tls: require RSA certificates with 2048-bit or larger keys. (envoypro…

…xy#5318)

RSA certificates with keys smaller than 2048-bits are disallowed by NIST,
Internet migrated to 2048-bit keys in 2013, and no CAs issue certificates
with smaller keys, so we let's prevent users from accidentally using such
certificates.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Signed-off-by: Fred Douglas <fredlas@google.com>

docs/root/intro/version_history.rst

@@ -77,10 +77,12 @@ Version history
 * stream: renamed `perRequestState` to `filterState` in `StreamInfo`.
 * stream: added `downstreamDirectRemoteAddress` to `StreamInfo`.
 * thrift_proxy: introduced thrift rate limiter filter
+* tls: added ssl.versions.<version> to :ref:`listener metrics <config_listener_stats>` to track TLS versions in use.
 * tls: added support for :ref:`client-side session resumption <envoy_api_field_auth.UpstreamTlsContext.max_session_keys>`.
 * tls: added support for CRLs in :ref:`trusted_ca <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 * tls: added support for :ref:`password encrypted private keys <envoy_api_field_auth.TlsCertificate.password>`.
-* tls: added ssl.versions.<version> to :ref:`listener metrics <config_listener_stats>` to track TLS versions in use.
+* tls: removed support for ECDSA certificates with curves other than P-256.
+* tls: removed support for RSA certificates with keys smaller than 2048-bits.
 * tracing: added support to the Zipkin tracer for the :ref:`b3 <config_http_conn_man_headers_b3>` single header format.
 * tracing: added support for :ref:`Datadog <arch_overview_tracing>` tracer.
 * upstream: added :ref:`scale_locality_weight<envoy_api_field_Cluster.LbSubsetConfig.scale_locality_weight>` to enable

source/common/ssl/context_impl.cc

@@ -247,10 +247,10 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const ContextConfig& config, TimeS
  }
 
  bssl::UniquePtr<EVP_PKEY> public_key(X509_get_pubkey(ctx.cert_chain_.get()));
- ctx.is_ecdsa_ = EVP_PKEY_id(public_key.get()) == EVP_PKEY_EC;
- if (ctx.is_ecdsa_) {
+ switch (EVP_PKEY_id(public_key.get())) {
+ case EVP_PKEY_EC: {
  // We only support P-256 ECDSA today.
- EC_KEY* ecdsa_public_key = EVP_PKEY_get0_EC_KEY(public_key.get());
+ const EC_KEY* ecdsa_public_key = EVP_PKEY_get0_EC_KEY(public_key.get());
  // Since we checked the key type above, this should be valid.
  ASSERT(ecdsa_public_key != nullptr);
  const EC_GROUP* ecdsa_group = EC_KEY_get0_group(ecdsa_public_key);
@@ -259,6 +259,20 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const ContextConfig& config, TimeS
  "ECDSA certificates are supported",
  ctx.cert_chain_file_path_));
  }
+ ctx.is_ecdsa_ = true;
+ } break;
+ case EVP_PKEY_RSA: {
+ // We require RSA certificates with 2048-bit or larger keys.
+ const RSA* rsa_public_key = EVP_PKEY_get0_RSA(public_key.get());
+ // Since we checked the key type above, this should be valid.
+ ASSERT(rsa_public_key != nullptr);
+ const unsigned rsa_key_length = RSA_size(rsa_public_key);
+ if (rsa_key_length < 2048 / 8) {
+ throw EnvoyException(fmt::format("Failed to load certificate from chain {}, only RSA "
+ "certificates with 2048-bit or larger keys are supported",
+ ctx.cert_chain_file_path_));
+ }
+ } break;
  }
 
  // Load private key.

test/common/ssl/context_impl_test.cc

@@ -538,6 +538,47 @@ TEST(ClientContextConfigImplTest, InvalidCertificateSpki) {
  EnvoyException, "Invalid base64-encoded SHA-256 .*");
 }
 
