logstash-input-tcp 6.0.10-java → 6.2.1-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 877ef458e968d48f3cd99ecd7f6846ac2f371e8c3897a6ed831b86e1f584d245
-  data.tar.gz: fab3cedbc3b4fab8c5915e219e03cfa6da6ba3aa9bb61d3245e0339535067894
+  metadata.gz: 387806978d8a05a020a5f642c6e377a4ebb6b40d73df908a88d99282d0b4e99e
+  data.tar.gz: 670952d23fd233413a074c2447b15fb6f04aef532b311edac6dcfc85d9de7299
 SHA512:
-  metadata.gz: 6196c01efc835b13d84528bbc780d6915d40adc7e86b7427d5b0e445fef3f9b3df6049301dbeb6f7321510b908dc16910920b50d602a30e6f049461f9fc8509c
-  data.tar.gz: 41102085f47d341e9db45d8ded793ced779f703102c22929c1382b1047d41269849d8d116e2a73531498b2b9b4430cde135c38a50e29b43aab2e8dc015784231
+  metadata.gz: 151d1d001537105d26efbd03cdb603bec2c8e2c5402082b0f66b26bc582c5e601790d5d61e90eea224781b9682b221026daad5d8323bfa1a030e0fbc10c628e7
+  data.tar.gz: b290d05bf1c1f3fcb3ac3bc0e9d7d8cc2523b52cd90f0aad848398971026e4bb2e7eba94a5b27ec56ee4e961d33b1672c27992cf5997ffffc81cc5357af53d2b

data/CHANGELOG.md

@@ -1,3 +1,19 @@
+## 6.2.1
+  - Fix: restore logic to add the Bouncy-Castle security provider at runtime [#181](https://github.com/logstash-plugins/logstash-input-tcp/pull/181)
+    - required to properly read encrypted (legacy) OpenSSL PKCS#5v1.5 keys
+
+## 6.2.0
+ - Added ECS Compatibility Mode [#165](https://github.com/logstash-plugins/logstash-input-tcp/pull/165)
+   - When operating in an ECS Compatibility mode, metadata about the connection on which we are receiving data is nested in well-named fields under `[@metadata][input][tcp]` instead of at the root level.
+ - Fix: source address is no longer missing when a proxy is present
+
+## 6.1.1
+ - Changed jar dependencies to reflect newer versions [#179](https://github.com/logstash-plugins/logstash-input-http/pull/179)
+
+## 6.1.0
+  - Feat: improve SSL error logging/unwrapping [#178](https://github.com/logstash-plugins/logstash-input-tcp/pull/178)
+  - Fix: the plugin will no longer have a side effect of adding the Bouncy-Castle security provider at runtime  
+
 ## 6.0.10
   - bumping dependency commons-io [#174](https://github.com/logstash-plugins/logstash-input-tcp/pull/174)
 

data/docs/index.asciidoc

@@ -70,6 +70,52 @@ event timestamp
       }
     }
 
+[id="plugins-{type}s-{plugin}-ecs_metadata"]
+==== Event Metadata and the Elastic Common Schema (ECS)
+
+In addition to decoding the events, this input will add metadata about the TCP connection itself to each event.
+This can be helpful when applications are configured to send events directly to this input's TCP listener without including information about themselves.
+
+Historically, this metadata was added to a variety of non-standard top-level fields, which had the potential to create confusion and schema conflicts downstream.
+With ECS compatibility mode, we can ensure a pipeline still has access to this metadata throughout the event's lifecycle without polluting the top-level namespace.
+
+[cols="3,7,5"]
+|=======================================================================
+| Metadata Group                                     | ecs: `v1`, `v8`                       | ecs: `disabled`
+
+.3+|Source Metadata from the TCP connection
+on which events are being received, including
+the sender's name, ip, and outbound port.       l|[@metadata][input][tcp][source][name] l|[host]
+l|[@metadata][input][tcp][source][ip]   l|[@metadata][ip_address]
+l|[@metadata][input][tcp][source][port] l|[port]
+
+.2+|Proxy Metadata from a proxied TCP connection.
+Available when receiving events by proxy and
+`proxy_protocol => true`                        l|[@metadata][input][tcp][proxy][ip]    l|[proxy_host]
+l|[@metadata][input][tcp][proxy][port]  l|[proxy_port]
+
+.1+|SSL Subject Metadata from a secured TCP
+connection. Available when `ssl_enable => true`
+AND `ssl_verify => true`                        l|[@metadata][input][tcp][ssl][subject] l|[sslsubject]
+|=======================================================================
+
+For example, the Elastic Common Schema reserves the https://www.elastic.co/guide/en/ecs/current/ecs-host.html[top-level `host` field] for information about the host on which the event happened.
+If an event is missing this metadata, it can be copied into place from the source TCP connection metadata that has been added to the event:
+
+[source,txt]
+-----
+filter {
+  if [@metadata][input][tcp][source] and not [host] {
+    mutate {
+      copy {
+        "[@metadata][input][tcp][source][name]" => "[host][name]"
+        "[@metadata][input][tcp][source][ip]"   => "[host][ip]"
+      }
+    }
+  }
+}
+-----
+
 [id="plugins-{type}s-{plugin}-options"]
 ==== Tcp Input Configuration Options
 
