logstash-filter-elasticsearch 3.12.0 → 3.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7ecfb3d5b15acecc9b301e27f77f5170ead83708c2722db56324807e3663cc08
-  data.tar.gz: bd8798a9f82792afb79b1be85936bdf51967dd74c91d6b45bb24b7cadec16e1b
+  metadata.gz: aa249a04a85198ffab82e97a53f15c8c1ce3792b0d7f737962979aaccf0b8a78
+  data.tar.gz: 1501f7b558ead54e7701b0048b5f1f9847d250e96ebdf4cd2875000f733ad8c0
 SHA512:
-  metadata.gz: b76de8e2722b3b1c5cf11efd0a29cc827042e48d584215e14fb9272349bc5cb50aa04b763a52ff26800ad36f64f2c1870cab27a38dbf94776fde5a25f75a7e08
-  data.tar.gz: 9304e6e00443b13fe5888ae62d0f9c0610cb6917cf148b21373afae460602548172a61efa4fed287e085421c7e9ef26bcebaf7a8ec1aee70a12449942b226a3e
+  metadata.gz: c31a11c7588de85b8bbdb922c8938946a651230080202b2442dcea5fc3ef686e499aa74b3f10df9df172713b4b007e0e3ba539b7dff838fccb33da116c3aacbf
+  data.tar.gz: 3bcd227e3ba31712287bb27367959b8a5e032a7e9fa5a907f1ae7018e4422db6b3275bbcb3f88d83d6d623d5f015c2ae80a66a148e2bcb3a84181a801e486640

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 3.14.0
+  - Added support for configurable retries with new `retry_on_failure` and `retry_on_status` options [#160](https://github.com/logstash-plugins/logstash-filter-elasticsearch/pull/160)
+
+## 3.13.0
+  - Added support for this plugin identifying itself to Elasticsearch with an SSL/TLS client certificate using a new `keystore` option [#162](https://github.com/logstash-plugins/logstash-filter-elasticsearch/pull/162)
+
 ## 3.12.0
   - Added support for `ca_trusted_fingerprint` when run on Logstash 8.3+ [#158](https://github.com/logstash-plugins/logstash-filter-elasticsearch/pull/158)
 

data/docs/index.asciidoc

@@ -110,6 +110,7 @@ Authentication to a secure Elasticsearch cluster is possible using _one_ of the
 * <<plugins-{type}s-{plugin}-user>> AND <<plugins-{type}s-{plugin}-password>>
 * <<plugins-{type}s-{plugin}-cloud_auth>>
 * <<plugins-{type}s-{plugin}-api_key>>
+* <<plugins-{type}s-{plugin}-keystore>> and/or <<plugins-{type}s-{plugin}-keystore_password>>
 
 [id="plugins-{type}s-{plugin}-autz"]
 ==== Authorization
@@ -141,8 +142,12 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-query>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-query_template>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-result_size>> |<<number,number>>|No
+| <<plugins-{type}s-{plugin}-retry_on_failure>> |<<number,number>>|No
+| <<plugins-{type}s-{plugin}-result_on_status_>> |<<number,number list>>|No
 | <<plugins-{type}s-{plugin}-sort>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-keystore>> |a valid filesystem path|No
+| <<plugins-{type}s-{plugin}-keystore_password>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-tag_on_failure>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-user>> |<<string,string>>|No
 |=======================================================================
@@ -327,11 +332,30 @@ the {ref}/query-dsl.html[Elasticsearch query documentation].
 [id="plugins-{type}s-{plugin}-result_size"]
 ===== `result_size` 
 
-  * Value type is <<number,number>>
-  * Default value is `1`
+* Value type is <<number,number>>
+* Default value is `1`
 
 How many results to return
 
+[id="plugins-{type}s-{plugin}-retry_on_failure"]
+===== `retry_on_failure`
+
+* Value type is <<number,number>>
+* Default value is `0` (retries disabled)
+
+How many times to retry an individual failed request.
+
+When enabled, retry requests that result in connection errors or an HTTP status code included in <<plugins-{type}s-{plugin}-retry_on_status>>
+
+[id="plugins-{type}s-{plugin}-retry_on_status"]
+===== `retry_on_status`
+
+* Value type is <<number,number list>>
+* Default value is an empty list `[]`
+
+Which HTTP Status codes to consider for retries (in addition to connection errors) when using <<plugins-{type}s-{plugin}-retry_on_failure>>,
+
+
 [id="plugins-{type}s-{plugin}-sort"]
 ===== `sort` 
 
@@ -348,6 +372,22 @@ Comma-delimited list of `<field>:<direction>` pairs that define the sort order
 
 SSL
 
+[id="plugins-{type}s-{plugin}-keystore"]
+===== `keystore` 
+
+  * Value type is <<path,path>>
+  * There is no default value for this setting.
+
+The keystore used to present a certificate to the server. It can be either .jks or .p12
+
+[id="plugins-{type}s-{plugin}-keystore_password"]
+===== `keystore_password` 
+
+  * Value type is <<password,password>>
+  * There is no default value for this setting.
+
+Set the keystore password
+
 [id="plugins-{type}s-{plugin}-tag_on_failure"]
 ===== `tag_on_failure` 
 

data/lib/logstash/filters/elasticsearch/client.rb

@@ -12,6 +12,8 @@ module LogStash
 
       def initialize(logger, hosts, options = {})
         ssl = options.fetch(:ssl, false)
+        keystore = options.fetch(:keystore, nil)
+        keystore_password = options.fetch(:keystore_password, nil)
         user = options.fetch(:user, nil)
         password = options.fetch(:password, nil)
         api_key = options.fetch(:api_key, nil)
@@ -32,9 +34,23 @@ module LogStash
         # set ca_file even if ssl isn't on, since the host can be an https url
         ssl_options.update(ssl: true, ca_file: options[:ca_file]) if options[:ca_file]
         ssl_options.update(ssl: true, trust_strategy: options[:ssl_trust_strategy]) if options[:ssl_trust_strategy]
+        if keystore
+          ssl_options[:keystore] = keystore
+          logger.debug("Keystore for client certificate", :keystore => keystore)
+          ssl_options[:keystore_password] = keystore_password.value if keystore_password
+        end
+
+        client_options = {
+                       hosts: hosts,
+             transport_class: ::Elasticsearch::Transport::Transport::HTTP::Manticore,
+           transport_options: transport_options,
+                         ssl: ssl_options,
+            retry_on_failure: options[:retry_on_failure],
+             retry_on_status: options[:retry_on_status]
+        }
 
         logger.info("New ElasticSearch filter client", :hosts => hosts)
-        @client = ::Elasticsearch::Client.new(hosts: hosts, transport_options: transport_options, transport_class: ::Elasticsearch::Transport::Transport::HTTP::Manticore, :ssl => ssl_options)
+        @client = ::Elasticsearch::Client.new(client_options)
       end
 
       def search(params)

data/lib/logstash/filters/elasticsearch.rb

@@ -66,6 +66,13 @@ class LogStash::Filters::Elasticsearch < LogStash::Filters::Base
   # SSL Certificate Authority file
   config :ca_file, :validate => :path
 
+  # The keystore used to present a certificate to the server.
+  # It can be either .jks or .p12
+  config :keystore, :validate => :path
+
+  # Set the keystore password
+  config :keystore_password, :validate => :password
+
   # Whether results should be sorted or not
   config :enable_sort, :validate => :boolean, :default => true
 
@@ -75,6 +82,12 @@ class LogStash::Filters::Elasticsearch < LogStash::Filters::Base
   # Tags the event on failure to look up geo information. This can be used in later analysis.
   config :tag_on_failure, :validate => :array, :default => ["_elasticsearch_lookup_failure"]
 
+  # How many times to retry on failure?
+  config :retry_on_failure, :validate => :number, :default => 0
+
+  # What status codes to retry on?
+  config :retry_on_status, :validate => :number, :list => true, :default => [500, 502, 503, 504]
+
   # config :ca_trusted_fingerprint, :validate => :sha_256_hex
   include LogStash::PluginMixins::CATrustedFingerprintSupport
 
@@ -109,6 +122,10 @@ class LogStash::Filters::Elasticsearch < LogStash::Filters::Base
       @query_dsl = file.read
     end
 
+    if @keystore_password && !@keystore
+      fail "`keystore_password` was provided, without a `keystore`"
+    end
+
     validate_authentication
     fill_user_password_from_cloud_auth
     fill_hosts_from_cloud_id
@@ -204,6 +221,10 @@ class LogStash::Filters::Elasticsearch < LogStash::Filters::Base
       :proxy => @proxy,
       :ssl => @ssl,
       :ca_file => @ca_file,
+      :retry_on_failure => @retry_on_failure,
+      :retry_on_status => @retry_on_status,
+      :keystore => @keystore,
+      :keystore_password => @keystore_password,
       :ssl_trust_strategy => trust_strategy_for_ca_trusted_fingerprint
     }
   end

data/logstash-filter-elasticsearch.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-filter-elasticsearch'
-  s.version         = '3.12.0'
+  s.version         = '3.14.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Copies fields from previous log events in Elasticsearch to current events "
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -29,4 +29,3 @@ Gem::Specification.new do |s|
 
   s.add_development_dependency 'logstash-devutils'
 end
-

data/spec/filters/elasticsearch_spec.rb

@@ -301,6 +301,15 @@ describe LogStash::Filters::Elasticsearch do
       end
     end
 
+    context 'with client-level retries' do
+      let(:config) do
+        super().merge(
+          "retry_on_failure" => 3,
+          "retry_on_status" => [500]
+        )
+      end
+    end
+
     context "if query is on nested field" do
       let(:config) do
         {
@@ -559,6 +568,28 @@ describe LogStash::Filters::Elasticsearch do
         end
       end
     end
+
+    describe "retry_on_failure" do
+      let(:config) { super().merge("retry_on_failure" => 3) }
+
+      it 'propagates to the client' do
+        plugin.register
+
+        client = plugin.send(:get_client).client
+        expect( extract_transport(client).options[:retry_on_failure] ).to eq(3)
+      end
+    end
+
+    describe "retry_on_status" do
+      let(:config) { super().merge("retry_on_status" => [500, 502, 503, 504]) }
+
+      it 'propagates to the client' do
+        plugin.register
+
+        client = plugin.send(:get_client).client
+        expect( extract_transport(client).options[:retry_on_status] ).to eq([500, 502, 503, 504])
+      end
+    end
   end
 
   describe "ca_trusted_fingerprint" do
@@ -593,6 +624,42 @@ describe LogStash::Filters::Elasticsearch do
     end
   end
 
