tttls1.3 0.2.12 → 0.2.16

data/lib/tttls1.3/server.rb

@@ -44,6 +44,11 @@ module TTTLS13
   ].freeze
   private_constant :DEFAULT_SP_NAMED_GROUP_LIST
 
+  DEFAULT_SP_COMPRESS_CERTIFICATE_ALGORITHMS = [
+    Message::Extension::CertificateCompressionAlgorithm::ZLIB
+  ].freeze
+  private_constant :DEFAULT_SP_COMPRESS_CERTIFICATE_ALGORITHMS
+
   DEFAULT_SERVER_SETTINGS = {
     crt_file: nil,
     chain_files: nil,
@@ -52,6 +57,8 @@ module TTTLS13
     signature_algorithms: DEFAULT_SP_SIGNATURE_ALGORITHMS,
     supported_groups: DEFAULT_SP_NAMED_GROUP_LIST,
     alpn: nil,
+    process_ocsp_response: nil,
+    compress_certificate_algorithms: DEFAULT_SP_COMPRESS_CERTIFICATE_ALGORITHMS,
     compatibility_mode: true,
     loglevel: Logger::WARN
   }.freeze
@@ -139,7 +146,6 @@ module TTTLS13
       transcript = Transcript.new
       key_schedule = nil # TTTLS13::KeySchedule
       priv_key = nil # OpenSSL::PKey::$Object
-
       hs_wcipher = nil # TTTLS13::Cryptograph::$Object
       hs_rcipher = nil # TTTLS13::Cryptograph::$Object
 
@@ -150,7 +156,7 @@ module TTTLS13
           logger.debug('ServerState::START')
 
           receivable_ccs = transcript.include?(CH1)
-          ch = transcript[CH] = recv_client_hello(receivable_ccs)
+          ch, = transcript[CH] = recv_client_hello(receivable_ccs)
 
           # support only TLS 1.3
           terminate(:protocol_version) unless ch.negotiated_tls_1_3?
@@ -182,7 +188,7 @@ module TTTLS13
           logger.debug('ServerState::RECVD_CH')
 
           # select parameters
-          ch = transcript[CH]
+          ch, = transcript[CH]
           @cipher_suite = select_cipher_suite(ch)
           @named_group = select_named_group(ch)
           @signature_scheme = select_signature_scheme(ch, @crt)
@@ -191,8 +197,9 @@ module TTTLS13
 
           # send HRR
           if @named_group.nil?
-            ch1 = transcript[CH1] = transcript.delete(CH)
-            transcript[HRR] = send_hello_retry_request(ch1, @cipher_suite)
+            ch1, = transcript[CH1] = transcript.delete(CH)
+            hrr = send_hello_retry_request(ch1, @cipher_suite)
+            transcript[HRR] = [hrr, hrr.serialize]
             @state = ServerState::START
             next
           end
@@ -200,10 +207,14 @@ module TTTLS13
         when ServerState::NEGOTIATED
           logger.debug('ServerState::NEGOTIATED')
 
-          ch = transcript[CH]
+          ch, = transcript[CH]
           extensions, priv_key = gen_sh_extensions(@named_group)
-          transcript[SH] = send_server_hello(extensions, @cipher_suite,
-                                             ch.legacy_session_id)
+          sh = send_server_hello(
+            extensions,
+            @cipher_suite,
+            ch.legacy_session_id
+          )
+          transcript[SH] = [sh, sh.serialize]
           send_ccs if @settings[:compatibility_mode]
 
           # generate shared secret
@@ -234,25 +245,30 @@ module TTTLS13
         when ServerState::WAIT_FLIGHT2
           logger.debug('ServerState::WAIT_FLIGHT2')
 