@@ -79,6 +125,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 |=======================================================================
 |Setting |Input type|Required
 | <<plugins-{type}s-{plugin}-dns_reverse_lookup_enabled>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-ecs_compatibility>> | <<string,string>>|No
 | <<plugins-{type}s-{plugin}-host>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-mode>> |<<string,string>>, one of `["server", "client"]`|No
 | <<plugins-{type}s-{plugin}-port>> |<<number,number>>|Yes
@@ -108,6 +155,20 @@ It is possible to avoid DNS reverse-lookups by disabling this setting. If disabl
 the address metadata that is added to events will contain the source address as-specified
 at the TCP layer and IPs will not be resolved to hostnames.
 
+[id="plugins-{type}s-{plugin}-ecs_compatibility"]
+===== `ecs_compatibility`
+
+* Value type is <<string,string>>
+* Supported values are:
+** `disabled`: unstructured connection metadata added at root level
+** `v1`,`v8`: structured connection metadata added under `[@metadata][input][tcp]`
+* Default value depends on which version of Logstash is running:
+** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
+** Otherwise, the default value is `disabled`.
+
+Controls this plugin's compatibility with the https://www.elastic.co/guide/en/ecs/current/index.html[Elastic Common Schema (ECS)].
+The value of this setting affects the <<plugins-{type}s-{plugin}-ecs_metadata,placement of a TCP connection's metadata>> on events.
+
 [id="plugins-{type}s-{plugin}-host"]
 ===== `host` 
 

data/lib/logstash/inputs/tcp/decoder_impl.rb

@@ -1,7 +1,7 @@
 # encoding: utf-8
 require 'java'
 
-class DecoderImpl
+class LogStash::Inputs::Tcp::DecoderImpl
 
   include org.logstash.tcp.Decoder
 
@@ -24,7 +24,7 @@ class DecoderImpl
   end
 
   def copy
-    DecoderImpl.new(@codec.clone, @tcp)
+    self.class.new(@codec.clone, @tcp)
   end
 
   def flush
@@ -41,16 +41,17 @@ class DecoderImpl
         @tcp.logger.error("Invalid proxy protocol header label", :header => pp_hdr)
         raise IOError.new("Invalid proxy protocol header label #{pp_hdr.inspect}")
       else
-        @proxy_address = pp_info[3]
-        @proxy_port = pp_info[5]
-        @address = pp_info[2]
-        @port = pp_info[4]
+        @proxy_address = pp_info[3] # layer 3 destination address (proxy's receiving address)
+        @proxy_port = pp_info[5] # TCP destination port (proxy's receiving port)
+        @ip_address = pp_info[2] # layer 3 source address (outgoing ip of sender)
+        @address = extract_host_name(@ip_address)
+        @port = pp_info[4] # TCP source port (outgoing port on sender [probably random])
       end
     else
       filtered = received
-      @ip_address = channel_addr.get_address.get_host_address
-      @address = extract_host_name(channel_addr)
-      @port = channel_addr.get_port
+      @ip_address = channel_addr.get_address.get_host_address # ip address of sender
+      @address = extract_host_name(channel_addr) # name _or_ address of sender
+      @port = channel_addr.get_port # outgoing port of sender (probably random)
     end
     @first_read = false
     filtered
@@ -58,6 +59,8 @@ class DecoderImpl
 
   private
   def extract_host_name(channel_addr)
+    channel_addr = java.net.InetSocketAddress.new(channel_addr, 0) if channel_addr.kind_of?(String)
+
     return channel_addr.get_host_string unless @tcp.dns_reverse_lookup_enabled?
 
