tttls1.3 0.2.1 → 0.2.2

data/spec/client_spec.rb

@@ -9,8 +9,8 @@ RSpec.describe Client do
     let(:record) do
       mock_socket = SimpleStream.new
       client = Client.new(mock_socket, 'localhost')
-      exs, _priv_keys = client.send(:gen_ch_extensions)
-      client.send(:send_client_hello, exs)
+      extensions, _priv_keys = client.send(:gen_ch_extensions)
+      client.send(:send_client_hello, extensions)
       Record.deserialize(mock_socket.read, Cryptograph::Passer.new)
     end
 
@@ -52,52 +52,51 @@ RSpec.describe Client do
     let(:client) do
       mock_socket = SimpleStream.new
       mock_socket.write(TESTBINARY_SERVER_PARAMETERS_RECORD)
-      client = Client.new(mock_socket, 'localhost')
-      client.instance_variable_set(:@cipher_suite,
-                                   CipherSuite::TLS_AES_128_GCM_SHA256)
-      read_seq_num = SequenceNumber.new
-      cipher = Cryptograph::Aead.new(
+      Client.new(mock_socket, 'localhost')
+    end
+
+    let(:cipher) do
+      Cryptograph::Aead.new(
         cipher_suite: CipherSuite::TLS_AES_128_GCM_SHA256,
         write_key: TESTBINARY_SERVER_PARAMETERS_WRITE_KEY,
         write_iv: TESTBINARY_SERVER_PARAMETERS_WRITE_IV,
-        sequence_number: read_seq_num
+        sequence_number: SequenceNumber.new
       )
-      client.instance_variable_set(:@read_cipher, cipher)
-      client.instance_variable_set(:@read_seq_num, read_seq_num)
-      client
     end
 
     it 'should receive EncryptedExtensions' do
-      message = client.send(:recv_encrypted_extensions)
+      message = client.send(:recv_encrypted_extensions, cipher)
       expect(message.msg_type).to eq HandshakeType::ENCRYPTED_EXTENSIONS
     end
 
     it 'should receive Certificate' do
-      client.send(:recv_encrypted_extensions) # to skip
-      message = client.send(:recv_certificate)
+      client.send(:recv_encrypted_extensions, cipher) # to skip
+      message = client.send(:recv_certificate, cipher)
       expect(message.msg_type).to eq HandshakeType::CERTIFICATE
     end
 
     it 'should receive CertificateVerify' do
-      client.send(:recv_encrypted_extensions) # to skip
-      client.send(:recv_certificate)          # to skip
-      message = client.send(:recv_certificate_verify)
+      client.send(:recv_encrypted_extensions, cipher) # to skip
+      client.send(:recv_certificate, cipher)          # to skip
+      message = client.send(:recv_certificate_verify, cipher)
       expect(message.msg_type).to eq HandshakeType::CERTIFICATE_VERIFY
     end
 
     it 'should receive Finished' do
-      client.send(:recv_encrypted_extensions) # to skip
-      client.send(:recv_certificate)          # to skip
-      client.send(:recv_certificate_verify)   # to skip
-      message = client.send(:recv_finished)
+      client.send(:recv_encrypted_extensions, cipher) # to skip
+      client.send(:recv_certificate, cipher)          # to skip
+      client.send(:recv_certificate_verify, cipher)   # to skip
+      message = client.send(:recv_finished, cipher)
       expect(message.msg_type).to eq HandshakeType::FINISHED
     end
   end
 
