github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/kbfs/kbfscrypto/root_certs.go (about)

     1  // Copyright 2016 Keybase Inc. All rights reserved.
     2  // Use of this source code is governed by a BSD
     3  // license that can be found in the LICENSE file.
     4  
     5  package kbfscrypto
     6  
     7  import (
     8  	"net"
     9  	"os"
    10  )
    11  
    12  // TestRootCert is a CA cert which can be used for testing TLS support.
    13  // 127.0.0.1 is the only supported address.
    14  const TestRootCert = `Certificate:
    15      Data:
    16          Version: 3 (0x2)
    17          Serial Number:
    18              df:57:8e:02:e8:e3:a2:04:e4:3f:ab:a4:3c:50:42:53
    19          Signature Algorithm: sha256WithRSAEncryption
    20          Issuer: O=Keybase, Inc. **TEST CA**
    21          Validity
    22              Not Before: Aug  4 03:36:58 2015 GMT
    23              Not After : Aug  1 03:36:58 2025 GMT
    24          Subject: O=Keybase, Inc. **TEST CA**
    25          Subject Public Key Info:
    26              Public Key Algorithm: rsaEncryption
    27              RSA Public Key: (2048 bit)
    28                  Modulus (2048 bit):
    29                      00:dc:aa:08:3a:f9:03:11:58:aa:d0:81:e4:ca:11:
    30                      97:ef:42:fb:c6:83:e2:de:df:c0:63:ae:0e:79:f6:
    31                      be:eb:70:8d:f0:1b:73:fb:f2:99:af:04:56:ff:f2:
    32                      c3:26:7c:fb:eb:fc:fc:fd:23:3e:9d:e5:c2:67:de:
    33                      59:29:42:71:24:f8:3f:e8:91:82:4d:64:81:90:a4:
    34                      30:46:ed:c4:25:76:3d:ba:4e:70:06:b1:ee:78:ac:
    35                      48:95:f1:e8:94:7d:f4:9b:b7:1e:cd:9d:9c:fd:48:
    36                      59:50:eb:f1:29:1f:b6:34:e4:e7:d1:85:11:67:bb:
    37                      08:fa:3b:c4:29:a1:a7:10:8a:0e:44:85:be:88:9f:
    38                      e8:e0:af:87:33:21:ea:a6:d1:24:c4:b2:8f:59:f5:
    39                      02:4f:b2:59:67:e3:ad:be:7e:ee:3b:ee:71:23:e1:
    40                      6e:66:7c:18:16:c3:18:f5:68:1d:42:f9:32:2e:67:
    41                      e4:08:66:8a:2e:d2:f5:26:98:70:4b:c4:14:ef:77:
    42                      2e:95:4b:fc:0b:32:03:f1:5f:d7:ba:06:e9:71:c4:
    43                      dc:a3:6a:d1:4c:f5:6a:cd:7c:96:82:df:ad:b2:9d:
    44                      14:26:d1:dd:dd:40:59:1f:dd:86:34:45:0e:91:51:
    45                      2c:42:76:57:42:61:82:c2:02:f1:c7:b0:47:06:f8:
    46                      f8:63
    47                  Exponent: 65537 (0x10001)
    48          X509v3 extensions:
    49              X509v3 Key Usage: critical
    50                  Digital Signature, Key Encipherment, Certificate Sign
    51              X509v3 Extended Key Usage: 