     channel_addr.get_host_name

data/lib/logstash/inputs/tcp.rb

@@ -5,8 +5,7 @@ require "java"
 require "logstash/inputs/base"
 require "logstash/util/socket_peer"
 require "logstash-input-tcp_jars"
-require "logstash/inputs/tcp/decoder_impl"
-require "logstash/inputs/tcp/compat_ssl_options"
+require 'logstash/plugin_mixins/ecs_compatibility_support'
 
 require "socket"
 require "openssl"
@@ -61,7 +60,13 @@ require "openssl"
 #     }
 class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 
-  java_import org.logstash.tcp.InputLoop
+  java_import 'org.logstash.tcp.InputLoop'
+  java_import 'org.logstash.tcp.SslContextBuilder'
+
+  require_relative "tcp/decoder_impl"
+
+  # ecs_compatibility option, provided by Logstash core or the support adapter.
+  include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1, :v8 => :v1)
 
   config_name "tcp"
 
@@ -103,7 +108,8 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   # Useful when the CA chain is not necessary in the system store.
   config :ssl_extra_chain_certs, :validate => :array, :default => []
 
-  # Validate client certificates against these authorities. You can define multiple files or paths. All the certificates will be read and added to the trust store.
+  # Validate client certificates against these authorities. You can define multiple files or paths.
+  # All the certificates will be read and added to the trust store.
   config :ssl_certificate_authorities, :validate => :array, :default => []
 
   # Instruct the socket to use TCP keep alives. Uses OS defaults for keep alive settings.
@@ -112,13 +118,6 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   # Option to allow users to avoid DNS Reverse Lookup.
   config :dns_reverse_lookup_enabled, :validate => :boolean, :default => true
 
-  HOST_FIELD = "host".freeze
-  HOST_IP_FIELD = "[@metadata][ip_address]".freeze
-  PORT_FIELD = "port".freeze
-  PROXY_HOST_FIELD = "proxy_host".freeze
-  PROXY_PORT_FIELD = "proxy_port".freeze
-  SSLSUBJECT_FIELD = "sslsubject".freeze
-
   # Monkey patch TCPSocket and SSLSocket to include socket peer
   # @private
   def self.patch_socket_peer!
@@ -133,6 +132,8 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   def initialize(*args)
     super(*args)
 
+    setup_fields!
+
     self.class.patch_socket_peer!
 
     # threadsafe socket bookkeeping
@@ -148,10 +149,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     fix_streaming_codecs
 
     if server?
-      ssl_context = get_ssl_context(SslOptions)
-
-
-      @loop = InputLoop.new(@host, @port, DecoderImpl.new(@codec, self), @tcp_keep_alive, ssl_context)
+      @loop = InputLoop.new(@host, @port, DecoderImpl.new(@codec, self), @tcp_keep_alive, java_ssl_context)
     end
   end
 
@@ -188,8 +186,8 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
                     proxy_port, tbuf, socket)
     codec.decode(tbuf) do |event|
       if @proxy_protocol
-        event.set(PROXY_HOST_FIELD, proxy_address) unless event.get(PROXY_HOST_FIELD)
-        event.set(PROXY_PORT_FIELD, proxy_port) unless event.get(PROXY_PORT_FIELD)
+        event.set(@field_proxy_host, proxy_address) unless event.get(@field_proxy_host)
+        event.set(@field_proxy_port, proxy_port) unless event.get(@field_proxy_port)
       end
       enqueue_decorated(event, client_ip_address, client_address, client_port, socket)
     end
@@ -262,14 +260,24 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   end
 
   def enqueue_decorated(event, client_ip_address, client_address, client_port, socket)
-    event.set(HOST_FIELD, client_address) unless event.get(HOST_FIELD)
-    event.set(HOST_IP_FIELD, client_ip_address) unless event.get(HOST_IP_FIELD)
-    event.set(PORT_FIELD, client_port) unless event.get(PORT_FIELD)
-    event.set(SSLSUBJECT_FIELD, socket.peer_cert.subject.to_s) if socket && @ssl_enable && @ssl_verify && event.get(SSLSUBJECT_FIELD).nil?
+    event.set(@field_host, client_address) unless event.get(@field_host)
+    event.set(@field_host_ip, client_ip_address) unless event.get(@field_host_ip)
+    event.set(@field_port, client_port) unless event.get(@field_port)
+    event.set(@field_sslsubject, socket.peer_cert.subject.to_s) if socket && @ssl_enable && @ssl_verify && event.get(@field_sslsubject).nil?
     decorate(event)
     @output_queue << event
   end
 