+  describe "keystore and keystore_password" do
+    let(:keystore_path) { Pathname.new("fixtures/test_certs/ls.chain.p12").expand_path(__dir__).cleanpath.to_s }
+    let(:keystore_password) { '12345678' }
+
+    let(:config) do
+      {
+        'keystore' => keystore_path,
+        'keystore_password' => keystore_password,
+      }
+    end
+
+    subject(:plugin) { described_class.new(config) }
+
+    before(:each) { allow(plugin).to receive(:test_connection!) }
+
+    it 'is passed to the Manticore client' do
+      expect(Manticore::Client).to receive(:new)
+                                     .with(
+                                       a_hash_including(
+                                         ssl: a_hash_including(
+                                           keystore: keystore_path,
+                                           keystore_password: keystore_password
+                                         )
+                                       )
+                                     ).and_call_original
+
+      allow(plugin.logger).to receive(:debug).and_call_original
+      expect(plugin.logger).to receive(:debug).with(a_string_including('Keystore for client certificate'), anything)
+
+      plugin.register
+
+      # the client is built lazily, so we need to get it explicitly
+      plugin.send(:get_client).client
+    end
+  end
+
   describe "defaults" do
 
     let(:config) { Hash.new }

data/spec/filters/fixtures/generate_test_certs.openssl.cnf

@@ -0,0 +1,47 @@
+[ req ]
+distinguished_name= req_distinguished_name
+attributes= req_attributes
+
+[ req_distinguished_name ]
+countryName= Country Name (2 letter code)
+countryName_min= 2
+countryName_max= 2
+stateOrProvinceName= State or Province Name (full name)
+localityName= Locality Name (eg, city)
+0.organizationName= Organization Name (eg, company)
+organizationalUnitName= Organizational Unit Name (eg, section)
+commonName= Common Name (eg, fully qualified host name)
+commonName_max= 64
+emailAddress= Email Address
+emailAddress_max= 64
+
+[ req_attributes ]
+challengePassword= A challenge password
+challengePassword_min= 4
+challengePassword_max= 20
+
+[ certificate_authority ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ elasticsearch_server ]
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = "DNS:elasticsearch"
+
+[ logstash_client ]
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+subjectAltName = "DNS:logstash, DNS:localhost, IP:127.0.0.1"

data/spec/filters/fixtures/generate_test_certs.sh

@@ -0,0 +1,45 @@
+# warning: do not use the certificates produced by this tool in production.
+# This is for testing purposes only
+set -e
+
+script_dir="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+openssl_ext_file="${script_dir}/generate_test_certs.openssl.cnf"
+
+rm -rf "${script_dir}/test_certs"
+mkdir "${script_dir}/test_certs"
+cd "${script_dir}/test_certs"
+
+echo "GENERATED CERTIFICATES FOR TESTING ONLY." >> ./README.txt
+echo "DO NOT USE THESE CERTIFICATES IN PRODUCTION" >> ./README.txt
+
+# certificate authority
+openssl genrsa -out ca.key 4096
+openssl req -new -x509 -days 1826 -extensions "certificate_authority" -key "ca.key" -out "ca.crt" -subj "/C=LS/ST=NA/L=Http Input/O=Logstash/CN=root" -config "${openssl_ext_file}"
+openssl x509 -in "ca.crt" -outform der | sha256sum | awk '{print $1}' > "ca.der.sha256"
+
+# es from ca
+openssl genrsa -out "es.key" 4096
+openssl req -new -key "es.key" -out "es.csr" -subj "/C=LS/ST=NA/L=Http Input/O=Logstash/CN=server" -config "${openssl_ext_file}"
+openssl x509 -req -extensions "elasticsearch_server" -extfile "${openssl_ext_file}" -days 1096 -in "es.csr" -CA "ca.crt" -CAkey "ca.key" -set_serial 03 -sha256 -out "es.crt"
+cat "es.crt" "ca.crt" > "es.chain.crt"
+openssl x509 -in "es.crt" -outform der | sha256sum | awk '{print $1}' > "es.der.sha256"
+
+# ls from ca
+openssl genrsa -out "ls.key" 4096
+openssl req -new -key "ls.key" -out "ls.csr" -subj "/C=LS/ST=NA/L=Http Input/O=Logstash/CN=server" -config "${openssl_ext_file}"
+openssl x509 -req -extensions "logstash_client" -extfile "${openssl_ext_file}" -days 1096 -in "ls.csr" -CA "ca.crt" -CAkey "ca.key" -set_serial 03 -sha256 -out "ls.crt"
+cat "ls.crt" "ca.crt" > "ls.chain.crt"
+openssl x509 -in "ls.crt" -outform der | sha256sum | awk '{print $1}' > "ls.der.sha256"
+
+# verify :allthethings
+openssl verify -CAfile "ca.crt" "es.crt"
+openssl verify -CAfile "ca.crt" "ls.crt"
+
+# create pkcs12 keystores (pass:12345678)
+openssl pkcs12 -export -in "ls.chain.crt" -inkey ls.key -out "ls.chain.p12" -name "logstash" -passout 'pass:12345678'
+
+# use java keytool to convert all pkcs12 keystores to jks-format keystores (pass:12345678)
+keytool -importkeystore -srckeystore "ls.chain.p12" -srcstoretype "pkcs12" -srcstorepass "12345678" -destkeystore "ls.chain.jks" -deststorepass "12345678" -alias logstash
+
+# cleanup csr, we don't need them
+rm -rf *.csr

data/spec/filters/fixtures/test_certs/README.txt

@@ -0,0 +1,2 @@
+GENERATED CERTIFICATES FOR TESTING ONLY.
+DO NOT USE THESE CERTIFICATES IN PRODUCTION

data/spec/filters/fixtures/test_certs/ca.crt

@@ -1,20 +1,32 @@
 -----BEGIN CERTIFICATE-----
-MIIDSTCCAjGgAwIBAgIUUcAg9c8B8jiliCkOEJyqoAHrmccwDQYJKoZIhvcNAQEL
-BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l
-cmF0ZWQgQ0EwHhcNMjEwODEyMDUxNDU1WhcNMjQwODExMDUxNDU1WjA0MTIwMAYD
-VQQDEylFbGFzdGljIENlcnRpZmljYXRlIFRvb2wgQXV0b2dlbmVyYXRlZCBDQTCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK1HuusRuGNsztd4EQvqwcMr
-8XvnNNaalerpMOorCGySEFrNf0HxDIVMGMCrOv1F8SvlcGq3XANs2MJ4F2xhhLZr
-PpqVHx+QnSZ66lu5R89QVSuMh/dCMxhNBlOA/dDlvy+EJBl9H791UGy/ChhSgaBd
-OKVyGkhjErRTeMIq7rR7UG6GL/fV+JGy41UiLrm1KQP7/XVD9UzZfGq/hylFkTPe
-oox5BUxdxUdDZ2creOID+agtIYuJVIkelKPQ+ljBY3kWBRexqJQsvyNUs1gZpjpz
-YUCzuVcXDRuJXYQXGqWXhsBPfJv+ZcSyMIBUfWT/G13cWU1iwufPy0NjajowPZsC
-AwEAAaNTMFEwHQYDVR0OBBYEFMgkye5+2l+TE0I6RsXRHjGBwpBGMB8GA1UdIwQY
-MBaAFMgkye5+2l+TE0I6RsXRHjGBwpBGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBAIgtJW8sy5lBpzPRHkmWSS/SCZIPsABW+cHqQ3e0udrI3CLB
-G9n7yqAPWOBTbdqC2GM8dvAS/Twx4Bub/lWr84dFCu+t0mQq4l5kpJMVRS0KKXPL
-DwJbUN3oPNYy4uPn5Xi+XY3BYFce5vwJUsqIxeAbIOxVTNx++k5DFnB0ESAM23QL
-sgUZl7xl3/DkdO4oHj30gmTRW9bjCJ6umnHIiO3JoJatrprurUIt80vHC4Ndft36
-NBQ9mZpequ4RYjpSZNLcVsxyFAYwEY4g8MvH0MoMo2RRLfehmMCzXnI/Wh2qEyYz
-emHprBii/5y1HieKXlX9CZRb5qEPHckDVXW3znw=
+MIIFiDCCA3CgAwIBAgIJAMPwu3Hm/yaUMA0GCSqGSIb3DQEBCwUAMFExCzAJBgNV
+BAYTAkxTMQswCQYDVQQIDAJOQTETMBEGA1UEBwwKSHR0cCBJbnB1dDERMA8GA1UE
+CgwITG9nc3Rhc2gxDTALBgNVBAMMBHJvb3QwHhcNMjIxMDE0MTkxOTM2WhcNMjcx
+MDE0MTkxOTM2WjBRMQswCQYDVQQGEwJMUzELMAkGA1UECAwCTkExEzARBgNVBAcM
+Ckh0dHAgSW5wdXQxETAPBgNVBAoMCExvZ3N0YXNoMQ0wCwYDVQQDDARyb290MIIC
+IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsqSxx9bax+BGxDZ3qzkt0WAY
+6/UXqv8ay5q3ejrDsYqEopQzvpIfVqZvjAx4aGc+FsYs1ophg3RKBZz84+2DQIDD
+cwrP9/ggDs7C7c/9PEV77tLpkcvvhzW6JxsvY0BjGhPNNKl5KObxeVnLXyDjiYeC
+ON1U8ve4p0K6nczCbvPtyXgjYKLXGSOB6JRDDJa8exAPhO3HoSv0ZuVFLuSzle8z
+ZH1+P5wRGxGobi4NmhFTfYSSL5j21631P8n5N4xHVIhYr8vQNlWVGKkAIQeVneaD
+RsJ+NNRG+tP07X7sv5/QdgjEWXXF33sLeVusK+jWnGep//3Nr8d69ep230rnFQJv
+16HXkGhUUpCWyzE7n7sXS+Z7luOtQtPxHYAh40QKLUQMZVW7rS35KmeLOQMeIGEX
+xSZGRN7kYBqCV7FP8O7uvnBIXUcp66s9lSyaFJAZZgFb7VV2POZ0fBKRjvZVPjRa
+q0qwiSz2H/YbaszK8h22KYvYePzcBJ649w0G3siQ8pz5aFb1dT0H/CrKzdRTN3bE
+nuwk1HsiiM+9Jm0FSjQW5QMmwL+dWorVU1mTNB5wCO8fbmAoNZp3e5PkqkoOP/4q
+I+e0nKOHVqcmCw4WiLa2C05Le4VHlBdPzp2Zm/8b1VgDfIf+9LPcgwACzxkF5KTD
+cLvemYMVIJ+mveMitS8CAwEAAaNjMGEwHQYDVR0OBBYEFMMkkLxa8RHjAG+Pizya
+L/goJNw8MB8GA1UdIwQYMBaAFMMkkLxa8RHjAG+PizyaL/goJNw8MA8GA1UdEwEB
+/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQAUmBX5
+pUi4PJIB/Cld8T2Otgmywu4gSrTFWQpJuF++NxdryZRGg7twDxErlaH1YTuuvtwY
+X0LGF6b1XTNyRZn5o/gJJNxiYGucBxLc4Qx2qJje6CIg38fhfDTeyU8paiFnNxNj
+Fy+/5CgCrxEGd310XIU2gHJ8SWjhHNtJBeeDU6iXl6ITDTBI+Vf7gDyuR4fSi5rK
+Jl3oxxZLwk9u8qAQ/qzRadIQK1yRjUnZI6ClFLULXKGBu5DG9Uh9S3FGUPWCd4dl
+gU6dfhnxdy6PMUbkhdK426dm7U7W0NpbqxfCQWvnaiwihyfN2/gM0GfuNHkp8kA4
+W76xOC6aM6PjjyNWeIx7+Rm4/rCzWlL0aue9ZTWkxQlTbwms70KEGS12qriX6lPC
+mwIWvkN88JnbPlHvGCtxn+GBYb2qwtWmPdBl3t0EivpfJMG+gEuyoY7i/zf+2bvD
+h5A8r0PBhtliZDFX5ZY1UMvoh6Jag2QxzHCr+oDbjljMbR2M76ezfWOCntRGlkVa
+1Ah+vs7/kS2TwSL0X8EY2gXl7iGIhpJ7B6npz3KfvaRysHwP4xMxIUdy9Aj8niFf
+5OMCF2rYrXSu4tK7uvwp/V3Xuk3H4YM1wFXapE2o+DCuFhOwHbku1r/ALH//KgFb
+4O26CUzCDyhhBy+/wiuG6Fk37YskQBCgs37Mww==
 -----END CERTIFICATE-----