-          ch = transcript[CH]
+          ch, = transcript[CH]
           rsl = @send_record_size \
-            unless ch.extensions[Message::ExtensionType::RECORD_SIZE_LIMIT].nil?
-          ee = transcript[EE] = gen_encrypted_extensions(ch, @alpn, rsl)
+            if ch.extensions.include?(Message::ExtensionType::RECORD_SIZE_LIMIT)
+          ee = gen_encrypted_extensions(ch, @alpn, rsl)
+          transcript[EE] = [ee, ee.serialize]
           # TODO: [Send CertificateRequest]
-          ct = transcript[CT] = gen_certificate(@crt, @chain)
+
+          # status_request
+          ocsp_response = fetch_ocsp_response \
+            if ch.extensions.include?(Message::ExtensionType::STATUS_REQUEST)
+          ct = gen_certificate(@crt, ch, @chain, ocsp_response)
+          transcript[CT] = [ct, ct.serialize]
           digest = CipherSuite.digest(@cipher_suite)
-          cv = transcript[CV] = gen_certificate_verify(
-            @key,
-            @signature_scheme,
-            transcript.hash(digest, CT)
-          )
+          hash = transcript.hash(digest, CT)
+          cv = gen_certificate_verify(@key, @signature_scheme, hash)
+          transcript[CV] = [cv, cv.serialize]
           finished_key = key_schedule.server_finished_key
           signature = sign_finished(
             digest: digest,
             finished_key: finished_key,
             hash: transcript.hash(digest, CV)
           )
-          sf = transcript[SF] = Message::Finished.new(signature)
+          sf = Message::Finished.new(signature)
+          transcript[SF] = [sf, sf.serialize]
           send_server_parameters([ee, ct, cv, sf], hs_wcipher)
           @state = ServerState::WAIT_FINISHED
         when ServerState::WAIT_CERT
@@ -262,7 +278,7 @@ module TTTLS13
         when ServerState::WAIT_FINISHED
           logger.debug('ServerState::WAIT_FINISHED')
 
-          cf = transcript[CF] = recv_finished(hs_rcipher)
+          cf, = transcript[CF] = recv_finished(hs_rcipher)
           digest = CipherSuite.digest(@cipher_suite)
           verified = verified_finished?(
             finished: cf,
@@ -320,12 +336,15 @@ module TTTLS13
     # @raise [TTTLS13::Error::ErrorAlerts]
     #
     # @return [TTTLS13::Message::ClientHello]
+    # @return [String]
     def recv_client_hello(receivable_ccs)
-      ch = recv_message(receivable_ccs: receivable_ccs,
-                        cipher: Cryptograph::Passer.new)
+      ch, orig_msg = recv_message(
+        receivable_ccs: receivable_ccs,
+        cipher: Cryptograph::Passer.new
+      )
       terminate(:unexpected_message) unless ch.is_a?(Message::ClientHello)
 
-      ch
+      [ch, orig_msg]
     end
 
     # @param extensions [TTTLS13::Message::Extensions]
@@ -350,7 +369,7 @@ module TTTLS13
     #
     # @return [TTTLS13::Message::ServerHello]
     def send_hello_retry_request(ch1, cipher_suite)
-      exs = []
+      exs = Message::Extensions.new
       # supported_versions
       exs << Message::Extension::SupportedVersions.new(
         msg_type: Message::HandshakeType::SERVER_HELLO
@@ -372,7 +391,7 @@ module TTTLS13
         random: Message::HRR_RANDOM,
         legacy_session_id_echo: ch1.legacy_session_id,
         cipher_suite: cipher_suite,
-        extensions: Message::Extensions.new(exs)
+        extensions: exs
       )
       send_handshakes(Message::ContentType::HANDSHAKE, [sh],
                       Cryptograph::Passer.new)
@@ -403,14 +422,39 @@ module TTTLS13
     end
 
     # @param crt [OpenSSL::X509::Certificate]
+    # @param ch [TTTLS13::Message::ClientHell]
     # @param chain [Array of OpenSSL::X509::Certificate]
+    # @param ocsp_response [OpenSSL::OCSP::Response]
     #
-    # @return [TTTLS13::Message::Certificate, nil]
-    def gen_certificate(crt, chain = [])
-      ces = [crt] + (chain || [])
-      ces.map! { |c| Message::CertificateEntry.new(c) }
-      Message::Certificate.new(certificate_list: ces)
+    # @return [TTTLS13::Message::Certificate, CompressedCertificate, nil]
+    # rubocop: disable Metrics/CyclomaticComplexity
+    def gen_certificate(crt, ch, chain = [], ocsp_response = nil)
+      exs = Message::Extensions.new
+      # status_request
+      exs << Message::Extension::OCSPResponse.new(ocsp_response) \
+        unless ocsp_response.nil?
+      ces = [Message::CertificateEntry.new(crt, exs)] \
+            + (chain || []).map { |c| Message::CertificateEntry.new(c) }
+      ct = Message::Certificate.new(certificate_list: ces)
+
+      # compress_certificate
+      cc = ch.extensions[Message::ExtensionType::COMPRESS_CERTIFICATE]
+      if !cc.nil? && !cc.algorithms.empty?
+        cca = (@settings[:compress_certificate_algorithms] || []).find do |a|
+          cc.algorithms.include?(a)
+        end
+
+        unless cca.nil?
+          ct = Message::CompressedCertificate.new(
+            certificate_message: ct,
+            algorithm: cca
+          )
+        end
+      end
+
+      ct
     end
+    # rubocop: enable Metrics/CyclomaticComplexity
 
