logstash-output-elasticsearch 11.12.4-java → 11.15.9-java

data/lib/logstash/outputs/elasticsearch.rb

@@ -96,10 +96,14 @@ class LogStash::Outputs::ElasticSearch < LogStash::Outputs::Base
   require "logstash/outputs/elasticsearch/data_stream_support"
   require 'logstash/plugin_mixins/ecs_compatibility_support'
   require 'logstash/plugin_mixins/deprecation_logger_support'
+  require 'logstash/plugin_mixins/normalize_config_support'
 
   # Protocol agnostic methods
   include(LogStash::PluginMixins::ElasticSearch::Common)
 
+  # Config normalization helpers
+  include(LogStash::PluginMixins::NormalizeConfigSupport)
+
   # Methods for ILM support
   include(LogStash::Outputs::ElasticSearch::Ilm)
 
@@ -263,14 +267,6 @@ class LogStash::Outputs::ElasticSearch < LogStash::Outputs::Base
   # ILM policy to use, if undefined the default policy will be used.
   config :ilm_policy, :validate => :string, :default => DEFAULT_POLICY
 
-  # List extra HTTP's error codes that are considered valid to move the events into the dead letter queue.
-  # It's considered a configuration error to re-use the same predefined codes for success, DLQ or conflict.
-  # The option accepts a list of natural numbers corresponding to HTTP errors codes.
-  config :dlq_custom_codes, :validate => :number, :list => true, :default => []
-
-  # if enabled, failed index name interpolation events go into dead letter queue.
-  config :dlq_on_failed_indexname_interpolation, :validate => :boolean, :default => true
-
   attr_reader :client
   attr_reader :default_index
   attr_reader :default_ilm_rollover_alias
@@ -279,6 +275,7 @@ class LogStash::Outputs::ElasticSearch < LogStash::Outputs::Base
   def initialize(*params)
     super
     setup_ecs_compatibility_related_defaults
+    setup_ssl_params!
   end
 
   def register
@@ -307,6 +304,22 @@ class LogStash::Outputs::ElasticSearch < LogStash::Outputs::Base
     data_stream_enabled = data_stream_config?
 
     setup_template_manager_defaults(data_stream_enabled)
+    # To support BWC, we check if DLQ exists in core (< 5.4). If it doesn't, we use nil to resort to previous behavior.
+    @dlq_writer = dlq_enabled? ? execution_context.dlq_writer : nil
+
+    @dlq_codes = DOC_DLQ_CODES.to_set
+
+    if dlq_enabled?
+      check_dlq_custom_codes
+      @dlq_codes.merge(dlq_custom_codes)
+    else
+      raise LogStash::ConfigurationError, "DLQ feature (dlq_custom_codes) is configured while DLQ is not enabled" unless dlq_custom_codes.empty?
+    end
+
+    setup_mapper_and_target(data_stream_enabled)
+
+    @bulk_request_metrics = metric.namespace(:bulk_requests)
+    @document_level_metrics = metric.namespace(:documents)
 
     @after_successful_connection_thread = after_successful_connection do
       begin
@@ -320,18 +333,9 @@ class LogStash::Outputs::ElasticSearch < LogStash::Outputs::Base
       end
     end
 
-    # To support BWC, we check if DLQ exists in core (< 5.4). If it doesn't, we use nil to resort to previous behavior.
-    @dlq_writer = dlq_enabled? ? execution_context.dlq_writer : nil
-
-    @dlq_codes = DOC_DLQ_CODES.to_set
-
-    if dlq_enabled?
-      check_dlq_custom_codes
-      @dlq_codes.merge(dlq_custom_codes)
-    else
-      raise LogStash::ConfigurationError, "DLQ feature (dlq_custom_codes) is configured while DLQ is not enabled" unless dlq_custom_codes.empty?
-    end
+  end
 
+  def setup_mapper_and_target(data_stream_enabled)
     if data_stream_enabled
       @event_mapper = -> (e) { data_stream_event_action_tuple(e) }
       @event_target = -> (e) { data_stream_name(e) }
@@ -340,14 +344,6 @@ class LogStash::Outputs::ElasticSearch < LogStash::Outputs::Base
       @event_mapper = -> (e) { event_action_tuple(e) }
       @event_target = -> (e) { e.sprintf(@index) }
     end
-
-    @bulk_request_metrics = metric.namespace(:bulk_requests)
-    @document_level_metrics = metric.namespace(:documents)
-
-    if ecs_compatibility == :v8
-      @logger.warn("Elasticsearch Output configured with `ecs_compatibility => v8`, which resolved to an UNRELEASED preview of version 8.0.0 of the Elastic Common Schema. " +
-                   "Once ECS v8 and an updated release of this plugin are publicly available, you will need to update this plugin to resolve this warning.")
-    end
   end
 