data/spec/filters/fixtures/test_certs/ca.der.sha256

@@ -0,0 +1 @@
+241943c7ea305d5489fce87550f53c0655b2419dcd0e8e4c7a164abc8e82808c

data/spec/filters/fixtures/test_certs/ca.key

@@ -1,27 +1,51 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArUe66xG4Y2zO13gRC+rBwyvxe+c01pqV6ukw6isIbJIQWs1/
-QfEMhUwYwKs6/UXxK+VwardcA2zYwngXbGGEtms+mpUfH5CdJnrqW7lHz1BVK4yH
-90IzGE0GU4D90OW/L4QkGX0fv3VQbL8KGFKBoF04pXIaSGMStFN4wirutHtQboYv
-99X4kbLjVSIuubUpA/v9dUP1TNl8ar+HKUWRM96ijHkFTF3FR0NnZyt44gP5qC0h
-i4lUiR6Uo9D6WMFjeRYFF7GolCy/I1SzWBmmOnNhQLO5VxcNG4ldhBcapZeGwE98
-m/5lxLIwgFR9ZP8bXdxZTWLC58/LQ2NqOjA9mwIDAQABAoIBABmBC0P6Ebegljkk
-lO26GdbOKvbfqulDS3mN5QMyXkUMopea03YzMnKUJriE+2O33a1mUcuDPWnLpYPK
-BTiQieYHlulNtY0Bzf+R69igRq9+1WpZftGnzrlu7NVxkOokRqWJv3546ilV7QZ0
-f9ngmu+tiN7hEnlBC8m613VMuGGb3czwbCizEVZxlZX0Dk2GExbH7Yf3NNs/aOP/
-8x6CqgL+rhrtOQ80xwRrOlEF8oSSjXCzypa3nFv21YO3J2lVo4BoIwnHgOzyz46A
-b37gekqXXajIYQ0HAB+NDgVoCRFFJ7Xe16mgB3DpyUpUJzwiMedJkeQ0TprIownQ
-+1mPe9ECgYEA/K4jc0trr3sk8KtcZjOYdpvwrhEqSSGEPeGfFujZaKOb8PZ8PX6j
-MbCTV12nEgm8FEhZQ3azxLnO17gbJ2A+Ksm/IIwnTWlqvvMZD5qTQ7L3qZuCtbWQ
-+EGC/H1SDjhiwvjHcXP61/tYL/peApBSoj0L4kC+U/VaNyvicudKk08CgYEAr46J
-4VJBJfZ4ZaUBRy53+fy+mknOfaj2wo8MnD3u+/x4YWTapqvDOPN2nJVtKlIsxbS4
-qCO+fzUV17YHlsQmGULNbtFuXWJkP/RcLVbe8VYg/6tmk0dJwNAe90flagX2KJov
-8eDX129nNpuUqrNNWsfeLmPmH6vUzpKlga+1zfUCgYBrbUHHJ96dmbZn2AMNtIvy
-iXP3HXcj5msJwB3aKJ8eHMkU1kaWAnwxiQfrkfaQ9bCP0v6YbyQY1IJ7NlvdDs7/
-dAydMtkW0WW/zyztdGN92d3vrx0QUiRTV87vt/wl7ZUXnZt1wcB5CPRCWaiUYHWx
-YlDmHW6N1XdIk5DQF0OegwKBgEt7S8k3Zo9+A5IgegYy8p7njsQjy8a3qTFJ9DAR
-aPmrOc8WX/SdkVihRXRZwxAZOOrgoyyYAcYL+xI+T9EBESh3UoC9R2ibb2MYG7Ha
-0gyN7a4/8eCNHCbs1QOZRAhr+8TFVqv28pbMbWJLToZ+hVns6Zikl0MyzFLtNoAm
-HlMpAoGBAIOkqnwwuRKhWprL59sdcJfWY26os9nvuDV4LoKFNEFLJhj2AA2/3UlV
-v85gqNSxnMNlHLZC9l2HZ3mKv/mfx1aikmFvyhJAnk5u0f9KkexmCPLjQzS5q3ba
-yFuxK2DXwN4x46RgQPFlLjOTCX0BG6rkEu4JdonF8ETSjoCtGEU8
+MIIJKAIBAAKCAgEAsqSxx9bax+BGxDZ3qzkt0WAY6/UXqv8ay5q3ejrDsYqEopQz
+vpIfVqZvjAx4aGc+FsYs1ophg3RKBZz84+2DQIDDcwrP9/ggDs7C7c/9PEV77tLp
+kcvvhzW6JxsvY0BjGhPNNKl5KObxeVnLXyDjiYeCON1U8ve4p0K6nczCbvPtyXgj
+YKLXGSOB6JRDDJa8exAPhO3HoSv0ZuVFLuSzle8zZH1+P5wRGxGobi4NmhFTfYSS
+L5j21631P8n5N4xHVIhYr8vQNlWVGKkAIQeVneaDRsJ+NNRG+tP07X7sv5/QdgjE
+WXXF33sLeVusK+jWnGep//3Nr8d69ep230rnFQJv16HXkGhUUpCWyzE7n7sXS+Z7
+luOtQtPxHYAh40QKLUQMZVW7rS35KmeLOQMeIGEXxSZGRN7kYBqCV7FP8O7uvnBI
+XUcp66s9lSyaFJAZZgFb7VV2POZ0fBKRjvZVPjRaq0qwiSz2H/YbaszK8h22KYvY
+ePzcBJ649w0G3siQ8pz5aFb1dT0H/CrKzdRTN3bEnuwk1HsiiM+9Jm0FSjQW5QMm
+wL+dWorVU1mTNB5wCO8fbmAoNZp3e5PkqkoOP/4qI+e0nKOHVqcmCw4WiLa2C05L
+e4VHlBdPzp2Zm/8b1VgDfIf+9LPcgwACzxkF5KTDcLvemYMVIJ+mveMitS8CAwEA
+AQKCAgAf90Z0muaVI3WmQJTTR60CLS7ocfflOjbCPhIcxg0kZMPtD5XewOjoqWmG
+ZujYzbiXfKijTym5ywI/1OKPqn10+lV+7W1fUr/xxl+tDC2lLk3J42W2GAbpa9y+
+iKfHG8tf7DEo/jZW8lQ9QasZf5oXju7nW/uKandZPqCEAhK8pdtj1KKH9TuGHQtu
+4bDJvONHJg2Q3Ld/CI14KAhkJrpX1vCcR7Rij3ukG1nHNWhrrDQDXsiFydpJp7Ad
+1PdKUEinQKqV8mN0hYXjXsJOJrxH/+p3q+/HZkC5O1o1cSPN+jvkExeHZoKcxbi8
+44GAbe6RGB+cVf8LOCexf138ALwugmSI+b4DqWdB2AAn9/3LeUWxXm3JKhqn5y1o
+nVA1/+6fZtGKjQGRuYAkMxQfSUp+a8UXM72LmU0Vb32RYAJziU3EMslrQheMWCxN
+xH2x5ftdGnhH6biWOK8MG1JpktPSAQb05cdpaRlDiaj+3rg5WcfcWxCNLROLOXPn
+XZZY4wTjDv7R5T9PNGElUxW0Y8W4nc+R31fnLjHZO+6PjI19t+IrQaYXZk6DkoBm
+19P5nLc7ad3y3jqjuxC9yZaMXoSslWnztvF3UjC9twlJ+bnqf+/EHKyNPa9lWWE/
+zsxobGKTBxQp2mE002UUXMcwpfGge6yOSnVhjqMZEcOTrSaTeQKCAQEA6fJCiVKn
+7uuZCuYxu9OxBIP8bV9DTzY7MYlTDH5FOe1udM8qg7PMz+zhz4fT7kqyFPYZnxcj
+tkFJhGvEkZ1X5Dn2aH6Dg3NPHURMvVZcRaOq6uZ7JhdDTrX3VHmF3H5HV8wpydQT
+yYXbcS9pyy5kiH0sK5MsF+uiRvEwkBF5dB1FtVryrYky3ObrYTFbrgseLHbA1PYS
+PaiAYwIjjajm/wY2FubcNyTvmUawjH7KZuHCKYCcPA9o5vMhO2ke5UaixZWIYIkK
+P/4pg+lq8dkz54vbtgU6kFBqJjbdUUZhEzsgJY9SoejOX6uN40Te1JG7ejjnw+Pv
+uY8hdrRaqNoSxQKCAQEAw3vT9cQebcaFzSlBHAoNsD25FXQXgZuYSIvm8iXIV8UM
+Dl9oTVh6gdof9qOea24f0Bq09lkJIJa3ZSU0Jp8dEyXT6mnoLtZSKgWj11b3JXll
+eWfWbZ6AXXPMk7BS2/FynnOGkt037Qo4cuwfkxACnP1Nu9l0gIFk4A/iOSk1tfMN
+MwW3vVljaTl/8M4tPma9VLDwV6EuE/ov8RcOxHGUGSWoqWB2QuDa3Y+94xabsUtB
+cXrUO5i+9G3T3ajuEEv9I9SRB7N6u42LXFJ0g/paHfyrXHIiQkBhe2u9UeisWrr6
+A0DSMimjr2u1C2AESFVfCTS44pfLg5wNJ+201YLXYwKCAQAJXenMFcMjjctS5GSZ
+YKB1zdMNjgLj6Qf1s8nfdi7PYvJJOwI4w7ovmQxxgr65i8QVksTz2blUUsjexHHa
+YrJiMO/svyQE31kLkvB/pDWNlEADp7bGj6fiPuboOvVhHq08lrAVpKgmKXXf0kYq
+HHFqBZj/JaVeT9DvhjirjAeQ3psr57hPum6O6bAC9Db3gPp0TUzrOe8BCP4a+Lrz
+sQ+OpnED+bpXeuMc//eRqIHyHJfpkXyv6u4IUTPDbTIPfASIZLRRKSt/5G1FGtNt
+W4T4gGELqKnvnUiivw+dcXPxkSx4VIS6dtfMfNHxh5BkcnFPM3gUH8w5YcG1PwNi
+P1kBAoIBAQCZrUIvhjMpt5S+eb0ezuR99bgIHpDQKkLoXVt8Z6l9HoJg1i5IB9Of
+O5w/J9fFuvg1gJlcxRgAz5tzX3EFH7cas3VKZmHKWGCVeoOYKVz3z9yvOat/18gw
+L3XXcRlioQirekSENnbd2VgROIGF+mMjiZrPn58P2ykzYClHKJd5544r20XcDGaz
+dSmYZG17Dgevib4YFbUErX18+dR5KJT1w/440YWHA//riDIOUVqqYXAcRySLiYQs
+4h5ZtpEYrLRfs58kP7uvsBGrzYKdsnWf91+7uFooXTaFcWiO+OxuE2mynwXfu45b
+vL/CJoSXXM3ujcz/DbhHSamqBxxPcaHjAoIBAAVsTdPSz64Hr2xHyj4H5FqPDvY/
+lgD9GPZyXAIp4cBmguRiWJyq1oH39Sb2noueHZBmGke2wyA9IWYVAUx1FH5oNA0z
+I8lD1kO5Gl4QFQNfnW4NNOitp2smdsVEN7uvQIsli7A/UHZjTzpxwuRW8tLTu0WW
+UQs6zWUB55aYtjS01TpnLwiP83naC+jPbpS/5s0JsWf+Qb818EBUqrFSmm4D75/A
+C3C9vA3tHUltYNm8kg241iO3aGpjaI5T1gK6bMnMpxrpk3XTFJoDPw+XPySjE9aa
+nWn6eMAflovgvLpj+OYd3tf0iUO8GsfNf5JPqCrxXjbAhD+PYBsSSzv7PHs=
 -----END RSA PRIVATE KEY-----

