ssl-test 1.4.1 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (29) hide show
  1. checksums.yaml +4 -4
  2. data/.github/workflows/ruby.yml +3 -5
  3. data/README.md +38 -10
  4. data/lib/ssl-test/crl.rb +3 -3
  5. data/lib/ssl-test/ocsp.rb +3 -3
  6. data/lib/ssl-test.rb +67 -21
  7. data/spec/fixtures/digicert_com_ca_bundle.pem +94 -0
  8. data/spec/fixtures/digicert_com_client.pem +40 -0
  9. data/spec/fixtures/expired_cert_ca_bundle.pem +100 -0
  10. data/spec/fixtures/expired_cert_client.pem +31 -0
  11. data/spec/fixtures/google_com_ca_bundle.pem +139 -0
  12. data/spec/fixtures/google_com_client.pem +79 -0
  13. data/spec/fixtures/incomplete_chain_ca_bundle.pem +29 -0
  14. data/spec/fixtures/incomplete_chain_client.pem +29 -0
  15. data/spec/fixtures/revoked_badssl_ca_bundle.pem +81 -0
  16. data/spec/fixtures/revoked_badssl_client.pem +22 -0
  17. data/spec/fixtures/revoked_rsa_dv_ca_bundle.pem +114 -0
  18. data/spec/fixtures/revoked_rsa_dv_client.pem +41 -0
  19. data/spec/fixtures/self_signed_ca_bundle.pem +21 -0
  20. data/spec/fixtures/self_signed_client.pem +21 -0
  21. data/spec/fixtures/www_demarches-simplifiees_fr_ca_bundle.pem +108 -0
  22. data/spec/fixtures/www_demarches-simplifiees_fr_client.pem +52 -0
  23. data/spec/fixtures/www_github_com_ca_bundle.pem +67 -0
  24. data/spec/fixtures/www_github_com_client.pem +27 -0
  25. data/spec/fixtures/www_mycs_com_ca_bundle.pem +79 -0
  26. data/spec/fixtures/www_mycs_com_client.pem +33 -0
  27. data/spec/ssl-test_spec.rb +272 -35
  28. data/ssl-test.gemspec +1 -0
  29. metadata +57 -7
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: d3e34cb1b1925cf541b7c8022e4c41adb5346214a48b719ec4fa99b7c434bd38
4
- data.tar.gz: 6b577636e88f9741891bc0161b72b921389be95a7b1323f148c26f41e64e2294
3
+ metadata.gz: 56fc310f88c6cf01540cb98cd8704cf9e4bbbf63f107398ad0c506d809f1661f
4
+ data.tar.gz: a6540f367f4fc62a6cb171e90084fe5d30a7d4247b7dd3f5fe76bd6c78770f52
5
5
  SHA512:
6
- metadata.gz: ad5bbf6ef3f47b7ca645218047ab6b93c3fe497e9233e69bcce3cf7b199bf338dcb358c64b8787b5426235373df76f0d1c8c455a2ee67d9cd3361def51941439
7
- data.tar.gz: 9af52c3812ff2b6c236a592949af4466fe7badbb036f134485847b4db32d53c513c7053fc591f567e091d866ce5078966949053d7cdd37b63163f586db44ad20
6
+ metadata.gz: 827d397d81d91b110ee6e3012f7f0e0816390da20b37bafc563b584fa7d9106b938663f47720c553028fc49f057588ae1fea9e319e561d4d9f2a30f2702ce13d
7
+ data.tar.gz: b4f315bf38d8b86c3411047467c0c01c997f533190c1c54be597c480a5a8ec2bcced348fe8a417fbfa1c77d8ed47e3aab19aeff72167e67f3c4d01e20e4fd223
data/.github/workflows/ruby.yml CHANGED
@@ -2,17 +2,15 @@ name: Specs
2
2
  on: [push]
3
3
  jobs:
4
4
  specs:
5
- runs-on: ubuntu-latest
6
- strategy:
7
- matrix:
8
- ruby-version: ['2.6', '2.7', '3.0', '3.1', 'jruby-head', 'truffleruby-head']
5
+ runs-on: ubuntu-22.04
9
6
  steps:
10
7
  - uses: actions/checkout@v2
11
8
  - name: Set up Ruby
12
9
  uses: ruby/setup-ruby@v1
13
10
  with:
14
- ruby-version: ${{ matrix.ruby-version }}
11
+ ruby-version: '3.1'
15
12
  bundler-cache: true # runs 'bundle install' and caches installed gems automatically
16
13
  - name: Run specs
17
14
  run: |
15
+ openssl version
18
16
  bundle exec rspec
data/README.md CHANGED
@@ -1,4 +1,4 @@
1
- # SSLTest [![Build Status](https://travis-ci.com/jarthod/ssl-test.svg?branch=master)](https://travis-ci.com/jarthod/ssl-test)
1
+ # SSLTest
2
2
 
3
3
  A small ruby gem (with no dependencies) to help you test a website's SSL certificate.