     # @param key [OpenSSL::PKey::PKey]
     # @param signature_scheme [TTTLS13::SignatureScheme]
@@ -432,11 +476,12 @@ module TTTLS13
     # @raise [TTTLS13::Error::ErrorAlerts]
     #
     # @return [TTTLS13::Message::Finished]
+    # @return [String]
     def recv_finished(cipher)
-      cf = recv_message(receivable_ccs: true, cipher: cipher)
+      cf, orig_msg = recv_message(receivable_ccs: true, cipher: cipher)
       terminate(:unexpected_message) unless cf.is_a?(Message::Finished)
 
-      cf
+      [cf, orig_msg]
     end
 
     # @param named_group [TTTLS13::NamedGroup]
@@ -444,7 +489,7 @@ module TTTLS13
     # @return [TTTLS13::Message::Extensions]
     # @return [OpenSSL::PKey::EC.$Object]
     def gen_sh_extensions(named_group)
-      exs = []
+      exs = Message::Extensions.new
       # supported_versions: only TLS 1.3
       exs << Message::Extension::SupportedVersions.new(
         msg_type: Message::HandshakeType::SERVER_HELLO
@@ -455,7 +500,7 @@ module TTTLS13
                  = Message::Extension::KeyShare.gen_sh_key_share(named_group)
       exs << key_share
 
-      [Message::Extensions.new(exs), priv_key]
+      [exs, priv_key]
     end
 
     # @param ch [TTTLS13::Message::ClientHello]
@@ -464,15 +509,16 @@ module TTTLS13
     #
     # @return [TTTLS13::Message::Extensions]
     def gen_ee_extensions(ch, alpn, record_size_limit)
-      exs = []
+      exs = Message::Extensions.new
 
       # server_name
       exs << Message::Extension::ServerName.new('') \
         if ch.extensions.include?(Message::ExtensionType::SERVER_NAME)
 
       # supported_groups
-      exs \
-      << Message::Extension::SupportedGroups.new(@settings[:supported_groups])
+      exs << Message::Extension::SupportedGroups.new(
+        @settings[:supported_groups]
+      )
 
       # alpn
       exs << Message::Extension::Alpn.new([alpn]) unless alpn.nil?
@@ -481,7 +527,7 @@ module TTTLS13
       exs << Message::Extension::RecordSizeLimit.new(record_size_limit) \
         unless record_size_limit.nil?
 
-      Message::Extensions.new(exs)
+      exs
     end
 
     # @param key [OpenSSL::PKey::PKey]
@@ -543,6 +589,11 @@ module TTTLS13
 
       matching_san?(crt, server_name)
     end
+
+    # @return [OpenSSL::OCSP::Response, nil]
+    def fetch_ocsp_response
+      @settings[:process_ocsp_response]&.call
+    end
   end
   # rubocop: enable Metrics/ClassLength
 end

data/lib/tttls1.3/transcript.rb

@@ -19,10 +19,6 @@ module TTTLS13
   CF   = 12
 
   class Transcript < Hash
-    def initialize
-      super
-    end
-
     alias super_include? include?
 
     # @param digest [String] name of digest algorithm
@@ -62,12 +58,12 @@ module TTTLS13
         exc_prefix = Message::HandshakeType::MESSAGE_HASH \
                      + "\x00\x00" \
                      + OpenSSL::Digest.new(digest).digest_length.to_uint8 \
-                     + OpenSSL::Digest.digest(digest, self[CH1].serialize) \
-                     + self[HRR].serialize
+                     + OpenSSL::Digest.digest(digest, self[CH1].last) \
+                     + self[HRR].last
       end
 
       messages = (CH..end_index).to_a.map do |m|
-        include?(m) ? self[m].serialize : ''
+        include?(m) ? self[m].last : ''
       end
       exc_prefix + messages.join
     end

data/lib/tttls1.3/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module TTTLS13
-  VERSION = '0.2.12'
+  VERSION = '0.2.16'
 end

data/spec/client_spec.rb

@@ -11,7 +11,7 @@ RSpec.describe Client do
       client = Client.new(mock_socket, 'localhost')
       extensions, _priv_keys = client.send(:gen_ch_extensions)
       client.send(:send_client_hello, extensions)
-      Record.deserialize(mock_socket.read, Cryptograph::Passer.new)
+      Record.deserialize(mock_socket.read, Cryptograph::Passer.new).first
     end
 