data/spec/filters/fixtures/test_certs/es.chain.crt

@@ -0,0 +1,68 @@
+-----BEGIN CERTIFICATE-----
+MIIGWjCCBEKgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJMUzEL
+MAkGA1UECAwCTkExEzARBgNVBAcMCkh0dHAgSW5wdXQxETAPBgNVBAoMCExvZ3N0
+YXNoMQ0wCwYDVQQDDARyb290MB4XDTIyMTAxNDE5MTkzN1oXDTI1MTAxNDE5MTkz
+N1owUzELMAkGA1UEBhMCTFMxCzAJBgNVBAgMAk5BMRMwEQYDVQQHDApIdHRwIElu
+cHV0MREwDwYDVQQKDAhMb2dzdGFzaDEPMA0GA1UEAwwGc2VydmVyMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsET/D1QzwBLiia72AnPxCSf5AdOxsKkD
+IKaUJvYGI0GQcIU+CzKzZRtyOIKLK5qSfg2+yfd1cBmHQgwvH5P4pXb8AbZVgJbF
+bD7mIfP494IBKwF4GfM8hHF9gFPlqs745fqAtzDKoszs075/rVE8YvQvCGqclKW2
+5oyvJOhXIh0K038anQk0RMekg001V+3bEqC26oIeaS4hj80RGCKngamLcZ8upZ5W
+gItLvH4s53kM23eYdjjDpOc2RWDmev4dLaV6cE3i+joBO7XBIvR3pXOyav2FV+05
+IiOqCiC4EZZuGCIh8DN7J3Y2LKtwZ/XQjpu7OdkIDJN/wP5+kZ4JM79Iih+fA1gn
+znHcuZVuNkh5UxguNToDNW/yE9j95k1dIc9Gp/tx0FIYSM2jmoq3DSTDQ9jp7gcq
+nbGCMMw8IuZG7U+H1t0hWbYu0iIDBOMFUwi3fPLxTiIOn/zH7NU+DtgIi6Qb9Czx
+2ElFKBJKrGa/OBxIle+vvMvkzsy2P/x9sa5LjXD9G/QpvG9J10KJOT6xjoqI3X4/
+Wfowwh51y/Wjk4Zr0kRjgsrkBNd3fr2ouHHPd5QBzC2W/+tM2XD51vbhCwjSmz6F
+stZXBwadUrBpi5UTSMGzo9LeVPiIaD7z+fuBUD/4J9ZyOF6OjqayJ6Zf95ASGvlw
+3iND8UPvteMCAwEAAaOCATkwggE1MAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQD
+AgZAMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2Vy
+dGlmaWNhdGUwHQYDVR0OBBYEFPAAwJfHTF5gg2fvpwLvBwIukKJGMIGBBgNVHSME
+ejB4gBTDJJC8WvER4wBvj4s8mi/4KCTcPKFVpFMwUTELMAkGA1UEBhMCTFMxCzAJ
+BgNVBAgMAk5BMRMwEQYDVQQHDApIdHRwIElucHV0MREwDwYDVQQKDAhMb2dzdGFz
+aDENMAsGA1UEAwwEcm9vdIIJAMPwu3Hm/yaUMA4GA1UdDwEB/wQEAwIFoDATBgNV
+HSUEDDAKBggrBgEFBQcDATAYBgNVHREEETAPgg1lbGFzdGljc2VhcmNoMA0GCSqG
+SIb3DQEBCwUAA4ICAQAt1ooqoFiyUF6t9SsdgNMuJ/JVJKXHBgccB0xdTz65aFof
+H5gBO2AFhDhcufm3WoF34FPweEi3y+xpzQ5EQHM+wDqe4Y+wfs682Giu4k3Nzy/c
+Ly3VNJALQOntGISpEci7tyDUu59wKGpe1/JmXlm+2nyqbPLjVGLfr46oUk1854XW
+E1n4qIDgTbxm03KaVyH0q2jGPBBqRAUYS3r8JL8iqMfuV0TlaP0CB1e243nupUCa
+JolOKpk2U4y2vkhBRIrQ/3SwIS5lAztqKH/PKenQN285DnBMvt5mw19dlCc+KJ5+
+GhqB84YwIXfRl8FGvrl1EP/VF5PiIsd9du/CNXL3pzH1awt1QH2DNk/eW90Htp13
+e13nMmYFnb52/UPdimZemBc1qO4TcY3dDBPO5DasJu5xR7p5Jq6jk/6tXfsYa7YM
+FpniuD3bP/sUMbBkU2+CRIzED1nVTX4wBjptK1VzQb46UooH+RoCo2Dpku4vuXMO
+wORcFlDXFzGUsfkJlrszDsN+r6pOFC2OgqV7jJb6FSf585hh0FPhgKtbfkNOgoHc
+fv3xCeGhdCG36IA78fIl+3PFs/kjFiQSwYFkAJK3CU9HmgNg3CNLbRic5iPsCwr7
+gb4y1Ouct1Dbp62YafF8gdi3Od2aadl87171I7Cu/BNOFNLEpduivUpYxhlTBQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFiDCCA3CgAwIBAgIJAMPwu3Hm/yaUMA0GCSqGSIb3DQEBCwUAMFExCzAJBgNV
+BAYTAkxTMQswCQYDVQQIDAJOQTETMBEGA1UEBwwKSHR0cCBJbnB1dDERMA8GA1UE
+CgwITG9nc3Rhc2gxDTALBgNVBAMMBHJvb3QwHhcNMjIxMDE0MTkxOTM2WhcNMjcx
+MDE0MTkxOTM2WjBRMQswCQYDVQQGEwJMUzELMAkGA1UECAwCTkExEzARBgNVBAcM
+Ckh0dHAgSW5wdXQxETAPBgNVBAoMCExvZ3N0YXNoMQ0wCwYDVQQDDARyb290MIIC
+IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsqSxx9bax+BGxDZ3qzkt0WAY
+6/UXqv8ay5q3ejrDsYqEopQzvpIfVqZvjAx4aGc+FsYs1ophg3RKBZz84+2DQIDD
+cwrP9/ggDs7C7c/9PEV77tLpkcvvhzW6JxsvY0BjGhPNNKl5KObxeVnLXyDjiYeC
+ON1U8ve4p0K6nczCbvPtyXgjYKLXGSOB6JRDDJa8exAPhO3HoSv0ZuVFLuSzle8z
+ZH1+P5wRGxGobi4NmhFTfYSSL5j21631P8n5N4xHVIhYr8vQNlWVGKkAIQeVneaD
+RsJ+NNRG+tP07X7sv5/QdgjEWXXF33sLeVusK+jWnGep//3Nr8d69ep230rnFQJv
+16HXkGhUUpCWyzE7n7sXS+Z7luOtQtPxHYAh40QKLUQMZVW7rS35KmeLOQMeIGEX
+xSZGRN7kYBqCV7FP8O7uvnBIXUcp66s9lSyaFJAZZgFb7VV2POZ0fBKRjvZVPjRa
+q0qwiSz2H/YbaszK8h22KYvYePzcBJ649w0G3siQ8pz5aFb1dT0H/CrKzdRTN3bE
+nuwk1HsiiM+9Jm0FSjQW5QMmwL+dWorVU1mTNB5wCO8fbmAoNZp3e5PkqkoOP/4q
+I+e0nKOHVqcmCw4WiLa2C05Le4VHlBdPzp2Zm/8b1VgDfIf+9LPcgwACzxkF5KTD
+cLvemYMVIJ+mveMitS8CAwEAAaNjMGEwHQYDVR0OBBYEFMMkkLxa8RHjAG+Pizya
+L/goJNw8MB8GA1UdIwQYMBaAFMMkkLxa8RHjAG+PizyaL/goJNw8MA8GA1UdEwEB
+/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQAUmBX5
+pUi4PJIB/Cld8T2Otgmywu4gSrTFWQpJuF++NxdryZRGg7twDxErlaH1YTuuvtwY
+X0LGF6b1XTNyRZn5o/gJJNxiYGucBxLc4Qx2qJje6CIg38fhfDTeyU8paiFnNxNj
+Fy+/5CgCrxEGd310XIU2gHJ8SWjhHNtJBeeDU6iXl6ITDTBI+Vf7gDyuR4fSi5rK
+Jl3oxxZLwk9u8qAQ/qzRadIQK1yRjUnZI6ClFLULXKGBu5DG9Uh9S3FGUPWCd4dl
+gU6dfhnxdy6PMUbkhdK426dm7U7W0NpbqxfCQWvnaiwihyfN2/gM0GfuNHkp8kA4
+W76xOC6aM6PjjyNWeIx7+Rm4/rCzWlL0aue9ZTWkxQlTbwms70KEGS12qriX6lPC
+mwIWvkN88JnbPlHvGCtxn+GBYb2qwtWmPdBl3t0EivpfJMG+gEuyoY7i/zf+2bvD
+h5A8r0PBhtliZDFX5ZY1UMvoh6Jag2QxzHCr+oDbjljMbR2M76ezfWOCntRGlkVa
+1Ah+vs7/kS2TwSL0X8EY2gXl7iGIhpJ7B6npz3KfvaRysHwP4xMxIUdy9Aj8niFf
+5OMCF2rYrXSu4tK7uvwp/V3Xuk3H4YM1wFXapE2o+DCuFhOwHbku1r/ALH//KgFb
+4O26CUzCDyhhBy+/wiuG6Fk37YskQBCgs37Mww==
+-----END CERTIFICATE-----