4
4
 
@@ -8,48 +8,61 @@ gem 'ssl-test'
8
8
 
9
9
  ## Usage
10
10
 
11
- Simply call the `SSLTest.test` method and it'll return 3 values:
11
+ Simply call the `SSLTest.test_url` method and it'll return 3 values:
12
12
 
13
13
  1. the validity of the certificate
14
14
  2. the error message (if any)
15
15
  3. the certificate itself
16
16
 
17
17
  Example with good cert:
18
+
18
19
  ```ruby
19
- valid, error, cert = SSLTest.test "https://google.com"
20
+ valid, error, cert = SSLTest.test_url "https://google.com"
20
21
  valid # => true
21
22
  error # => nil
22
23
  cert # => #<OpenSSL::X509::Certificate...>
23
24
  ```
24
25
 
25
26
  Example with bad certificate:
27
+
26
28
  ```ruby
27
- valid, error, cert = SSLTest.test "https://testssl-expire.disig.sk"
29
+ valid, error, cert = SSLTest.test_url "https://testssl-expire.disig.sk"
28
30
  valid # => false
29
31
  error # => "error code 10: certificate has expired"
30
32
  cert # => #<OpenSSL::X509::Certificate...>
31
33
  ```
32
34
 
33
35
  If the request fails and we're unable to detemine the validity, here are the returned values:
36
+
34
37
  ```ruby
35
- valid, error, cert = SSLTest.test "https://thisisdefinitelynotawebsite.com"
38
+ valid, error, cert = SSLTest.test_url "https://thisisdefinitelynotawebsite.com"
36
39
  valid # => nil
37
40
  error # => "SSL certificate test failed: getaddrinfo: Name or service not known"
38
41
  cert # => nil
39
42
  ```
40
43
 
41
- You can also pass custom timeout values:
44
+ You can also pass custom timeout values (defaults to 5 seconds for open and read):
45
+
42
46
  ```ruby
43
- valid, error, cert = SSLTest.test "https://slowebsite.com", open_timeout: 2, read_timeout: 2
47
+ valid, error, cert = SSLTest.test_url "https://slowebsite.com", open_timeout: 2, read_timeout: 2
44
48
  valid # => nil
45
49
  error # => "SSL certificate test failed: execution expired"
46
50
  cert # => nil
47
51
  ```
48
- Default timeout values are 5 seconds each (open and read)
52
+
53
+ Or a proxy host and port to use for the http requests:
54
+
55
+ ```ruby
56
+ valid, error, cert = SSLTest.test_url "https://slowebsite.com", proxy_host: 'localhost', proxy_port: 8080
57
+ valid # => true
58
+ error # => nil
59
+ cert # => #<OpenSSL::X509::Certificate...>
60
+ ```
49
61
 
50
62
  Revoked certificates are detected using [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) endpoint by default:
63
+
51
64
  ```ruby
52
- valid, error, cert = SSLTest.test "https://revoked.badssl.com"
65
+ valid, error, cert = SSLTest.test_url "https://revoked.badssl.com"
53
66
  valid # => false
54
67
  error # => "SSL certificate revoked: The certificate was revoked for an unknown reason (revocation date: 2019-10-07 20:30:39 UTC)"
55
68
  cert # => #<OpenSSL::X509::Certificate...>
@@ -58,13 +71,27 @@ cert # => #<OpenSSL::X509::Certificate...>
58
71
  If the OCSP endpoint is missing, invalid or unreachable the certificate revocation will be tested using [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list).
59
72
 
60
73
  If both OCSP and CRL tests are impossible, the certificate will still be considered valid but with an error message:
74
+
61
75
  ```ruby
62
- valid, error, cert = SSLTest.test "https://sitewithnoOCSPorCRL.com"
76
+ valid, error, cert = SSLTest.test_url "https://sitewithnoOCSPorCRL.com"
63
77
  valid # => true
64
78
  error # => "Revocation test couldn't be performed: OCSP: Missing OCSP URI in authorityInfoAccess extension, CRL: Missing crlDistributionPoints extension"
65
79
  cert # => #<OpenSSL::X509::Certificate...>
66
80
  ```
67
81
 
82
+ ### Testing when you have the client certificate and Certificate Authority Bundle
83
+
84
+ If you already have access to the client certificate and the CA certificate bundle to check against, you can call `test_cert` which takes a certificate and ca bundle certificate instead of a URL. it has all the same options as `test_url`
85
+
86
+ ```ruby
87
+ cert = OpenSSL::X509::Certificate.new(File.read('path/to/certificate')))
88
+ ca_bundle = OpenSSL::X509::Certificate.load(File.read('path/to/ca-bundle-certificate'))
89
+
90
+ valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
91
+ ```
92
+
93
+ This check will pass for self-signed certificates if the certificate is signed by the ca certificate provided.
94
+
68
95
  ## How it works
69
96
 
70
97
  SSLTester connects as an HTTPS client (without issuing any requests) and then closes the connection. It does so using ruby `net/https` library and verifies the SSL status. It also hooks into the validation process to intercept the raw certificate for you.
@@ -140,6 +167,7 @@ But also **revoked certs** like most browsers (not handled by `curl`)
140
167
 
141
168
  See also github releases: https://github.com/jarthod/ssl-test/releases
142
169
 
170
+ * 1.5.0 - 2025-11-28: Add support for local certificates testing and HTTP proxies (#8), changed `#test` method into `#test_url` and `#test_cert` (`#test` remains as an alias for `#test_url` for backward-compatibility)
143
171
  * 1.4.1 - 2022-10-24: Add support for "tcps://" scheme
144
172
  * 1.4.0 - 2021-01-16: Implemented CRL as fallback to OCSP + expose cache metrics + add logger support
145
173
  * 1.3.1 - 2020-04-25: Improved caching of failed OCSP responses (#5)
data/lib/ssl-test/crl.rb CHANGED
@@ -51,7 +51,7 @@ module SSLTest
51
51
  end
52
52
 
53
53
  # Returns an array with [response, error_message]
54
- def follow_crl_redirects(uri, open_timeout: 5, read_timeout: 5, redirection_limit: 5)
54
+ def follow_crl_redirects(uri, open_timeout: 5, read_timeout: 5, redirection_limit: 5, proxy_host: nil, proxy_port: nil)
55
55
  return [nil, "Too many redirections (> #{redirection_limit})"] if redirection_limit == 0
56
56
 
57
57
  # Return file from cache if not expired
@@ -61,7 +61,7 @@ module SSLTest
61
61
 
62
62
  @logger&.debug { "SSLTest + CRL: fetch URI #{uri}" }
63
63
  path = uri.path == "" ? "/" : uri.path
64
- http = Net::HTTP.new(uri.hostname, uri.port)
64
+ http = Net::HTTP.new(uri.hostname, uri.port, proxy_host, proxy_port)
65
65
  http.open_timeout = open_timeout
66
66
  http.read_timeout = read_timeout
67
67
 
@@ -92,7 +92,7 @@ module SSLTest
92
92
  }
93
93
  [http_response.body, nil]
94
94
  when Net::HTTPRedirection
95
- follow_crl_redirects(URI(http_response["location"]), open_timeout: open_timeout, read_timeout: read_timeout, redirection_limit: redirection_limit - 1)
95
+ follow_crl_redirects(URI(http_response["location"]), open_timeout: open_timeout, read_timeout: read_timeout, proxy_host: proxy_host, proxy_port: proxy_port, redirection_limit: redirection_limit - 1)