   # @override post-register when ES connection established
@@ -395,7 +391,7 @@ class LogStash::Outputs::ElasticSearch < LogStash::Outputs::Base
 
     event_mapping_errors.each do |event_mapping_error|
       detailed_message = "#{event_mapping_error.message}; event: `#{event_mapping_error.event.to_hash_with_metadata}`"
-      handle_dlq_status(event_mapping_error.event, :warn, detailed_message)
+      @dlq_writer ? @dlq_writer.write(event_mapping_error.event, detailed_message) : @logger.warn(detailed_message)
     end
     @document_level_metrics.increment(:non_retryable_failures, event_mapping_errors.size)
   end
@@ -412,7 +408,7 @@ class LogStash::Outputs::ElasticSearch < LogStash::Outputs::Base
         successful_events << @event_mapper.call(event)
       rescue EventMappingError => ie
         event_mapping_errors << FailedEventMapping.new(event, ie.message)
-       end
+      end
     end
     MapEventsResult.new(successful_events, event_mapping_errors)
   end
@@ -425,7 +421,12 @@ class LogStash::Outputs::ElasticSearch < LogStash::Outputs::Base
   def wait_for_successful_connection
     after_successful_connection_done = @after_successful_connection_done
     return unless after_successful_connection_done
-    stoppable_sleep 1 until after_successful_connection_done.true?
+    stoppable_sleep 1 until (after_successful_connection_done.true? || pipeline_shutdown_requested?)
+
+    if pipeline_shutdown_requested? && !after_successful_connection_done.true?
+      logger.info "Aborting the batch due to shutdown request while waiting for connections to become live"
+      abort_batch_if_available!
+    end
 
     status = @after_successful_connection_thread && @after_successful_connection_thread.value
     if status.is_a?(Exception) # check if thread 'halted' with an error
@@ -524,19 +525,22 @@ class LogStash::Outputs::ElasticSearch < LogStash::Outputs::Base
         routing_field_name => @routing ? event.sprintf(@routing) : nil
     }
 
-    if @pipeline
-      value = event.sprintf(@pipeline)
-      # convention: empty string equates to not using a pipeline
-      # this is useful when using a field reference in the pipeline setting, e.g.
-      #      elasticsearch {
-      #        pipeline => "%{[@metadata][pipeline]}"
-      #      }
-      params[:pipeline] = value unless value.empty?
-    end
+    target_pipeline = resolve_pipeline(event)
+    # convention: empty string equates to not using a pipeline
+    # this is useful when using a field reference in the pipeline setting, e.g.
+    #      elasticsearch {
+    #        pipeline => "%{[@metadata][pipeline]}"
+    #      }
+    params[:pipeline] = target_pipeline unless (target_pipeline.nil? || target_pipeline.empty?)
 
     params
   end
 
+  def resolve_pipeline(event)
+    pipeline_template = @pipeline || event.get("[@metadata][target_ingest_pipeline]")&.to_s
+    pipeline_template && event.sprintf(pipeline_template)
+  end
+
   @@plugins = Gem::Specification.find_all{|spec| spec.name =~ /logstash-output-elasticsearch-/ }
 
   @@plugins.each do |plugin|
@@ -619,6 +623,52 @@ class LogStash::Outputs::ElasticSearch < LogStash::Outputs::Base
     end
   end
 