     it 'should send default ClientHello' do
@@ -37,7 +37,7 @@ RSpec.describe Client do
                         + msg_len.to_uint16 \
                         + TESTBINARY_SERVER_HELLO)
       client = Client.new(mock_socket, 'localhost')
-      client.send(:recv_server_hello)
+      client.send(:recv_server_hello).first
     end
 
     it 'should receive ServerHello' do
@@ -65,20 +65,20 @@ RSpec.describe Client do
     end
 
     it 'should receive EncryptedExtensions' do
-      message = client.send(:recv_encrypted_extensions, cipher)
+      message, = client.send(:recv_encrypted_extensions, cipher)
       expect(message.msg_type).to eq HandshakeType::ENCRYPTED_EXTENSIONS
     end
 
     it 'should receive Certificate' do
       client.send(:recv_encrypted_extensions, cipher) # to skip
-      message = client.send(:recv_certificate, cipher)
+      message, = client.send(:recv_certificate, cipher)
       expect(message.msg_type).to eq HandshakeType::CERTIFICATE
     end
 
     it 'should receive CertificateVerify' do
       client.send(:recv_encrypted_extensions, cipher) # to skip
       client.send(:recv_certificate, cipher)          # to skip
-      message = client.send(:recv_certificate_verify, cipher)
+      message, = client.send(:recv_certificate_verify, cipher)
       expect(message.msg_type).to eq HandshakeType::CERTIFICATE_VERIFY
     end
 
@@ -86,7 +86,7 @@ RSpec.describe Client do
       client.send(:recv_encrypted_extensions, cipher) # to skip
       client.send(:recv_certificate, cipher)          # to skip
       client.send(:recv_certificate_verify, cipher)   # to skip
-      message = client.send(:recv_finished, cipher)
+      message, = client.send(:recv_finished, cipher)
       expect(message.msg_type).to eq HandshakeType::FINISHED
     end
   end
@@ -97,14 +97,20 @@ RSpec.describe Client do
     end
 
     let(:transcript) do
+      ch = ClientHello.deserialize(TESTBINARY_CLIENT_HELLO)
+      sh = ServerHello.deserialize(TESTBINARY_SERVER_HELLO)
+      ee = EncryptedExtensions.deserialize(TESTBINARY_ENCRYPTED_EXTENSIONS)
+      ct = Certificate.deserialize(TESTBINARY_CERTIFICATE)
+      cv = CertificateVerify.deserialize(TESTBINARY_CERTIFICATE_VERIFY)
+      sf = Finished.deserialize(TESTBINARY_SERVER_FINISHED)
       transcript = Transcript.new
       transcript.merge!(
-        CH => ClientHello.deserialize(TESTBINARY_CLIENT_HELLO),
-        SH => ServerHello.deserialize(TESTBINARY_SERVER_HELLO),
-        EE => EncryptedExtensions.deserialize(TESTBINARY_ENCRYPTED_EXTENSIONS),
-        CT => Certificate.deserialize(TESTBINARY_CERTIFICATE),
-        CV => CertificateVerify.deserialize(TESTBINARY_CERTIFICATE_VERIFY),
-        SF => Finished.deserialize(TESTBINARY_SERVER_FINISHED)
+        CH => [ch, TESTBINARY_CLIENT_HELLO],
+        SH => [sh, TESTBINARY_SERVER_HELLO],
+        EE => [ee, TESTBINARY_ENCRYPTED_EXTENSIONS],
+        CT => [ct, TESTBINARY_CERTIFICATE],
+        CV => [cv, TESTBINARY_CERTIFICATE_VERIFY],
+        SF => [sf, TESTBINARY_SERVER_FINISHED]
       )
       transcript
     end
@@ -140,7 +146,7 @@ RSpec.describe Client do
         write_iv: TESTBINARY_CLIENT_FINISHED_WRITE_IV,
         sequence_number: SequenceNumber.new
       )
-      Record.deserialize(mock_socket.read, hs_rcipher)
+      Record.deserialize(mock_socket.read, hs_rcipher).first
     end
 
     it 'should send Finished' do
@@ -170,14 +176,17 @@ RSpec.describe Client do
     end
 
     let(:transcript) do
+      ch = ClientHello.deserialize(TESTBINARY_CLIENT_HELLO)
+      sh = ServerHello.deserialize(TESTBINARY_SERVER_HELLO)
+      ee = EncryptedExtensions.deserialize(TESTBINARY_ENCRYPTED_EXTENSIONS)
       transcript = Transcript.new
       transcript.merge!(
-        CH => ClientHello.deserialize(TESTBINARY_CLIENT_HELLO),
-        SH => ServerHello.deserialize(TESTBINARY_SERVER_HELLO),
-        EE => EncryptedExtensions.deserialize(TESTBINARY_ENCRYPTED_EXTENSIONS),
-        CT => ct,
-        CV => cv,
-        SF => sf
+        CH => [ch, TESTBINARY_CLIENT_HELLO],
+        SH => [sh, TESTBINARY_SERVER_HELLO],
+        EE => [ee, TESTBINARY_ENCRYPTED_EXTENSIONS],
+        CT => [ct, TESTBINARY_CERTIFICATE],
+        CV => [cv, TESTBINARY_CERTIFICATE_VERIFY],
+        SF => [sf, TESTBINARY_SERVER_FINISHED]
       )
     end
 