96
96
  else
97
97
  @logger&.debug { "SSLTest + CRL: Error: #{http_response.class}" }
98
98
  [nil, "Wrong response type (#{http_response.class})"]
data/lib/ssl-test/ocsp.rb CHANGED
@@ -67,12 +67,12 @@ module SSLTest
67
67
  end
68
68
 
69
69
  # Returns an array with [response, error_message]
70
- def follow_ocsp_redirects(uri, data, open_timeout: 5, read_timeout: 5, redirection_limit: 5)
70
+ def follow_ocsp_redirects(uri, data, open_timeout: 5, read_timeout: 5, redirection_limit: 5, proxy_host: nil, proxy_port: nil)
71
71
  return [nil, "Too many redirections (> #{redirection_limit})"] if redirection_limit == 0
72
72
 
73
73
  @logger&.debug { "SSLTest + OCSP: fetch URI #{uri}" }
74
74
  path = uri.path == "" ? "/" : uri.path
75
- http = Net::HTTP.new(uri.hostname, uri.port)
75
+ http = Net::HTTP.new(uri.hostname, uri.port, proxy_host, proxy_port)
76
76
  http.open_timeout = open_timeout
77
77
  http.read_timeout = read_timeout
78
78
 
@@ -82,7 +82,7 @@ module SSLTest
82
82
  @logger&.debug { "SSLTest + OCSP: 200 OK (#{http_response.body.bytesize} bytes)" }
83
83
  [http_response.body, nil]
84
84
  when Net::HTTPRedirection
85
- follow_ocsp_redirects(URI(http_response["location"]), data, open_timeout: open_timeout, read_timeout: read_timeout, redirection_limit: redirection_limit - 1)
85
+ follow_ocsp_redirects(URI(http_response["location"]), data, open_timeout: open_timeout, read_timeout: read_timeout, proxy_host: proxy_host, proxy_port: proxy_port, redirection_limit: redirection_limit - 1)
86
86
  else
87
87
  @logger&.debug { "SSLTest + OCSP: Error: #{http_response.class}" }
88
88
  [nil, "Wrong response type (#{http_response.class})"]
data/lib/ssl-test.rb CHANGED
@@ -10,16 +10,17 @@ module SSLTest
10
10
  extend OCSP
11
11
  extend CRL
12
12
 
13
- VERSION = -"1.4.1"
13
+ VERSION = -"1.5.0"
14
14
 
15
15
  class << self
16
- def test url, open_timeout: 5, read_timeout: 5, redirection_limit: 5
16
+ def test_url url, open_timeout: 5, read_timeout: 5, proxy_host: nil, proxy_port: nil, redirection_limit: 5
17
+ cert = failed_cert_reason = chain = nil
18
+
17
19
  uri = URI.parse(url)
18
20
  return if uri.scheme != 'https' and uri.scheme != 'tcps'
19
- cert = failed_cert_reason = chain = nil
20
21
 
21
22
  @logger&.info { "SSLTest #{url} started" }
22
- http = Net::HTTP.new(uri.host, uri.port)
23
+ http = Net::HTTP.new(uri.host, uri.port, proxy_host, proxy_port)
23
24
  http.open_timeout = open_timeout
24
25
  http.read_timeout = read_timeout
25
26
  http.use_ssl = true
@@ -33,25 +34,48 @@ module SSLTest
33
34
 
34
35
  begin
35
36
  http.start { }
36
- revoked, message, revocation_date = test_chain_revocation(chain, open_timeout: open_timeout, read_timeout: read_timeout, redirection_limit: redirection_limit)
37
+
38
+ revoked, message, revocation_date = test_chain_revocation(chain, open_timeout: open_timeout, read_timeout: read_timeout, proxy_host: proxy_host, proxy_port: proxy_port, redirection_limit: redirection_limit)
37
39
  @logger&.info { "SSLTest #{url} finished: revoked=#{revoked} #{message}" }
38
- return [false, "SSL certificate revoked: #{message} (revocation date: #{revocation_date})", cert] if revoked
39
- return [true, "Revocation test couldn't be performed: #{message}", cert] if message
40
- return [true, nil, cert]
41
- rescue OpenSSL::SSL::SSLError => e
42
- error = e.message
43
- error = "error code %d: %s" % failed_cert_reason if failed_cert_reason
44
- if error =~ /certificate verify failed/
45
- domains = cert_domains(cert)
46
- if matching_domains(domains, uri.host).none?
47
- error = "hostname \"#{uri.host}\" does not match the server certificate (#{domains.join(', ')})"
48
- end
40
+ return [!revoked, revocation_message(revoked, revocation_date, message), cert]
41
+ rescue OpenSSL::SSL::SSLError => error
42
+ error_message = parse_ssl_error(error, cert, failed_cert_reason, uri:)
43
+ @logger&.info { "SSLTest #{url} finished: #{error_message}" }
44
+ return [false, error_message, cert]
45
+ rescue => error
46
+ @logger&.error { "SSLTest #{url} failed: #{error.message}" }
47
+ return [nil, "SSL certificate test failed: #{error.message}", cert]
48
+ end
49
+ end
50
+ alias :test :test_url
51
+
52
+
53
+ def test_cert client_cert, ca_certs, open_timeout: 5, read_timeout: 5, proxy_host:nil, proxy_port: nil, redirection_limit: 5
54
+ cert = failed_cert_reason = chain = store = nil
55
+
56
+ store = OpenSSL::X509::Store.new
57
+ ca_certs.each { store.add_cert(_1) }
58
+ store.verify_callback = -> (verify_ok, store_context) {
59
+ cert = store_context.current_cert
60
+ chain = store_context.chain
61
+ failed_cert_reason = [store_context.error, store_context.error_string] if store_context.error != 0
62
+ verify_ok
63
+ }
64
+
65
+ begin
66
+ store.verify(client_cert)
67
+
68
+ if failed_cert_reason
69
+ error_message = "error code #{failed_cert_reason[0]}: #{failed_cert_reason[1]}"
70
+ @logger&.info { "SSLTest #{cert.subject.to_s} finished: #{error_message}" }
71
+ return [false, error_message, cert]
72
+ else
73
+ revoked, message, revocation_date = test_chain_revocation(chain, open_timeout: open_timeout, read_timeout: read_timeout, proxy_host: proxy_host, proxy_port: proxy_port, redirection_limit: redirection_limit)
74
+ return [!revoked, revocation_message(revoked, revocation_date, message), cert]
49
75
  end
50
- @logger&.info { "SSLTest #{url} finished: #{error}" }
51
- return [false, error, cert]
52
- rescue => e
53
- @logger&.error { "SSLTest #{url} failed: #{e.message}" }
54
- return [nil, "SSL certificate test failed: #{e.message}", cert]
76
+ rescue => error
77
+ @logger&.error { "SSLTest #{cert.subject.to_s} failed: #{error.message}" }
78
+ return [nil, "SSL certificate test failed: #{error.message}", cert]
55
79
  end
56
80
  end
57
81
 
@@ -81,6 +105,28 @@ module SSLTest
81
105
 
82
106
  private
83
107
 
108
+ def revocation_message(revoked, revocation_date, message)
109
+ if revoked
110
+ "SSL certificate revoked: #{message} (revocation date: #{revocation_date})"
111
+ elsif message
112
+ "Revocation test couldn't be performed: #{message}"
113
+ end
114
+ end
115
+
116
+ def parse_ssl_error(error, cert, failed_cert_reason, uri:)
117
+ message = error.message
118
+ message = "error code %d: %s" % failed_cert_reason if failed_cert_reason
119
+ if message =~ /certificate verify failed/
120
+ domains = cert_domains(cert)
121
+ if !uri.nil? && matching_domains(domains, uri.host).none?