+  def setup_ssl_params!
+    @ssl_enabled = normalize_config(:ssl_enabled) do |normalize|
+      normalize.with_deprecated_alias(:ssl)
+    end
+
+    @ssl_certificate_authorities = normalize_config(:ssl_certificate_authorities) do |normalize|
+      normalize.with_deprecated_mapping(:cacert) do |cacert|
+        [cacert]
+      end
+    end
+
+    @ssl_keystore_path =  normalize_config(:ssl_keystore_path) do |normalize|
+      normalize.with_deprecated_alias(:keystore)
+    end
+
+    @ssl_keystore_password = normalize_config(:ssl_keystore_password) do |normalize|
+      normalize.with_deprecated_alias(:keystore_password)
+    end
+
+    @ssl_truststore_path = normalize_config(:ssl_truststore_path) do |normalize|
+      normalize.with_deprecated_alias(:truststore)
+    end
+
+    @ssl_truststore_password =  normalize_config(:ssl_truststore_password) do |normalize|
+      normalize.with_deprecated_alias(:truststore_password)
+    end
+
+    @ssl_verification_mode = normalize_config(:ssl_verification_mode) do |normalize|
+      normalize.with_deprecated_mapping(:ssl_certificate_verification) do |ssl_certificate_verification|
+        if ssl_certificate_verification == true
+          "full"
+        else
+          "none"
+        end
+      end
+    end
+
+    params['ssl_enabled'] = @ssl_enabled unless @ssl_enabled.nil?
+    params['ssl_certificate_authorities'] = @ssl_certificate_authorities unless @ssl_certificate_authorities.nil?
+    params['ssl_keystore_path'] = @ssl_keystore_path unless @ssl_keystore_path.nil?
+    params['ssl_keystore_password'] = @ssl_keystore_password unless @ssl_keystore_password.nil?
+    params['ssl_truststore_path'] = @ssl_truststore_path unless @ssl_truststore_path.nil?
+    params['ssl_truststore_password'] = @ssl_truststore_password unless @ssl_truststore_password.nil?
+    params['ssl_verification_mode'] = @ssl_verification_mode unless @ssl_verification_mode.nil?
+  end
+
   # To be overidden by the -java version
   VALID_HTTP_ACTIONS = ["index", "delete", "create", "update"]
   def valid_actions

data/lib/logstash/plugin_mixins/elasticsearch/api_configs.rb

@@ -45,35 +45,79 @@ module LogStash; module PluginMixins; module ElasticSearch
         # Enable SSL/TLS secured communication to Elasticsearch cluster. Leaving this unspecified will use whatever scheme
         # is specified in the URLs listed in 'hosts'. If no explicit protocol is specified plain HTTP will be used.
         # If SSL is explicitly disabled here the plugin will refuse to start if an HTTPS URL is given in 'hosts'
-        :ssl => { :validate => :boolean },
+        :ssl => { :validate => :boolean, :deprecated => "Set 'ssl_enabled' instead." },
+
+        # Enable SSL/TLS secured communication to Elasticsearch cluster. Leaving this unspecified will use whatever scheme
+        # is specified in the URLs listed in 'hosts'. If no explicit protocol is specified plain HTTP will be used.
+        # If SSL is explicitly disabled here the plugin will refuse to start if an HTTPS URL is given in 'hosts'
+        :ssl_enabled => { :validate => :boolean },
 
         # Option to validate the server's certificate. Disabling this severely compromises security.
         # For more information on disabling certificate verification please read
         # https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
-        :ssl_certificate_verification => { :validate => :boolean, :default => true },
+        :ssl_certificate_verification => { :validate => :boolean, :default => true, :deprecated => "Set 'ssl_verification_mode' instead." },
+
+        # Options to verify the server's certificate.
+        # "full": validates that the provided certificate has an issue date that’s within the not_before and not_after dates;
+        # chains to a trusted Certificate Authority (CA); has a hostname or IP address that matches the names within the certificate.
+        # "none": performs no certificate validation. Disabling this severely compromises security (https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf)
+        :ssl_verification_mode => { :validate => %w[full none], :default => 'full' },
 
         # The .cer or .pem file to validate the server's certificate
-        :cacert => { :validate => :path },
+        :cacert => { :validate => :path, :deprecated => "Set 'ssl_certificate_authorities' instead." },
+
+        # The .cer or .pem files to validate the server's certificate
+        :ssl_certificate_authorities => { :validate => :path, :list => true },
 
         # One or more hex-encoded SHA256 fingerprints to trust as Certificate Authorities
         :ca_trusted_fingerprint => LogStash::PluginMixins::CATrustedFingerprintSupport,
 
         # The JKS truststore to validate the server's certificate.
         # Use either `:truststore` or `:cacert`
-        :truststore => { :validate => :path },
+        :truststore => { :validate => :path, :deprecated => "Set 'ssl_truststore_path' instead." },
+
+        # The JKS truststore to validate the server's certificate.
+        # Use either `:ssl_truststore_path` or `:ssl_certificate_authorities`
+        :ssl_truststore_path => { :validate => :path },
+
+        # The format of the truststore file. It must be either jks or pkcs12
+        :ssl_truststore_type => { :validate => %w[pkcs12 jks] },
+
+        # Set the truststore password
+        :truststore_password => { :validate => :password, :deprecated => "Use 'ssl_truststore_password' instead." },
 