data/spec/compress_certificate_spec.rb

@@ -0,0 +1,54 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+require_relative 'spec_helper'
+using Refinements
+
+RSpec.describe Alpn do
+  context 'valid compress_certificate' do
+    let(:algorithms) do
+      [CertificateCompressionAlgorithm::ZLIB]
+    end
+
+    let(:extension) do
+      CompressCertificate.new(algorithms)
+    end
+
+    it 'should be generated' do
+      expect(extension.extension_type)
+        .to eq ExtensionType::COMPRESS_CERTIFICATE
+      expect(extension.algorithms).to eq algorithms
+    end
+
+    it 'should be serialized' do
+      expect(extension.serialize)
+        .to eq ExtensionType::COMPRESS_CERTIFICATE \
+               + 3.to_uint16 \
+               + 2.to_uint8 \
+               + "\x00\x01"
+    end
+  end
+
+  context 'invalid compress_certificate, empty,' do
+    let(:extension) do
+      CompressCertificate.new([])
+    end
+
+    it 'should not be generated' do
+      expect { extension }.to raise_error(ErrorAlerts)
+    end
+  end
+
+  context 'valid compress_certificate binary' do
+    let(:extension) do
+      CompressCertificate.deserialize(TESTBINARY_COMPRESS_CERTIFICATE)
+    end
+
+    it 'should generate valid object' do
+      expect(extension.extension_type)
+        .to eq ExtensionType::COMPRESS_CERTIFICATE
+      expect(extension.algorithms)
+        .to eq [CertificateCompressionAlgorithm::ZLIB]
+    end
+  end
+end

data/spec/connection_spec.rb

@@ -32,15 +32,18 @@ RSpec.describe Connection do
     end
 
     let(:transcript) do
+      ch = ClientHello.deserialize(TESTBINARY_CLIENT_HELLO)
+      sh = ServerHello.deserialize(TESTBINARY_SERVER_HELLO)
+      ee = EncryptedExtensions.deserialize(TESTBINARY_ENCRYPTED_EXTENSIONS)
       transcript = Transcript.new
       transcript.merge!(
-        CH => ClientHello.deserialize(TESTBINARY_CLIENT_HELLO),
-        SH => ServerHello.deserialize(TESTBINARY_SERVER_HELLO),
-        EE => EncryptedExtensions.deserialize(TESTBINARY_ENCRYPTED_EXTENSIONS),
-        CT => ct,
-        CV => cv,
-        CF => cf,
-        SF => sf
+        CH => [ch, TESTBINARY_CLIENT_HELLO],
+        SH => [sh, TESTBINARY_SERVER_HELLO],
+        EE => [ee, TESTBINARY_ENCRYPTED_EXTENSIONS],
+        CT => [ct, TESTBINARY_CERTIFICATE],
+        CV => [cv, TESTBINARY_CERTIFICATE_VERIFY],
+        CF => [cf, TESTBINARY_CLIENT_FINISHED],
+        SF => [sf, TESTBINARY_SERVER_FINISHED]
       )
     end
 