   context 'client' do
-    let(:record) do
-      mock_socket = SimpleStream.new
-      client = Client.new(mock_socket, 'localhost')
+    let(:cipher_suite) do
+      CipherSuite::TLS_AES_128_GCM_SHA256
+    end
+
+    let(:transcript) do
       transcript = Transcript.new
       transcript.merge!(
         CH => ClientHello.deserialize(TESTBINARY_CLIENT_HELLO),
@@ -107,30 +106,41 @@ RSpec.describe Client do
         CV => CertificateVerify.deserialize(TESTBINARY_CERTIFICATE_VERIFY),
         SF => Finished.deserialize(TESTBINARY_SERVER_FINISHED)
       )
-      client.instance_variable_set(:@transcript, transcript)
-      ks = KeySchedule.new(shared_secret: TESTBINARY_SHARED_SECRET,
-                           cipher_suite: CipherSuite::TLS_AES_128_GCM_SHA256,
-                           transcript: transcript)
-      client.instance_variable_set(:@key_schedule, ks)
-      client.instance_variable_set(:@cipher_suite,
-                                   CipherSuite::TLS_AES_128_GCM_SHA256)
-      write_seq_num = SequenceNumber.new
-      write_cipher = Cryptograph::Aead.new(
-        cipher_suite: CipherSuite::TLS_AES_128_GCM_SHA256,
+      transcript
+    end
+
+    let(:finished_key) do
+      key_schedule = KeySchedule.new(
+        shared_secret: TESTBINARY_SHARED_SECRET,
+        cipher_suite: cipher_suite,
+        transcript: transcript
+      )
+      key_schedule.client_finished_key
+    end
+
+    let(:record) do
+      mock_socket = SimpleStream.new
+      client = Client.new(mock_socket, 'localhost')
+      digest = CipherSuite.digest(cipher_suite)
+      hash = transcript.hash(digest, EOED)
+      signature = client.send(:sign_finished,
+                              digest: digest,
+                              finished_key: finished_key,
+                              hash: hash)
+      hs_wcipher = Cryptograph::Aead.new(
+        cipher_suite: cipher_suite,
         write_key: TESTBINARY_CLIENT_FINISHED_WRITE_KEY,
         write_iv: TESTBINARY_CLIENT_FINISHED_WRITE_IV,
-        sequence_number: write_seq_num
+        sequence_number: SequenceNumber.new
       )
-      client.instance_variable_set(:@write_cipher, write_cipher)
-      client.instance_variable_set(:@write_seq_num, write_seq_num)
-      client.send(:send_finished)
-      read_cipher = Cryptograph::Aead.new(
-        cipher_suite: CipherSuite::TLS_AES_128_GCM_SHA256,
+      client.send(:send_finished, signature, hs_wcipher)
+      hs_rcipher = Cryptograph::Aead.new(
+        cipher_suite: cipher_suite,
         write_key: TESTBINARY_CLIENT_FINISHED_WRITE_KEY,
         write_iv: TESTBINARY_CLIENT_FINISHED_WRITE_IV,
         sequence_number: SequenceNumber.new
       )
-      Record.deserialize(mock_socket.read, read_cipher)
+      Record.deserialize(mock_socket.read, hs_rcipher)
     end
 
     it 'should send Finished' do
@@ -143,144 +153,73 @@ RSpec.describe Client do
   end
 
   context 'client' do
-    let(:client) do
-      client = Client.new(nil, 'localhost')
-      transcript = Transcript.new
-      transcript.merge!(
-        CH => ClientHello.deserialize(TESTBINARY_CLIENT_HELLO),
-        SH => ServerHello.deserialize(TESTBINARY_SERVER_HELLO),
-        EE => EncryptedExtensions.deserialize(TESTBINARY_ENCRYPTED_EXTENSIONS),
-        CT => Certificate.deserialize(TESTBINARY_CERTIFICATE),
-        CV => CertificateVerify.deserialize(TESTBINARY_CERTIFICATE_VERIFY),
-        SF => Finished.deserialize(TESTBINARY_SERVER_FINISHED)
-      )
-      client.instance_variable_set(:@transcript, transcript)
-      ks = KeySchedule.new(shared_secret: TESTBINARY_SHARED_SECRET,
-                           cipher_suite: CipherSuite::TLS_AES_128_GCM_SHA256,
-                           transcript: transcript)
-      client.instance_variable_set(:@key_schedule, ks)
-      client.instance_variable_set(:@cipher_suite,
-                                   CipherSuite::TLS_AES_128_GCM_SHA256)
-      client
+    let(:cipher_suite) do
+      CipherSuite::TLS_AES_128_GCM_SHA256
     end
 
-    let(:client_finished) do
-      Finished.deserialize(TESTBINARY_CLIENT_FINISHED)
+    let(:ct) do
+      Certificate.deserialize(TESTBINARY_CERTIFICATE)
     end
 
-    it 'should verify server CertificateVerify' do
-      expect(client.send(:verified_certificate_verify?)).to be true
+    let(:cv) do
+      CertificateVerify.deserialize(TESTBINARY_CERTIFICATE_VERIFY)
     end
 
-    it 'should verify server Finished' do
-      expect(client.send(:verified_finished?)).to be true
+    let(:sf) do
+      Finished.deserialize(TESTBINARY_SERVER_FINISHED)
     end
 
-    it 'should sign client Finished' do
-      expect(client.send(:sign_finished)).to eq client_finished.verify_data
-    end
-  end
-
-  context 'client' do
-    let(:client) do
-      client = Client.new(nil, 'localhost')
-      transcript = {
+    let(:transcript) do
+      transcript = Transcript.new
+      transcript.merge!(
         CH => ClientHello.deserialize(TESTBINARY_CLIENT_HELLO),
-        SH => ServerHello.deserialize(TESTBINARY_SERVER_HELLO)
-      }
-      client.instance_variable_set(:@transcript, transcript)
-      client
-    end
-
-    it 'should check that ServerHello.legacy_version matches ' \
-       'ClientHello.legacy_version' do
-      expect(client.send(:valid_sh_legacy_version?)).to be true
-    end
-
-    it 'should check that ServerHello.legacy_session_id_echo matches ' \
-       'ClientHello.legacy_session_id' do
-      expect(client.send(:valid_sh_legacy_session_id_echo?)).to be true
-    end
-
-    it 'should check that ServerHello.cipher_suite is included in' \
-       'ClientHello.cipher_suites' do
-      expect(client.send(:valid_sh_cipher_suite?)).to be true
-    end
-
-    it 'should check that ServerHello.compression_method is valid value' do
-      expect(client.send(:valid_sh_compression_method?)).to be true
+        SH => ServerHello.deserialize(TESTBINARY_SERVER_HELLO),
+        EE => EncryptedExtensions.deserialize(TESTBINARY_ENCRYPTED_EXTENSIONS),
+        CT => ct,
+        CV => cv,
+        SF => sf
+      )
     end
 