         # Set the truststore password
-        :truststore_password => { :validate => :password },
+        :ssl_truststore_password => { :validate => :password },
 
         # The keystore used to present a certificate to the server.
         # It can be either .jks or .p12
-        :keystore => { :validate => :path },
+        :keystore => { :validate => :path, :deprecated => "Set 'ssl_keystore_path' instead." },
+
+        # The keystore used to present a certificate to the server.
+        # It can be either .jks or .p12
+        :ssl_keystore_path => { :validate => :path },
+
+        # The format of the keystore file. It must be either jks or pkcs12
+        :ssl_keystore_type => { :validate => %w[pkcs12 jks] },
+
+        # Set the keystore password
+        :keystore_password => { :validate => :password, :deprecated => "Set 'ssl_keystore_password' instead." },
 
         # Set the keystore password
-        :keystore_password => { :validate => :password },
+        :ssl_keystore_password => { :validate => :password },
 
         :ssl_supported_protocols => { :validate => ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'], :default => [], :list => true },
 
+        # OpenSSL-style X.509 certificate certificate to authenticate the client
+        :ssl_certificate => { :validate => :path },
+
+        # OpenSSL-style RSA private key to authenticate the client
+        :ssl_key => { :validate => :path },
+
+        # The list of cipher suites to use, listed by priorities.
+        # Supported cipher suites vary depending on which version of Java is used.
+        :ssl_cipher_suites => { :validate => :string, :list => true },
+
         # This setting asks Elasticsearch for the list of all cluster nodes and adds them to the hosts list.
         # Note: This will return ALL nodes with HTTP enabled (including master nodes!). If you use
         # this with master nodes, you probably want to disable HTTP on them by setting
@@ -169,7 +213,15 @@ module LogStash; module PluginMixins; module ElasticSearch
         :retry_initial_interval => { :validate => :number, :default => 2 },
 
         # Set max interval in seconds between bulk retries.
-        :retry_max_interval => { :validate => :number, :default => 64 }
+        :retry_max_interval => { :validate => :number, :default => 64 },
+
+        # List extra HTTP's error codes that are considered valid to move the events into the dead letter queue.
+        # It's considered a configuration error to re-use the same predefined codes for success, DLQ or conflict.
+        # The option accepts a list of natural numbers corresponding to HTTP errors codes.
+        :dlq_custom_codes => { :validate => :number, :list => true, :default => [] },
+
+        # if enabled, failed index name interpolation events go into dead letter queue.
+        :dlq_on_failed_indexname_interpolation => { :validate => :boolean, :default => true }
     }.freeze
 
     def self.included(base)

data/lib/logstash/plugin_mixins/elasticsearch/common.rb

@@ -28,8 +28,7 @@ module LogStash; module PluginMixins; module ElasticSearch
 
       setup_hosts
 
-
-      params['ssl'] = effectively_ssl? unless params.include?('ssl')
+      params['ssl_enabled'] = effectively_ssl? unless params.include?('ssl_enabled')
 
       # inject the TrustStrategy from CATrustedFingerprintSupport
       if trust_strategy_for_ca_trusted_fingerprint
@@ -74,7 +73,7 @@ module LogStash; module PluginMixins; module ElasticSearch
     end
 
     def effectively_ssl?
-      return @ssl unless @ssl.nil?
+      return @ssl_enabled unless @ssl_enabled.nil?
 
       hosts = Array(@hosts)
       return false if hosts.nil? || hosts.empty?
@@ -160,6 +159,8 @@ module LogStash; module PluginMixins; module ElasticSearch
     def after_successful_connection(&block)
       Thread.new do
         sleep_interval = @retry_initial_interval
+        # in case of a pipeline's shutdown_requested?, the method #close shutdown also this thread
+        # so no need to explicitly handle it here and return an AbortedBatchException.
         until successful_connection? || @stopping.true?
           @logger.debug("Waiting for connectivity to Elasticsearch cluster, retrying in #{sleep_interval}s")
           sleep_interval = sleep_for_interval(sleep_interval)
@@ -192,8 +193,14 @@ module LogStash; module PluginMixins; module ElasticSearch
             @logger.info("Retrying individual bulk actions that failed or were rejected by the previous bulk request", count: submit_actions.size)
           end
         rescue => e
-          @logger.error("Encountered an unexpected error submitting a bulk request, will retry",
-                        message: e.message, exception: e.class, backtrace: e.backtrace)
+          if abort_batch_present? && e.instance_of?(org.logstash.execution.AbortedBatchException)
+            # if Logstash support abort of a batch and the batch is aborting,
+            # bubble up the exception so that the pipeline can handle it
+            raise e
+          else
+            @logger.error("Encountered an unexpected error submitting a bulk request, will retry",
+                          message: e.message, exception: e.class, backtrace: e.backtrace)
+          end
         end
 