@@ -115,16 +118,20 @@ RSpec.describe Connection do
     end
 
     let(:transcript) do
+      ch1 = ClientHello.deserialize(TESTBINARY_HRR_CLIENT_HELLO1)
+      hrr = ServerHello.deserialize(TESTBINARY_HRR_HELLO_RETRY_REQUEST)
+      ch = ClientHello.deserialize(TESTBINARY_HRR_CLIENT_HELLO)
+      sh = ServerHello.deserialize(TESTBINARY_HRR_SERVER_HELLO)
+      ee = EncryptedExtensions.deserialize(TESTBINARY_HRR_ENCRYPTED_EXTENSIONS)
       transcript = Transcript.new
       transcript.merge!(
-        CH1 => ClientHello.deserialize(TESTBINARY_HRR_CLIENT_HELLO1),
-        HRR => ServerHello.deserialize(TESTBINARY_HRR_HELLO_RETRY_REQUEST),
-        CH => ClientHello.deserialize(TESTBINARY_HRR_CLIENT_HELLO),
-        SH => ServerHello.deserialize(TESTBINARY_HRR_SERVER_HELLO),
-        EE =>
-        EncryptedExtensions.deserialize(TESTBINARY_HRR_ENCRYPTED_EXTENSIONS),
-        CT => ct,
-        CV => cv
+        CH1 => [ch1, TESTBINARY_HRR_CLIENT_HELLO1],
+        HRR => [hrr, TESTBINARY_HRR_HELLO_RETRY_REQUEST],
+        CH => [ch, TESTBINARY_HRR_CLIENT_HELLO],
+        SH => [sh, TESTBINARY_HRR_SERVER_HELLO],
+        EE => [ee, TESTBINARY_HRR_ENCRYPTED_EXTENSIONS],
+        CT => [ct, TESTBINARY_HRR_CERTIFICATE],
+        CV => [cv, TESTBINARY_HRR_CERTIFICATE_VERIFY]
       )
     end
 

data/spec/extensions_spec.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require_relative 'spec_helper'
+using Refinements
 
 RSpec.describe Extensions do
   context 'empty extensions' do
@@ -167,4 +168,19 @@ RSpec.describe Extensions do
       expect(extensions).to include ExtensionType::RECORD_SIZE_LIMIT
     end
   end
+
+  context 'duplicated extension_type' do
+    let(:server_name) do
+      ServerName.new('example.com')
+    end
+
+    let(:testbinary) do
+      server_name.serialize * 2
+    end
+
+    it 'should raise error, if extension_type get duplicated' do
+      expect { Extensions.deserialize(testbinary, HandshakeType::CLIENT_HELLO) }
+        .to raise_error(ErrorAlerts)
+    end
+  end
 end

data/spec/fixtures/rsa_rsa.crt

@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIC2TCCAcGgAwIBAgIJAM8aTIrMzHgzMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
-BAMMB3Rlc3QtY2EwHhcNMTkwNTI1MDEzODAyWhcNMjAwNTI0MDEzODAyWjAUMRIw
+MIIC2TCCAcGgAwIBAgIJALo0YKZBVqYnMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
+BAMMB3Rlc3QtY2EwHhcNMjAwNzE1MTU0NTE4WhcNMzAwNzEzMTU0NTE4WjAUMRIw
 EAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQDb9cGc2hOrLp3VWpxw8WgDqEL3LzZ5a6iYwibeR4AEB5FJLhS3Wvxa1xOS510C
-Kyfk/0znJvN9y+C8tFpB1BAN1OpPvaMPcYWx9CfEeoXaA5+QtU0MWJV7uYMtEUEx
-mEOvDKK1ZvHhw7xUzwcJTFRo6ZY6LqjiozlSPkTrVRIWoy7qEzXnOza36xX18xVt
-azvJBBudtTrjjBfQv2DJdF44icWqOBvAwg54BAbaH3bZ1WOg5oRnOPeVumYbPBsl
-dCDs67S1+RHKMEjRTk7gzuGog9lxJVMluU7iyreROD9+GvJEY3ra2KH96rtIgzo6
-KFHlC4Ih18zRfJZePgMGi5zVAgMBAAGjMDAuMAkGA1UdEwQCMAAwCwYDVR0PBAQD
-AgWgMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAAjDs
-4PgPL2Tn8+TxFWEPjh3VUB2kNyYK4LFA/ooN81pDLmm9/qc0FcUs16YQIqYdZICc
-vE83z3RlTmSjsynaRXxYh0VGVE2g2pWiPzEGTGE5HJy2JOtidMiacskmvetbTyYd
-TLdTEFiAlXF9e24OanglmFr9QnA/Z/zQkuIb4t7KN8Dufsi3ljkoJ+puuPxrEQj0
-4BfBo381jK5WULHJ2G9pz5pvy1GZLfj1tQyG2wkI/vV2tjFN+LLO7NCY3V6RjvEZ
-bH4ZdAQz9fbbp7eCXImP+OJYt97Q3RZFJjUWhmh4qFebelkeN3RnmWSFrgjh0O67
-pyNwVv0//MYIEhMUVQ==
+AQC65xzvPQrsXXRVsQ4rcrmvOF0gdWV38JKlhHUrS50//T0S55FUSBkuVXUDCZDx
+dOf0y/5HaMb3hm68+ld5B/oNtoPlJWW6Sgc8OLERQy9qGpwR0mXND4SnZ9or7RDV
+8tAEg/Hzq5rm6Xy2WClSR+nHg2tVh2Szde39j7o8ivJpHPzfEyZh37y9oIiY2/FP
+QpbAe8n3Ses04D3jhZRoysdcuneWuG3h5DJ9X4IhZUBM54nEO5IQElyYnF6xY/Lt
+Gykf8+ydiuAZpZF5FGGfoiKB7XdIwhSlK1XRFeBbHRqyAFjpSNtqy6RPdJINLseb
+wG6DNSxcLm91C6ZJaaqu7Qp1AgMBAAGjMDAuMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgWgMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEALqaQ
+J5H9jB2VmIEDxhXAQTeqW1Hmp0oHhL1XcAvNS+JILjFfAdjMe/3Kei3hQJv8j8sE
+uck3o7iA4kcE0ydUzO7TM7efjqcksyZrmWSB0xj+NHjcybwhD4Selr1vBSCU0IHN
+Ap+zYbBX7eQawm2lIzniBvS6MmP+dgZjhy73FVQ4oSz+wTcg1iPkhulYL4iV/HSG
+fND5gUvlRbLHGTETpCdq7iJNOpNl/OYboJLPvVpx8H7Jc+L2bQl05fj/koO35xaL
+JuZGj5aVOKw45WvqERpe1RI3077dWE6bAr9DzrW13IqmFMbPD817pcB6+ILZnMAF
+RhobWRU6PA4TdDP8bg==
 -----END CERTIFICATE-----