122
+ message = "hostname \"#{uri.host}\" does not match the server certificate (#{domains.join(', ')})"
123
+ end
124
+ end
125
+
126
+ message
127
+ end
128
+
129
+
84
130
  # https://docs.ruby-lang.org/en/2.2.0/OpenSSL/OCSP.html
85
131
  # https://stackoverflow.com/questions/16244084/how-to-programmatically-check-if-a-certificate-has-been-revoked#answer-16257470
86
132
  # Returns an array with [certificate_revoked?, error_reason, revocation_date]
data/spec/fixtures/digicert_com_ca_bundle.pem ADDED
@@ -0,0 +1,94 @@
1
+ -----BEGIN CERTIFICATE-----
2
+ MIIG7jCCBdagAwIBAgIQBz2KfzHX7LJ6+D64tWXIFTANBgkqhkiG9w0BAQsFADBE
3
+ MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMR4wHAYDVQQDExVE
4
+ aWdpQ2VydCBFViBSU0EgQ0EgRzIwHhcNMjUxMTAzMDAwMDAwWhcNMjUxMjE5MjM1
5
+ OTU5WjCBwTETMBEGCysGAQQBgjc8AgEDEwJVUzEVMBMGCysGAQQBgjc8AgECEwRV
6
+ dGFoMR0wGwYDVQQPDBRQcml2YXRlIE9yZ2FuaXphdGlvbjEVMBMGA1UEBRMMNTI5
7
+ OTUzNy0wMTQyMQswCQYDVQQGEwJVUzENMAsGA1UECBMEVXRhaDENMAsGA1UEBxME
8
+ TGVoaTEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xGTAXBgNVBAMTEHd3dy5kaWdp
9
+ Y2VydC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCoFf4dPzKL
10
+ K3KtscZ8hWhinM8VizoyYg6qF7zpGIphVHZtiuMowkKcHN8zk+Te9o3BFDnQYU6L
11
+ LSvI3JqcCxe8G7xOLxHG94ZDwjhhXUo/CxcHgNgyuSx1+OC5bXISTibb7jF2YU8u
12
+ 9rh4Vuyn13JNqU4HqrdwqEVZiW7rlC5yPO5sKadgjIu7CjjLsSYfen7uSfM0Mc4i
13
+ qs8TNqD2jQViefdIvmQGVqyJf+Fk12LlW2TdUeh89aEOagK+ZhSJx2bipeyj0eBB
14
+ ybJ8Q6kd4XLIPpx1QOV7yy755vLdfedllgnCv9C0BdHQF90SS+oADvyefXNNOTqT
15
+ fe+XwDdfkATTAgMBAAGjggNcMIIDWDAfBgNVHSMEGDAWgBRqTlC/mGidW3sgddRZ
16
+ AXlIZpIyBjAdBgNVHQ4EFgQUGd8hbnJtfOowjka/Sg7kOYi2oeEwKQYDVR0RBCIw
17
+ IIIQd3d3LmRpZ2ljZXJ0LmNvbYIMZGlnaWNlcnQuY29tMEoGA1UdIARDMEEwCwYJ
18
+ YIZIAYb9bAIBMDIGBWeBDAEBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGln
19
+ aWNlcnQuY29tL0NQUzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUH
20
+ AwEwdQYDVR0fBG4wbDA0oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0Rp
21
+ Z2lDZXJ0RVZSU0FDQUcyLmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQu
22
+ Y29tL0RpZ2lDZXJ0RVZSU0FDQUcyLmNybDBzBggrBgEFBQcBAQRnMGUwJAYIKwYB
23
+ BQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTA9BggrBgEFBQcwAoYxaHR0
24
+ cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0RVZSU0FDQUcyLmNydDAM
25
+ BgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgDd3Mo0ldfh
26
+ FgXnlTL6x5/4PRxQ39sAOhQSdgosrLvIKgAAAZpIkZnpAAAEAwBHMEUCIC8jE0Ey
27
+ 0Q7xGE3PenZUJKcj+18nm0myb27cIyHx2jsVAiEA+YQXhHCbJc17AXmWgc63Z7RT
28
+ PvhE/Fq8k53T2H6SirYAdwDtPEvW6AbCpKIAV9vLJOI4Ad9RL+3EhsVwDyDdtz4/
29
+ 4AAAAZpIkZnnAAAEAwBIMEYCIQD+lFI/hO60oJOUndldghaqClo9/dy0O6FWaP06
30
+ Mn619QIhAMUSTSyO09wXaoiCUGrEZLlPvU1a3woB7Ja63sh1aUkbAHUApELFBklg
31
+ YVSPD9TqnPt6LSZFTYepfy/fRVn2J086hFQAAAGaSJGZ+AAABAMARjBEAiBWGFi2
32
+ 0F9ZZMzWcCcdmVpEz5y5T7cQ91z1DojVjc8Y4AIgGVU0KD/MTHi8b0nZb6B4uiD8
33
+ k97tErH3VPd1N5CiMPcwDQYJKoZIhvcNAQELBQADggEBADwGDULnh6YXMyl5Zylo
34
+ su7Bzw6lLG6RVYUtkJuiWeDfCCxaXkzUYIA/bsAQFBrWTQmyxBm6vIh/eNgGYUtO
35
+ 05uFrRbijre0+DiF1QTtfg9lBPtXVp4GwpB3om7C283TQvlDczpyPKkVtYrvsp0L
36
+ VUyt7LDPgaR69+ieVMQIn4pH/vWNGA8xlrL1jqv3W9RnGc1w1X/ceCshQD+VcNDe
37
+ 7xm0tesmOzuFwJbEetuDLWfXHUs2UWkbGyS8XMt76mo6rsesex0GjO2VsTkrV5Fg
38
+ xdboAzxOYE7ASn/LTbdtGQBuKyZHS1wH6g2q8vr9INk2rj+XvTCPe6DSffRrKdMf
39
+ LbM=
40
+ -----END CERTIFICATE-----
41
+
42
+ -----BEGIN CERTIFICATE-----
43
+ MIIFPDCCBCSgAwIBAgIQAWePH++IIlXYsKcOa3uyIDANBgkqhkiG9w0BAQsFADBh
44
+ MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
45
+ d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
46
+ MjAeFw0yMDA3MDIxMjQyNTBaFw0zMDA3MDIxMjQyNTBaMEQxCzAJBgNVBAYTAlVT
47
+ MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxHjAcBgNVBAMTFURpZ2lDZXJ0IEVWIFJT