         # Everything was a success!
@@ -220,22 +227,16 @@ module LogStash; module PluginMixins; module ElasticSearch
     end
 
     def handle_dlq_response(message, action, status, response)
-      _, action_params = action.event, [action[0], action[1], action[2]]
-
-      # TODO: Change this to send a map with { :status => status, :action => action } in the future
-      detailed_message = "#{message} status: #{status}, action: #{action_params}, response: #{response}"
-
-      log_level = dig_value(response, 'index', 'error', 'type') == 'invalid_index_name_exception' ? :error : :warn
+      event, action_params = action.event, [action[0], action[1], action[2]]
 
-      handle_dlq_status(action.event, log_level, detailed_message)
-    end
-
-    def handle_dlq_status(event, log_level, message)
-      # To support bwc, we check if DLQ exists. otherwise we log and drop event (previous behavior)
       if @dlq_writer
-        @dlq_writer.write(event, "#{message}")
+        # TODO: Change this to send a map with { :status => status, :action => action } in the future
+        detailed_message = "#{message} status: #{status}, action: #{action_params}, response: #{response}"
+        @dlq_writer.write(event, "#{detailed_message}")
       else
-        @logger.send log_level, message
+        log_level = dig_value(response, 'index', 'error', 'type') == 'invalid_index_name_exception' ? :error : :warn
+
+        @logger.public_send(log_level, message, status: status, action: action_params, response: response)
       end
     end
 
@@ -332,6 +333,11 @@ module LogStash; module PluginMixins; module ElasticSearch
 
         sleep_interval = sleep_for_interval(sleep_interval)
         @bulk_request_metrics.increment(:failures)
+        if pipeline_shutdown_requested?
+          # when any connection is available and a shutdown is requested
+          # the batch can be aborted, eventually for future retry.
+          abort_batch_if_available!
+        end
         retry unless @stopping.true?
       rescue ::LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError => e
         @bulk_request_metrics.increment(:failures)
@@ -350,6 +356,11 @@ module LogStash; module PluginMixins; module ElasticSearch
         end
 
         sleep_interval = sleep_for_interval(sleep_interval)
+        if pipeline_shutdown_requested?
+          # In case ES side changes access credentials and a pipeline reload is triggered
+          # this error becomes a retry on restart
+          abort_batch_if_available!
+        end
         retry
       rescue => e # Stuff that should never happen - print out full connection issues
         @logger.error(
@@ -364,6 +375,19 @@ module LogStash; module PluginMixins; module ElasticSearch
       end
     end
 
+    def pipeline_shutdown_requested?
+      return super if defined?(super) # since LS 8.1.0
+      execution_context&.pipeline&.shutdown_requested?
+    end
+
+    def abort_batch_if_available!
+      raise org.logstash.execution.AbortedBatchException.new if abort_batch_present?
+    end
+
+    def abort_batch_present?
+      ::Gem::Version.create(LOGSTASH_VERSION) >= ::Gem::Version.create('8.8.0')
+    end
+
     def dlq_enabled?
       # TODO there should be a better way to query if DLQ is enabled
       # See more in: https://github.com/elastic/logstash/issues/8064

data/logstash-output-elasticsearch.gemspec

@@ -1,12 +1,12 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-output-elasticsearch'
-  s.version         = '11.12.4'
+  s.version         = '11.15.9'
   s.licenses        = ['apache-2.0']
   s.summary         = "Stores logs in Elasticsearch"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
   s.authors         = ["Elastic"]
   s.email           = 'info@elastic.co'
-  s.homepage        = "http://logstash.net/"
+  s.homepage        = "https://www.elastic.co/guide/en/logstash/current/index.html"
   s.require_paths = ["lib"]
 
