github.com/mtsmfm/go/src@v0.0.0-20221020090648-44bdcb9f8fde/crypto/tls/boring_test.go (about) 1 // Copyright 2017 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 //go:build boringcrypto 6 7 package tls 8 9 import ( 10 "crypto/ecdsa" 11 "crypto/elliptic" 12 "crypto/internal/boring/fipstls" 13 "crypto/rand" 14 "crypto/rsa" 15 "crypto/x509" 16 "crypto/x509/pkix" 17 "encoding/pem" 18 "fmt" 19 "math/big" 20 "net" 21 "runtime" 22 "strings" 23 "testing" 24 "time" 25 ) 26 27 func TestBoringServerProtocolVersion(t *testing.T) { 28 test := func(name string, v uint16, msg string) { 29 t.Run(name, func(t *testing.T) { 30 serverConfig := testConfig.Clone() 31 serverConfig.MinVersion = VersionSSL30 32 clientHello := &clientHelloMsg{ 33 vers: v, 34 random: make([]byte, 32), 35 cipherSuites: allCipherSuites(), 36 compressionMethods: []uint8{compressionNone}, 37 supportedVersions: []uint16{v}, 38 } 39 testClientHelloFailure(t, serverConfig, clientHello, msg) 40 }) 41 } 42 43 test("VersionTLS10", VersionTLS10, "") 44 test("VersionTLS11", VersionTLS11, "") 45 test("VersionTLS12", VersionTLS12, "") 46 test("VersionTLS13", VersionTLS13, "") 47 48 fipstls.Force() 49 defer fipstls.Abandon() 50 test("VersionSSL30", VersionSSL30, "client offered only unsupported versions") 51 test("VersionTLS10", VersionTLS10, "client offered only unsupported versions") 52 test("VersionTLS11", VersionTLS11, "client offered only unsupported versions") 53 test("VersionTLS12", VersionTLS12, "") 54 test("VersionTLS13", VersionTLS13, "client offered only unsupported versions") 55 } 56 57 func isBoringVersion(v uint16) bool { 58 return v == VersionTLS12 59 } 60 61 func isBoringCipherSuite(id uint16) bool { 62 switch id { 63 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 64 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 65 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 66 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 67 TLS_RSA_WITH_AES_128_GCM_SHA256, 68 TLS_RSA_WITH_AES_256_GCM_SHA384: 69 return true 70 } 71 return false 72 } 73 74 func isBoringCurve(id CurveID) bool { 75 switch id { 76 case CurveP256, CurveP384, CurveP521: 77 return true 78 } 79 return false 80 } 81 82 func isECDSA(id uint16) bool { 83 for _, suite := range cipherSuites { 84 if suite.id == id { 85 return suite.flags&suiteECSign == suiteECSign 86 } 87 } 88 panic(fmt.Sprintf("unknown cipher suite %#x", id)) 89 } 90 91 func isBoringSignatureScheme(alg SignatureScheme) bool { 92 switch alg { 93 default: 94 return false 95 case PKCS1WithSHA256, 96 ECDSAWithP256AndSHA256, 97 PKCS1WithSHA384, 98 ECDSAWithP384AndSHA384, 99 PKCS1WithSHA512, 100 ECDSAWithP521AndSHA512, 101 PSSWithSHA256, 102 PSSWithSHA384, 103 PSSWithSHA512: 104 // ok 105 } 106 return true 107 } 108 109 func TestBoringServerCipherSuites(t *testing.T) { 110 serverConfig := testConfig.Clone() 111 serverConfig.CipherSuites = allCipherSuites() 112 serverConfig.Certificates = make([]Certificate, 1) 113 114 for _, id := range allCipherSuites() { 115 if isECDSA(id) { 116 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate} 117 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey 118 } else { 119 serverConfig.Certificates[0].Certificate = [][]byte{testRSACertificate} 120 serverConfig.Certificates[0].PrivateKey = testRSAPrivateKey 121 } 122 serverConfig.BuildNameToCertificate() 123 t.Run(fmt.Sprintf("suite=%#x", id), func(t *testing.T) { 124 clientHello := &clientHelloMsg{ 125 vers: VersionTLS12, 126 random: make([]byte, 32), 127 cipherSuites: []uint16{id}, 128 compressionMethods: []uint8{compressionNone}, 129 supportedCurves: defaultCurvePreferences, 130 supportedPoints: []uint8{pointFormatUncompressed}, 131 } 132 133 testClientHello(t, serverConfig, clientHello) 134 t.Run("fipstls", func(t *testing.T) { 135 fipstls.Force() 136 defer fipstls.Abandon() 137 msg := "" 138 if !isBoringCipherSuite(id) { 139 msg = "no cipher suite supported by both client and server" 140 } 141 testClientHelloFailure(t, serverConfig, clientHello, msg) 142 }) 143 }) 144 } 145 } 146 147 func TestBoringServerCurves(t *testing.T) { 148 serverConfig := testConfig.Clone() 149 serverConfig.Certificates = make([]Certificate, 1) 150 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate} 151 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey 152 serverConfig.BuildNameToCertificate() 153 154 for _, curveid := range defaultCurvePreferences { 155 t.Run(fmt.Sprintf("curve=%d", curveid), func(t *testing.T) { 156 clientHello := &clientHelloMsg{ 157 vers: VersionTLS12, 158 random: make([]byte, 32), 159 cipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, 160 compressionMethods: []uint8{compressionNone}, 161 supportedCurves: []CurveID{curveid}, 162 supportedPoints: []uint8{pointFormatUncompressed}, 163 } 164 165 testClientHello(t, serverConfig, clientHello) 166 167 // With fipstls forced, bad curves should be rejected. 168 t.Run("fipstls", func(t *testing.T) { 169 fipstls.Force() 170 defer fipstls.Abandon() 171 msg := "" 172 if !isBoringCurve(curveid) { 173 msg = "no cipher suite supported by both client and server" 174 } 175 testClientHelloFailure(t, serverConfig, clientHello, msg) 176 }) 177 }) 178 } 179 } 180 181 func boringHandshake(t *testing.T, clientConfig, serverConfig *Config) (clientErr, serverErr error) { 182 c, s := localPipe(t) 183 client := Client(c, clientConfig) 184 server := Server(s, serverConfig) 185 done := make(chan error, 1) 186 go func() { 187 done <- client.Handshake() 188 c.Close() 189 }() 190 serverErr = server.Handshake() 191 s.Close() 192 clientErr = <-done 193 return 194 } 195 196 func TestBoringServerSignatureAndHash(t *testing.T) { 197 defer func() { 198 testingOnlyForceClientHelloSignatureAlgorithms = nil 199 }() 200 201 for _, sigHash := range defaultSupportedSignatureAlgorithms { 202 t.Run(fmt.Sprintf("%#x", sigHash), func(t *testing.T) { 203 serverConfig := testConfig.Clone() 204 serverConfig.Certificates = make([]Certificate, 1) 205 206 testingOnlyForceClientHelloSignatureAlgorithms = []SignatureScheme{sigHash} 207 208 sigType, _, _ := typeAndHashFromSignatureScheme(sigHash) 209 switch sigType { 210 case signaturePKCS1v15, signatureRSAPSS: 211 serverConfig.