    52                  TLS Web Server Authentication
    53              X509v3 Basic Constraints: critical
    54                  CA:TRUE
    55              X509v3 Subject Alternative Name: 
    56                  IP Address:127.0.0.1
    57      Signature Algorithm: sha256WithRSAEncryption
    58          03:72:7e:8f:b8:72:e1:ce:1e:67:92:71:e8:f7:9d:cd:ce:cc:
    59          e1:6f:29:69:3d:17:59:66:95:11:23:6a:eb:82:76:c9:b4:83:
    60          c2:50:e5:5a:55:2b:fd:c4:92:56:db:91:42:2a:29:56:30:5f:
    61          ae:6b:ae:69:a6:61:98:51:c2:c4:88:d6:58:11:4b:e5:05:ae:
    62          5d:29:74:0f:1f:05:5e:f9:33:3a:3a:98:dc:a1:0f:71:b2:8b:
    63          74:fd:fb:f2:c7:38:93:0b:22:80:ac:08:d1:3f:8f:bf:32:93:
    64          8a:a0:85:9a:e7:1d:d9:af:fa:94:e0:9f:6f:b4:e6:e6:98:91:
    65          b8:a1:b2:f4:6d:9c:29:8b:3e:fc:f5:61:7b:e1:6d:ad:2f:fd:
    66          8e:1e:ad:6d:f7:6c:75:29:48:b5:5b:01:cc:4a:a1:06:b9:03:
    67          19:7f:a9:b6:7f:86:94:32:4c:5f:59:3c:b8:74:b6:aa:63:80:
    68          44:59:3d:d9:61:35:01:75:52:0a:2c:ff:f5:fe:df:13:e5:d9:
    69          79:3a:77:d9:d9:11:b4:40:e0:8a:b1:df:a4:19:52:1f:f1:bb:
    70          3b:ac:35:96:17:de:78:dc:ed:b8:79:a1:2f:f9:9d:31:1b:9e:
    71          6c:93:17:b7:fe:f1:fe:a4:00:45:eb:85:f8:82:85:6f:0d:93:
    72          93:f0:d3:8c
    73  -----BEGIN CERTIFICATE-----
    74  MIIDGDCCAgKgAwIBAgIRAN9XjgLo46IE5D+rpDxQQlMwCwYJKoZIhvcNAQELMCQx
    75  IjAgBgNVBAoTGUtleWJhc2UsIEluYy4gKipURVNUIENBKiowHhcNMTUwODA0MDMz
    76  NjU4WhcNMjUwODAxMDMzNjU4WjAkMSIwIAYDVQQKExlLZXliYXNlLCBJbmMuICoq
    77  VEVTVCBDQSoqMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3KoIOvkD
    78  EViq0IHkyhGX70L7xoPi3t/AY64Oefa+63CN8Btz+/KZrwRW//LDJnz76/z8/SM+
    79  neXCZ95ZKUJxJPg/6JGCTWSBkKQwRu3EJXY9uk5wBrHueKxIlfHolH30m7cezZ2c
    80  /UhZUOvxKR+2NOTn0YURZ7sI+jvEKaGnEIoORIW+iJ/o4K+HMyHqptEkxLKPWfUC
    81  T7JZZ+Otvn7uO+5xI+FuZnwYFsMY9WgdQvkyLmfkCGaKLtL1JphwS8QU73culUv8
    82  CzID8V/XugbpccTco2rRTPVqzXyWgt+tsp0UJtHd3UBZH92GNEUOkVEsQnZXQmGC
    83  wgLxx7BHBvj4YwIDAQABo0kwRzAOBgNVHQ8BAf8EBAMCAKQwEwYDVR0lBAwwCgYI
    84  KwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHREECDAGhwR/AAABMAsGCSqG
    85  SIb3DQEBCwOCAQEAA3J+j7hy4c4eZ5Jx6Pedzc7M4W8paT0XWWaVESNq64J2ybSD
    86  wlDlWlUr/cSSVtuRQiopVjBfrmuuaaZhmFHCxIjWWBFL5QWuXSl0Dx8FXvkzOjqY
    87  3KEPcbKLdP378sc4kwsigKwI0T+PvzKTiqCFmucd2a/6lOCfb7Tm5piRuKGy9G2c
    88  KYs+/PVhe+FtrS/9jh6tbfdsdSlItVsBzEqhBrkDGX+ptn+GlDJMX1k8uHS2qmOA
    89  RFk92WE1AXVSCiz/9f7fE+XZeTp32dkRtEDgirHfpBlSH/G7O6w1lhfeeNztuHmh
    90  L/mdMRuebJMXt/7x/qQAReuF+IKFbw2Tk/DTjA==
    91  -----END CERTIFICATE-----`
    92  
    93  // TestRootKey can be used with the above cert+public key to test TLS support.