+  # setup the field names, with respect to ECS compatibility.
+  def setup_fields!
+    @field_host       = ecs_select[disabled: "host",                    v1: "[@metadata][input][tcp][source][name]"        ].freeze
+    @field_host_ip    = ecs_select[disabled: "[@metadata][ip_address]", v1: "[@metadata][input][tcp][source][ip]"          ].freeze
+    @field_port       = ecs_select[disabled: "port",                    v1: "[@metadata][input][tcp][source][port]"        ].freeze
+    @field_proxy_host = ecs_select[disabled: "proxy_host",              v1: "[@metadata][input][tcp][proxy][ip]"           ].freeze
+    @field_proxy_port = ecs_select[disabled: "proxy_port",              v1: "[@metadata][input][tcp][proxy][port]"         ].freeze
+    @field_sslsubject = ecs_select[disabled: "sslsubject",              v1: "[@metadata][input][tcp][tls][client][subject]"].freeze
+  end
+
   def server?
     @mode == "server"
   end
@@ -320,7 +328,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 
     socket
   rescue OpenSSL::SSL::SSLError => e
-    @logger.error("SSL Error", :exception => e, :backtrace => e.backtrace)
+    @logger.error("SSL Error", :message => e.message, :exception => e.class, :backtrace => e.backtrace)
     # catch all rescue nil on close to discard any close errors or invalid socket
     socket.close rescue nil
     sleep(1) # prevent hammering peer
@@ -362,15 +370,33 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     @socket_mutex.synchronize{@connection_sockets.keys.dup}
   end
 
-  def get_ssl_context(options_class)
-    ssl_context = options_class.builder
-      .set_is_ssl_enabled(@ssl_enable)
+  def java_ssl_context
+    SslContextBuilder.new
+      .set_ssl_enabled(@ssl_enable)
       .set_should_verify(@ssl_verify)
       .set_ssl_cert(@ssl_cert)
       .set_ssl_key(@ssl_key)
-      .set_ssl_key_passphrase(@ssl_key_passphrase.value)
+      .set_ssl_key_password(@ssl_key_passphrase.value)
       .set_ssl_extra_chain_certs(@ssl_extra_chain_certs.to_java(:string))
       .set_ssl_certificate_authorities(@ssl_certificate_authorities.to_java(:string))
-      .build.toSslContext()
+      .build_context
+  rescue java.lang.IllegalArgumentException => e
+    @logger.error("SSL configuration invalid", error_details(e))
+    raise LogStash::ConfigurationError, e
+  rescue java.lang.Exception => e
+    @logger.error("SSL configuration failed", error_details(e, true))
+    raise e
+  end
+
+  def error_details(e, trace = false)
+    error_details = { :exception => e.class, :message => e.message }
+    error_details[:backtrace] = e.backtrace if trace || @logger.debug?
+    cause = e.cause
+    if cause && e != cause
+      error_details[:cause] = { :exception => cause.class, :message => cause.message }
+      error_details[:cause][:backtrace] = cause.backtrace if trace || @logger.debug?
+    end
+    error_details
   end
+
 end

data/logstash-input-tcp.gemspec

@@ -21,6 +21,12 @@ Gem::Specification.new do |s|
 
   # Gem dependencies
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
+  s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~>1.2'
+
+  s.add_runtime_dependency 'logstash-core', '>= 6.7.0'
+
+  # we depend on bouncycastle's bcpkix-jdk15on being on the class-path
+  s.add_runtime_dependency 'jruby-openssl', '>= 0.10.2', '< 0.12'
 