48
+ QSBDQSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK0eZsx/neTr
49
+ f4MXJz0R2fJTIDfN8AwUAu7hy4gI0vp7O8LAAHx2h3bbf8wl+pGMSxaJK9ffDDCD
50
+ 63FqqFBqE9eTmo3RkgQhlu55a04LsXRLcK6crkBOO0djdonybmhrfGrtBqYvbRat
51
+ xenkv0Sg4frhRl4wYh4dnW0LOVRGhbt1G5Q19zm9CqMlq7LlUdAE+6d3a5++ppfG
52
+ cnWLmbEVEcLHPAnbl+/iKauQpQlU1Mi+wEBnjE5tK8Q778naXnF+DsedQJ7NEi+b
53
+ QoonTHEz9ryeEcUHuQTv7nApa/zCqes5lXn1pMs4LZJ3SVgbkTLj+RbBov/uiwTX
54
+ tkBEWawvZH8CAwEAAaOCAgswggIHMB0GA1UdDgQWBBRqTlC/mGidW3sgddRZAXlI
55
+ ZpIyBjAfBgNVHSMEGDAWgBROIlQgGJXm427mD/r6uRLtBhePOTAOBgNVHQ8BAf8E
56
+ BAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQI
57
+ MAYBAf8CAQAwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2Nz
58
+ cC5kaWdpY2VydC5jb20wewYDVR0fBHQwcjA3oDWgM4YxaHR0cDovL2NybDMuZGln
59
+ aWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdEcyLmNybDA3oDWgM4YxaHR0cDov
60
+ L2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdEcyLmNybDCBzgYD
61
+ VR0gBIHGMIHDMIHABgRVHSAAMIG3MCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5k
62
+ aWdpY2VydC5jb20vQ1BTMIGKBggrBgEFBQcCAjB+DHxBbnkgdXNlIG9mIHRoaXMg
63
+ Q2VydGlmaWNhdGUgY29uc3RpdHV0ZXMgYWNjZXB0YW5jZSBvZiB0aGUgUmVseWlu
64
+ ZyBQYXJ0eSBBZ3JlZW1lbnQgbG9jYXRlZCBhdCBodHRwczovL3d3dy5kaWdpY2Vy
65
+ dC5jb20vcnBhLXVhMA0GCSqGSIb3DQEBCwUAA4IBAQBSMgrCdY2+O9spnYNvwHiG
66
+ +9lCJbyELR0UsoLwpzGpSdkHD7pVDDFJm3//B8Es+17T1o5Hat+HRDsvRr7d3MEy
67
+ o9iXkkxLhKEgApA2Ft2eZfPrTolc95PwSWnn3FZ8BhdGO4brTA4+zkPSKoMXi/X+
68
+ WLBNN29Z/nbCS7H/qLGt7gViEvTIdU8x+H4l/XigZMUDaVmJ+B5d7cwSK7yOoQdf
69
+ oIBGmA5Mp4LhMzo52rf//kXPfE3wYIZVHqVuxxlnTkFYmffCX9/Lon7SWaGdg6Rc
70
+ k4RHhHLWtmz2lTZ5CEo2ljDsGzCFGJP7oT4q6Q8oFC38irvdKIJ95cUxYzj4tnOI
71
+ -----END CERTIFICATE-----
72
+
73
+ -----BEGIN CERTIFICATE-----
74
+ MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
75
+ MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
76
+ d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
77
+ MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
78
+ MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
79
+ b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
80
+ 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
81
+ 2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
82
+ 1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
83
+ q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
84
+ tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
85
+ vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
86
+ BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
87
+ 5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
88
+ 1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
89
+ NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
90
+ Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
91
+ 8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
92
+ pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
93
+ MrY=
94
+ -----END CERTIFICATE-----
data/spec/fixtures/digicert_com_client.pem ADDED
@@ -0,0 +1,40 @@
1
+ -----BEGIN CERTIFICATE-----
2
+ MIIG7jCCBdagAwIBAgIQBz2KfzHX7LJ6+D64tWXIFTANBgkqhkiG9w0BAQsFADBE
3
+ MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMR4wHAYDVQQDExVE
4
+ aWdpQ2VydCBFViBSU0EgQ0EgRzIwHhcNMjUxMTAzMDAwMDAwWhcNMjUxMjE5MjM1
5
+ OTU5WjCBwTETMBEGCysGAQQBgjc8AgEDEwJVUzEVMBMGCysGAQQBgjc8AgECEwRV
6
+ dGFoMR0wGwYDVQQPDBRQcml2YXRlIE9yZ2FuaXphdGlvbjEVMBMGA1UEBRMMNTI5
7
+ OTUzNy0wMTQyMQswCQYDVQQGEwJVUzENMAsGA1UECBMEVXRhaDENMAsGA1UEBxME
8
+ TGVoaTEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xGTAXBgNVBAMTEHd3dy5kaWdp
9
+ Y2VydC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCoFf4dPzKL
10