-    it 'should check that negotiated protocol_version is TLS 1.3' do
-      expect(client.send(:negotiated_tls_1_3?)).to be true
+    let(:key_schedule) do
+      KeySchedule.new(
+        shared_secret: TESTBINARY_SHARED_SECRET,
+        cipher_suite: cipher_suite,
+        transcript: transcript
+      )
     end
-  end
 
-  context 'client, received ServerHello with random[-8..] == ' \
-          'downgrade protection value(TLS 1.2),' do
     let(:client) do
-      mock_socket = SimpleStream.new
-      client = Client.new(mock_socket, 'localhost')
-      sh = ServerHello.deserialize(TESTBINARY_SERVER_HELLO)
-      random = OpenSSL::Random.random_bytes(24) + \
-               Client.const_get(:DOWNGRADE_PROTECTION_TLS_1_2)
-      sh.instance_variable_set(:@random, random)
-      transcript = {
-        CH => ClientHello.deserialize(TESTBINARY_CLIENT_HELLO),
-        SH => sh
-      }
-      client.instance_variable_set(:@transcript, transcript)
-      client
-    end
-
-    it 'should check downgrade protection value' do
-      expect(client.send(:valid_sh_random?)).to be false
-      expect(client.send(:negotiated_tls_1_3?)).to be true
+      Client.new(nil, 'localhost')
     end
-  end
 
-  context 'client, received ServerHello with random[-8..] == ' \
-          'downgrade protection value(prior to TLS 1.2),' do
-    let(:client) do
-      mock_socket = SimpleStream.new
-      client = Client.new(mock_socket, 'localhost')
-      sh = ServerHello.deserialize(TESTBINARY_SERVER_HELLO)
-      random = OpenSSL::Random.random_bytes(24) + \
-               Client.const_get(:DOWNGRADE_PROTECTION_TLS_1_1)
-      sh.instance_variable_set(:@random, random)
-      transcript = {
-        CH => ClientHello.deserialize(TESTBINARY_CLIENT_HELLO),
-        SH => sh
-      }
-      client.instance_variable_set(:@transcript, transcript)
-      client
+    let(:cf) do
+      Finished.deserialize(TESTBINARY_CLIENT_FINISHED)
     end
 
-    it 'should check downgrade protection value' do
-      expect(client.send(:valid_sh_random?)).to be false
-      expect(client.send(:negotiated_tls_1_3?)).to be true
+    it 'should verify server CertificateVerify' do
+      hash = transcript.hash(CipherSuite.digest(cipher_suite), CT)
+      expect(client.send(:verified_certificate_verify?, ct, cv, hash))
+        .to be true
     end
-  end
 
-  context 'client, received ServerHello with supported_versions not ' \
-          'including "\x03\x04",' do
-    let(:client) do
-      mock_socket = SimpleStream.new
-      client = Client.new(mock_socket, 'localhost')
-      sh = ServerHello.deserialize(TESTBINARY_SERVER_HELLO)
-      extensions = sh.instance_variable_get(:@extensions)
-      extensions[ExtensionType::SUPPORTED_VERSIONS] = nil
-      sh.instance_variable_set(:@extensions, extensions)
-      transcript = {
-        CH => ClientHello.deserialize(TESTBINARY_CLIENT_HELLO),
-        SH => sh
-      }
-      client.instance_variable_set(:@transcript, transcript)
-      client
+    it 'should verify server Finished' do
+      digest = CipherSuite.digest(cipher_suite)
+      hash = transcript.hash(digest, CV)
+      expect(client.send(:verified_finished?,
+                         finished: sf,
+                         digest: digest,
+                         finished_key: key_schedule.server_finished_key,
+                         hash: hash)).to be true
     end
 
-    it 'should check negotiated protocol_version' do
-      expect(client.send(:negotiated_tls_1_3?)).to be false
+    it 'should sign client Finished' do
+      digest = CipherSuite.digest(cipher_suite)
+      hash = transcript.hash(digest, EOED)
+      expect(client.send(:sign_finished,
+                         digest: digest,
+                         finished_key: key_schedule.client_finished_key,
+                         hash: hash)).to eq cf.verify_data
     end
   end
 

data/spec/connection_spec.rb

@@ -5,7 +5,7 @@ require_relative 'spec_helper'
 