data/spec/filters/fixtures/test_certs/es.crt

@@ -1,20 +1,36 @@
 -----BEGIN CERTIFICATE-----
-MIIDNjCCAh6gAwIBAgIUF9wE+oqGSbm4UVn1y9gEjzyaJFswDQYJKoZIhvcNAQEL
-BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l
-cmF0ZWQgQ0EwHhcNMjEwODEyMDUxNTI3WhcNMjQwODExMDUxNTI3WjANMQswCQYD
-VQQDEwJlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2S2by0lgyu
-1JfgGgZ41PNXbH2qMPMzowguVVdtZ16WM0CaEG7lnLxmMcC+2Q7NnGuFnPAVQo9T
-Q3bh7j+1PkCJVHUKZfJIeWtGc9+qXBcO1MhedfwM1osSa4bfwM85G+XKWbRNtmSt
-CoUuKArIyZkzdBAAQLBoQyPf3DIza1Au4j9Hb3zrswD6e7n2PN4ffIyil1GFduLJ
-2275qqFiOhkEDUhv7BKNftVBh/89O/5lSqAQGuQ1aDRr8TdHwhO71u4ZIU/Pn6yX
-LGBWrQG53+qpdCsxGvJTfbtIEYUDTN83CirIxDKJgc1QXOEldylztHf4xnQ7ZarJ
-tqF6pUzHbRsCAwEAAaNnMGUwHQYDVR0OBBYEFFQUK+6Cg2kExRj1xSDzEi4kkgKX
-MB8GA1UdIwQYMBaAFMgkye5+2l+TE0I6RsXRHjGBwpBGMBgGA1UdEQQRMA+CDWVs
-YXN0aWNzZWFyY2gwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAinaknZIc
-7xtQNwUwa+kdET+I4lMz+TJw9vTjGKPJqe082n81ycKU5b+a/OndG90z+dTwhShW
-f0oZdIe/1rDCdiRU4ceCZA4ybKrFDIbW8gOKZOx9rsgEx9XNELj4ocZTBqxjQmNE
-Ho91fli5aEm0EL2vJgejh4hcfDeElQ6go9gtvAHQ57XEADQSenvt69jOICOupnS+
-LSjDVhv/VLi3CAip0B+lD5fX/DVQdrJ62eRGuQYxoouE3saCO58qUUrKB39yD9KA
-qRA/sVxyLogxaU+5dLfc0NJdOqSzStxQ2vdMvAWo9tZZ2UBGFrk5SdwCQe7Yv5mX
-qi02i4q6meHGcw==
+MIIGWjCCBEKgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJMUzEL
+MAkGA1UECAwCTkExEzARBgNVBAcMCkh0dHAgSW5wdXQxETAPBgNVBAoMCExvZ3N0
+YXNoMQ0wCwYDVQQDDARyb290MB4XDTIyMTAxNDE5MTkzN1oXDTI1MTAxNDE5MTkz
+N1owUzELMAkGA1UEBhMCTFMxCzAJBgNVBAgMAk5BMRMwEQYDVQQHDApIdHRwIElu
+cHV0MREwDwYDVQQKDAhMb2dzdGFzaDEPMA0GA1UEAwwGc2VydmVyMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsET/D1QzwBLiia72AnPxCSf5AdOxsKkD
+IKaUJvYGI0GQcIU+CzKzZRtyOIKLK5qSfg2+yfd1cBmHQgwvH5P4pXb8AbZVgJbF
+bD7mIfP494IBKwF4GfM8hHF9gFPlqs745fqAtzDKoszs075/rVE8YvQvCGqclKW2
+5oyvJOhXIh0K038anQk0RMekg001V+3bEqC26oIeaS4hj80RGCKngamLcZ8upZ5W
+gItLvH4s53kM23eYdjjDpOc2RWDmev4dLaV6cE3i+joBO7XBIvR3pXOyav2FV+05
+IiOqCiC4EZZuGCIh8DN7J3Y2LKtwZ/XQjpu7OdkIDJN/wP5+kZ4JM79Iih+fA1gn
+znHcuZVuNkh5UxguNToDNW/yE9j95k1dIc9Gp/tx0FIYSM2jmoq3DSTDQ9jp7gcq
+nbGCMMw8IuZG7U+H1t0hWbYu0iIDBOMFUwi3fPLxTiIOn/zH7NU+DtgIi6Qb9Czx
+2ElFKBJKrGa/OBxIle+vvMvkzsy2P/x9sa5LjXD9G/QpvG9J10KJOT6xjoqI3X4/
+Wfowwh51y/Wjk4Zr0kRjgsrkBNd3fr2ouHHPd5QBzC2W/+tM2XD51vbhCwjSmz6F
+stZXBwadUrBpi5UTSMGzo9LeVPiIaD7z+fuBUD/4J9ZyOF6OjqayJ6Zf95ASGvlw
+3iND8UPvteMCAwEAAaOCATkwggE1MAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQD
+AgZAMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2Vy
+dGlmaWNhdGUwHQYDVR0OBBYEFPAAwJfHTF5gg2fvpwLvBwIukKJGMIGBBgNVHSME
+ejB4gBTDJJC8WvER4wBvj4s8mi/4KCTcPKFVpFMwUTELMAkGA1UEBhMCTFMxCzAJ
+BgNVBAgMAk5BMRMwEQYDVQQHDApIdHRwIElucHV0MREwDwYDVQQKDAhMb2dzdGFz
+aDENMAsGA1UEAwwEcm9vdIIJAMPwu3Hm/yaUMA4GA1UdDwEB/wQEAwIFoDATBgNV
+HSUEDDAKBggrBgEFBQcDATAYBgNVHREEETAPgg1lbGFzdGljc2VhcmNoMA0GCSqG
+SIb3DQEBCwUAA4ICAQAt1ooqoFiyUF6t9SsdgNMuJ/JVJKXHBgccB0xdTz65aFof
+H5gBO2AFhDhcufm3WoF34FPweEi3y+xpzQ5EQHM+wDqe4Y+wfs682Giu4k3Nzy/c
+Ly3VNJALQOntGISpEci7tyDUu59wKGpe1/JmXlm+2nyqbPLjVGLfr46oUk1854XW
+E1n4qIDgTbxm03KaVyH0q2jGPBBqRAUYS3r8JL8iqMfuV0TlaP0CB1e243nupUCa
+JolOKpk2U4y2vkhBRIrQ/3SwIS5lAztqKH/PKenQN285DnBMvt5mw19dlCc+KJ5+
+GhqB84YwIXfRl8FGvrl1EP/VF5PiIsd9du/CNXL3pzH1awt1QH2DNk/eW90Htp13
+e13nMmYFnb52/UPdimZemBc1qO4TcY3dDBPO5DasJu5xR7p5Jq6jk/6tXfsYa7YM
+FpniuD3bP/sUMbBkU2+CRIzED1nVTX4wBjptK1VzQb46UooH+RoCo2Dpku4vuXMO
+wORcFlDXFzGUsfkJlrszDsN+r6pOFC2OgqV7jJb6FSf585hh0FPhgKtbfkNOgoHc
+fv3xCeGhdCG36IA78fIl+3PFs/kjFiQSwYFkAJK3CU9HmgNg3CNLbRic5iPsCwr7
+gb4y1Ouct1Dbp62YafF8gdi3Od2aadl87171I7Cu/BNOFNLEpduivUpYxhlTBQ==
 -----END CERTIFICATE-----