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256} 212 serverConfig.Certificates[0].Certificate = [][]byte{testRSA2048Certificate} 213 serverConfig.Certificates[0].PrivateKey = testRSA2048PrivateKey 214 case signatureEd25519: 215 serverConfig.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256} 216 serverConfig.Certificates[0].Certificate = [][]byte{testEd25519Certificate} 217 serverConfig.Certificates[0].PrivateKey = testEd25519PrivateKey 218 case signatureECDSA: 219 serverConfig.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256} 220 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate} 221 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey 222 } 223 serverConfig.BuildNameToCertificate() 224 // PKCS#1 v1.5 signature algorithms can't be used standalone in TLS 225 // 1.3, and the ECDSA ones bind to the curve used. 226 serverConfig.MaxVersion = VersionTLS12 227 228 clientErr, serverErr := boringHandshake(t, testConfig, serverConfig) 229 if clientErr != nil { 230 t.Fatalf("expected handshake with %#x to succeed; client error: %v; server error: %v", sigHash, clientErr, serverErr) 231 } 232 233 // With fipstls forced, bad curves should be rejected. 234 t.Run("fipstls", func(t *testing.T) { 235 fipstls.Force() 236 defer fipstls.Abandon() 237 clientErr, _ := boringHandshake(t, testConfig, serverConfig) 238 if isBoringSignatureScheme(sigHash) { 239 if clientErr != nil { 240 t.Fatalf("expected handshake with %#x to succeed; err=%v", sigHash, clientErr) 241 } 242 } else { 243 if clientErr == nil { 244 t.Fatalf("expected handshake with %#x to fail, but it succeeded", sigHash) 245 } 246 } 247 }) 248 }) 249 } 250 } 251 252 func TestBoringClientHello(t *testing.T) { 253 // Test that no matter what we put in the client config, 254 // the client does not offer non-FIPS configurations. 255 fipstls.Force() 256 defer fipstls.Abandon() 257 258 c, s := net.Pipe() 259 defer c.Close() 260 defer s.Close() 261 262 clientConfig := testConfig.Clone() 263 // All sorts of traps for the client to avoid. 264 clientConfig.MinVersion = VersionSSL30 265 clientConfig.MaxVersion = VersionTLS13 266 clientConfig.CipherSuites = allCipherSuites() 267 clientConfig.CurvePreferences = defaultCurvePreferences 268 269 go Client(c, clientConfig).Handshake() 270 srv := Server(s, testConfig) 271 msg, err := srv.readHandshake() 272 if err != nil { 273 t.Fatal(err) 274 } 275 hello, ok := msg.