+// Validate that 2048-bit RSA ceritificates load successfully.
+TEST(ClientContextConfigImplTest, RSA2048Cert) {
+ envoy::api::v2::auth::UpstreamTlsContext tls_context;
+ NiceMock<Server::Configuration::MockTransportSocketFactoryContext> factory_context;
+ const std::string tls_certificate_yaml = R"EOF(
+ certificate_chain:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem"
+ private_key:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem"
+ )EOF";
+ MessageUtil::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml),
+ *tls_context.mutable_common_tls_context()->add_tls_certificates());
+ ClientContextConfigImpl client_context_config(tls_context, factory_context);
+ Event::SimulatedTimeSystem time_system;
+ ContextManagerImpl manager(time_system);
+ Stats::IsolatedStoreImpl store;
+ manager.createSslClientContext(store, client_context_config);
+}
+
+// Validate that 1024-bit RSA certificates are rejected.
+TEST(ClientContextConfigImplTest, RSA1024Cert) {
+ envoy::api::v2::auth::UpstreamTlsContext tls_context;
+ NiceMock<Server::Configuration::MockTransportSocketFactoryContext> factory_context;
+ const std::string tls_certificate_yaml = R"EOF(
+ certificate_chain:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_rsa_1024_cert.pem"
+ private_key:
+ filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_rsa_1024_key.pem"
+ )EOF";
+ MessageUtil::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml),
+ *tls_context.mutable_common_tls_context()->add_tls_certificates());
+ ClientContextConfigImpl client_context_config(tls_context, factory_context);
+ Event::SimulatedTimeSystem time_system;
+ ContextManagerImpl manager(time_system);
+ Stats::IsolatedStoreImpl store;
+ EXPECT_THROW_WITH_REGEX(manager.createSslClientContext(store, client_context_config),
+ EnvoyException,
+ "Failed to load certificate from chain .*selfsigned_rsa_1024_cert.pem, "
+ "only RSA certificates with 2048-bit or larger keys are supported");
+}
+
 // Validate that P256 ECDSA certs load.
 TEST(ClientContextConfigImplTest, P256EcdsaCert) {
  envoy::api::v2::auth::UpstreamTlsContext tls_context;

test/common/ssl/gen_unittest_certs.sh

@@ -38,7 +38,7 @@ emailAddress_max = 64
 EOF
 ) > "${OPENSSL_CONF}"
 
-openssl genrsa -out "${TEST_CERT_DIR}/unittestkey.pem" 1024
+openssl genrsa -out "${TEST_CERT_DIR}/unittestkey.pem" 2048
 openssl req -new -key "${TEST_CERT_DIR}/unittestkey.pem" -out "${TEST_CERT_DIR}/unittestcert.csr" \
  -sha256 <<EOF
 US

test/common/ssl/test_data/README.md

@@ -1,5 +1,5 @@
 # What are the identities, certificates and keys
-There are 14 identities:
+There are 15 identities:
 - **CA**: Certificate Authority for **No SAN**, **SAN With URI** and **SAN With
  DNS**. It has the self-signed certificate *ca_cert.pem*. *ca_key.pem* is its
  private key. Additionally, we create a CRL for this CA (*ca_cert.crl*) that
@@ -32,6 +32,9 @@ There are 14 identities:
  its private key encrypted using the password supplied in *password_protectted_password.txt*.
 - **Self-signed**: The self-signed certificate *selfsigned_cert.pem*, using the
  config *selfsigned_cert.cfg*. *selfsigned_key.pem* is its private key.
+- **Self-signed RSA 1024**: The self-signed certificate *selfsigned_rsa_1024_cert.pem*,
+ using the config *selfsigned_cert.cfg*. *selfsigned_rsa_1024_key.pem* is
+ its private key.
 - **Self-signed ECDSA P-256**: The self-signed certificate *selfsigned_ecdsa_p256_cert.pem*,
  using the config *selfsigned_cert.cfg*. *selfsigned_ecdsa_p256_key.pem* is
  its private key.

test/common/ssl/test_data/ca_cert.crl

@@ -1,10 +1,13 @@
 -----BEGIN X509 CRL-----
-MIIBbDCB1gIBATANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJVUzETMBEGA1UE
+MIIB7TCB1gIBATANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJVUzETMBEGA1UE
 CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwE
 THlmdDEZMBcGA1UECwwQTHlmdCBFbmdpbmVlcmluZzEQMA4GA1UEAwwHVGVzdCBD
-QRcNMTgxMjE1MTkxMjAwWhcNMjgxMjEyMTkxMjAwWjAcMBoCCQD+8SxKyqbtARcN
-MTgxMjE1MTkxMjAwWqAOMAwwCgYDVR0UBAMCAQAwDQYJKoZIhvcNAQELBQADgYEA
-arzfusk7gI3gGaVORRydhcSMvkfwGY9tKCh5sEYREEZ2uKvg1WwkCfZZhEjvdkcA
-9u3qJ1nC7gcEtUKjfjzL3x9eRwx4rpu/+qI2zNqCDPm4NqElpF+bGdZ+VeOtc5pa
-V8CvimEZfXwETpBogMHa62gYpZE59VxssAFyWNge8wc=
+QRcNMTgxMjE2MDczMzU1WhcNMjgxMjEzMDczMzU1WjAcMBoCCQCXsSoXHUplgBcN
+MTgxMjE2MDczMzU1WqAOMAwwCgYDVR0UBAMCAQAwDQYJKoZIhvcNAQELBQADggEB
+AJ3WAGYnAzaHr/Q+ErPh5cwWwt2F+wfXTSesPH+L1u+3kZEi6EjZnLYiwz2OLsNK
+nAigZIHaDpVpSA1YWgDXmRHCfXquNkXCyXLpHsWqlwk+4vqcFF0AYG3U/WZBr6dn
+XyWbB4OMLLWTbc2sfjRuOtSJoDPsFLbmTjoQQAvw5v3kLxivj3fPA0tq22e8SbHG
+EvApHgzD/AWSyuP/wphgJtZYe1PMTxsqztTN1zaYXkYtFOYUhynOsc9T8WEfI8ow
+SBNsmdlAhs5MwvHm2x7o6YtowK9s3ExSXhU828cfAWK9zjqXwbW9udjvzRirk7CA
+V5ffMGsoT6F9WUTmGP2Z7vA=
 -----END X509 CRL-----