   s.platform = RUBY_PLATFORM
@@ -26,6 +26,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~>1.0'
   s.add_runtime_dependency 'logstash-mixin-deprecation_logger_support', '~>1.0'
   s.add_runtime_dependency 'logstash-mixin-ca_trusted_fingerprint_support', '~>1.0'
+  s.add_runtime_dependency 'logstash-mixin-normalize_config_support', '~>1.0'
 
   s.add_development_dependency 'logstash-codec-plain'
   s.add_development_dependency 'logstash-devutils'

data/spec/es_spec_helper.rb

@@ -67,19 +67,24 @@ module ESHelper
   end
 
   RSpec::Matchers.define :have_hits do |expected|
+    hits_count_path = ESHelper.es_version_satisfies?(">=7") ? %w(hits total value) : %w(hits total)
+
     match do |actual|
-      if ESHelper.es_version_satisfies?(">=7")
-        expected == actual['hits']['total']['value']
-      else
-        expected == actual['hits']['total']
-      end
+      @actual_hits_count = actual&.dig(*hits_count_path)
+      values_match? expected, @actual_hits_count
+    end
+    failure_message do |actual|
+      "expected that #{actual} with #{@actual_hits_count || "UNKNOWN" } hits would have #{expected} hits"
     end
   end
 
   RSpec::Matchers.define :have_index_pattern do |expected|
     match do |actual|
-      test_against = Array(actual['index_patterns'].nil? ? actual['template'] : actual['index_patterns'])
-      test_against.include?(expected)
+      @actual_index_pattterns = Array(actual['index_patterns'].nil? ? actual['template'] : actual['index_patterns'])
+      @actual_index_pattterns.any? { |v| values_match? expected, v }
+    end
+    failure_message do |actual|
+      "expected that #{actual} with index patterns #{@actual_index_pattterns} would have included `#{expected}`"
     end
   end
 

data/spec/fixtures/test_certs/ca.crt

@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIFDDCCAvQCAQEwDQYJKoZIhvcNAQEFBQAwTDELMAkGA1UEBhMCUFQxCzAJBgNV
+MIIFDDCCAvQCAQEwDQYJKoZIhvcNAQELBQAwTDELMAkGA1UEBhMCUFQxCzAJBgNV
 BAgMAk5BMQ8wDQYDVQQHDAZMaXNib24xDjAMBgNVBAoMBU15TGFiMQ8wDQYDVQQD
-DAZSb290Q0EwHhcNMjIwNTIzMTcyODU1WhcNMjMwNTIzMTcyODU1WjBMMQswCQYD