(*clientHelloMsg) 276 if !ok { 277 t.Fatalf("unexpected message type %T", msg) 278 } 279 280 if !isBoringVersion(hello.vers) { 281 t.Errorf("client vers=%#x, want %#x (TLS 1.2)", hello.vers, VersionTLS12) 282 } 283 for _, v := range hello.supportedVersions { 284 if !isBoringVersion(v) { 285 t.Errorf("client offered disallowed version %#x", v) 286 } 287 } 288 for _, id := range hello.cipherSuites { 289 if !isBoringCipherSuite(id) { 290 t.Errorf("client offered disallowed suite %#x", id) 291 } 292 } 293 for _, id := range hello.supportedCurves { 294 if !isBoringCurve(id) { 295 t.Errorf("client offered disallowed curve %d", id) 296 } 297 } 298 for _, sigHash := range hello.supportedSignatureAlgorithms { 299 if !isBoringSignatureScheme(sigHash) { 300 t.Errorf("client offered disallowed signature-and-hash %v", sigHash) 301 } 302 } 303 } 304 305 func TestBoringCertAlgs(t *testing.T) { 306 // NaCl, arm and wasm time out generating keys. Nothing in this test is architecture-specific, so just don't bother on those. 307 if runtime.GOOS == "nacl" || runtime.GOARCH == "arm" || runtime.GOOS == "js" { 308 t.Skipf("skipping on %s/%s because key generation takes too long", runtime.GOOS, runtime.GOARCH) 309 } 310 311 // Set up some roots, intermediate CAs, and leaf certs with various algorithms. 312 // X_Y is X signed by Y. 313 R1 := boringCert(t, "R1", boringRSAKey(t, 2048), nil, boringCertCA|boringCertFIPSOK) 314 R2 := boringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA) 315 316 M1_R1 := boringCert(t, "M1_R1", boringECDSAKey(t, elliptic.P256()), R1, boringCertCA|boringCertFIPSOK) 317 M2_R1 := boringCert(t, "M2_R1", boringECDSAKey(t, elliptic.P224()), R1, boringCertCA) 318 319 I_R1 := boringCert(t, "I_R1", boringRSAKey(t, 3072), R1, boringCertCA|boringCertFIPSOK) 320 I_R2 := boringCert(t, "I_R2", I_R1.key, R2, boringCertCA|boringCertFIPSOK) 321 I_M1 := boringCert(t, "I_M1", I_R1.key, M1_R1, boringCertCA|boringCertFIPSOK) 322 I_M2 := boringCert(t, "I_M2", I_R1.key, M2_R1, boringCertCA|boringCertFIPSOK) 323 324 L1_I := boringCert(t, "L1_I", boringECDSAKey(t, elliptic.P384()), I_R1, boringCertLeaf|boringCertFIPSOK) 325 L2_I := boringCert(t, "L2_I", boringRSAKey(t, 1024), I_R1, boringCertLeaf) 326 327 // client verifying server cert 328 testServerCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) { 329 clientConfig := testConfig.Clone() 330 clientConfig.RootCAs = pool 331 clientConfig.InsecureSkipVerify = false 332 clientConfig.ServerName = "example.com" 333 334 serverConfig := testConfig.Clone() 335 serverConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}} 336 serverConfig.BuildNameToCertificate() 337 338 clientErr, _ := boringHandshake(t, clientConfig, serverConfig) 339 340 if (clientErr == nil) == ok { 341 if ok { 342 t.Logf("%s: accept", desc) 343 } else { 344 t.Logf("%s: reject", desc) 345 } 346 } else { 347 if ok { 348 t.Errorf("%s: BAD reject (%v)", desc, clientErr) 349 } else { 350 t.Errorf("%s: BAD accept", desc) 351 } 352 } 353 } 354 355 // server verifying client cert 356 testClientCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) { 357 clientConfig := testConfig.Clone() 358 clientConfig.ServerName = "example.com" 359 clientConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}} 360 361 serverConfig := testConfig.Clone() 362 serverConfig.ClientCAs = pool 363 serverConfig.ClientAuth = RequireAndVerifyClientCert 364 365 _, serverErr := boringHandshake(t, clientConfig, serverConfig) 366 367 if (serverErr == nil) == ok { 368 if ok { 369 t.Logf("%s: accept", desc) 370 } else { 371 t.Logf("%s: reject", desc) 372 } 373 } else { 374 if ok { 375 t.Errorf("%s: BAD reject (%v)", desc, serverErr) 376 } else { 377 t.Errorf("%s: BAD accept", desc) 378 } 379 } 380 } 381 382 // Run simple basic test with known answers before proceeding to 383 // exhaustive test with computed answers. 384 r1pool := x509.NewCertPool() 385 r1pool.AddCert(R1.cert) 386 testServerCert(t, "basic", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true) 387 testClientCert(t, "basic (client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true) 388 fipstls.Force() 389 testServerCert(t, "basic (fips)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false) 390 testClientCert(t, "basic (fips, client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false) 391 fipstls.Abandon() 392 393 if t.Failed() { 394 t.Fatal("basic test failed, skipping exhaustive test") 395 } 396 397 if testing.Short() { 398 t.Logf("basic test passed; skipping exhaustive test in -short mode") 399 return 400 } 401 402 for l := 1; l <= 2; l++ { 403 leaf := L1_I 404 if l == 2 { 405 leaf = L2_I 406 } 407 for i := 0; i < 64; i++ { 408 reachable := map[string]bool{leaf.parentOrg: true} 409 reachableFIPS := map[string]bool{leaf.parentOrg: leaf.fipsOK} 410 list := [][]byte{leaf.der} 411 listName := leaf.name 412 addList := func(cond int, c *boringCertificate) { 413 if cond != 0 { 414 list = append(list, c.der) 415 listName += "," + c.name 416 if reachable[c.org] { 417 reachable[c.parentOrg] = true 418 } 419 if reachableFIPS[c.org] && c.fipsOK { 420 reachableFIPS[c.parentOrg] = true 421 } 422 } 423 } 424 addList(i&1, I_R1) 425 addList(i&2, I_R2) 426 addList(i&4, I_M1) 427 addList(i&8, I_M2) 428 addList(i&16, M1_R1) 429 addList(i&32, M2_R1) 430 431 for r := 1; r <= 3; r++ { 432 pool := x509.NewCertPool() 433 rootName := "," 434 shouldVerify := false 435 shouldVerifyFIPS := false 436 addRoot := func(cond int, c *boringCertificate) { 437 if cond != 0 { 438 rootName += "," + c.name 439 pool.AddCert(c.cert) 440 if reachable[c.org] { 441 shouldVerify = true 442 } 443 if reachableFIPS[c.org] && c.fipsOK { 444 shouldVerifyFIPS = true 445 } 446 } 447 } 448 addRoot(r&1, R1) 449 addRoot(r&2, R2) 450 rootName = rootName[1:] // strip leading comma 451 testServerCert(t, listName+"->"+rootName[1:], pool, leaf.key, list, shouldVerify) 452 testClientCert(t, listName+"->"+rootName[1:]+"(client cert)", pool, leaf.key, list, shouldVerify) 453 fipstls.Force() 454 testServerCert(t, listName+"->"+rootName[1:]+" (fips)", pool, leaf.key, list, shouldVerifyFIPS) 