   # line vs streaming codecs required for fix_streaming_codecs
   # TODO: fix_streaming_codecs should be refactored to not

data/spec/fixtures/encrypted-pkcs5v15.crt

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICNDCCAZ0CFDeJbri+rGpHPKybNEMIdH/rV8NNMA0GCSqGSIb3DQEBCwUAMFkx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0yMTA4
+MjUxMzAyMzZaFw0yNDEyMDcxMzAyMzZaMFkxCzAJBgNVBAYTAkFVMRMwEQYDVQQI
+DApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx
+EjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+v7u9o3mztK8BQ7HiuWs1YJSzpPujs6cYefYDU8AWg6SkDIS/E0SiVoKZmHxcyul+
+t1QEsF3VYEnkKs0jtJQKE6Av0DCMQWA8lXmuEnXI02mDvtL2Kxh4w5x1D5bSRgJP
+Ms9ozN06F5wrMtipUBglwIwQ6HHPywToNMnf5BBZUnECAwEAATANBgkqhkiG9w0B
+AQsFAAOBgQCuh+ytoZKgOEzeLwhfScUvcuDcYJFGkMckO6oUe+/SDTfBN/z5WAhV
+ogBOLOqate4plaP12ZhjE8DUeRy9oN3zKenpskTtXrMz5XH0mclAn8aBig+eOyEj
+1QMDysipE11d1sx1SIXiIMSKtv6kLV/Y+4aId9/AJHxOYMHxebwSQg==
+-----END CERTIFICATE-----

data/spec/fixtures/encrypted-pkcs5v15.key

@@ -0,0 +1,17 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIICoTAbBgkqhkiG9w0BBQMwDgQI3TfMa5Qd1D8CAggABIICgFjVn88VPNrjBXiF
+Hw5W8yFFwvoeSd/vVkDcGUiNhQy9A3ra/QmktEHvv1d/rGGLSkPypmx9zJuTNGz9
+eJs7TSgIVBsmRG4UtG20qBifG/XVpN1/6pk1Hp9hbIuSBzNIi+EhdhSEty10oZso
+JwrkTbFS4VAk4ivOWcl0O0HQRkGxlSaKmgYNOebvOLqw4/77BN80AOeZHXBGwYNJ
+vRf8Og5PWqR5XmTJLVQxtB4BcBSPCSkECgOBoFfAeaeE6ei0W7V+LDBBHC7Ql0Dl
+rK3KCyvYywd+Ep58jNQRfDsEglgw7jrN2IIaf2jRhfEiPhwbAnEDlQXsMqAIWS/I
+gwj6NaaZObdX8hDVhz/T7MSnK9O8q2JGM6jhhRQZxo4TUlLB1xnwGZ9uQRljshQy
+OmtQ3KuLZvRML9G8nMtd73vdQ3f0cFBIjPG8QblUMOews8tJA2OMpBXEAZf0go25
++lI+rk4RKdHvX9kVGDmKoe/KN3xo23usTjcfodhapHQYPqHc3QOx8XNxtcio1I49
+wnS2xICbiEJfnSOBrrjWIivW0wHZG590ZKJ0FnpKEaXXJ2bV8VEyn+mZ4Ef9ITLk
+9wsOt+68V9xRrsUsvUkkW97POVGZbw0XHf5xZ3ckKiBK41wPuoo2opVc/Qyw+jB0
+cw2Lr/AUzLWZW9w+jmHL1Qr9cydcf2XKBMIoqBFQpJce35bNLTTm8O8K8ZMXEK8g
+WhKLaLRfo4j/pFyuUeHw2pQ7QHRdcYtRHT1GqsQ4AQsXqVYJjwpm1E2ZL001Y+6O
+r/7sJ91jAcv4IwpRS4suaJJydvVQ0qz7xq7B9TvyxZh2f4zbHL+qSe6OQj8Erm1/
+jHkcaB0=
+-----END ENCRYPTED PRIVATE KEY-----

data/spec/fixtures/encrypted-pkcs8.crt

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBqjCCARMCFCWVL+Vfx2IIr8d2/GMqsmfzPLD/MA0GCSqGSIb3DQEBDQUAMBQx
+EjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0yMTA4MjUxMDUyNTRaFw0yNDEyMDcxMDUy
+NTRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
+gYkCgYEA8HAsVcCjcolfzYR0siWOAg+xFG4fIahO6PH2Oi0l3zosa4KX2dlt3nFS
+2PmgG9MNIDfXwI+BoM6QXB7O7Ch/YUhOz4GGDv3ptCjTYWyA9KZBrgLpiBFsCdt+
+DiW7JBbt0OnMJGhVEsZa2Byh3HOxYqkvC2y4fET4OXdj2uX56B0CAwEAATANBgkq
+hkiG9w0BAQ0FAAOBgQAW/tHI3AnyKYsJ9uaqvndUnVTIDHEEPNFE/xMM3mtQiL8f
+qVYPq4V4C1Z5RD2xBI/skPngaZRWmqFrshEz2EccKe8gzdfyGQG89MQAB8QWn4dJ
+bXUcnXO4hcSD4y3SiZYXJYNj37I2qJ2DfYBx7pScGYdjzIr/OJNK5EIGZI1Bvg==
+-----END CERTIFICATE-----