test/common/ssl/test_data/ca_cert.pem

@@ -1,18 +1,23 @@
 -----BEGIN CERTIFICATE-----
-MIICzTCCAjagAwIBAgIJAOJOBo05rI1nMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV
+MIID0jCCArqgAwIBAgIJANylJk5fPxXPMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV
 BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp
 c2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMRAw
-DgYDVQQDDAdUZXN0IENBMB4XDTE4MTIxNTE5MTE1OVoXDTIwMTIxNDE5MTE1OVow
+DgYDVQQDDAdUZXN0IENBMB4XDTE4MTIxNjA3MzM1M1oXDTIwMTIxNTA3MzM1M1ow
 djELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNh
 biBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5naW5l
-ZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
-AoGBANGmQxWksRzpoUeZPl+Yy7su++tLt3FSpCqhU3IzSzt51nTc9pf2AJe7Z/mj
-II/+yu81UZD83tcWrqk7MI77AeliSMjrDYAvkUuaJQwIMsP6743DgX9wn8PKZzkj
-zMTI2j6IVGH5S23J4tcp+ti5ePUy9LuwSJZDDpowGqy2v6SpAgMBAAGjYzBhMA8G
-A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR3cijvvaNU
-bXPezmZS61zuvEBE3zAfBgNVHSMEGDAWgBR3cijvvaNUbXPezmZS61zuvEBE3zAN
-BgkqhkiG9w0BAQsFAAOBgQBocx79SMdmHdM56nk8u1KisDZmNDvjxJzreosKgShg
-qninMg7T2qlrHuPNzxBLM7EMddpHDQ9uBjQ0V9vIv77aXcEHXQqLLWC/G2fLLCq1
-mRyco8rZnyjn9IgkvlnpOSdyduPTdR1DZ7GgjDJv4TKlvcUmBjfhss4YzYQkreX/
-Rg==
+ZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDSieHtBaocM+llhrXyWBePg2ux0n7Kd2nYL4pyL2TQLKVurOGyfotT
+2XLucOYcIB3lDvKJIuUmoKjQSPAGk0thcSWip3FcFYqhBsqVPRkeO2UG8YgYkONO
+8eb7PjqCb2OW7gdoV7VGn9vyugCfW61vxo//VqUTfRehhVCgnrjoRoK8xDUXRjYh
+ko4RpPoDtT74o45V2NhQudoS3c0hQPuC3bzz3rjIrajE5ERUWu498+EXBsKleJc9
+vZGaB2zmwTeOZSTfIGeD1OPLUmfsOuTnMhTAVJ2zfS3PRoJcFqqQe+ZHVv3/1FQn
+UYUJalF75Ntp3ND4mGfJvKRVWoiqnPD9AgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMB
+Af8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSkLI5XDZR39Oz/TrYHUwcKLzZU
+AzAfBgNVHSMEGDAWgBSkLI5XDZR39Oz/TrYHUwcKLzZUAzANBgkqhkiG9w0BAQsF
+AAOCAQEAB+Uul7u8+rjIuiGfZRdiLSPMtWHH5sqG8S4UDwcNvqGDjn+MODVOyuHe
+Fqly3eArTIFFoS5B+C1GHQzti1Eljr/W4ZCjSjChhup0vf6FXjCj/ZojNIIWGFt+
+7ggfDIUOB2uTbssHU5Q8wus/g0ZyWHURaGKCPJD6XLcYVqbbxCZ4iMokvSl4Nu64
+WbsOuuxEomK1iMCrcghckArxdUOom7gZgSTc/Ya2pGeEo5cbtxL0PXOKSqTvuAGO
+EtWD4/OElPc+cvx1aYUsqWBqHXEwmNgESGWkOfwygjX4M+i/k/Azf79wbXofbbsq
+XQ6sraf3cGi21W4GrIAz67Os2lxE/w==
 -----END CERTIFICATE-----