+ K3KtscZ8hWhinM8VizoyYg6qF7zpGIphVHZtiuMowkKcHN8zk+Te9o3BFDnQYU6L
11
+ LSvI3JqcCxe8G7xOLxHG94ZDwjhhXUo/CxcHgNgyuSx1+OC5bXISTibb7jF2YU8u
12
+ 9rh4Vuyn13JNqU4HqrdwqEVZiW7rlC5yPO5sKadgjIu7CjjLsSYfen7uSfM0Mc4i
13
+ qs8TNqD2jQViefdIvmQGVqyJf+Fk12LlW2TdUeh89aEOagK+ZhSJx2bipeyj0eBB
14
+ ybJ8Q6kd4XLIPpx1QOV7yy755vLdfedllgnCv9C0BdHQF90SS+oADvyefXNNOTqT
15
+ fe+XwDdfkATTAgMBAAGjggNcMIIDWDAfBgNVHSMEGDAWgBRqTlC/mGidW3sgddRZ
16
+ AXlIZpIyBjAdBgNVHQ4EFgQUGd8hbnJtfOowjka/Sg7kOYi2oeEwKQYDVR0RBCIw
17
+ IIIQd3d3LmRpZ2ljZXJ0LmNvbYIMZGlnaWNlcnQuY29tMEoGA1UdIARDMEEwCwYJ
18
+ YIZIAYb9bAIBMDIGBWeBDAEBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGln
19
+ aWNlcnQuY29tL0NQUzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUH
20
+ AwEwdQYDVR0fBG4wbDA0oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0Rp
21
+ Z2lDZXJ0RVZSU0FDQUcyLmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQu
22
+ Y29tL0RpZ2lDZXJ0RVZSU0FDQUcyLmNybDBzBggrBgEFBQcBAQRnMGUwJAYIKwYB
23
+ BQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTA9BggrBgEFBQcwAoYxaHR0
24
+ cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0RVZSU0FDQUcyLmNydDAM
25
+ BgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgDd3Mo0ldfh
26
+ FgXnlTL6x5/4PRxQ39sAOhQSdgosrLvIKgAAAZpIkZnpAAAEAwBHMEUCIC8jE0Ey
27
+ 0Q7xGE3PenZUJKcj+18nm0myb27cIyHx2jsVAiEA+YQXhHCbJc17AXmWgc63Z7RT
28
+ PvhE/Fq8k53T2H6SirYAdwDtPEvW6AbCpKIAV9vLJOI4Ad9RL+3EhsVwDyDdtz4/
29
+ 4AAAAZpIkZnnAAAEAwBIMEYCIQD+lFI/hO60oJOUndldghaqClo9/dy0O6FWaP06
30
+ Mn619QIhAMUSTSyO09wXaoiCUGrEZLlPvU1a3woB7Ja63sh1aUkbAHUApELFBklg
31
+ YVSPD9TqnPt6LSZFTYepfy/fRVn2J086hFQAAAGaSJGZ+AAABAMARjBEAiBWGFi2
32
+ 0F9ZZMzWcCcdmVpEz5y5T7cQ91z1DojVjc8Y4AIgGVU0KD/MTHi8b0nZb6B4uiD8
33
+ k97tErH3VPd1N5CiMPcwDQYJKoZIhvcNAQELBQADggEBADwGDULnh6YXMyl5Zylo
34
+ su7Bzw6lLG6RVYUtkJuiWeDfCCxaXkzUYIA/bsAQFBrWTQmyxBm6vIh/eNgGYUtO
35
+ 05uFrRbijre0+DiF1QTtfg9lBPtXVp4GwpB3om7C283TQvlDczpyPKkVtYrvsp0L
36
+ VUyt7LDPgaR69+ieVMQIn4pH/vWNGA8xlrL1jqv3W9RnGc1w1X/ceCshQD+VcNDe
37
+ 7xm0tesmOzuFwJbEetuDLWfXHUs2UWkbGyS8XMt76mo6rsesex0GjO2VsTkrV5Fg
38
+ xdboAzxOYE7ASn/LTbdtGQBuKyZHS1wH6g2q8vr9INk2rj+XvTCPe6DSffRrKdMf
39
+ LbM=
40
+ -----END CERTIFICATE-----
data/spec/fixtures/expired_cert_ca_bundle.pem ADDED
@@ -0,0 +1,100 @@
1
+ -----BEGIN CERTIFICATE-----
2
+ MIIFSzCCBDOgAwIBAgIQSueVSfqavj8QDxekeOFpCTANBgkqhkiG9w0BAQsFADCB
3
+ kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
4
+ A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV
5
+ BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
6
+ QTAeFw0xNTA0MDkwMDAwMDBaFw0xNTA0MTIyMzU5NTlaMFkxITAfBgNVBAsTGERv
7
+ bWFpbiBDb250cm9sIFZhbGlkYXRlZDEdMBsGA1UECxMUUG9zaXRpdmVTU0wgV2ls
8
+ ZGNhcmQxFTATBgNVBAMUDCouYmFkc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
9
+ ggEPADCCAQoCggEBAMIE7PiM7gTCs9hQ1XBYzJMY61yoaEmwIrX5lZ6xKyx2PmzA
10
+ S2BMTOqytMAPgLaw+XLJhgL5XEFdEyt/ccRLvOmULlA3pmccYYz2QULFRtMWhyef
11
+ dOsKnRFSJiFzbIRMeVXk0WvoBj1IFVKtsyjbqv9u/2CVSndrOfEk0TG23U3AxPxT
12
+ uW1CrbV8/q71FdIzSOciccfCFHpsKOo3St/qbLVytH5aohbcabFXRNsKEqveww9H
13
+ dFxBIuGa+RuT5q0iBikusbpJHAwnnqP7i/dAcgCskgjZjFeEU4EFy+b+a1SYQCeF
14
+ xxC7c3DvaRhBB0VVfPlkPz0sw6l865MaTIbRyoUCAwEAAaOCAdUwggHRMB8GA1Ud
15
+ IwQYMBaAFJCvajqUWgvYkOoSVnPfQ7Q6KNrnMB0GA1UdDgQWBBSd7sF7gQs6R2lx
16
+ GH0RN5O8pRs/+zAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUE
17
+ FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTwYDVR0gBEgwRjA6BgsrBgEEAbIxAQIC
18
+ BzArMCkGCCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQUzAI
19
+ BgZngQwBAgEwVAYDVR0fBE0wSzBJoEegRYZDaHR0cDovL2NybC5jb21vZG9jYS5j
20
+ b20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNybDCB
21
+ hQYIKwYBBQUHAQEEeTB3ME8GCCsGAQUFBzAChkNodHRwOi8vY3J0LmNvbW9kb2Nh