455 testClientCert(t, listName+"->"+rootName[1:]+" (fips, client cert)", pool, leaf.key, list, shouldVerifyFIPS) 456 fipstls.Abandon() 457 } 458 } 459 } 460 } 461 462 const ( 463 boringCertCA = iota 464 boringCertLeaf 465 boringCertFIPSOK = 0x80 466 ) 467 468 func boringRSAKey(t *testing.T, size int) *rsa.PrivateKey { 469 k, err := rsa.GenerateKey(rand.Reader, size) 470 if err != nil { 471 t.Fatal(err) 472 } 473 return k 474 } 475 476 func boringECDSAKey(t *testing.T, curve elliptic.Curve) *ecdsa.PrivateKey { 477 k, err := ecdsa.GenerateKey(curve, rand.Reader) 478 if err != nil { 479 t.Fatal(err) 480 } 481 return k 482 } 483 484 type boringCertificate struct { 485 name string 486 org string 487 parentOrg string 488 der []byte 489 cert *x509.Certificate 490 key interface{} 491 fipsOK bool 492 } 493 494 func boringCert(t *testing.T, name string, key interface{}, parent *boringCertificate, mode int) *boringCertificate { 495 org := name 496 parentOrg := "" 497 if i := strings.Index(org, "_"); i >= 0 { 498 org = org[:i] 499 parentOrg = name[i+1:] 500 } 501 tmpl := &x509.Certificate{ 502 SerialNumber: big.NewInt(1), 503 Subject: pkix.Name{ 504 Organization: []string{org}, 505 }, 506 NotBefore: time.Unix(0, 0), 507 NotAfter: time.Unix(0, 0), 508 509 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, 510 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, 511 BasicConstraintsValid: true, 512 } 513 if mode&^boringCertFIPSOK == boringCertLeaf { 514 tmpl.DNSNames = []string{"example.com"} 515 } else { 516 tmpl.IsCA = true 517 tmpl.KeyUsage |= x509.KeyUsageCertSign 518 } 519 520 var pcert *x509.Certificate 521 var pkey interface{} 522 if parent != nil { 523 pcert = parent.cert 524 pkey = parent.key 525 } else { 526 pcert = tmpl 527 pkey = key 528 } 529 530 var pub interface{} 531 switch k := key.(type) { 532 case *rsa.PrivateKey: 533 pub = &k.PublicKey 534 case *ecdsa.PrivateKey: 535 pub = &k.PublicKey 536 default: 537 t.Fatalf("invalid key %T", key) 538 } 539 540 der, err := x509.CreateCertificate(rand.Reader, tmpl, pcert, pub, pkey) 541 if err != nil { 542 t.Fatal(err) 543 } 544 cert, err := x509.ParseCertificate(der) 545 if err != nil { 546 t.Fatal(err) 547 } 548 549 fipsOK := mode&boringCertFIPSOK != 0 550 return &boringCertificate{name, org, parentOrg, der, cert, key, fipsOK} 551 } 552 553 // A self-signed test certificate with an RSA key of size 2048, for testing 554 // RSA-PSS with SHA512. SAN of example.golang. 