+DAZSb290Q0EwHhcNMjMwNTMwMTUxMDM4WhcNMjQwNTI5MTUxMDM4WjBMMQswCQYD
 VQQGEwJQVDELMAkGA1UECAwCTkExDzANBgNVBAcMBkxpc2JvbjEOMAwGA1UECgwF
 TXlMYWIxDzANBgNVBAMMBlJvb3RDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
 AgoCggIBAMtTMqAWuH17b9XqPa5L3HNqgnZ958+gvcOt7Q/sOEvcDQJgkzZ+Gywh
@@ -15,15 +15,15 @@ dY9xPL0uKYm6ADsDC0B8sGgNMBXeB6aLojY1/ITwmmfpfk9c/yWPfC7stHgCYRAv
 5MfGAsmv0/ya5VrWQGBJkFiYy1pon6nxUjCbgn0RABojRoGdhhY3QDipgwmSgFZx
 r064RFr1bt/Ml3MJmPf535mSwPdk/j/zw4IZTvlmwKW3FyMDhwYL/zX7J0c6MzMP
 LEdi73Qjzmr3ENIrir4O86wNz81YRfYkg9ZX8yKJK9LBAUrYCjJ3AgMBAAEwDQYJ
-KoZIhvcNAQEFBQADggIBAAGUkKT6GwoOOqPT7/FTdjU7h6q2vAaevd/TbYOBjhMw
-XNVpmuIE/r9mXF5lR1MuMebUXIWrrthXeX0TqucQzsJI+pCNugQP0HyUNF83S4l9
-G/0xvL2iYx7ftkMtje/NNiCUMpaXxulHi94fx4Kbivihlga6f8OF4+wNmIatb5bp
-SnLE/CsE3vLrwPZgcROXhKy8ESAI4mLclOn86nOXbIunFRNxFHis/dQOxX+CfkPp
-CDJv10jiaG9HCcGppNzDfxP0+v67RU2zTsCktEIILYBGTBBi5jczbtbtM0L/VCIA
-AoJTGWkKtPUesAuthPaHsOAXUSnNYakf4PEyJF6g9mIiFyeosGNhgNcA6coKsX+6
-pzS2pr+X2TiuNMGTCayFFIDpLvr99pPbf1yq2IBkEn09uZHLS/xyDxYtNaJAhbUh
-JuszjjjfHDHVTnDykyIoTzfeLICFKoMRL0rUedljqYuI0QAic6rgn68dkfYK8zzy
-IjRK5wZ4rM94xcEQfJSDxusJSPlCPTN4oe6A5HCaHe4GKYihiGKlOMGWkCxwYVa5
-nl88TNh2xG6y+ZZMQDQJdRBwmJ/i+rDRTxHGuemQka5bZH8PRZGBYUiIRVS7N8px
-Y1ITp+FdSlJAm41UGChuF8Our31AqZYvLNRWAvLJRhR/kNM9HMeURz7zI/KKYhlA
+KoZIhvcNAQELBQADggIBACE5DihUXpysZv0d25Fw9V2LRI0iJXOoVOu+RrnkL2HD
+LGBEbw0KOkS3mpgKpir1pD4TINAvPs5ZkAAREny8bAXrhdUY6Gd+Fpq5bwPnZHr3
+UvazLCNY5YUQpg1TjgbQ9LyBwf5jz5ZHR6Kilw87kaAdqzgqRnMXOuuSZeT70vH+
+M+Ra99lLpyT+A2Isp7/vzg3HhSAi/UsZCPzGLQwEeZBmlaKAtsjF0B1L8cvd5xWh
+rZ3PJWfvn2Aaiz4QEVq+jiZW8Y6bqHDb/lZQPs9Z5dLOww56VDJcBU87mayAYnRH
+edsshuCVqwTZU3Y3+z/g/G+IQWByYM9sr3zcgpFdI74Ly20ClbegqaXXL1wfhA76
+zT4cLH616Ukdqi8bCPPgy5KnYQWjks8cvabjPT/HeHzhJ/2vkfb1vWGHBCU9fg1n
+mfVWvRJlf2McwW2vogE3eHFnEJWOha85Kif/SteVH0cHHHIUacJhtD6m0wIDW7vU
+1xjDkipzKGnOsxGjLxAvw/eyHHWx8XT+z7oPzQX2UBStsIB4WGYmqqW3tV19E8Li
+bGk5klu+lXK0UomAm2MD3MRR10UCkVFXM4/cUfiMrAgG232yDwRLiGp1EmY3uHyD
+8/5mRJzBtLsGQKbfBPPNExiFqDzXr2ZwE7tyfsB8auSV3mkVjYjYYFnDfE835U+y
 -----END CERTIFICATE-----

