Add OCSP support
Signed-off-by: Waldemar Quevedo <wally@synadia.com>
nsurfer authored and wallyqs committed May 22, 2021
1 parent 774df9f commit 908946b
Showing 17 changed files with 2,115 additions and 0 deletions.
454 changes: 454 additions & 0 deletions server/ocsp.go

Large diffs are not rendered by default.

28 changes: 28 additions & 0 deletions server/opts.go
@@ -268,6 +268,10 @@ type Options struct {
// and used as a filter criteria for some system requests
Tags jwt.TagList `json:"-"`

// OCSPConfig enables OCSP Stapling in the server.
OCSPConfig *OCSPConfig
tlsConfigOpts *TLSConfigOpts

// private fields, used to know if bool options are explicitly
// defined in config and/or command line params.
inConfig map[string]bool
@@ -485,6 +489,15 @@ type TLSConfigOpts struct {
PinnedCerts PinnedCertSet
}

// OCSPConfig represents the options of OCSP stapling options.
type OCSPConfig struct {
// Mode defines the policy for OCSP stapling.
Mode OCSPMode

// OverrideURLs is the http URL endpoint used to get OCSP staples.
OverrideURLs []string
}

var tlsUsage = `
TLS configuration is specified in the tls section of a configuration file:
@@ -841,6 +854,21 @@ func (o *Options) processConfigFileLine(k string, v interface{}, errors *[]error
o.TLSTimeout = tc.Timeout
o.TLSMap = tc.Map
o.TLSPinnedCerts = tc.PinnedCerts

// Need to keep track of path of the original TLS config
// and certs path for OCSP Stapling monitoring.
o.tlsConfigOpts = tc
case "ocsp":
switch v.(type) {
case bool:
// Default is Auto which honors Must Staple status request
// but does not shutdown the server in case it is revoked,
// letting the client choose whether to trust or not the server.
o.OCSPConfig = &OCSPConfig{Mode: OCSPModeAuto}
default:
*errors = append(*errors, &configErr{tk, fmt.Sprintf("error parsing ocsp config: unsupported type %T", v)})
return
}
case "allow_non_tls":
o.AllowNonTLS = v.(bool)
case "write_deadline":
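Review bot: The `case bool:` branch of the new `ocsp` option never reads the value, so `ocsp: false` sets `o.OCSPConfig` to Auto mode exactly as `ocsp: true` does. An operator who writes `false` to keep stapling off would get the opposite of what the config says. Bind the value and branch on it, for example `switch vv := v.(type) {` followed by `case bool: if vv { o.OCSPConfig = &OCSPConfig{Mode: OCSPModeAuto} }`. processConfigFileLine starts and ends outside the hunk, so any later handling of the option is not visible here. The doc comment on the new type would also read better as `// OCSPConfig holds the OCSP stapling options.`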
1 change: 1 addition & 0 deletions server/opts_test.go
@@ -149,6 +149,7 @@ func TestTLSConfigFile(t *testing.T) {
t.Fatal("Expected opts.TLSConfig to be non-nil")
}
opts.TLSConfig = nil
opts.tlsConfigOpts = nil
checkOptionsEqual(t, golden, opts)

// Now check TLSConfig a bit more closely
62 changes: 62 additions & 0 deletions server/reload.go
@@ -50,6 +50,9 @@ type option interface {
// IsAuthChange indicates if this option requires reloading authorization.
IsAuthChange() bool

// IsTLSChange indicates if this option requires reloading TLS.
IsTLSChange() bool

// IsClusterPermsChange indicates if this option requires reloading
// cluster permissions.
IsClusterPermsChange() bool
@@ -74,6 +77,10 @@ func (n noopOption) IsAuthChange() bool {
return false
}

func (n noopOption) IsTLSChange() bool {
return false
}

func (n noopOption) IsClusterPermsChange() bool {
return false
}
@@ -202,6 +209,10 @@ func (t *tlsOption) Apply(server *Server) {
server.Noticef("Reloaded: tls = %s", message)
}

func (t *tlsOption) IsTLSChange() bool {
return true
}

// tlsTimeoutOption implements the option interface for the tls `timeout`
// setting.
type tlsTimeoutOption struct {
@@ -803,6 +814,7 @@ func imposeOrder(value interface{}) error {
sort.Strings(value.AllowedOrigins)
case string, bool, int, int32, int64, time.Duration, float64, nil, LeafNodeOpts, ClusterOpts, *tls.Config, PinnedCertSet,
*URLAccResolver, *MemAccResolver, *DirAccResolver, *CacheDirAccResolver, Authentication, MQTTOpts, jwt.TagList:
*OCSPConfig:
// explicitly skipped types
default:
// this will fail during unit tests
@@ -1201,6 +1213,7 @@ func (s *Server) applyOptions(ctx *reloadContext, opts []option) {
reloadClientTrcLvl = false
reloadJetstream = false
jsEnabled = false
reloadTLS = false
)
for _, opt := range opts {
opt.Apply(s)
@@ -1213,6 +1226,9 @@ func (s *Server) applyOptions(ctx *reloadContext, opts []option) {
if opt.IsAuthChange() {
reloadAuth = true
}
if opt.IsTLSChange() {
reloadTLS = true
}
if opt.IsClusterPermsChange() {
reloadClusterPerms = true
}
@@ -1256,9 +1272,55 @@ func (s *Server) applyOptions(ctx *reloadContext, opts []option) {
s.updateRemoteLeafNodesTLSConfig(newOpts)
}

if reloadTLS {
// Restart OCSP monitoring.
if err := s.reloadOCSP(); err != nil {
s.Warnf("Can't restart OCSP Stapling: %v", err)
}
}

s.Noticef("Reloaded server configuration")
}

func (s *Server) reloadOCSP() error {
opts := s.getOpts()

s.mu.Lock()
ocsps := s.ocsps
s.mu.Unlock()

// Stop all OCSP Stapling monitors in case there were any running.
for _, oc := range ocsps {
oc.stop()
}

// Restart the monitors under the new configuration.
ocspm := make([]*OCSPMonitor, 0)
if config := opts.TLSConfig; config != nil {
tc, mon, err := s.NewOCSPMonitor(config)
if err != nil {
return err
}
// Check if an OCSP stapling monitor is required for this certificate.
if mon != nil {
ocspm = append(ocspm, mon)

// Override the TLS config with one that follows OCSP.
s.optsMu.Lock()
s.opts.TLSConfig = tc
s.optsMu.Unlock()
s.startGoRoutine(func() { mon.run() })
}
s.Noticef("OCSP Stapling enabled for client connections")
}
// Replace stopped monitors with the new ones.
s.mu.Lock()
s.ocsps = ocspm
s.mu.Unlock()

return nil
}

// Update all cached debug and trace settings for every client
func (s *Server) reloadClientTraceLevel() {
opts := s.getOpts()
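Review bot: reloadOCSP stops every running monitor before it calls NewOCSPMonitor, so when that call fails the function returns with `s.ocsps` still holding the stopped monitors and nothing left to refresh the staple. applyOptions only logs a warning in that case and then reports "Reloaded server configuration", so the server presumably keeps serving an ageing staple after a reload the operator may believe succeeded. Build the replacement first and stop the old monitors only after the swap, as sketched below; whether an old and a new monitor may briefly coexist depends on ocsp.go, which this page does not render. The sketch also moves the "enabled" notice under `mon != nil`, since as written it is logged even when no monitor was created. Separately, in the imposeOrder hunk the added `*OCSPConfig:` follows a case list that, as rendered, already ends in `jwt.TagList:`; confirm the preceding line ends with a comma.

```go
func (s *Server) reloadOCSP() error {
	opts := s.getOpts()

	// Build the replacement monitor before touching the running ones, so an
	// error here leaves the current stapling state in place.
	var ocspm []*OCSPMonitor
	if config := opts.TLSConfig; config != nil {
		tc, mon, err := s.NewOCSPMonitor(config)
		if err != nil {
			return err
		}
		if mon != nil {
			ocspm = append(ocspm, mon)
			// … unchanged: override s.opts.TLSConfig with tc under optsMu, start mon.run …
			s.Noticef("OCSP Stapling enabled for client connections")
		}
	}

	// Swap the list under the lock, then stop the monitors that were replaced.
	s.mu.Lock()
	old := s.ocsps
	s.ocsps = ocspm
	s.mu.Unlock()
	for _, oc := range old {
		oc.stop()
	}
	return nil
}
```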
33 changes: 33 additions & 0 deletions server/server.go
@@ -236,6 +236,9 @@ type Server struct {
// MQTT structure
mqtt srvMQTT

// OCSP monitoring
ocsps []*OCSPMonitor

// exporting account name the importer experienced issues with
incompleteAccExporterMap sync.Map

@@ -1467,6 +1470,29 @@ func (s *Server) fetchAccount(name string) (*Account, error) {
return acc, nil
}

func (s *Server) enableOCSP() error {
opts := s.getOpts()

// Start OCSP Stapling for client connections.
if config := opts.TLSConfig; config != nil {
tc, mon, err := s.NewOCSPMonitor(config)
if err != nil {
return err
}
// Check if an OCSP stapling monitor is required for this certificate.
if mon != nil {
s.ocsps = append(s.ocsps, mon)
// Override the TLS config with one that follows OCSP.
opts.TLSConfig = tc
s.startGoRoutine(func() { mon.run() })
}
s.Noticef("OCSP Stapling enabled for client connections")
}
// FIXME: Add support for leafnodes, routes, MQTT, WebSocket

return nil
}

// Start up the server, this will block.
// Start via a Go routine if needed.
func (s *Server) Start() {
@@ -1619,6 +1645,13 @@ func (s *Server) Start() {
})
}

// Setup OCSP Stapling. This will abort server from starting if there
// are no valid staples and OCSP policy is to Always or MustStaple.
if err := s.enableOCSP(); err != nil {
s.Fatalf("Can't enable OCSP Stapling: %v", err)
return
}

// Start monitoring if needed
if err := s.StartMonitoring(); err != nil {
s.Fatalf("Can't start monitoring: %v", err)
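Review bot: In enableOCSP the `s.Noticef("OCSP Stapling enabled for client connections")` call sits outside the `if mon != nil` block, so the server logs stapling as enabled whenever a TLS config exists, even when NewOCSPMonitor returned no monitor. Anyone auditing revocation coverage from the logs would be misled; move the notice inside the `mon != nil` branch. The function also appends to `s.ocsps` and assigns `opts.TLSConfig` without holding `s.mu` or `s.optsMu`, while reloadOCSP in reload.go takes both. That is presumably safe this early in Start, but a comment such as `// No locking: runs during Start before any reload can race.` would record the assumption. enableOCSP has no doc comment; one stating that it returns an error when NewOCSPMonitor fails, and that Start treats that as fatal, would help.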
34 changes: 34 additions & 0 deletions test/configs/certs/ocsp/ca-cert.pem
@@ -0,0 +1,34 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
51 changes: 51 additions & 0 deletions test/configs/certs/ocsp/ca-key.pem
@@ -0,0 +1,51 @@
-----BEGIN RSA PRIVATE KEY-----
MIIJKQIBAAKCAgEAs1szTYUBy7GPQnDaH5863bEVldI2xxNa5xZalaNywI+Hz058
zxuvsDeR2gmcgfZM4kuLW7eDL0IjPHmJfklS8GhoN5ZuzFSY5EHGqBKTfX0Zvvl1
aNZo2GGaPgnR+EbC9NjxdsVcEkfkW9pWC2NXqdCISHiv3uh5IjyfAjxDS/t7sngS
yrYF+L4HCJ7rbOnfCpzfYD48Rw5l76wGzN05dAjElU8Y/0mbX6H8GPKQ7mZZK8z5
OIHwioQmHf9KxKl870pZQKm+u3pDIhBNweH8TNr6AuI8n2YbCfC+HyjjV041Xprh
26Y145xqQvlIoPHZtEPK94mF0w92sE79jX8mZ1LbQlDcBzpvqXaC/YwaRYgf82/5
1UNY/xSYxg2vkmie6l7dDMIVMmmFUs2ZOOFxuwo3ikls8Tx0FlnIUkBjobuAcc1M
N9Opva1G9j977UocmTe0T23hEOcqYdoLJ5WM/l6b29h8+74xhws2SFkQh2LbCLLF
felK3wpIyequ4DzHwLfyLhqasRWE4ac9Q04G5NR+T3QKMuVCxcTEREsLk/5ShwqZ
oFc8zyIT/9cVRuUtTzM/EOQq4c7CKKcE4NGJb0a+hR6drvWmYi9Zsgt1sRC3bSsx
XUaAPQE8/tVdEBW97TNA3yK9THfHPV1MUQNCbw3FIW+qIYBQISjKatvGJD8CAwEA
AQKCAgAUmLaNgmawY5WWBaum0fxKlRlreRZ9SgW4X+LLKFf3MQRhlBvVFNLaI6eG
KHBmpEgz/ITmZW6VML0nJrXZYMY7gWHmcEoNAPIF1F/h0TBKyuD4A2GuRmEH6D10
PmB0aHve7kLcZtGp78OToMEc0a2xfJcJ64IW0Q+IFPoVoaIAycJsvkk6KikJZZkd
LlLO0RSh/V3RiZQWfNrL6S9mu0jrwE4C73BpcKR9GPcATmrCVdKLqyA7kwByh7Zw
325Qoz4LpLgXKucSVHn9IW4sg60bjlIDnsNjcrBMNe8/WMyyq/KJCLRDKxUpLD8v
rbzfbqaXgul9/7b0g+QXXxrS8vUP2z5EtAA56oJCDpT396vw5dLPnbuh9pW2XKDt
D8qxja3LK3B2c2gPMS9uwDYILcyXHPRpWhjdYnSCfMzCZOGalt5xIakN+xokxKPR
6wvStua7mb4g8LzJvFFkFA43MAKf9GQnvaj87O1HnPK8u6g/D8tAnZ5DIrqz7Otl
bEuEmgat0eE/j4P37AZ/dh75bC7LBE1eT2dux7ivN37lxXAjP6TN4ON5D5I1Emks
Aa9YEAwtkVb06YZsG9S0a0XRyvY+J1OU6ufaMkleQT4MKRQoFbjAfDzD6K3+N0v3
5n20Vd3zwaY3/1SSaU7uSjDFWt2H3PmMemivhTTaDllO/mLxEQKCAQEA3nPazMNv
tzkg2ue+Mi90lAdlR3EFi6ONnbIFDQhMgb0qMGJP7nwuvT1R6ImY64ycLEQ3axOf
FNlOqtEW/cvmBK6f2j+MyKODbN8TrLP0VimFh4uILrXQKRteeKhIM03eHe9eJw95
0DMI/vxS37BQzF9qo3W4ypD54AUUrsmQhZX5bAwWXKOsCZbuxpukUG06nDomJAy+
3/0YVNSDxED1KeIV4QzMRaBBs8WBfRaL07hX0tLFM2/Xj46KQ8j6Fgc1SxJNtsT+
z/WvnojEBM+JxH6X+hOjTM1xg/R64DZZNb8qsEXrjZV93ThlgtFF6ESKbCKLxuZn
MNkLGYx+gJLpfQKCAQEAzmeK0JlghMWVTRBgu4tq6k8z/73RV8vcdyEz80J5QKL/
Vxs53yVGB1pxKGKKiVwTUTX7xZQMlRHes4ynk9JTaCQRwkPadIkw+QV+VaFWz5Jj
VgcUbqnpA1f/LmvPdPYhTnr1xhWXf5K2ktj1MEcEcp61F7eyCaRgCqc5s1NsPGxb
uIH4bAD4qkp89YCBbQcEhwho07TbqQpkBp701LCb+t/1+Au1JbSdDpQ2AXDlIcav
Nly1Qf/DfHhA2JQ8smQv3HSgfyeiZnhq6JDMCk/Z0JTfFzjMOf2qli0gWEkcHpLg
L8eIPs4VSrZQkex3Wtez+N7g5xv3VnWuv3adhNZRawKCAQEA0PJVlHwGVT2t5LBE
cHMut1RzBzXcFZuci4EJSYKACmUaWbQejE3MwSf15cxI/QdoMhQpUcRuanDreXtI
cz+wYLl9oMyMenFMI1kt68xkNwJtUDH5ypYwXkw84mx+1OHRPqD1+Q6KRsuJKajs
VvwQCMefLMaIuoyOiKN9F+hwfWmvjJOV9ZIvKBrDUX4kSv8uTEw6QyZNq6rZzeSH
mDHDloGsN2WEAepTjH558HrbABVpOLeNT5FAErG6oY0HiuVeY5Nft8s15TRKr0ib
hkFCkHSwX89OVferJlzfhfbGuLtFZ6llZeoC/WXZw5S6az7mHkgcrskAKFvWFztm
H3LfKQKCAQAqVa5xLqRPVz9SOSO+E9BwEqK1t7cybMvhW1wObvnzufrpYNoz3K9K
XtCK2ftURSBpLctgMQeLo8irxxOwDBmzaIKD9+rcsC7tRKUu5xKpLHtXb8hPEmaK
mwfp+47njHw0Xp/+avtR3UO5RuqzZj2RTOAT50eLFr3kMXxyPZAbrJX7eBz9+g0G
0JRkvmDNffz9vUnS8muDdnAhs4TAAyFbCYinwa779tmn3dpd3UwB64CQg99hlBYC
d5/FTFJOvKHcc8dfjT+QCO7UmK5hBxPD5mUDnFC3LEJK3yKdORGda76zzhcx2o8f
bdmEtJ2eclOlngE/JctLXoPjHW8did/VAoIBAQCLOF230GM/QCYMWPzvbOAQ21IV
+HCB6tWl5rKTY9YXf+x5Xe/BqyrdW4AIHbGIcV2IbakRN0rcQhylNXSxVxkJ13+s
oBrX0hyRD6rlmoOcckrafezyFBO75AZN2St8Ef2eFQOyDfftL45RLIUuYgHHEqzO
xtDXl+KLLUMLVDfnuDizN9WJIwG2Nke7FwJtigDuilbjvFGgHu1Ni8t3t1PkbwDA
Uskxl8IAfIYlKgyEeQ4U7NW5G0d6o2r1whoXKA7mSxNeTsXreWEfaEss+vI/Zp8C
YxLMP2Z6zvsgoieioKZqk/nMoq3GynC9DhHXFpmao4nQk71zM408Zvisvz1S
-----END RSA PRIVATE KEY-----
34 changes: 34 additions & 0 deletions test/configs/certs/ocsp/client-cert.pem
@@ -0,0 +1,34 @@
-----BEGIN CERTIFICATE-----
MIIF2TCCA8GgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBizELMAkGA1UEBhMCVVMx
CzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRAwDgYDVQQKDAdT
eW5hZGlhMRAwDgYDVQQLDAduYXRzLmlvMRUwEwYDVQQDDAxsb2NhbGhvc3QgY2Ex
HDAaBgkqhkiG9w0BCQEWDWRlcmVrQG5hdHMuaW8wHhcNMjEwNTExMjAxMTM1WhcN
MjkxMDE0MjAxMTM1WjCBjzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYwFAYD
VQQHDA1TYW4gRnJhbmNpc2NvMRAwDgYDVQQKDAdTeW5hZGlhMRAwDgYDVQQLDAdu
YXRzLmlvMRkwFwYDVQQDDBBsb2NhbGhvc3QgY2xpZW50MRwwGgYJKoZIhvcNAQkB
Fg1kZXJla0BuYXRzLmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
ul+i7nMo02miq32kfFzYeexKola5b4Cc1CY62x0IGbPgiFUoVGZAmDZGdiiERxOH
GJDODvZIjXZVdFwiZQGfL/t2gs+A0A61o2RDKcfe57mW9FGLyjiPMAGaeYddiSOx
/CK0/gDjRrcloQkRDiXbyjAUNgoMW7W7g4ArpOpZkpJIqrTq7aZXJzhbdU6tHbTN
lkPgzNsLmMUrmg10gesoajIXVJc6aQ2qdfuskXrtAEVDCFmIAV9cZqt2uWs3erEK
lIgYffjlyTGoXF8jQLkSChEGYtyZ0ov1e+wBjltpgw+GRwrBM+NIeRuTilpB4Agb
yEkAXkryzfuGePhwB1qGG7Qy73qKdHctwiO0vBpqylBQNgyl4IaD33NLkDUtLly7
Ti9VxBlV7H3HWofpx1/AUtCfxfGg3pz+wZQuUWZPhQTV8zxDJOOtWZyDKKT9W6Tm
2XF7CoNhzGtc+NtatqJ4xDuzco9Mvh3q5ERXYqycNbmNldrVtkzMm258UuLITu7m
zAMqh4CnDM/8UIOWc1Ovrv1vJmxI0ZGSywSlXX0j0jE63QqVlWwsQBdOdK86R7X3
Db6sNY/gnnOjY9Q9N/bEgRKm0zFlFvvGbmnbEbq1ShOXeNc3DmK3N/qJpuxJzMVu
fIQ8kcwz4fX0efZbayq0WOMeargM/2IVOZ7rsbam1KkCAwEAAaNCMEAwCQYDVR0T
BAIwADALBgNVHQ8EBAMCBeAwJgYDVR0RBB8wHYIJbG9jYWxob3N0ghBjbGllbnQu
bG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4ICAQAZsO7juFWr0tMY2Bm1Y0gSfcMZ
seDv+XBvKLX3lKYE2TgQrY3IJz9wL/6okzb8wlwA6GOYoir4TMFRDsaItvkkFZc+
Z2xGiI+RyhVPxPo39DY4/p8fWVGuAGzNsSIsk9Qu9OBAhWizmzAh5+t7vo9vpHOu
sZlFO9QSCpfQksCOLwCFz3wjJxFtDUhY/+i0rOOddylbjwPJNO2j8f0eukjXY37k
7AAUB9nDRl+t8pmm8s5R46LZgiWvZm8COeCG6aESfkBBex7peCPG5pr7n46oK2gu
CrWFbuTJ6JDs0RvKw04kQi9C7dR71i0qPDmusnV9y/E3gyXgwNYcDlC2hRW1vRPt
hp6KCLdc+l4bs8sqbNvusi5GjJ+EhORY8mfzN5w6/gCEYzrnXIzJfqXjsKMC62xB
sToTXpG9Hcdt7KrlYL+GXvmEWHwu4p6MyjmyFAmqjAWfr5tbYlK4XgzeUX6MCrXW
tMe6OxOI0+jqevziFf1ITWvwz+4G/x6NuBQf1pgajxvFfm5Mtvu+/J+jP8TCDjl3
55ZJkfSiPiGFCO/yYd17CTzsgWiMzn/J50Gd9/k39CiMtPXAils08v4BM7RmdPSi
2y/c//FO+J9YSI7i2mdd0JoDsx4gH//SGVSbrAZeTNCXoiqG2G7dsBpVEOKbFPIn
NejC2QUTFLwq9vfjyA==
-----END CERTIFICATE-----
51 changes: 51 additions & 0 deletions test/configs/certs/ocsp/client-key.pem
@@ -0,0 +1,51 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