 RSpec.describe Connection do
   context 'connection, Simple 1-RTT Handshake,' do
-    let(:private_key) do
+    let(:key) do
       rsa = OpenSSL::PKey::RSA.new
       rsa.set_key(OpenSSL::BN.new(TESTBINARY_PKEY_MODULUS, 2),
                   OpenSSL::BN.new(TESTBINARY_PKEY_PUBLIC_EXPONENT, 2),
@@ -31,8 +31,7 @@ RSpec.describe Connection do
       Finished.deserialize(TESTBINARY_SERVER_FINISHED)
     end
 
-    let(:connection) do
-      connection = Connection.new(nil)
+    let(:transcript) do
       transcript = Transcript.new
       transcript.merge!(
         CH => ClientHello.deserialize(TESTBINARY_CLIENT_HELLO),
@@ -43,39 +42,44 @@ RSpec.describe Connection do
         CF => cf,
         SF => sf
       )
-      connection.instance_variable_set(:@transcript, transcript)
-      connection.instance_variable_set(:@cipher_suite,
-                                       CipherSuite::TLS_AES_128_GCM_SHA256)
-      connection
+    end
+
+    let(:digest) do
+      CipherSuite.digest(CipherSuite::TLS_AES_128_GCM_SHA256)
+    end
+
+    let(:connection) do
+      Connection.new(nil)
     end
 
     it 'should verify server CertificateVerify.signature' do
       public_key = ct.certificate_list.first.cert_data.public_key
       signature_scheme = cv.signature_scheme
       signature = cv.signature
+
       expect(connection.send(:do_verified_certificate_verify?,
                              public_key: public_key,
                              signature_scheme: signature_scheme,
                              signature: signature,
                              context: 'TLS 1.3, server CertificateVerify',
-                             handshake_context_end: CT))
+                             hash: transcript.hash(digest, CT)))
         .to be true
     end
 
     it 'should sign client Finished.verify_data' do
-      expect(connection.send(:do_sign_finished,
+      expect(connection.send(:sign_finished,
                              digest: 'SHA256',
                              finished_key: TESTBINARY_CLIENT_FINISHED_KEY,
-                             handshake_context_end: EOED))
+                             hash: transcript.hash(digest, EOED)))
         .to eq cf.verify_data
     end
 
     it 'should verify server Finished.verify_data' do
-      expect(connection.send(:do_verified_finished?,
+      expect(connection.send(:verified_finished?,
+                             finished: sf,
                              digest: 'SHA256',
                              finished_key: TESTBINARY_SERVER_FINISHED_KEY,
-                             handshake_context_end: CV,
-                             signature: sf.verify_data))
+                             hash: transcript.hash(digest, CV)))
         .to be true
     end
 
@@ -86,16 +90,17 @@ RSpec.describe Connection do
       # used RSASSA-PSS signature_scheme, salt is a random sequence.
       # CertificateVerify.signature is random.
       signature = connection.send(:do_sign_certificate_verify,
-                                  private_key: private_key,
+                                  key: key,
                                   signature_scheme: signature_scheme,
                                   context: 'TLS 1.3, server CertificateVerify',
-                                  handshake_context_end: CT)
+                                  hash: transcript.hash(digest, CT))
+
       expect(connection.send(:do_verified_certificate_verify?,
                              public_key: public_key,
                              signature_scheme: signature_scheme,
                              signature: signature,
                              context: 'TLS 1.3, server CertificateVerify',
-                             handshake_context_end: CT))
+                             hash: transcript.hash(digest, CT)))
         .to be true
     end
   end
@@ -109,8 +114,7 @@ RSpec.describe Connection do
       CertificateVerify.deserialize(TESTBINARY_HRR_CERTIFICATE_VERIFY)
     end
 
-    let(:connection) do
-      connection = Connection.new(nil)
+    let(:transcript) do
       transcript = Transcript.new
       transcript.merge!(
         CH1 => ClientHello.deserialize(TESTBINARY_HRR_CLIENT_HELLO1),
@@ -122,22 +126,27 @@ RSpec.describe Connection do
         CT => ct,
         CV => cv
       )
-      connection.instance_variable_set(:@transcript, transcript)
-      connection.instance_variable_set(:@cipher_suite,
-                                       CipherSuite::TLS_AES_128_GCM_SHA256)
-      connection
+    end
+
+    let(:digest) do
+      CipherSuite.digest(CipherSuite::TLS_AES_128_GCM_SHA256)
+    end
+
+    let(:connection) do
+      Connection.new(nil)
     end
 
     it 'should verify server CertificateVerify.signature' do
       public_key = ct.certificate_list.first.cert_data.public_key
       signature_scheme = cv.signature_scheme
       signature = cv.signature
+
       expect(connection.send(:do_verified_certificate_verify?,
                              public_key: public_key,
                              signature_scheme: signature_scheme,
                              signature: signature,
                              context: 'TLS 1.3, server CertificateVerify',
-                             handshake_context_end: CT))
+                             hash: transcript.hash(digest, CT)))
         .to be true
     end
   end