data/spec/fixtures/encrypted-pkcs8.key

@@ -0,0 +1,18 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIC1DBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIE3AUYJOvgkYCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECO0VArsmaac3BIICgOpQitrzl0AC
+uV2AD2kgBfOUvTVe9jVJZ2Pvawo7IRxZZQl/7wMHfm6uB666OVSOVfKEa6nXJhBn
+JzJYXJHBqzQwgsoGfg25Y6bSvIU8ydkCzwEf2P93cexFCCDJE1B8p1/lxJViEfOq
+2CujkKgS3YZCet/03qt/ktkx3qBk9dOk6+xCXorUgzjwGL2SzSH7Su1kXoVKTu5/
+TRCPyD552l8kjtyqNngfOu3xcd0+FFF/e/bUe4qX1bpYNza/Cs/AJAoxHhhGag+O
+26bZ/LTbsN56fM95PvytRvomyj2rMGFJtz1j56R7iYujLUZu7XgCkxq0/t/3mWgX
+0VxOy0zvppZO0XRky1uwSLPsaopZlPIN6s61JAJciT0O884Hi4citNA0hskOCnJA
+vyy0lGa9goZh/cJKjr7W6w2ZkkPwMOKI6YMIup7Fo+7pfG2h0EDxCZyK2JWVl2n0
+vyKMUNl3yrqDbxTk0vURz9qMx/q2cY6zK6+gi+uvfjvRM4oz3nCREbuVjykvEAXo
+OhmN69CN6f8QwJ6wF4JNtxwwkHy+70dLoQg/FYKIfSbA3aoxpgXtr/2d/vkZYjya
+zjcaIrM/WEoPLFvieMHrOmlRZhbVI9BVjhrAyTmT+sQV+GJ7GJirJpmn06VHz5Ln
+ZNE4+ZSH4ODf+JQdh+LajyI8wQKfh4YMr498i5qHyw/KnKtbPjevbY25uWvEKzce
+RWv9nt7VsSQhXuR2U85yc6sqFQQ01QM9xUdhcVB9Eu7FvloDrC6pgaFIXy3IVcfH
+AJPiyRBv1bNad9wdh/+O5MyoKrhAI37YfH2fEKMdR2QKBEnCs94mjFPLy2Kc9kww
+eVwJJw/VXbE=
+-----END ENCRYPTED PRIVATE KEY-----

data/spec/fixtures/encrypted_aes256.crt

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrzCCAZcCFCbPEM/VXTgCksFOQPoLuv1Td9seMA0GCSqGSIb3DQEBCwUAMBQx
+EjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0yMTA4MjUwOTM1MDBaFw0yNDEyMDcwOTM1
+MDBaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAOfAL1NL6pXDkpgWNync+LHLWgrrL18gTrpXjaPjmw6HuiX0te6J
+1xYPjg6xYown6/SJeXi7LS0GFvlQGuz9dh2n6OtqpjBgHIXBXLtT8dXQszdZDaGu
+U8iTBnjDYADt206Bqe2q3MpKEz6a3D8fHAE/fR/4FM4HAI77W+Bng2XwFKqLYHQC
+ReKAexjxIExWBh/dvm8tUdvVmWyY/CVABQWucmwRNo+RQqktksiNqZCDHkE6CVgx
+oXS8UUIWfz6EWNT6UkeIWRJSVUUECcgRYOTVgkYWBE/5BDsBK9E7ZNL+gWqy6j6h
+9fSPhK/Xv6XMqdCcOExZsNWFV1j+bt9Wun0CAwEAATANBgkqhkiG9w0BAQsFAAOC
+AQEA5ah44LKyb2LHTr1ePeduoXdVPqwuXik7mL/H6/ZGI1zfSFb0JgjQG822K0s1
+3QLT15/lndSt8smHCgMTm12i/bO1cwaM93+jpUbOaVILLnfuDprjVMgiBVfz1bdx
+GBz6ISJXe1xaKLBhurDsy/1dzbISoizVIg5mJ1us5BvvdklMjtQ1ymY5210ZYCsk
+YcKBVW3hJ6hoZTHrNw7tI99CeBSOpfg0UaxUNMIy1D95+m4RU2aIykoYhAGfmX+u
+zZR0I16widielJWXNCnh6gXdoNjOgYS0TuNoSfmX2oF7nsC5N1zfynz+tPvoK0ys
+OMFwnJJ5LrPHbQk/RK907gBf5Q==
+-----END CERTIFICATE-----