data/spec/filters/fixtures/test_certs/es.der.sha256

@@ -0,0 +1 @@
+8fa8b9c3fb555544a031e5080719ab47b38c4d2d2c2dcbf01dd1555092da7e54

data/spec/filters/fixtures/test_certs/es.key

@@ -1,27 +1,51 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArZLZvLSWDK7Ul+AaBnjU81dsfaow8zOjCC5VV21nXpYzQJoQ
-buWcvGYxwL7ZDs2ca4Wc8BVCj1NDduHuP7U+QIlUdQpl8kh5a0Zz36pcFw7UyF51
-/AzWixJrht/Azzkb5cpZtE22ZK0KhS4oCsjJmTN0EABAsGhDI9/cMjNrUC7iP0dv
-fOuzAPp7ufY83h98jKKXUYV24snbbvmqoWI6GQQNSG/sEo1+1UGH/z07/mVKoBAa
-5DVoNGvxN0fCE7vW7hkhT8+frJcsYFatAbnf6ql0KzEa8lN9u0gRhQNM3zcKKsjE
-MomBzVBc4SV3KXO0d/jGdDtlqsm2oXqlTMdtGwIDAQABAoIBAQCm/VBDz41ImG7p
-yu3e6iMeFi7HW5SKdlRUS5dJbHT1uBWJAm/q8TbwvnUBVdsn9cKWY06QYDPQBjAy
-0LxRSIKivjyl+aIJDZbbEUXrmk/M0zT9rHtgSc2isM8ITH6IHw5q7lmNMPLYOu6T
-IMvfTDtADBOOTV/vF+/4NKf5GCUXVt1XTzLBFMK0p/ZoI7Fsw7fhH6FR12vk0xA4
-BEC4pwRbGfHo7P31ii0by8epkve93tF4IZuFmN92A84bN1z7Kc4TYaSbua2rgguz
-FzMyWpsTxr363HzCK1xOJb6JyJOiXbq4+j2oqtne3GIvyozJeiyKRgjLIMoe/LV7
-fPPc5wlhAoGBAOD3z0JH2eyR/1RHILFsWInH2nDbKHHuCjhFIL2XloeXsJkiJZ95
-BpdjExMZCqD44tPNRW/GgWKwoVwltm6zB0aq0aW/OfOzw6fhKt1W+go47L7Tpwap
-VQgy6BFXSueUKfQDlZEWV4E2gakf8vOl0/VRQExae/CeKf1suEedQaErAoGBAMWE
-LOmNDEU2NFqghfNBAFYyFJst3YnBmSmlL7W22+OsfSK/PhxnJbuNHxMgxpg9rieW
-tVyjuZRo/i7WLVm3uG+dK1RJ9t8Y6kpYkCRKpi9G8DBOj3PSulOybBr+fdRfW9mf
-8UmqOjOkrhxXPkchc9TY4EM7/1XeKvEidlIp0gvRAoGAAurz4zYvW2QhXaR2hhaT
-p2XSLXiKM8AUndo3rH3U0/lhrvrEZicZsMj2LF88xg20U27sIaD/eJo13Y4XqaPk
-ykPY6D9srv574SeIeMpx/8PxPiBcoDd+BNc0L1VkgVBoouORAwq5I9HjKKBjdEmI
-UDw3i0X5KYvDm6fXVAZ0HXUCgYBWc4To8KiXPqNpq2sVzrSkBaWJSmj2G7u7Q6b/
-RTs3is72v3gjHG6iiaE5URY7mnu4rjlRhAP9Vnsy6uHMrCJZEBTf/sPEYHZj9iGZ
-EOduOAF3U1tsmaaebbDtm8hdhSOBvITy9kQlSIZAt1r17Ulytz5pj0AySFzJUIkz
-a0SZkQKBgCWixtUxiK8PAdWhyS++90WJeJn8eqjuSAz+VMtFQFRRWDUbkiHvGMRu
-o/Hhk6zS46gSF2Evb1d26uUEenXnJlIp6YWzb0DLPrfy5P53kPA6YEvYq5MSAg3l
-DZOJUF+ko7cWXSZkeTIBH/jrGOdP4tTALZt6DNt+Gz7xwPO5tGgV
+MIIJKQIBAAKCAgEAsET/D1QzwBLiia72AnPxCSf5AdOxsKkDIKaUJvYGI0GQcIU+
+CzKzZRtyOIKLK5qSfg2+yfd1cBmHQgwvH5P4pXb8AbZVgJbFbD7mIfP494IBKwF4
+GfM8hHF9gFPlqs745fqAtzDKoszs075/rVE8YvQvCGqclKW25oyvJOhXIh0K038a
+nQk0RMekg001V+3bEqC26oIeaS4hj80RGCKngamLcZ8upZ5WgItLvH4s53kM23eY
+djjDpOc2RWDmev4dLaV6cE3i+joBO7XBIvR3pXOyav2FV+05IiOqCiC4EZZuGCIh
+8DN7J3Y2LKtwZ/XQjpu7OdkIDJN/wP5+kZ4JM79Iih+fA1gnznHcuZVuNkh5Uxgu
+NToDNW/yE9j95k1dIc9Gp/tx0FIYSM2jmoq3DSTDQ9jp7gcqnbGCMMw8IuZG7U+H
+1t0hWbYu0iIDBOMFUwi3fPLxTiIOn/zH7NU+DtgIi6Qb9Czx2ElFKBJKrGa/OBxI
+le+vvMvkzsy2P/x9sa5LjXD9G/QpvG9J10KJOT6xjoqI3X4/Wfowwh51y/Wjk4Zr
+0kRjgsrkBNd3fr2ouHHPd5QBzC2W/+tM2XD51vbhCwjSmz6FstZXBwadUrBpi5UT
+SMGzo9LeVPiIaD7z+fuBUD/4J9ZyOF6OjqayJ6Zf95ASGvlw3iND8UPvteMCAwEA
+AQKCAgAb4s53HlsRh+tO3N8OhEkdqbU7FMKHsDVOdQv7HfDaowS2yF2IZ/z5gd4Q
+EpbxzwJd7s7AJOXvVhqP2F2cIUy04J39p1rffPq+pTTDKlW40lhc9V6KvHBWg53X
+L26mFxhJSdgTIyTrnH/a/8gzIybqgLbwHe2nlo/Y6WjL7fXa771GuFT9gvdB6lOc
+chp+TqLZz5MghnVJLoMgvNB3gQP+/1OQJh67FNGahG724v83n27pSYJVMaXB8NIl
+J69OxeTX09YK7kd6TrLjP13Oqd5DzonrYzA1ONJRFFNSRtrX7XR9XOkBlyNkms73
+QigGSl00Mm7sN+mOE8eiQKDFaLsLsT0euPKSoFNhph3EEv5LrUJ5veebn3N00N7R
+tMC0t4P08VX5/sTpBy9atCrJ3Ccs5k+b1jTQJoKRrvNbtmXR8FZwEbtVBkxCgfq5
+LNbLUd+8bj80TimBEJwVN3Pggl6OwhysAsr3U4CdjWeSxaJh2sATnNuQy7utA1uY
+XbYOZWTYC4jClWDD7o9F1p9OBggX0aqnY77UXt8R5vmjNtNk1L61MKoZ6+2yGgY9
+TGwEpy8KfnpwVBddpVnJAjtQrq4jf8w1GOvI6AdTUn8cqyhycw66FHyyzPzaC8CZ
+DHMysJCXBGLegBCMx1kvZ9FwgIctHuTcShg7xEskI6En3xMQAQKCAQEA6BzbgkUo
+11MLfZdtipo4CJoDq5hdrzPgpUiRK8Gs/Ax3Sp8li+jqfwohvR3JCwHvtwnGpyPo
+gAVuoelT874NW6qkfViqPJ23zz6/KWS1+jdD/xEhZuMx/WwJmxF1k6l3l62kr1OF
+bCLchbPXd87qTLuCtYx0zK1bjNoF6pY/QQ9IQyV30bntiCMFJVUYi3bfi5Z5V7rv
+sSS3xCBxD0kRZ4S9gDWsaGzz1TMQ6TIq2wJ6nfaAbgWuZv1R8BMy8Ih57ZZmyrU2
+FO613JSMT/e8Wbn2NfkmHNwHOZyfVOUTkfKsFd9NfBEbyN0GCTIJ5J9XP1+f6Tq6
+OPNfQZl+wkZuMwKCAQEAwmjq6Maa06VOLSyNNW+uKWY/nL/g2XMtLbueo0yVKf1l
+QG8hh0P26JOjBufXpgC+R+KFvgEft6uylDafw+lVyNLK/VwLZs2vxdIrRzyGy0wg
+Ez01SodpuHVoEnnTJr1BHIRuFJxUt4apPrNJKo2/Aw2gJMek6DtypyA5PwDjnCQ0
+E2zY1B418d9/C2jHRlP71Drb9DspHgG5xABDOH43+9w4aP6T7rztlXw6lMG+3jZl
+yj6Gl5KXiS6ojIBLZAcJuq54qMJ8YH9mNu8kViAdj4u0G2ERBaQUfCeEVFLCaPk3
+QXApaKquOnj7AAHYEUqTabfFHBAfQeZfs7U5nKaJkQKCAQEAmcGL8zaHAGQlh3OI
+/7h7B8+mQMQ0wvt1g2eXqsmoImrLluXnhE+tDqySfuk9JQqKVdCnBE74E94FVEHw
+99Rcmu1l+xaB5pd/jEx/axcoqPB1HYCmhLZZhgtMLamaHk+zRgmjvvRvvJs3Q2ZH
+hDjP4jaQNl0tfewUajB+nNAcZKeP8dLfFVG5tGWmYf2FvdTn7lqmVOQjJVAyXzwy
+SLLZUZ6PvV9QrvgFaaRjPmaaFuwEd6EzoC4pQlXqMkM1ijqNskHgI8V4ZtNeKxlH
+/S0ZWsKiA0zg31steg9zSFRa62I6dl6uwFHA+wTWm77G6OhYbkWU83WQqGsnHZhl
+bKIlGwKCAQBOzkTbExbT0GB+Q18CWEEbGw2SNt2oh926eiF2RKb6nHMcyW+n6079
+PEuLkxOBgS+g6Bwax03aIEmFdxcQTVeuznPmfBdLFvm3kNhmSgzCABvIcLlXesjK
+Mx16z9NeEr2AF9afmDdnJbkZZ4ezLj5NuIpAHoWkdeSmBpPuDCg3tR0++pJyecSY
+RWa0c0bEJWshvrJGsGycc0qgPxMApXmAKObc+MVyszcDr5X3kwoR/a8JaosYih3P
+SBCe06q743Z4LB1RG3VbkIkYn5v1JZOWCqV5q8FAriB3q3Ui0WFpOAzEA/llKjry
+DPSCLj0t1TMoWYwXMhnZls8Yg8/UxlVhAoIBAQDTZbWxnEV2jKcH+HJdaECMLvGH
+DKnz1eYDg4F1tQzaVIv1JVqOReNHshQuee73zfe7oQ2T7ify+OuxcUaiPU19RzHR
+L9JOiVxhVNH8ERNaxysQ9bPrymaXvyY2I7FN6CLBNjbSr0LqgAOwgspQI93GZWC/
+CCJd5ZymH2B5lchkYSv45PEwvQ7pEiD40sKh4QHwK/qgXwS0yta7Ood/ruTRSq4m
+GOkSKEYM4wU6DfsiCSKD8NYmyFyreMPIZlCenMhDWk7/Xn76uvHcuUw2kHG5UuU2
+lwkSp29ifJzWRzacTJiG6rlBPuOEl/pDa70BEkXGvIz9SB6i/29Iiwmq5qiv
 -----END RSA PRIVATE KEY-----