data/spec/encrypted_extensions_spec.rb

@@ -31,7 +31,7 @@ RSpec.describe EncryptedExtensions do
     it 'should be generated' do
       expect(message.msg_type).to eq HandshakeType::ENCRYPTED_EXTENSIONS
       expect(message.extensions).to eq extensions
-      expect(message.only_appearable_extensions?).to be true
+      expect(message.appearable_extensions?).to be true
     end
 
     it 'should be serialized' do
@@ -55,7 +55,7 @@ RSpec.describe EncryptedExtensions do
     it 'should be generated' do
       expect(message.msg_type).to eq HandshakeType::ENCRYPTED_EXTENSIONS
       expect(message.extensions).to eq extensions
-      expect(message.only_appearable_extensions?).to be false
+      expect(message.appearable_extensions?).to be false
     end
   end
 
@@ -67,7 +67,7 @@ RSpec.describe EncryptedExtensions do
     it 'should be generated' do
       expect(message.msg_type).to eq HandshakeType::ENCRYPTED_EXTENSIONS
       expect(message.extensions).to eq Extensions.new
-      expect(message.only_appearable_extensions?).to be true
+      expect(message.appearable_extensions?).to be true
     end
 
     it 'should be serialized' do
@@ -84,7 +84,7 @@ RSpec.describe EncryptedExtensions do
 
     it 'should generate valid object' do
       expect(message.msg_type).to eq HandshakeType::ENCRYPTED_EXTENSIONS
-      expect(message.only_appearable_extensions?).to be true
+      expect(message.appearable_extensions?).to be true
     end
 
     it 'should generate valid serializable object' do

data/spec/fixtures/rsa_ca.crt

@@ -1,29 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIE4TCCAsmgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAd0ZXN0
-LWNhMB4XDTE5MDUyMTE0MTAyM1oXDTI5MDUxODE0MTAyM1owEjEQMA4GA1UEAwwH
-dGVzdC1jYTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALhDr6JVtpPi
-FfRy/1WCfwEEHy1zKDXkrjSUYICdXP2WhaHBfL0k2sk4q2uRxEJl+st7SkGPl307
-rFsrVLsWlRumVB7RuQ1ayvRdWTiOaEqRWtsW6f2IxKrv89Trh89gezpenbZ9RyIx
-Kr2CMBEHLjxI3ON0x7ok18c/8eIVJzIjSo7cuCiVaSTlMS6Hj+XGtAzjLgKRojeR
-meeuRzXatqZ6NGqjyB0u+Fg2Erijm4n5IIQyZrIyuIkMYak4pXZQ/9KMOsAoLHFc
-OBKakkLFpRvaYWTg1zilGz7fdJrFHl9B5SKYstXYnjjyXEw91lYKxSO1MgZjqyJ8
-G4GX8Lj0vSpCV10zRMPDvuuIUW3G/lyY6dZYWROuUGfRD0ithL6yVnjkFKdJ9YkM