data/spec/fixtures/test_certs/ca.der.sha256

@@ -1 +1 @@
-3e1c908fb2d7f1634643bb75462119c55a7cc392cd1877dd91d9f15f87e86757
+86a8abdffc0dd114d50cb20c7cc635bdb4bdcb16370fdee5aa5c05b4861faacd

data/spec/fixtures/test_certs/test.crt

@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIFEzCCAvsCAQEwDQYJKoZIhvcNAQEFBQAwTDELMAkGA1UEBhMCUFQxCzAJBgNV
+MIIFEzCCAvsCAQEwDQYJKoZIhvcNAQELBQAwTDELMAkGA1UEBhMCUFQxCzAJBgNV
 BAgMAk5BMQ8wDQYDVQQHDAZMaXNib24xDjAMBgNVBAoMBU15TGFiMQ8wDQYDVQQD
-DAZSb290Q0EwHhcNMjIwNTIzMTcyODU1WhcNMjMwNTIzMTcyODU1WjBTMQswCQYD
+DAZSb290Q0EwHhcNMjMwNTMwMTUxMDM4WhcNMjQwNTI5MTUxMDM4WjBTMQswCQYD
 VQQGEwJQVDELMAkGA1UECAwCTkExDzANBgNVBAcMBkxpc2JvbjEOMAwGA1UECgwF
 TXlMYWIxFjAUBgNVBAMMDWVsYXN0aWNzZWFyY2gwggIiMA0GCSqGSIb3DQEBAQUA
 A4ICDwAwggIKAoICAQDGIT9szzhN5HvZ2nivnCDzVfdYbbqBhgEbPppWPyFcV0r2
@@ -15,16 +15,16 @@ QcDuDDHfObWhzb4rS55BERIwDUqD1LgCRd0ikRxPSvI1AM4cl35b4DTaDLcnM6EO
 fy+QTYsgNoftU1PI1onDQ7ZdfgrTrIBFQQRwOqfyB4bB2zWVj62LSDvZoYYicNUe
 cqyE1542WNKzmyE8Mrf3uknN2J6EH7EhmiyRBtGg3NEQCwIYM4/kWPNPOtkSjsn3
 cNbMNUZiSnQn/nTs4T8g6b2rrwsay/FGUE83AbPqqcTlp2RUVnjbC8KA5+iV1wID
-AQABMA0GCSqGSIb3DQEBBQUAA4ICAQAhg0y7SfTv2RIcU8tsvSGOpXM6KPx111eJ
-pWrJTEZBCieCUhkonmlUifZHjV6B4d1OiS3GBXP0iAWff3Pb40co8AR4Brhne7Bd
-xkD8TKReJ/sfeKDsr3enLxFrmcxWCD5x9b6ybl7aotzP1S286rPpehE3QKJM3L1Z
-tRZik7pE3Iju4PpnvfaOAoJup9+v9Y6ySMKcMY19b/izM9VPwF+hllFQ31bibCRz
-Mqa1o9k27e1MQEH7LpGcUBY18fofb2Ie3Y+wzfXm/xG/JrXxgRD/rpyBapCM6jcZ
-C11mj2st+0/9pj4trhq39fj7f3+GWvOY2kZj9x/05gXcFmeaVOnZr/njcQfLd9K7
-2WD1tgr4fTgG8H3UOUMfw5u+pGfAeky1mgHwkjNT6H9PDtoi3lh4y/CmspSSv6t7
-szbaKZUsxXz49hLt8q4IrtHrzqVa3Jk5YXt3GAFlXP1ZnwV5/fvltFNrvpWeUjTn
-IR9CLcYTV9gsLVq7OKFAwelBmcBbbyRoQdqFeoePhv6Frw9mDBoyYoZ8oMmg20to
-in9VrxtbDjw9qaSY58kGNj1cKV5eUnKOi9v0gDjrVyKVuesnDeOmoi25/YvBbBA5
-TKgMUwSmJ2P5p6W4h0ftV/Nyy1Hx/rwJ7ZcvUJCtwgCNOeXw9e61Ys+C2ruLSPuh
-wRncxHmbiw==
+AQABMA0GCSqGSIb3DQEBCwUAA4ICAQC4pZQWJoyNANFscsmm6I/u5LgerRCnCS+Y
+V0tLWribc/iHQNzmUygvwT8+tllp+OzWmp/7oDuFrD/HFf8Xmaj14LTS2QVhZPao
+NMxkcq7W1WRnTdT+4Do4QE3l5hClgfOvcKzzrhCIPQ//aYgUo5JmXUsYoIWSsJ6v
+Z77j70xsz95k+C2qfiIKVx6a0U0lXjkp1fwrpGsG0dUL8GAibcX+BYD91uTMTAmg
+SB4O2xMR6kKCCH3SDuRnkI+iC4MZL64JTrGzn+juMeK0fqZWrdyoVKRlFI92Ao3J
+oFNF9KTCWQPFAaiy1zl3vDAfIfyJBzQsP6D2BaxVlSQ5jbCxRxOapkhwNUUQ2/vg
+anggOIOnm6biKhain4U118jviSEGonTvzcIpjExLVXXTF216Ahd7vQWDWqZkYNi3
+ji1jZSemBWyv/bDxo/STLL/QiX73WuxelerZeMxS03U6KYyhtTLxDvpeOCstbe1u
+wI9LfpdtAbXP+d/djvYJSHb6WoS4Oya2mnyddqDd6Mfn7lTudhqtw5CLV+sElnFf
+XDBjDp6tWUin6s/IWPVnvMceZW/sW7oO3sy9NKQx1acHh85WIMrZ+9iVvwcvQMRF
+p/bTR2VL3jD5fioNyfBmmQ17wIOIm3QvY+nJmzOWalzYYzottPTiabzKYap7Ulcx
+HDB+ZvuJBA==
 -----END CERTIFICATE-----

data/spec/fixtures/test_certs/test.der.sha256

@@ -1 +1 @@
-dca380f330bdf3d4b242b3c48d541c4698eaffa0d532316b27e6080443e601b5
+b6ee8b4a213328074df1da1f3b8fdde95c5e97e9b1d7da58dad0537a04939b97