data/spec/filters/fixtures/test_certs/ls.chain.crt

@@ -0,0 +1,67 @@
+-----BEGIN CERTIFICATE-----
+MIIGCzCCA/OgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJMUzEL
+MAkGA1UECAwCTkExEzARBgNVBAcMCkh0dHAgSW5wdXQxETAPBgNVBAoMCExvZ3N0
+YXNoMQ0wCwYDVQQDDARyb290MB4XDTIyMTAxNDE5MzgxMFoXDTI1MTAxNDE5Mzgx
+MFowUzELMAkGA1UEBhMCTFMxCzAJBgNVBAgMAk5BMRMwEQYDVQQHDApIdHRwIElu
+cHV0MREwDwYDVQQKDAhMb2dzdGFzaDEPMA0GA1UEAwwGc2VydmVyMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtD+/LdfEMEBN8JjD8AE8ZNHopz9ozvZA
+BZ4QG4JWdZS0sGIYOBynL2OsEgmkEmntFiewuq5hEBXHTRF8H5vh+89jyaG3C/aP
+fmAWs/es/Fy74g8/lAeNJY854KVOhjCkqXi47tmy6+M8Z9D3V+RLQgm4f0aZtZ9t
+Di1SCPrrUYDZ3WFaIu7OnuK23O3mGMq5oRw1BtQMPPOObb83FiH6coCIFzj5rhHF
+mVG++YN/VSkAoEZGMcfkfoK8s9MB6vgk8vy3XYz+q7mqTGVxk5LSvY/APe/bMRqz
+lqmFyvT28pCcr/C+ipL7joHu+pdWJSkDz622StNrUF7BpJyhNSO4pEONRtipwgp3
+3f5UTJvEsoALgVilHUsGNo21qNtwu8op6I4lLBrw2Xm+YCCcSI5bF5u7ItJv9VIC
+fMJTsr8M9FQclS47RluYXwVXWZI0gns8bUROY5z1Tsh5XajSOfuiKDQ4DR3REAwf
+O5Tm0kOonariM73IjishGGmAIj1jLf3fLrtsHME1svciLEhQKtu594HSeteL3kZ5
+aj2pnZD4cmly7J1XFlR83acydqVgiz6SDbU39DJOJfXa+rPjwF/OtEaydi4KN9an
+yL7MDMGhYKfJBTGZI+nubQtM0JzAtVOatnCNteXJ5TNByemuUemf65AUiBzDgA79
+8wnSjQppF7cCAwEAAaOB6zCB6DAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIF
+oDAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQgQ2xpZW50IENlcnRp
+ZmljYXRlMB0GA1UdDgQWBBQeetV4PXJhHdbsTceb4TGvElARYTAfBgNVHSMEGDAW
+gBTDJJC8WvER4wBvj4s8mi/4KCTcPDAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYw
+FAYIKwYBBQUHAwIGCCsGAQUFBwMEMCQGA1UdEQQdMBuCCGxvZ3N0YXNogglsb2Nh
+bGhvc3SHBH8AAAEwDQYJKoZIhvcNAQELBQADggIBAE+TYh1qdbFSzIDQPUehAwnC
+CtUOyF1hRA38UbpRzefjT/2h85LkVbD5D4tcyJIEQyBWfhuxeroJwQYVyz1vOne0
+hRM9yB8wxK9pAx/ZXEJuIfCUvH7LBZABXlhiQE08Az9rm/Pj6iq2NXdukM+YNk3W
+W4kfPS9i3vx+1d6UM14xUQtzLipO9BLmOeo5pD0q0gjRczYdsJF5QL/K7xfM0dus
+M+2M0Q0h4YzrqFR9jZT7zgkdS0WMcIqKh/9V9XNP2Kge4XuiImqZtvFdooYiiywV
+aVdB4c94zv2XFeqIix81eCI48DXC8YVgF6H62St74deHxJobIHcXtXIr7kxsi0Sa
+crrIuClkz4P99v0FtrthJD5L7+5mBBC/wcuCsXwKE+XnaP5tAYE2MdBh9xEy6Ua7
+XPnItLlArKqcr3i5LE8lxhktQtJvRqaQwkn30SUXh5o2aAw1lkkUvZAAp0eoOZZP
+Pkn+9wO3yl8q7L+6jOH6gD0gg8PvuKk9rTVx1jTFg5MEUpWp0lWZqDnHIolEZ2SG
+xXaISAkYnfaQtAXxmhLQRbQqFwq4doxPJdMs9Bz0iDc8/GCpH5X9KZ9n0RqJp5WA
+xkZeJm/MoBX85yX+T9jHMSM5vldvjcjNbP9INikoN+3ZxIPcRJVq5pwq+ELzSZO5
+J55nIYTq+uBxxugiPfl8
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFiDCCA3CgAwIBAgIJAMPwu3Hm/yaUMA0GCSqGSIb3DQEBCwUAMFExCzAJBgNV
+BAYTAkxTMQswCQYDVQQIDAJOQTETMBEGA1UEBwwKSHR0cCBJbnB1dDERMA8GA1UE
+CgwITG9nc3Rhc2gxDTALBgNVBAMMBHJvb3QwHhcNMjIxMDE0MTkxOTM2WhcNMjcx
+MDE0MTkxOTM2WjBRMQswCQYDVQQGEwJMUzELMAkGA1UECAwCTkExEzARBgNVBAcM
+Ckh0dHAgSW5wdXQxETAPBgNVBAoMCExvZ3N0YXNoMQ0wCwYDVQQDDARyb290MIIC
+IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsqSxx9bax+BGxDZ3qzkt0WAY
+6/UXqv8ay5q3ejrDsYqEopQzvpIfVqZvjAx4aGc+FsYs1ophg3RKBZz84+2DQIDD
+cwrP9/ggDs7C7c/9PEV77tLpkcvvhzW6JxsvY0BjGhPNNKl5KObxeVnLXyDjiYeC
+ON1U8ve4p0K6nczCbvPtyXgjYKLXGSOB6JRDDJa8exAPhO3HoSv0ZuVFLuSzle8z
+ZH1+P5wRGxGobi4NmhFTfYSSL5j21631P8n5N4xHVIhYr8vQNlWVGKkAIQeVneaD
+RsJ+NNRG+tP07X7sv5/QdgjEWXXF33sLeVusK+jWnGep//3Nr8d69ep230rnFQJv
+16HXkGhUUpCWyzE7n7sXS+Z7luOtQtPxHYAh40QKLUQMZVW7rS35KmeLOQMeIGEX
+xSZGRN7kYBqCV7FP8O7uvnBIXUcp66s9lSyaFJAZZgFb7VV2POZ0fBKRjvZVPjRa
+q0qwiSz2H/YbaszK8h22KYvYePzcBJ649w0G3siQ8pz5aFb1dT0H/CrKzdRTN3bE
+nuwk1HsiiM+9Jm0FSjQW5QMmwL+dWorVU1mTNB5wCO8fbmAoNZp3e5PkqkoOP/4q
+I+e0nKOHVqcmCw4WiLa2C05Le4VHlBdPzp2Zm/8b1VgDfIf+9LPcgwACzxkF5KTD
+cLvemYMVIJ+mveMitS8CAwEAAaNjMGEwHQYDVR0OBBYEFMMkkLxa8RHjAG+Pizya
+L/goJNw8MB8GA1UdIwQYMBaAFMMkkLxa8RHjAG+PizyaL/goJNw8MA8GA1UdEwEB
+/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQAUmBX5
+pUi4PJIB/Cld8T2Otgmywu4gSrTFWQpJuF++NxdryZRGg7twDxErlaH1YTuuvtwY
+X0LGF6b1XTNyRZn5o/gJJNxiYGucBxLc4Qx2qJje6CIg38fhfDTeyU8paiFnNxNj
+Fy+/5CgCrxEGd310XIU2gHJ8SWjhHNtJBeeDU6iXl6ITDTBI+Vf7gDyuR4fSi5rK
+Jl3oxxZLwk9u8qAQ/qzRadIQK1yRjUnZI6ClFLULXKGBu5DG9Uh9S3FGUPWCd4dl
+gU6dfhnxdy6PMUbkhdK426dm7U7W0NpbqxfCQWvnaiwihyfN2/gM0GfuNHkp8kA4
+W76xOC6aM6PjjyNWeIx7+Rm4/rCzWlL0aue9ZTWkxQlTbwms70KEGS12qriX6lPC
+mwIWvkN88JnbPlHvGCtxn+GBYb2qwtWmPdBl3t0EivpfJMG+gEuyoY7i/zf+2bvD
+h5A8r0PBhtliZDFX5ZY1UMvoh6Jag2QxzHCr+oDbjljMbR2M76ezfWOCntRGlkVa
+1Ah+vs7/kS2TwSL0X8EY2gXl7iGIhpJ7B6npz3KfvaRysHwP4xMxIUdy9Aj8niFf
+5OMCF2rYrXSu4tK7uvwp/V3Xuk3H4YM1wFXapE2o+DCuFhOwHbku1r/ALH//KgFb
+4O26CUzCDyhhBy+/wiuG6Fk37YskQBCgs37Mww==
+-----END CERTIFICATE-----

data/spec/filters/fixtures/test_certs/ls.crt

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGCzCCA/OgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJMUzEL
+MAkGA1UECAwCTkExEzARBgNVBAcMCkh0dHAgSW5wdXQxETAPBgNVBAoMCExvZ3N0
+YXNoMQ0wCwYDVQQDDARyb290MB4XDTIyMTAxNDE5MzgxMFoXDTI1MTAxNDE5Mzgx
+MFowUzELMAkGA1UEBhMCTFMxCzAJBgNVBAgMAk5BMRMwEQYDVQQHDApIdHRwIElu
+cHV0MREwDwYDVQQKDAhMb2dzdGFzaDEPMA0GA1UEAwwGc2VydmVyMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtD+/LdfEMEBN8JjD8AE8ZNHopz9ozvZA
+BZ4QG4JWdZS0sGIYOBynL2OsEgmkEmntFiewuq5hEBXHTRF8H5vh+89jyaG3C/aP
+fmAWs/es/Fy74g8/lAeNJY854KVOhjCkqXi47tmy6+M8Z9D3V+RLQgm4f0aZtZ9t
+Di1SCPrrUYDZ3WFaIu7OnuK23O3mGMq5oRw1BtQMPPOObb83FiH6coCIFzj5rhHF
+mVG++YN/VSkAoEZGMcfkfoK8s9MB6vgk8vy3XYz+q7mqTGVxk5LSvY/APe/bMRqz
+lqmFyvT28pCcr/C+ipL7joHu+pdWJSkDz622StNrUF7BpJyhNSO4pEONRtipwgp3
+3f5UTJvEsoALgVilHUsGNo21qNtwu8op6I4lLBrw2Xm+YCCcSI5bF5u7ItJv9VIC
+fMJTsr8M9FQclS47RluYXwVXWZI0gns8bUROY5z1Tsh5XajSOfuiKDQ4DR3REAwf
+O5Tm0kOonariM73IjishGGmAIj1jLf3fLrtsHME1svciLEhQKtu594HSeteL3kZ5
+aj2pnZD4cmly7J1XFlR83acydqVgiz6SDbU39DJOJfXa+rPjwF/OtEaydi4KN9an
+yL7MDMGhYKfJBTGZI+nubQtM0JzAtVOatnCNteXJ5TNByemuUemf65AUiBzDgA79
+8wnSjQppF7cCAwEAAaOB6zCB6DAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIF
+oDAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQgQ2xpZW50IENlcnRp
+ZmljYXRlMB0GA1UdDgQWBBQeetV4PXJhHdbsTceb4TGvElARYTAfBgNVHSMEGDAW
+gBTDJJC8WvER4wBvj4s8mi/4KCTcPDAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYw
+FAYIKwYBBQUHAwIGCCsGAQUFBwMEMCQGA1UdEQQdMBuCCGxvZ3N0YXNogglsb2Nh
+bGhvc3SHBH8AAAEwDQYJKoZIhvcNAQELBQADggIBAE+TYh1qdbFSzIDQPUehAwnC
+CtUOyF1hRA38UbpRzefjT/2h85LkVbD5D4tcyJIEQyBWfhuxeroJwQYVyz1vOne0
+hRM9yB8wxK9pAx/ZXEJuIfCUvH7LBZABXlhiQE08Az9rm/Pj6iq2NXdukM+YNk3W
+W4kfPS9i3vx+1d6UM14xUQtzLipO9BLmOeo5pD0q0gjRczYdsJF5QL/K7xfM0dus
+M+2M0Q0h4YzrqFR9jZT7zgkdS0WMcIqKh/9V9XNP2Kge4XuiImqZtvFdooYiiywV
+aVdB4c94zv2XFeqIix81eCI48DXC8YVgF6H62St74deHxJobIHcXtXIr7kxsi0Sa
+crrIuClkz4P99v0FtrthJD5L7+5mBBC/wcuCsXwKE+XnaP5tAYE2MdBh9xEy6Ua7
+XPnItLlArKqcr3i5LE8lxhktQtJvRqaQwkn30SUXh5o2aAw1lkkUvZAAp0eoOZZP
+Pkn+9wO3yl8q7L+6jOH6gD0gg8PvuKk9rTVx1jTFg5MEUpWp0lWZqDnHIolEZ2SG
+xXaISAkYnfaQtAXxmhLQRbQqFwq4doxPJdMs9Bz0iDc8/GCpH5X9KZ9n0RqJp5WA
+xkZeJm/MoBX85yX+T9jHMSM5vldvjcjNbP9INikoN+3ZxIPcRJVq5pwq+ELzSZO5
+J55nIYTq+uBxxugiPfl8
+-----END CERTIFICATE-----