-pc/fN1llDEjcvxDY0yfPVRVIJtQ4Xy0txZG2G8Nke9rD1m7+wAegdrgiSP9NlbkR
-/ALbw2GrUWVtR86HkrzADDvVsg5vSbSRf2pfgJTr37tl25QJ5EfHk9i2H2v0wcQ8
-6DN7gYtd45jD9N4rqfRgG4qfQ4wIGkSSRBZfE9CBRYwrL6frUga6QZgYkaxMcdQG
-PVttF5WQwcR4blsqZ6n14dCjJkNWJ56qsq+bzf4WENB9SAZpKHv4rekfRUw7ZVBB
-Secoisg/rbIkWFlnpSwyBWUhdGJ3C6mHAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIB
-BjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5rnZ4ZxbSKb4Py7wA+/a9zCbj
-RDANBgkqhkiG9w0BAQsFAAOCAgEAbVYmzqfBrgl1CsAnTEKQW4WQGuPhrzWuAYm3
-joVNDRzC3pkfHzt5/1hSJsqf9GA3HH+bDdStm0IB82SgycvSccqoEN1in8jwC3pi
-LJSfqXf5qVonJtotfr4lkr9ay/wbsqsnEYQtkLafhT+n4/2cu72V6OJJBKldlqGz
-Iugwx+3Dv8ZidtX7VQWkd0tyioxcTYaXQ3QvQZZXQ+wbuNOvTIlbmhZasR3jhSN0
-ytEFS9qWZ5MS95jO1FWdStCvHA5abi5JRW7sGHkkkNXcFB0jgCLbmQlHIXgM3/sF
-3SJQPCil0wNE1wWWemD5BikAIN7F+WN1uAQ21AA8QXlpjDCKj+XAZDmTvS6Ttub6
-BUqsxaEmz6A8mkqeL55FDEsQ8KpLHcAa9/RviuGequqiV4mJdP92oebGLaTeOJxD
-rxxZjPXFrBkZ5UXjwdFdkNaIgRe7hza1N5SljyxzkXwG5iwA/4/4qoP0kkyC+ReR
-16y0t1papARFR47VPn5IAS9WRHNg7jklBkN1kwFyQR88/hi3zNPKOd4x6EN6HeC7
-8ggPXFKNShSkNz7RF/OxG4kEPaHva/U+tdZzid3/LlXYh6+eIgswFSLPMTAusPcu
-Lx9N5nEmeIwTqrZGn0jCodsM7fYmqU4nmuEIUHjPTp+D1Vt0+c8ZxRy34N9mQRyE
-PcAi66U=
+MIIC6TCCAdGgAwIBAgIJAPCDjtGMCXxLMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
+BAMMB3Rlc3QtY2EwHhcNMTkwNTI1MDEyOTA1WhcNMjkwNTIyMDEyOTA1WjASMRAw
+DgYDVQQDDAd0ZXN0LWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+uL67dHTIZa/Lv+q/k2cTdXUyARn8EjKYWyWCSlJ9ixm9og5OudrqtjncVEf7m8N4
+cZ4BRztZjHnhFSmaezw79siK1e8/ZtNcKy6cQ6CirmZ7JgHhUTJTWVWqW2k3xp10
+Ur+fAUqOqV+v1iYlznbZSFyV9jkOKQd/kJwUSCpcd1KNDgTjeRI7h47ppAss5QdF
+8GSRnqa+z4yar4cc6zEEHFyvO/MES0rGN+wQ/aZ2Q5RC5tOACLsEndyWjiwnUSYX
+IpivEAb/MUoSsNN3okhBL9VUzIyhy3oLUcvEzUXrdHgXjkimISE74kOSIEqD/Mgh
+YbBOa/7ZZZeXjGu4tfoWpQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
+AQH/BAUwAwEB/zAdBgNVHQ4EFgQUrMJjif5NxggfH013nhJ6vzK21hIwDQYJKoZI
+hvcNAQELBQADggEBAHNSeg80fBBbFmNQaRDCmAratdBVgXPfTwH2LF7OUZh2JJGA
+n/H0m3mLFgfunQhYgWh5/6T71xWx/A0pAI73WDA/v2UnMUkNcJ6DttUEcRmhZJ7+
+nmu2Ym4LN3dTvMtNe0/6Yph+6PR8cP56HvSu1vIxQTjN3Dadjop92k98hxbX5iVp
+I74YZcLyOYqWWp1id3lF0ro7uyW6dcxUJTf53LXHlGNrIiUj07ThX/wCKBS0yw/H
++TCUdykUoiBCwgrl+RAn9EE1Hjt4D3q/vlZwzzddFds3kvP97CdjyP2M/60Ff9po
+Bdrqsa1vegwvAk+hRgocvrH3TPJslfycAada1zw=
 -----END CERTIFICATE-----

