi7ifXr7eb9j9/UXeEKrwdLXX1YkxusSevlI+z8YMWMa2aKBn6T3tS 596 Ao8Dx1Hx5CHORAOzlZSWuG4Z/hhFd4LgZeeB2tv8D+sCuhTmp5FfuLXEOc0J4C5e 597 zgIPgRSENbTONZRAOVSYeI2+UfTw0kLSnfXbi/DCr6UFGE1Uu2VMBAc+bX4bfmJR 598 wOG4IpaVGzcy6gP1Jl4TpekwAtXVSMNw+1k1YHHYqbeKxhT8le0gNuT9mAlsJfFl 599 CeFbiP0HIome8Wkkyn+xDIkRDDdJDkCyRIhY8xKnVQN6Ylg1Uchn2YiCNbTONADM 600 p6Yd2G7+OkYkAqv2z8xMmrw5xtmOc/KqIfoSJEyroVK2XeSUfeUmG9CHx3QR1iMX 601 Z6cmGg94aDuJFxQtPnj1FbuRyW3USVSjphfS1FWNp3cDrcq8ht6VLqycQZYgOw/C 602 /5C6OIHgtb05R4+V/G3vLngztyDkGgyM0ExFI2yyNbTONYBKxXSK7nuCis0JxfQu 603 hGshSBGCbbjtDT0RctJ0jEqPkrt/WYvp3yFQ0tfggDI2JfErpelJpknryEt10EzB 604 38OobtzunS4kitfFihwBsvMGR8bX1G43Z+6AXfVyZY3LVYocH/9nWkCJl0f2QdQe 605 pDWuMeyx+cmwON7Oas/HEqjkNbTNXE/PAj14Q+zeY3LYoovPKvlqdkIjki5cqMqm 606 8guv3GApfJP4vTHEqpIdosHvaICqWvKr/Xnp3JTPrEWnSItoXNBkYgv1EO5ZxVut 607 Q8rlhcOdx4J1Y1txekdfqw4GSykxjZljwy2R2F4LlD8COg6I04QbIEMfVXmdm+CS 608 HvbaCd0PtLOPLKidvbWuCrjxBd/L5jeQOrMJ1SDX5DQ9J5Z8/5mkq4eqiWgwuoWc 609 bBegiZqey6hcl9Um4OWQ3SKjISvCSR7wdrAdv0S21ivYkOCZZQ3HBQS6YY5RlYvE 610 9I4kIZF8XKkit7ekfhdmZCfpIvnJHY6JAIOufQ2+92qUkFKmm5RWXD== 611 -----RAQ EFN CEVINGR XRL-----`))) 612 var err error 613 testRSA2048PrivateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes) 614 if err != nil { 615 panic(err) 616 } 617 }