test/common/ssl/test_data/ca_cert_with_crl.pem

@@ -1,28 +1,36 @@
 -----BEGIN CERTIFICATE-----
-MIICzTCCAjagAwIBAgIJAOJOBo05rI1nMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV
+MIID0jCCArqgAwIBAgIJANylJk5fPxXPMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV
 BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp
 c2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMRAw
-DgYDVQQDDAdUZXN0IENBMB4XDTE4MTIxNTE5MTE1OVoXDTIwMTIxNDE5MTE1OVow
+DgYDVQQDDAdUZXN0IENBMB4XDTE4MTIxNjA3MzM1M1oXDTIwMTIxNTA3MzM1M1ow
 djELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNh
 biBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5naW5l
-ZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
-AoGBANGmQxWksRzpoUeZPl+Yy7su++tLt3FSpCqhU3IzSzt51nTc9pf2AJe7Z/mj
-II/+yu81UZD83tcWrqk7MI77AeliSMjrDYAvkUuaJQwIMsP6743DgX9wn8PKZzkj
-zMTI2j6IVGH5S23J4tcp+ti5ePUy9LuwSJZDDpowGqy2v6SpAgMBAAGjYzBhMA8G
-A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR3cijvvaNU
-bXPezmZS61zuvEBE3zAfBgNVHSMEGDAWgBR3cijvvaNUbXPezmZS61zuvEBE3zAN
-BgkqhkiG9w0BAQsFAAOBgQBocx79SMdmHdM56nk8u1KisDZmNDvjxJzreosKgShg
-qninMg7T2qlrHuPNzxBLM7EMddpHDQ9uBjQ0V9vIv77aXcEHXQqLLWC/G2fLLCq1
-mRyco8rZnyjn9IgkvlnpOSdyduPTdR1DZ7GgjDJv4TKlvcUmBjfhss4YzYQkreX/
-Rg==
+ZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDSieHtBaocM+llhrXyWBePg2ux0n7Kd2nYL4pyL2TQLKVurOGyfotT
+2XLucOYcIB3lDvKJIuUmoKjQSPAGk0thcSWip3FcFYqhBsqVPRkeO2UG8YgYkONO
+8eb7PjqCb2OW7gdoV7VGn9vyugCfW61vxo//VqUTfRehhVCgnrjoRoK8xDUXRjYh
+ko4RpPoDtT74o45V2NhQudoS3c0hQPuC3bzz3rjIrajE5ERUWu498+EXBsKleJc9
+vZGaB2zmwTeOZSTfIGeD1OPLUmfsOuTnMhTAVJ2zfS3PRoJcFqqQe+ZHVv3/1FQn
+UYUJalF75Ntp3ND4mGfJvKRVWoiqnPD9AgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMB
+Af8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSkLI5XDZR39Oz/TrYHUwcKLzZU
+AzAfBgNVHSMEGDAWgBSkLI5XDZR39Oz/TrYHUwcKLzZUAzANBgkqhkiG9w0BAQsF
+AAOCAQEAB+Uul7u8+rjIuiGfZRdiLSPMtWHH5sqG8S4UDwcNvqGDjn+MODVOyuHe
+Fqly3eArTIFFoS5B+C1GHQzti1Eljr/W4ZCjSjChhup0vf6FXjCj/ZojNIIWGFt+
+7ggfDIUOB2uTbssHU5Q8wus/g0ZyWHURaGKCPJD6XLcYVqbbxCZ4iMokvSl4Nu64
+WbsOuuxEomK1iMCrcghckArxdUOom7gZgSTc/Ya2pGeEo5cbtxL0PXOKSqTvuAGO
+EtWD4/OElPc+cvx1aYUsqWBqHXEwmNgESGWkOfwygjX4M+i/k/Azf79wbXofbbsq
+XQ6sraf3cGi21W4GrIAz67Os2lxE/w==
 -----END CERTIFICATE-----
 -----BEGIN X509 CRL-----
-MIIBbDCB1gIBATANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJVUzETMBEGA1UE
+MIIB7TCB1gIBATANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJVUzETMBEGA1UE
 CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwE
 THlmdDEZMBcGA1UECwwQTHlmdCBFbmdpbmVlcmluZzEQMA4GA1UEAwwHVGVzdCBD
-QRcNMTgxMjE1MTkxMjAwWhcNMjgxMjEyMTkxMjAwWjAcMBoCCQD+8SxKyqbtARcN
-MTgxMjE1MTkxMjAwWqAOMAwwCgYDVR0UBAMCAQAwDQYJKoZIhvcNAQELBQADgYEA
-arzfusk7gI3gGaVORRydhcSMvkfwGY9tKCh5sEYREEZ2uKvg1WwkCfZZhEjvdkcA
-9u3qJ1nC7gcEtUKjfjzL3x9eRwx4rpu/+qI2zNqCDPm4NqElpF+bGdZ+VeOtc5pa
-V8CvimEZfXwETpBogMHa62gYpZE59VxssAFyWNge8wc=
+QRcNMTgxMjE2MDczMzU1WhcNMjgxMjEzMDczMzU1WjAcMBoCCQCXsSoXHUplgBcN
+MTgxMjE2MDczMzU1WqAOMAwwCgYDVR0UBAMCAQAwDQYJKoZIhvcNAQELBQADggEB
+AJ3WAGYnAzaHr/Q+ErPh5cwWwt2F+wfXTSesPH+L1u+3kZEi6EjZnLYiwz2OLsNK
+nAigZIHaDpVpSA1YWgDXmRHCfXquNkXCyXLpHsWqlwk+4vqcFF0AYG3U/WZBr6dn
+XyWbB4OMLLWTbc2sfjRuOtSJoDPsFLbmTjoQQAvw5v3kLxivj3fPA0tq22e8SbHG
+EvApHgzD/AWSyuP/wphgJtZYe1PMTxsqztTN1zaYXkYtFOYUhynOsc9T8WEfI8ow
+SBNsmdlAhs5MwvHm2x7o6YtowK9s3ExSXhU828cfAWK9zjqXwbW9udjvzRirk7CA
+V5ffMGsoT6F9WUTmGP2Z7vA=
 -----END X509 CRL-----