data/spec/fixtures/rsa_rsa.key

@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA2/XBnNoTqy6d1VqccPFoA6hC9y82eWuomMIm3keABAeRSS4U
-t1r8WtcTkuddAisn5P9M5ybzfcvgvLRaQdQQDdTqT72jD3GFsfQnxHqF2gOfkLVN
-DFiVe7mDLRFBMZhDrwyitWbx4cO8VM8HCUxUaOmWOi6o4qM5Uj5E61USFqMu6hM1
-5zs2t+sV9fMVbWs7yQQbnbU644wX0L9gyXReOInFqjgbwMIOeAQG2h922dVjoOaE
-Zzj3lbpmGzwbJXQg7Ou0tfkRyjBI0U5O4M7hqIPZcSVTJblO4sq3kTg/fhryRGN6
-2tih/eq7SIM6OihR5QuCIdfM0XyWXj4DBouc1QIDAQABAoIBAA6EEGvuhF/Gqsna
-ufpGJCwhnZG8fubScQTrwy7mHw+lBDSFIv7atU61ZOhL9npfKLnXE1cp3eXOX510
-dYRkn06aX4A1rp4lSsJsr3cq8sxpcs1U+am36t2IZ5zAx8GjH8xclBxOl+XjSfl6
-1CcL74Ig8DYUwDZ8uRqxW1EAgzoVGXTMjXqEtP+X3WcFP/XNdzGWeFheowk0iwOn
-DIM6tIELbExbSK8RxhTrKQKv+rTm373ntwSrtvDLlAz1kR9p0a6XeeAn3VVkVYaE
-cu6MRuA2b24EYcEDQgbU2KsUke2vZ1i5hl5ptuc8+iubXCj2SICilBeVQNXLIr2j
-sIzd8x0CgYEA+nH5IIt9pnlqRkFm8Y4bH4cvTk7xMWKj1tuRvP0Vdmw+KsqCxWNR
-w1KuUZ0tj6lzQez0o/jpFWqtxDTV5r3vj/6nrFcLXClENe65pQMByaduoKUGn6VK
-lE7xO0JMRRIqPwRH3vyazcUuVnFtPToBfV82fSvKt9R/xb7lTA8cWk8CgYEA4Naw
-LLwIaL8Drq8BCwJUIrSuZCKcS8542AA+Qz3ivTIMbZshiSE27cLTurFQhpjC7fu3
-V3DQWbQLk3wdg3wAVA7uADlqwCY9SdKo8HstUBaM/GVgPSfxEIRohSHN6KY5NP0r
-tAWKDEcvfuiiV+YFtwz1tXVZl0OpvRpRxzYHYZsCgYEAsziqkjqgYWiTv9D/zS7n
-hAlmtgBSJAg1vQUF5xupp0RQvKiNKponocJiUq9LMnqNq4jZjRoMGrJrxXQV+njD
-neUbsn3b+EjjskCzAz4Con858KYH9mj/1OAlS0XndKpKJyx2DkHwuf44ac3j4aPH
-+yMOyEZ1XFYqVaWFS4eov4sCgYEAppvwaPXddWE2pVdhenr7RcyF/gX3s+UIf2eO
-u908C97ufroaG7fVMFLS+uEyPsssh5WjwtQCULaubVfntutIgwGdM+VYSZMMj4vf
-THS6m0Jarx2gNzFF3WuA2Ea4gtHKSo3guMHyDi8h7vUMd/4n9gFQgmq3PPQS7+J0
-/x32UkkCgYBboPnH4jVSqN0vfFtvsGhxXW4lxJQab6bMQ58DvhitKh8O1r+WCbCY
-ynhyc7ne7DCLfyH1Blv8jG+tjBNaDQgoGIuJ+Bpmwon0T2hUqCQbts12a3ZEffP9
-Wmk8MKKy7fu4RDFh0KHai1Fqa3AmVn8Jhq+kCGbueSOMkRwy0tCetg==