data/spec/fixtures/rsa_ca.key

@@ -1,51 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIJKgIBAAKCAgEAuEOvolW2k+IV9HL/VYJ/AQQfLXMoNeSuNJRggJ1c/ZaFocF8
-vSTayTira5HEQmX6y3tKQY+XfTusWytUuxaVG6ZUHtG5DVrK9F1ZOI5oSpFa2xbp
-/YjEqu/z1OuHz2B7Ol6dtn1HIjEqvYIwEQcuPEjc43THuiTXxz/x4hUnMiNKjty4
-KJVpJOUxLoeP5ca0DOMuApGiN5GZ565HNdq2pno0aqPIHS74WDYSuKObifkghDJm
-sjK4iQxhqTildlD/0ow6wCgscVw4EpqSQsWlG9phZODXOKUbPt90msUeX0HlIpiy
-1dieOPJcTD3WVgrFI7UyBmOrInwbgZfwuPS9KkJXXTNEw8O+64hRbcb+XJjp1lhZ
-E65QZ9EPSK2EvrJWeOQUp0n1iQylz983WWUMSNy/ENjTJ89VFUgm1DhfLS3FkbYb
-w2R72sPWbv7AB6B2uCJI/02VuRH8AtvDYatRZW1HzoeSvMAMO9WyDm9JtJF/al+A
-lOvfu2XblAnkR8eT2LYfa/TBxDzoM3uBi13jmMP03iup9GAbip9DjAgaRJJEFl8T
-0IFFjCsvp+tSBrpBmBiRrExx1AY9W20XlZDBxHhuWypnqfXh0KMmQ1Ynnqqyr5vN
-/hYQ0H1IBmkoe/it6R9FTDtlUEFJ5yiKyD+tsiRYWWelLDIFZSF0YncLqYcCAwEA
-AQKCAgAkAWXibKk+gGEV4RqvlM5IXovRD719um+n6o5o01cGXlFCaFJ9iyQNSbuF
-S3h0GQVGmZLK+Mn7OJvXPMJTxHfibT/mvchRKbqawVrbyEfsujZstS+H0R/M3xJg
-Op3REeNCZpaewCAUOFNHsJa/3Q1Vzk8LSxhz8RsQ3hffu45rJ6Y8ADkkBP4ErZxM
-oUSm+4rXMdUdv2NZRGQ0d0OG7HPgV+TCKbrCqRjx86740U9lSH7oFgknLO4OKZMz
-w9PhKLa0Z55bSf5VMFXsnLOTxJccuDFrytuDQA/w2y0nyPjEWFXzyq63Rpq0Ofd7
-FmI5ceVPsupRgUxBcsrVKeFp4rjLobx4sEtd568XOf+6QkeEnPSsbgZR3JDlG5g8
-2/aEVAQtk9KZ5DBw3AVj+Hlj6xADCn9hXifafKOFoaSC1RiZRc8MWrfh3PU9px4y
-GJqZgHWsrrzqTmyYuvvSOrHVF/XB05xKmquuRnkqhf7P5qFvaRThtebUXhDHrrED
-JkY16Y3GI1uQwpQxt+IzjzGKLPLXmP16bP0hFwAg4GeTcmPC9rwypDx0MnFrlLIW
-jXyVCESD/dsz8mtI+c3fJFpKzFf2t98jPc0zXmEl9wd+fayNXvr8EwIK0OZqpzpw
-Niq3+hv3oq2sTabStxnd4A1HFdcay+ZjW+RTQ/Gzipmke+yHkQKCAQEA8wQcl6vU
-CbXRKPIeUQj7kE+xLBh+fy+UscYvXz/pDq22tVRIce3JQOs8WXO+t/3jwigTRote
-4b/JFPSuPRLouvixtrzHJawjq1tBB2c24FeRPnUxvamZ9MklHtJH89ggKkogeiBY
-RCGRryPHTSzrOv6WXzyc85BmhuW3anIxMIOKMAIz6NJ8MSYJPr0LxzlJbxaakJUr
-fCWml/n3cqR6Ytlw6HWr7HiqIf2ucv4F6ywgLaKGuSx5B7cPIrsAeWIKjI+W0eu+
-BC6Ng+1s4q5ahbNWOw0Vdt6Wj0H82sK3XtCkeJl0IKcNjecGuw4X+2UlmAVyld8c
-J2oD2Or1qjxI4wKCAQEAwhv9Yk2blcrp+TN8XA4cDnQio9x40dY553wbGdNxHaHF
-GerqkARzJHtyLkxAltP68YVIENYvbh9tcOySTHijors9cDvADogtMW64mu+z3OJ6
-Phzyo1XPFHjE5j2/rtxZL1uXcaJZ4syy4h8DGKZw7dOS0OB9aNWNvB9yDAwsGs7n
-T0QJ001Z9LsZdRRGC7XGCgqx5509O7wpBoTLrb6bzAo5WGj1i5y+uuskidE2zn5B
-DlVsOs7IeytSXPbY2Mm8Plq6Av7MAewb0RwFU2NLq5t0cgXre07xF01qQkEup552
-dG27z60Fc3HPZbUoybJyVyAFMxgpOWfavYnNmnQSDQKCAQEAzuvyWKcDjh0VcrLu
-Y3utkEx7BJv6odtm1hR1Y7osfMYna7DPWsro8XEbWuN2Qn5Zf4nWF9w2NyyxUDmj
-XveJ2SJHV9zYCVjQqmiyL1aQYGfPkYoCh4cxQ0A+bkcI4zVk9f1WOAbwgVrADIv/
-eNRFm18JtSAMWEvdMQHKskV3YuKuOIC3qIgJHWRQvO4FaGZ8A64QgAm0FCqO9pru