555 var ( 556 testRSA2048Certificate []byte 557 testRSA2048PrivateKey *rsa.PrivateKey 558 ) 559 560 func init() { 561 block, _ := pem.Decode([]byte(` 562 -----BEGIN CERTIFICATE----- 563 MIIC/zCCAeegAwIBAgIRALHHX/kh4+4zMU9DarzBEcQwDQYJKoZIhvcNAQELBQAw 564 EjEQMA4GA1UEChMHQWNtZSBDbzAeFw0xMTAxMDExNTA0MDVaFw0yMDEyMjkxNTA0 565 MDVaMBIxEDAOBgNVBAoTB0FjbWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw 566 ggEKAoIBAQCf8fk0N6ieCBX4IOVIfKitt4kGcOQLeimCfsjqqHcysMIVGEtFSM6E 567 4Ay141f/7IqdW0UtIqNb4PXhROID7yDxR284xL6XbCuv/t5hP3UcehYc3hmLiyVd 568 MkZQiZWtfUUJf/1qOtM+ohNg59LRWp4d+6iX0la1JL3EwCIckkNjJ9hQbF7Pb2CS 569 +ES9Yo55KAap8KOblpcR8MBSN38bqnwjfQdCXvOEOjam2HUxKzEFX5MA+fA0me4C 570 ioCcCRLWKl+GoN9F8fABfoZ+T+2eal4DLuO95rXR8SrOIVBh3XFOr/RVhjtXcNVF 571 ZKcvDt6d68V6jAKAYKm5nlj9GPpd4v+rAgMBAAGjUDBOMA4GA1UdDwEB/wQEAwIF 572 oDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBkGA1UdEQQSMBCC 573 DmV4YW1wbGUuZ29sYW5nMA0GCSqGSIb3DQEBCwUAA4IBAQCOoYsVcFCBhboqe3WH 574 dC6V7XXXECmnjh01r8h80yv0NR379nSD3cw2M+HKvaXysWqrl5hjGVKw0vtwD81r 575 V4JzDu7IfIog5m8+QNC+7LqDZsz88vDKOrsoySVOmUCgmCKFXew+LA+eO/iQEJTr 576 7ensddOeXJEp27Ed5vW+kmWW3Qmglc2Gwy8wFrMDIqnrnOzBA4oCnDEgtXJt0zog 577 nRwbfEMAWi1aQRy5dT9KA3SP9mo5SeTFSzGGHiE4s4gHUe7jvsAFF2qgtD6+wH6s 578 z9b6shxnC7g5IlBKhI7SVB/Uqt2ydJ+kH1YbjMcIq6NAM5eNMKgZuJr3+zwsSgwh 579 GNaE 580 -----END CERTIFICATE-----`)) 581 testRSA2048Certificate = block.Bytes 582 583 block, _ = pem.Decode([]byte(` 584 -----BEGIN RSA PRIVATE KEY----- 585 MIIEpAIBAAKCAQEAn/H5NDeonggV+CDlSHyorbeJBnDkC3opgn7I6qh3MrDCFRhL 586 RUjOhOAMteNX/+yKnVtFLSKjW+D14UTiA+8g8UdvOMS+l2wrr/7eYT91HHoWHN4Z 587 i4slXTJGUImVrX1FCX/9ajrTPqITYOfS0VqeHfuol9JWtSS9xMAiHJJDYyfYUGxe 588 z29gkvhEvWKOeSgGqfCjm5aXEfDAUjd/G6p8I30HQl7zhDo2pth1MSsxBV+TAPnw 589 NJnuAoqAnAkS1ipfhqDfRfHwAX6Gfk/tnmpeAy7jvea10fEqziFQYd1xTq/0VYY7 590 V3DVRWSnLw7enevFeowCgGCpuZ5Y/Rj6XeL/qwIDAQABAoIBAQCNpMZifd/vg42h 591 HdCvLuZaYS0R7SunFlpoXEsltGdLFsnp0IfoJZ/ugFQBSAIIfLwMumU6oXA1z7Uv 592 98aIYV61DePrTCDVDFBsHbNmP8JAo8WtbusEbwd5zyoB7LYG2+clkJklWE73KqUq 593 rmI+UJeyScl2Gin7ZTxBXz1WPBk9VwcnwkeaXpgASIBW23fhECM9gnYEEwaBez5T 594 6Me8d1tHtYQv7vsKe7ro9w9/HKrRXejqYKK1LxkhfFriyV+m8LZJZn2nXOa6G3gF 595 Nb8Qk1Uk5PUBENBmyMFJhT4M/uuSq4YtMrrO2gi8Q+fPhuGzc5SshYKRBp0W4P5r 596 mtVCtEFRAoGBAMENBIFLrV2+HsGj0xYFasKov/QPe6HSTR1Hh2IZONp+oK4oszWE 597 jBT4VcnITmpl6tC1Wy4GcrxjNgKIFZAj+1x1LUULdorXkuG8yr0tAhG9zNyfWsSy 598 PrSovC0UVbzr8Jxxla+kQVxEQQqWQxPlEVuL8kXaIDA6Lyt1Hpua2LvPAoGBANQZ 599 c6Lq2T7+BxLxNdi2m8kZzej5kgzBp/XdVsbFWRlebIX2KrFHsrHzT9PUk3DE1vZK 600 M6pzTt94nQhWSkDgCaw1SohElJ3HFIFwcusF1SJAc3pQepd8ug6IYdlpDMLtBj/P 601 /5P6BVUtgo05E4+I/T3iYatmglQxTtlZ0RkSV2llAoGBALOXkKFX7ahPvf0WksDh 602 uTfuFOTPoowgQG0EpgW0wRdCxeg/JLic3lSD0gsttQV2WsRecryWcxaelRg10RmO 603 38BbogmhaF4xvgsSvujOfiZTE8oK1T43M+6NKsIlML3YILbpU/9aJxPWy0s2DqDr 604 cQJhZrlk+pzjBA7Bnf/URdwxAoGAKR/CNw14D+mrL3YLbbiCXiydqxVwxv5pdZdz 605 8thi3TNcsWC4iGURdcVqbfUinVPdJiXe/Kac3WGCeRJaFVgbKAOxLti1RB5MkIhg 606 D8eyupBqk4W1L1gkrxqsdj4TFlxkwMywjl2E2S4YyQ8PBt6V04DoVRZsIKzqz+PF 607 UionPq0CgYBCYXvqioJhPewkOq/Y5wrDBeZW1FQK5QD9W5M8/5zxd4rdvJtjhbJp 608 oOrtvMdrl6upy9Hz4BJD3FXwVFiPFE7jqeNqi0F21viLxBPMMD3UODF6LL5EyLiR 609 9V4xVMS8KXxvg7rxsuqzMPscViaWUL6WNVBhsD2+92dHxSXzz5EJKQ== 610 -----END RSA PRIVATE KEY-----`)) 611 var err error 612 testRSA2048PrivateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes) 613 if err != nil { 614 panic(err) 615 } 616 }