+MIIEowIBAAKCAQEAuucc7z0K7F10VbEOK3K5rzhdIHVld/CSpYR1K0udP/09EueR
+VEgZLlV1AwmQ8XTn9Mv+R2jG94ZuvPpXeQf6DbaD5SVlukoHPDixEUMvahqcEdJl
+zQ+Ep2faK+0Q1fLQBIPx86ua5ul8tlgpUkfpx4NrVYdks3Xt/Y+6PIryaRz83xMm
+Yd+8vaCImNvxT0KWwHvJ90nrNOA944WUaMrHXLp3lrht4eQyfV+CIWVATOeJxDuS
+EBJcmJxesWPy7RspH/PsnYrgGaWReRRhn6Iige13SMIUpStV0RXgWx0asgBY6Ujb
+asukT3SSDS7Hm8BugzUsXC5vdQumSWmqru0KdQIDAQABAoIBABPIjNaB9psIVV0Q
+rbhJn3/9jlX2NzRX4Z3lhGV9znpMet96ZXavXwL5hrY4mAAG6NqPkS3L2Guw7h3Q
+vduQzZYQAKwLplXuqg9kzNFP9D/d6zEzvRTUlK0HoB9QK50J45zmvoCVZIMWqd2/
+PTh5ZjR5I65c83rPe86AHS11Y61edr+vvGtI07kvj7EzR3jie0Lzzpj7TbmjTt5U
+v9rskcxjulQOmp8t/3ouptUhi16PRXPof0yzRGo6rrCUoQ7Cuy1dbFZ96dIBxrt4
+h9suE6MtpXdsGfI5FZPOKHqUcw8hZfUgeOYm4OTV3vBYie0xJ77i9YgqR+UwymjA
+NK4AOY0CgYEA553JtUvl8py76HjL3DxfbU38Dq22AF9sdUAs9Xwy9B8Y6R9SyrPI
+nab+3EE0gz5NnFLFCILK4A7ewe3OB3bE7/P4mc7JlUWM2LAcBz7K50seIKD3r+cj
+VzLHarOBi/VZ0pe1lDj/cuQ6cXTLHbKtk2XGCRnCBMJlog4ruFMYJ+sCgYEAzpRD
+3YtuQcT0rtvK05BcdWD3nGgsrAauLvKz80LIu4zX9nfz/H6lNRpZYJ2jrLR1ikbX
+XVWIsNlWizAuWEbGokUEYDTuhkh3591nrdPyB6/0Lm2Snl+q7mKIUFrZ08MXe7U8
+Z/qPq2VLVSzCyoGX0l4GuNymgDH6NVR/i5yQXx8CgYBNJ1OUz+aWbb1ukCagg3/q
+QksPfLAe6aqQWENhtvCmP2Gl7mg+26qdUY6eQh5DBdMGms/FqQP5pRpxEU1LUTYD
+FIsgeTDPR67GU8vSYglnCK/NgLFhaCZumpyxH4Cs5Zr5Os4ixOXbGMmbF6O9jdKi
+Qgm46FqoCTWfyQapTQzD5wKBgGQV4WuNCjZDPmkZhANMhf84o77bmgkek3WbkSPi
+z25OprN7GnLSySgZRARTW+Fo7Sm5eM53impkYlG9XjbW05X66kvSWV4l7jIgSwMl
+FLY0wZFc9RRWNXKZuoF0AuVeOBpvjHy0ILdhtEXoEdgbQXtios8d2G1zyU3dSo5R
+pIDxAoGBAIlXeI9tB0X9ywXKylI3CyHi8ex/k6o4WTj/5fH4bYp4faHBRm78Ho81
+Ih9rewMw7fMC3YUN3rcyvHRQqbJ2Wcxpyf0k45GMxTRasoVXCXgV/sMNCHh/ddZM
+Gf5ZTeq10gJPofBlPObg5VrlCLRnIFaNI4izpq2A+/FqTrEvSGlf
 -----END RSA PRIVATE KEY-----