data/spec/filters/fixtures/test_certs/ls.der.sha256

@@ -0,0 +1 @@
+8475c96eb5167b9acafd5a58b920510b86582419a9b17f1116c5ba22a1478965

data/spec/filters/fixtures/test_certs/ls.key

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKQIBAAKCAgEAtD+/LdfEMEBN8JjD8AE8ZNHopz9ozvZABZ4QG4JWdZS0sGIY
+OBynL2OsEgmkEmntFiewuq5hEBXHTRF8H5vh+89jyaG3C/aPfmAWs/es/Fy74g8/
+lAeNJY854KVOhjCkqXi47tmy6+M8Z9D3V+RLQgm4f0aZtZ9tDi1SCPrrUYDZ3WFa
+Iu7OnuK23O3mGMq5oRw1BtQMPPOObb83FiH6coCIFzj5rhHFmVG++YN/VSkAoEZG
+McfkfoK8s9MB6vgk8vy3XYz+q7mqTGVxk5LSvY/APe/bMRqzlqmFyvT28pCcr/C+
+ipL7joHu+pdWJSkDz622StNrUF7BpJyhNSO4pEONRtipwgp33f5UTJvEsoALgVil
+HUsGNo21qNtwu8op6I4lLBrw2Xm+YCCcSI5bF5u7ItJv9VICfMJTsr8M9FQclS47
+RluYXwVXWZI0gns8bUROY5z1Tsh5XajSOfuiKDQ4DR3REAwfO5Tm0kOonariM73I
+jishGGmAIj1jLf3fLrtsHME1svciLEhQKtu594HSeteL3kZ5aj2pnZD4cmly7J1X
+FlR83acydqVgiz6SDbU39DJOJfXa+rPjwF/OtEaydi4KN9anyL7MDMGhYKfJBTGZ
+I+nubQtM0JzAtVOatnCNteXJ5TNByemuUemf65AUiBzDgA798wnSjQppF7cCAwEA
+AQKCAgBONWqqZXiGxyAKSP6bYK3nwPyFtQmw40AcL90lUoRZOFC+R5HipuwTr9e1
+a+F46+UnO8l+9rK+2/RCCFgnDuga7n2Ju1VFJ5JTbzXqmIjCZypOh/c6L5yas26V
+fqR3rRuFPRBg8qyjlVFcalsoE7Jj0PvwnZ2MJMSY5ik2JEl+b74YRGlrxtp4Lj7R
+1ZeFIlExCqAnelJlD/i4vcMVI2Eb1ZE3Ik2TrbpjMAkBEoFpXgUbheJnLyiBjBB8
+pg2q+kht9iFJwieuMz0lMM77DTXLclgjh7M/tyo9MQkQawHLddvGq1rBnczwpIgg
+yxFhxk4VCnaSOPHTSYoT9rIr8Hfoc5TReJXf/bBMlJfC/BdIKLd8r3RrEbAmSfni
+XDIU55Hx/lSZKBrZM5xWp/ef7WNLYoa6ZOFl+qfz/d9iTjoCMb7uwQZUm6x/QikC
+bP6Vdpv10t+HWZhB8w84olJqDKX59L9aBNWUNnuf84dI4wk9QYX1nL7DZkblmLXY
+dC1RrI+FF6+6PiRrQvCxRAg6ITuGVeKDwBw2T3/DF9uQXcFXK/GgnQgJShm3rqhr
+6XjBp66/1+Dq9Ogu63uaNN27s8sZ/XNaGwdzmbgfHihaRju+uUzm+aZoDX+xKSRs
+pKMIIXJ4niw5cAxSYYDBEZnHQjI6zL3un0IDq8z+ivLveEuG4QKCAQEA4Ymg14eg
+mYrn9lzXLsnnJxxN3gP0KiQYJvIZeKMJcg2IuzQOtbeM9HFHSVLBCQeD0m3hx0g3
+AxFc2S1hUUscIX/d7gng4pyGit9JX3LEA6LJw+nXYlNcM/NEKHtuYYo73SFXXJ79
++CdpfQ+dCCQKLnuDSZiAOrl/bkKeTN6P6d9a2rMMG03ILUPRRNKJ+3p9bItcVSDU
+r1fbDN1s+gMgs3vHF3qWfwEOuPddb7qK6x8QM4OOslbno1nr8mhjZbLyJmzqrErg
+G2QplJ7HMkwMU0e6QRL1byewPUFuBB9B8DPtAuUUbnY/zEinDIdgecs5BskDiQ0y
+ngUWEbVhVdxBkwKCAQEAzJgu3lEekG6v6QfGfLIolD9Gt9+wQfK4Sr771Nhq/fyG
+22rDeGrftdRnoS265iFV3hjQcRE/OeTt4B3anW66YhBp5nHOB5N/Cjikpv1/5+eZ
+EaXQrNyvY+9TW0rokB5GDec5FYAPctuQ/lDiYxMRWrz6ih1mTMmVdLWZvmlEymsy
+V0x5td7m3oDMQr+CLoUyjZ4tpXT0YfXtU3O1oyaJlnwhCJw8QjV2oQXjNmYN3K6q
+C9W3hArxXtVFfOHO+Rxj9ACf3hCYXDLMFehX5u3csXO21zI5rgWWlwq4i09Edkig
+liCMwezQT4CDYyiFFLXdAI5JlK292a9qkFFdTIY3zQKCAQEAhsc0Mxh9xMPZssPw
+Y6mMVTb44YADXVuMg1mSFyF2941W9Gg7kiRKO5mmPA8UBE1VXV8E2Y4yMccicTZJ
+Pcdg3DQJb8K/fSyEymB8/Gkc8f9KC6WmbL/cDb+GL5rzb56n/5F5H4RzyOPkijPW
+Z5MB8p0k68oSdwV7PWzaJJ2r6trq9F6jEX397e7lE/etNXcRlNgDKWwhLVeXM6zu
+/sj3tcp2Q3WikesT3T0VvTsA4VkC2YX4tGJyso9+DLKNE61IP+Y+pw9ntXa50nLA
+HzKK+wmWKGUn/nD9RN3g3N3BDcY6EMzM1OYdYfrYuQf9g0sKnR9q2W/lm8D2W0bF
+EAY7uQKCAQEAxaeYT+sqjfqBM63xUfKERYRD+8u86lllNcEAZgaWhr16Q2wHX8RQ
+T8fePdaCI2W9IQ30AefZn0LNlKEC3OlmYurchGcZ1jPmnadPWoy5Dv+t32DEEtw5
+DWDetOnPd7vnjfL+MQlA44O/thHKRFDdiT3dBaWVeUWef9wZpdzpOm0Je1FEnDG1
+9OuVaj69s9e2mR5hluFAX4tJNkApEG9gqONOvpTBmm0wKCwZ8Cnz5mlPmpNj8cro
+mOeNdDJq1DtbTRV1XQHHT/s7M0b99PmDJmRWFdxN4RNBAra2xs9TorpTefYERi1U
+qhnL1PYGa5Wu5qSP7XVUXoObfcU9T3qzWQKCAQBWPWf4DBczCbOa+z7uij7tkqm7
+15DeQfbFOUa++ieSBfZYKYtMP7Sf1Ntu9+r8VNey7pX9PuqAC/IGyG/TWTsmaHUS
+sbeBtC7TW00KwPsSImvlbhyCDU+AyJHo+LuWsyFVu9NWgbyE4kxyBM7aV8fBTcfz
+fj7TVsvlw+rcXvBPiJ31geLSmTyIwiGwYhH8g3srwPgr7OkRW6yb2KlVeEfy7ktw
+yBVik7Qgw6jHfbskowbFPl0IEuWPf7PtlGYEyAkYlqTwUT1MRwOzLLoaLwbGQVRV
+E/2K1oFSNYKvKUwesGVv58g/W1XE6Xvr7NqLb8YrzMm/Pi6ZuFE/2VLqXvHy
+-----END RSA PRIVATE KEY-----

data/spec/filters/integration/elasticsearch_spec.rb

@@ -102,4 +102,53 @@ describe LogStash::Filters::Elasticsearch, :integration => true do
 
   end
 
+  if SECURE_INTEGRATION
+    context 'setting keystore' do
+      let(:keystore_path) { Pathname.new("../fixtures/test_certs/ls.chain.p12").expand_path(__dir__).cleanpath.to_s }
+      let(:keystore_password) { '12345678' }
+
+      let(:config) do
+        super().merge(
+          "hosts" => [ESHelper.get_host_port],
+          "keystore" => keystore_path,
+          "keystore_password" => keystore_password,
+          "ssl" => true,
+          "fields" => { "this" => "contents", "response" => "four-oh-four" }
+        )
+      end
+
+      it "should enhance the current event with new data" do
+        plugin.register
+        plugin.filter(event)
+        puts event.to_hash.inspect
+        expect(event.get('contents')).to eq('that')
+        expect(event.get('four-oh-four')).to eq(404)
+      end
+    end
+
+    if Gem::Version.create(LOGSTASH_VERSION) >= Gem::Version.create("8.3.0")
+      context 'setting ca_trusted_finterprint WITHOUT ca_file' do
+        let(:ca_trusted_fingerprint) { Pathname.new("../fixtures/test_certs/ca.der.sha256").expand_path(__dir__).read.chomp }
+
+        let(:config) do
+          bc = super()
+          bc.delete('ca_file')
+          bc.merge({
+            'ca_trusted_fingerprint' => ca_trusted_fingerprint,
+            'fields' => { "this" => "contents", "response" => "four-oh-four" }
+          })
+        end
+
+        it "should enhance the current event with new data" do
+          puts config.inspect
+          plugin.register
+          plugin.filter(event)
+          puts event.to_hash.inspect
+          expect(event.get('contents')).to eq('that')
+          expect(event.get('four-oh-four')).to eq(404)
+        end
+      end
+    end
+  end
+
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-filter-elasticsearch
 version: !ruby/object:Gem::Version
-  version: 3.12.0
+  version: 3.14.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-05-24 00:00:00.000000000 Z
+date: 2023-02-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -136,16 +136,28 @@ files:
 - spec/es_helper.rb
 - spec/filters/elasticsearch_spec.rb
 - spec/filters/fixtures/elasticsearch_7.x_hits_total_as_object.json
+- spec/filters/fixtures/generate_test_certs.openssl.cnf
+- spec/filters/fixtures/generate_test_certs.sh
 - spec/filters/fixtures/query_template.json
 - spec/filters/fixtures/query_template_unicode.json
 - spec/filters/fixtures/request_error.json
 - spec/filters/fixtures/request_size0_agg.json
 - spec/filters/fixtures/request_x_1.json
 - spec/filters/fixtures/request_x_10.json
+- spec/filters/fixtures/test_certs/README.txt
 - spec/filters/fixtures/test_certs/ca.crt
+- spec/filters/fixtures/test_certs/ca.der.sha256
 - spec/filters/fixtures/test_certs/ca.key
+- spec/filters/fixtures/test_certs/es.chain.crt
 - spec/filters/fixtures/test_certs/es.crt
+- spec/filters/fixtures/test_certs/es.der.sha256
 - spec/filters/fixtures/test_certs/es.key
+- spec/filters/fixtures/test_certs/ls.chain.crt
+- spec/filters/fixtures/test_certs/ls.chain.jks
+- spec/filters/fixtures/test_certs/ls.chain.p12
+- spec/filters/fixtures/test_certs/ls.crt
+- spec/filters/fixtures/test_certs/ls.der.sha256
+- spec/filters/fixtures/test_certs/ls.key
 - spec/filters/integration/elasticsearch_spec.rb
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
@@ -176,14 +188,26 @@ test_files:
 - spec/es_helper.rb
 - spec/filters/elasticsearch_spec.rb
 - spec/filters/fixtures/elasticsearch_7.x_hits_total_as_object.json
+- spec/filters/fixtures/generate_test_certs.openssl.cnf
+- spec/filters/fixtures/generate_test_certs.sh
 - spec/filters/fixtures/query_template.json
 - spec/filters/fixtures/query_template_unicode.json
 - spec/filters/fixtures/request_error.json
 - spec/filters/fixtures/request_size0_agg.json
 - spec/filters/fixtures/request_x_1.json
 - spec/filters/fixtures/request_x_10.json
+- spec/filters/fixtures/test_certs/README.txt
 - spec/filters/fixtures/test_certs/ca.crt
+- spec/filters/fixtures/test_certs/ca.der.sha256
 - spec/filters/fixtures/test_certs/ca.key
+- spec/filters/fixtures/test_certs/es.chain.crt
 - spec/filters/fixtures/test_certs/es.crt
+- spec/filters/fixtures/test_certs/es.der.sha256
 - spec/filters/fixtures/test_certs/es.key
+- spec/filters/fixtures/test_certs/ls.chain.crt
+- spec/filters/fixtures/test_certs/ls.chain.jks
+- spec/filters/fixtures/test_certs/ls.chain.p12
+- spec/filters/fixtures/test_certs/ls.crt
+- spec/filters/fixtures/test_certs/ls.der.sha256
+- spec/filters/fixtures/test_certs/ls.key
 - spec/filters/integration/elasticsearch_spec.rb