data/spec/fixtures/encrypted_aes256.key

@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,23BAC38304EB81CEE42C61575CA054CE
+
+jR1vKTozeVkx4Nyjb38fj/SSj99MZtboUUHSlUyfDYNgWdhDSli3agFuouxtGoGe
+cWNKcjn73lbxBaAozFGejNo1RQSOaWdKLCXKvvoQTjWg02+9xIL4bQL29Xe4xi7f
+DlsMbcLOrlJZsdAYeL+11vU61yrtIYyPJJFaRh6WLTbVuHH6vUJPYt0Vg77g0L8I
+8tJtAvFSLeMzonu1LGEa/gXHwNT5TlWERybXxD6JzoigmHx4mGFNo9fz4ZyTPjkR
+OWbOZssFDKUeGJVdssRTPYwjaEg8DOUk7JbFTWlRYa7Re/2SEkIte3PrAxJFLFuV
+LZSIR4Vg/cKmpo4BcNNNHmSyymSS4ZAh3GQiztfqHOqAXxfvBsuO3ZHUYPCIhpqw
+KwwkDjJb4dRygDRC5n4os/mdQW/dBVD4OIaghE4lQApOqc3fxOoD9V0SIipbPPv0
+bjaKyt5pEZYyAMrAd3G1UGPQBWcNl2Hu1Shc30uhJZrzthPy/0BTWao0lpA3fIQD
+Pv4weYOc+5tZsKXSuFQc/Y2fLPF9m1GGTAd+YQlfN8JO9I1GKhl1AL/7eC+Usgl4
+ugXPjIgh5/5+qYqiaYE1HlaNrNh2XxcIR9SC7+jgbliBMOeouEPQ0bPQyvz/44cg
+sv3OoIP3F7lqLP/3oR9AiqrqadsO0WMNWwYdMUFshY3EZLWgdWVcH6JyxD02E/IJ
+tPtZrhIGMADuJWbTj0abQUIxAuYrBm2Vf/+qgY9gKxJcHIZ3nKfrJc100WOILR8P
+3Ok2WLprASSLiOEkTJ0nvViTtsbgy4DRRhytGNzFEedj50/yRltkb9gdXuVNbmUV
+M7p9YkY4VkF2m43k6sxGXuoAFxAVCLriAGzHLifWkX/xRuxsh93osNhUsg9sMWRd
+bgX5Vcmyr2xhe2UEiQp6glQ6DQg7gofi19jes2iKaw7eMG3pelBvmUKqboARI4Ga
+i8blKaBWZvdmZMBOJ6fx322T+Ii7vvAlCmnWLBxboF5GJ/KiE0i2vrdLTxwI0IZN
+EHFxgfJF3rlLtuvRD8cW1VId9wyOPWPMi/olgE+FdRVlg7+w35cAb9c7Na52c+jj
+G2pxqHgjFoSsofY/iWZ13OQvn6RFUncRS/b+QFz6c2Tp5shMwU+i4BXiuwSj8AvB
+oWfEij7UBpi9o2x4qG3hAeJWM3mg4Nr9MRdv82eEf3tuAPidfXCne/GEN+aIRYeG
+niBZS+kDXtvFgsixGtCU60T4/IXf7FDTWbZ5lN5o0vD6BClReubGd0cYbHTtH7ax
+k4/BAM/PF7dT0sR0zNCd2I7Zkub/CF0+HDAcP94vgV1EcB4XdL7inaZXPTntDRmu
+IZHTVm3satJBt34tAhML1Xqvb8ck02/rhQRdjqWcAOk7gGfKJUwewoH4T558R9uW
+HHEOYCzXy8ckqiDZxJVJ67iZgrCOadWJWtEQPsr1QFxdxuO1J31u50Zzv/nJlrPb
+bmm7fUwszWLX+sM0RGoenvdphicht4gmalMade8N05XzEoOIGth8jYQqFw3s8BKJ
+uZGDC706f0VAGo1dVOvGcNeEOPC3keXkMABbzHFVEzAjH3kfr4rKNCrMx+2Vr/qc
+-----END RSA PRIVATE KEY-----