22
+ LmNvbS9DT01PRE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3J0
23
+ MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wIwYDVR0RBBww
24
+ GoIMKi5iYWRzc2wuY29tggpiYWRzc2wuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBq
25
+ evHa/wMHcnjFZqFPRkMOXxQhjHUa6zbgH6QQFezaMyV8O7UKxwE4PSf9WNnM6i1p
26
+ OXy+l+8L1gtY54x/v7NMHfO3kICmNnwUW+wHLQI+G1tjWxWrAPofOxkt3+IjEBEH
27
+ fnJ/4r+3ABuYLyw/zoWaJ4wQIghBK4o+gk783SHGVnRwpDTysUCeK1iiWQ8dSO/r
28
+ ET7BSp68ZVVtxqPv1dSWzfGuJ/ekVxQ8lEEFeouhN0fX9X3c+s5vMaKwjOrMEpsi
29
+ 8TRwz311SotoKQwe6Zaoz7ASH1wq7mcvf71z81oBIgxw+s1F73hczg36TuHvzmWf
30
+ RwxPuzZEaFZcVlmtqoq8
31
+ -----END CERTIFICATE-----
32
+ -----BEGIN CERTIFICATE-----
33
+ MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
34
+ hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
35
+ A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
36
+ BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMjEy
37
+ MDAwMDAwWhcNMjkwMjExMjM1OTU5WjCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
38
+ EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
39
+ Q09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZh
40
+ bGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
41
+ ADCCAQoCggEBAI7CAhnhoFmk6zg1jSz9AdDTScBkxwtiBUUWOqigwAwCfx3M28Sh
42
+ bXcDow+G+eMGnD4LgYqbSRutA776S9uMIO3Vzl5ljj4Nr0zCsLdFXlIvNN5IJGS0
43
+ Qa4Al/e+Z96e0HqnU4A7fK31llVvl0cKfIWLIpeNs4TgllfQcBhglo/uLQeTnaG6
44
+ ytHNe+nEKpooIZFNb5JPJaXyejXdJtxGpdCsWTWM/06RQ1A/WZMebFEh7lgUq/51
45
+ UHg+TLAchhP6a5i84DuUHoVS3AOTJBhuyydRReZw3iVDpA3hSqXttn7IzW3uLh0n
46
+ c13cRTCAquOyQQuvvUSH2rnlG51/ruWFgqUCAwEAAaOCAWUwggFhMB8GA1UdIwQY
47
+ MBaAFLuvfgI9+qbxPISOre44mOzZMjLUMB0GA1UdDgQWBBSQr2o6lFoL2JDqElZz
48
+ 30O0Oija5zAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNV
49
+ HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgG
50
+ BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv
51
+ bS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggrBgEFBQcB
52
+ AQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9E
53
+ T1JTQUFkZFRydXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21v
54
+ ZG9jYS5jb20wDQYJKoZIhvcNAQEMBQADggIBAE4rdk+SHGI2ibp3wScF9BzWRJ2p
55
+ mj6q1WZmAT7qSeaiNbz69t2Vjpk1mA42GHWx3d1Qcnyu3HeIzg/3kCDKo2cuH1Z/
56
+ e+FE6kKVxF0NAVBGFfKBiVlsit2M8RKhjTpCipj4SzR7JzsItG8kO3KdY3RYPBps
57
+ P0/HEZrIqPW1N+8QRcZs2eBelSaz662jue5/DJpmNXMyYE7l3YphLG5SEXdoltMY
58
+ dVEVABt0iN3hxzgEQyjpFv3ZBdRdRydg1vs4O2xyopT4Qhrf7W8GjEXCBgCq5Ojc
59
+ 2bXhc3js9iPc0d1sjhqPpepUfJa3w/5Vjo1JXvxku88+vZbrac2/4EjxYoIQ5QxG
60
+ V/Iz2tDIY+3GH5QFlkoakdH368+PUq4NCNk+qKBR6cGHdNXJ93SrLlP7u3r7l+L4
61
+ HyaPs9Kg4DdbKDsx5Q5XLVq4rXmsXiBmGqW5prU5wfWYQ//u+aen/e7KJD2AFsQX
62
+ j4rBYKEMrltDR5FL1ZoXX/nUh8HCjLfn4g8wGTeGrODcQgPmlKidrv0PJFGUzpII
63
+ 0fxQ8ANAe4hZ7Q7drNJ3gjTcBpUC2JD5Leo31Rpg0Gcg19hCC0Wvgmje3WYkN5Ap
64
+ lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf
65
+ +AZxAeKCINT+b72x
66
+ -----END CERTIFICATE-----
67
+ -----BEGIN CERTIFICATE-----
68
+ MIIF2DCCA8CgAwIBAgIQTKr5yttjb+Af907YWwOGnTANBgkqhkiG9w0BAQwFADCB
69
+ hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
70
+ A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
71
+ BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAwMTE5
72
+ MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
73
+ EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
74
+ Q09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNh
75
+ dGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCR
76
+ 6FSS0gpWsawNJN3Fz0RndJkrN6N9I3AAcbxT38T6KhKPS38QVr2fcHK3YX/JSw8X
77
+ pz3jsARh7v8Rl8f0hj4K+j5c+ZPmNHrZFGvnnLOFoIJ6dq9xkNfs/Q36nGz637CC
78
+ 9BR++b7Epi9Pf5l/tfxnQ3K9DADWietrLNPtj5gcFKt+5eNu/Nio5JIk2kNrYrhV