-OtyYJTEWtaj0cg6wdu7lqp5ndb6Fy7W211dp2srhhWYLWk/DwbnF5wq/Khplfy8b
-5swk4fE4/GEApM2VD3hVkAP6VS58zP+E5QS5QtmzXnT6sKGIaDBDSB/IfjsD+aDe
-+0wHlwKCAQEAvwCbzGdheXw5zyWCcXLQ2Mgebe88U/7g64+Le1Y8MFRGhsJKHXzD
-cFqoeDZAOCpO++mSiD66XTo/jqa7LtRm8HIeepnQ2nvVPJcewBaufeO9NfF2MJL3
-OcW8unJ4c7APcjJGS2Ld3/Zc73Rkr5TX+q3+AdtkjAvXdA3dQ02W+KovoifpIysy
-IUcaPcK9SjiLrsXnWWm4H1d/ZxK0+TpeQ+CrnPtq4v5SD8viIFrl+zrw+RHFdfiT
-/d8bJK8hofCgcxsDfn8Kb7nNhW51LyC+DRbi9nAszyFWyv86WAebyQR8uwRfknNG
-sdqDoikpAY++Q00W0LgtmHdBHtDCqAEe4QKCAQEApjCoVd/WiN15LjORmRunJky4
-F8tZuyNw1U4Ig89TAQp467IZPFuLiMao+cGf7AropYH3hAG+MnBfbwfgznA5kvTi
-anj/dknQcN6z0LIvJxMv+eXWfX50T1h6WXb4SJtfo+NyVuvudF/4mJhhOAMhJQkv
-1THR6qopbeW/Ovf5Sf12xizOhTOJWhsfwXfp5HFo4VBLZkZqFdBgJXCBTiw0YBij
-1BgC1RL8lyC1fuNT00y6ion+O7YYBK4N5JEZ7wMIiC1ToeB9gfDxGTaS7pIoDN4o
-KmC/X1MbYqjR4xkyvaz5BAnlqUoyRb9QAgPZlEIT4xVzL89xm9uMyh90sTP61g==
+MIIEowIBAAKCAQEAuL67dHTIZa/Lv+q/k2cTdXUyARn8EjKYWyWCSlJ9ixm9og5O
+udrqtjncVEf7m8N4cZ4BRztZjHnhFSmaezw79siK1e8/ZtNcKy6cQ6CirmZ7JgHh
+UTJTWVWqW2k3xp10Ur+fAUqOqV+v1iYlznbZSFyV9jkOKQd/kJwUSCpcd1KNDgTj
+eRI7h47ppAss5QdF8GSRnqa+z4yar4cc6zEEHFyvO/MES0rGN+wQ/aZ2Q5RC5tOA
+CLsEndyWjiwnUSYXIpivEAb/MUoSsNN3okhBL9VUzIyhy3oLUcvEzUXrdHgXjkim
+ISE74kOSIEqD/MghYbBOa/7ZZZeXjGu4tfoWpQIDAQABAoIBAFlvC/QubKy9U5dO
+nvtOlN7xowlheOOeVp8ZI1+zW08xYNnIr1fNoH4iuIScbDNVh0MJSHkhRBJ7FflW
+sJAj8qtfHca/ESRIAYBuCfu7EcX3mnolwtu5zxuaGuQxpWyi4KMGXIUVgMaBqe+z
+e+3dHwamu3n82NwH4zswM6lTyHuCScvLr0d/Bbjq6v1pNfRhU58L3RNKDrhETrSA
+aQNEb7Z185q/B/dbDB810pcLaZ5ALbrM89sr7wD4ULPiAgDI7fX/0tK1/Dg4nQzJ
+6j3qrPoR6KdMmiTdtd2/jc3sRbNCBvzsakcGH/8V/47+8ysYGey4T7zBruvJlqY6
+tNkGEGkCgYEA61TM5paQhtzP62cK3b68KhBXFqxov0uV4kVuQFK5jBVVslpExnWl
+Zi+/YXJOOMt8oXkkWeyR2GmBl5BYYiUYfwZHkVWyImDfkYA5dyIpgoB6kGPANaqi
+5J+NCdj3PKgdYSZ7HPnm/pTen9m3Q/Dv5hjMj50Dd+CkJP7qKBavUDcCgYEAyPiM
+k1TgIvSvoVxCXi1yyuxOQgiiAaCBACiEyBpJYu13lVl4H9ziRMnhsXUv22ZsMd+Z
+HW05gMsn+EKifDBWnQqZT8ziRiFXoPylHOOOYbDVBjYMyTOT+ma9OZhJbL+bfTyC
+SjPkiZgIkPRUtqEYsgXZhrQd1qux03rrjUSGCgMCgYBWM3vSwzgxjlTC/72lOCao
+qc+cyI6d88v1VEVsXmEFBROc/x/OKm3pnnfV9A7fEvqWE0/TeKp7wTntELyvRrNQ
+ZDZ28BMOMLn0DCoAj4zw9qrulPtlLRn58M+y2bzGhTYtzfCuzoNkoZdiqldNFcZq
+XI8h0/vfP3Qg8RdIk/anxQKBgG64UGpTFnDrsV8Kvx23mEiny62hp++Rh8CYkh7U
+LJ4uCfXkJsQXIymWt5rW3xjW4sDPWUHXDRkh09F4lKAq2W0Hi9NlIzxT3j05M5Yo
+4CZ+D76uRHkMy3fm5lU2yyz4mydyEK3kzQHpGr8RfSJounxJsL//t3ivevbx/5gC
+qn4VAoGBAIX4k2ugHMPs2R7XVeieURm+otH9QJX81CgVyiLTN67je/0h3bVzmqcI
+SinujOpR6x+Xvc1fMfLEhDkKfO9L+iBAdIb7kd8lQXAdIrgUGhORmvAl99aRFLCC
+1FxaU9P9lk/WMXhuIkq1DmUAHzZGAz+/JzPiXezdo6POcPLoRri4
 -----END RSA PRIVATE KEY-----