    94  const TestRootKey = `-----BEGIN RSA PRIVATE KEY-----
    95  MIIEpQIBAAKCAQEA3KoIOvkDEViq0IHkyhGX70L7xoPi3t/AY64Oefa+63CN8Btz
    96  +/KZrwRW//LDJnz76/z8/SM+neXCZ95ZKUJxJPg/6JGCTWSBkKQwRu3EJXY9uk5w
    97  BrHueKxIlfHolH30m7cezZ2c/UhZUOvxKR+2NOTn0YURZ7sI+jvEKaGnEIoORIW+
    98  iJ/o4K+HMyHqptEkxLKPWfUCT7JZZ+Otvn7uO+5xI+FuZnwYFsMY9WgdQvkyLmfk
    99  CGaKLtL1JphwS8QU73culUv8CzID8V/XugbpccTco2rRTPVqzXyWgt+tsp0UJtHd
   100  3UBZH92GNEUOkVEsQnZXQmGCwgLxx7BHBvj4YwIDAQABAoIBAQCBB+P8J/PFRuXL
   101  Osk/533CaJa1BBW7YXcsUnEgnEoTfiNhTYxKvRdkodMFozy92sOswKhmlR9eUSWW
   102  ewwD9lgW2Br2sW9SNf0VSQz5zLqvdS6vLIKRR6Y8ZfGjzGrFuck47KFUdl+AM7gW
   103  e4DvHR38XAW6HGeLEnEzcZNJDL+WCS4XP0ylbAoQsasBZz9xWEhQ7CXV0rC2r00b
   104  E30WNnDkTAvMQlErwgDBAcqziIOejSbj2qkjJjPY4IO91718qchOwBwXKl8bP/Zs
   105  7eQmtYdBLGCPXGf9ngcJWB9Fu/kVZbIh1yg/Pxlz9anZ9a0PeTlCiSkzPxjl7H5d
   106  L0dQfiJhAoGBAPcOe5c9N0PHfUqHvMuV6DB/SNgr5IeXvE0jt8VfRVGQpzdrWmzM
   107  NA68ENHGueSdLJw56Y9N2ENxPIbEfhw1Aj8yzTsmR/zJS+/niMk1NOF09TamhkmE
   108  FzQdVKbfcmhQ6irbN7A4+bONJHLhPxfN1awfHHWelD5KZLuw7h0OmZ05AoGBAOSm
   109  92jSpvmVzDtW9IN+JaPEKSA/M80F9Z8s7wXft0KFYbSOEShH3by5qLNXAfhqr/HU
   110  Czy8DnoNCjjmG5a92R2gSI+Rp/69J8KxpT3dRNaFu1DGyilCV2AYrjs/CpJebwen
   111  RfCfKcv9o6xbkFTd+W5zT4rLR7BAsnopo6HGa957AoGAb8TEkxJluys3+ozYE754
   112  8d/Tw8Bvvgwea0Oacxd707++dqsBmLD1aCka7tyZ4txcfz0P9f4Atdo3yLyCVR6C
   113  Krc/89+It8sVqK41ytlgWBNCkHvbysyQdspCLtBuANWCausMEZRlGx7ie3p9wbYk
   114  UZ8tj+SzKk8brXII92pQgrkCgYEAm6dmKX+tl554J7UsQw9vBCsXbBJaaymxaain
   115  FrKTCL/QIZ/M4kT6F+2zgFKszrWiDNgyxienG0MhQFa1VUrsMJTakJGxcWLHXGye
   116  dpzYrcjgGT8ahDfbT1m90is6QSX0I5ulqwZO58VE1KKIgJ2TnbL15SA5Lyz70tnh
   117  wNFYwV0CgYEAqD+ojYP6i7shKJal7U8mi1pPrytjIx6DyMlqY4fl3MQ3IMGdZ1nI
   118  aOOhUtJxzorYWSCcNZKCUFu1esbmDO4PlkfnzaBVCqPZ3CThPnmUBZ2wg9rpZu2S
   119  7Q0sQ3FFXg9WqcsduaKRy5d8LKH8ikRooQw/Q5BpZ1tfKJStU6Xjf9U=
   120  -----END RSA PRIVATE KEY-----`
   121  
   122  const (
   123  	// EnvTestRootCertPEM is the environment variable name for the
   124  	// CA cert PEM the client uses to verify the KBFS servers when
   125  	// testing. Any certificate present here overrides any
   126  	// certificate inferred from a server address.
   127  	EnvTestRootCertPEM = "KEYBASE_TEST_ROOT_CERT_PEM"
   128  )
   129  
   130  // GetRootCerts returns a byte array with the appropriate root certs
   131  // for the given host:port string.
   132  func GetRootCerts(serverAddr string,
   133  	certGetter func(host string) (certsBundle []byte, ok bool)) []byte {
   134  	// Use the environment variable, if set.
   135  	envTestRootCert := os.Getenv(EnvTestRootCertPEM)
   136  	if len(envTestRootCert) != 0 {
   137  		return []byte(envTestRootCert)
   138  	}
   139  
   140  	if host, _, err := net.SplitHostPort(serverAddr); err == nil {
   141  		if rootCA, ok := certGetter(host); ok {
   142  			return rootCA
   143  		}
   144  	}
   145  
   146  	// Fall back to the test cert.
   147  	return []byte(TestRootCert)
   148  }