79
+ /erBvGy2i/MOjZrkm2xpmfh4SDBF1a3hDTxFYPwyllEnvGfDyi62a+pGx8cgoLEf
80
+ Zd5ICLqkTqnyg0Y3hOvozIFIQ2dOciqbXL1MGyiKXCJ7tKuY2e7gUYPDCUZObT6Z
81
+ +pUX2nwzV0E8jVHtC7ZcryxjGt9XyD+86V3Em69FmeKjWiS0uqlWPc9vqv9JWL7w
82
+ qP/0uK3pN/u6uPQLOvnoQ0IeidiEyxPx2bvhiWC4jChWrBQdnArncevPDt09qZah
83
+ SL0896+1DSJMwBGB7FY79tOi4lu3sgQiUpWAk2nojkxl8ZEDLXB0AuqLZxUpaVIC
84
+ u9ffUGpVRr+goyhhf3DQw6KqLCGqR84onAZFdr+CGCe01a60y1Dma/RMhnEw6abf
85
+ Fobg2P9A3fvQQoh/ozM6LlweQRGBY84YcWsr7KaKtzFcOmpH4MN5WdYgGq/yapiq
86
+ crxXStJLnbsQ/LBMQeXtHT1eKJ2czL+zUdqnR+WEUwIDAQABo0IwQDAdBgNVHQ4E
87
+ FgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB
88
+ /wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAArx1UaEt65Ru2yyTUEUAJNMnMvl
89
+ wFTPoCWOAvn9sKIN9SCYPBMtrFaisNZ+EZLpLrqeLppysb0ZRGxhNaKatBYSaVqM
90
+ 4dc+pBroLwP0rmEdEBsqpIt6xf4FpuHA1sj+nq6PK7o9mfjYcwlYRm6mnPTXJ9OV
91
+ 2jeDchzTc+CiR5kDOF3VSXkAKRzH7JsgHAckaVd4sjn8OoSgtZx8jb8uk2Intzna
92
+ FxiuvTwJaP+EmzzV1gsD41eeFPfR60/IvYcjt7ZJQ3mFXLrrkguhxuhoqEwWsRqZ
93
+ CuhTLJK7oQkYdQxlqHvLI7cawiiFwxv/0Cti76R7CZGYZ4wUAc1oBmpjIXUDgIiK
94
+ boHGhfKppC3n9KUkEEeDys30jXlYsQab5xoq2Z0B15R97QNKyvDb6KkBPvVWmcke
95
+ jkk9u+UJueBPSZI9FoJAzMxZxuY67RIuaTxslbH9qh17f4a+Hg4yRvv7E491f0yL
96
+ S0Zj/gA0QHDBw7mh3aZw4gSzQbzpgJHqZJx64SIDqZxubw5lT2yHh17zbqD5daWb
97
+ QOhTsiedSrnAdyGN/4fy3ryM7xfft0kL0fJuMAsaDk527RH89elWsn2/x20Kk4yl
98
+ 0MC2Hb46TpSi125sC8KKfPog88Tk5c0NqMuRkrF8hey1FGlmDoLnzc7ILaZRfyHB
99
+ NVOFBkpdn627G190
100
+ -----END CERTIFICATE-----
data/spec/fixtures/expired_cert_client.pem ADDED
@@ -0,0 +1,31 @@
1
+ -----BEGIN CERTIFICATE-----
2
+ MIIFSzCCBDOgAwIBAgIQSueVSfqavj8QDxekeOFpCTANBgkqhkiG9w0BAQsFADCB
3
+ kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
4
+ A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV
5
+ BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
6
+ QTAeFw0xNTA0MDkwMDAwMDBaFw0xNTA0MTIyMzU5NTlaMFkxITAfBgNVBAsTGERv
7
+ bWFpbiBDb250cm9sIFZhbGlkYXRlZDEdMBsGA1UECxMUUG9zaXRpdmVTU0wgV2ls
8
+ ZGNhcmQxFTATBgNVBAMUDCouYmFkc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
9
+ ggEPADCCAQoCggEBAMIE7PiM7gTCs9hQ1XBYzJMY61yoaEmwIrX5lZ6xKyx2PmzA
10
+ S2BMTOqytMAPgLaw+XLJhgL5XEFdEyt/ccRLvOmULlA3pmccYYz2QULFRtMWhyef
11
+ dOsKnRFSJiFzbIRMeVXk0WvoBj1IFVKtsyjbqv9u/2CVSndrOfEk0TG23U3AxPxT
12
+ uW1CrbV8/q71FdIzSOciccfCFHpsKOo3St/qbLVytH5aohbcabFXRNsKEqveww9H
13
+ dFxBIuGa+RuT5q0iBikusbpJHAwnnqP7i/dAcgCskgjZjFeEU4EFy+b+a1SYQCeF
14
+ xxC7c3DvaRhBB0VVfPlkPz0sw6l865MaTIbRyoUCAwEAAaOCAdUwggHRMB8GA1Ud
15
+ IwQYMBaAFJCvajqUWgvYkOoSVnPfQ7Q6KNrnMB0GA1UdDgQWBBSd7sF7gQs6R2lx
16
+ GH0RN5O8pRs/+zAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUE
17
+ FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTwYDVR0gBEgwRjA6BgsrBgEEAbIxAQIC
18
+ BzArMCkGCCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQUzAI
19
+ BgZngQwBAgEwVAYDVR0fBE0wSzBJoEegRYZDaHR0cDovL2NybC5jb21vZG9jYS5j
20
+ b20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNybDCB
21
+ hQYIKwYBBQUHAQEEeTB3ME8GCCsGAQUFBzAChkNodHRwOi8vY3J0LmNvbW9kb2Nh
22
+ LmNvbS9DT01PRE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3J0
23
+ MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wIwYDVR0RBBww
24
+ GoIMKi5iYWRzc2wuY29tggpiYWRzc2wuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBq
25
+ evHa/wMHcnjFZqFPRkMOXxQhjHUa6zbgH6QQFezaMyV8O7UKxwE4PSf9WNnM6i1p
26
+ OXy+l+8L1gtY54x/v7NMHfO3kICmNnwUW+wHLQI+G1tjWxWrAPofOxkt3+IjEBEH
27
+ fnJ/4r+3ABuYLyw/zoWaJ4wQIghBK4o+gk783SHGVnRwpDTysUCeK1iiWQ8dSO/r
28
+ ET7BSp68ZVVtxqPv1dSWzfGuJ/ekVxQ8lEEFeouhN0fX9X3c+s5vMaKwjOrMEpsi
29
+ 8TRwz311SotoKQwe6Zaoz7ASH1wq7mcvf71z81oBIgxw+s1F73hczg36TuHvzmWf
30
+ RwxPuzZEaFZcVlmtqoq8
31
+ -----END CERTIFICATE-----