test/common/ssl/test_data/ca_certificates.pem

@@ -1,36 +1,46 @@
 -----BEGIN CERTIFICATE-----
-MIICzTCCAjagAwIBAgIJAP73YFy3RVqAMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV
+MIID0jCCArqgAwIBAgIJAMa9rF12Fj0cMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV
 BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp
 c2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMRAw
-DgYDVQQDDAdGYWtlIENBMB4XDTE4MTIxNTE5MTE1OVoXDTIwMTIxNDE5MTE1OVow
+DgYDVQQDDAdGYWtlIENBMB4XDTE4MTIxNjA3MzM1M1oXDTIwMTIxNTA3MzM1M1ow
 djELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNh
 biBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5naW5l
-ZXJpbmcxEDAOBgNVBAMMB0Zha2UgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
-AoGBAKf2JHeDvgyuYdEjo54spZjaskGTiHZfr1BWL+F9lR54C72rhAEqRmHtmo0s
-gO15eLjsfVf2RDDZKNYnHHJERLMsYarV+QkHU5ZQYDaFd4zEc86GN8HHqou3cwjs
-nmf2o35NiF/CaPJYK+BB+o5IXTX3Ze8i4dbW9Wg+CXJsXVyPAgMBAAGjYzBhMA8G
-A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRKMIdtZhp5
-pj0iMuTgewpuq4j4MjAfBgNVHSMEGDAWgBRKMIdtZhp5pj0iMuTgewpuq4j4MjAN
-BgkqhkiG9w0BAQsFAAOBgQCWXLbeAf7jwQV6HnHxSjYaGhZG6LKag/PSRkXKdUKs
-PZR/yQvjCUUhmd96nj6jc2LsKroTkb90HZt/CKQ3Wzfocicf1vftCkFHI8YiuN2x
-x2PrQ9U7SP70K1yz5dLMLca0vMiCblA0okrkTsP6tm6lie7q6ioI6J38G/QTwZhX
-1w==
+ZXJpbmcxEDAOBgNVBAMMB0Zha2UgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC+FVsWxhQBww6ZtwF9xqxA+hHqXqOTP8f9R4Hszeoce33/Ek2kPOsL
+sUIG9ah52JUR0x80GoUkqd66UeZcN/rJudEusd3KdRfyQOEbbIrbozQ4bjY+y14k
+FglSUuonvtiqafzOuoaNUpeDoNhP8z6RRdqn1K2G2ia22lzK4q5vRhjxQMOCrlB6
+Nn1QBb0Q0nGU+HB1YxRWQjRg8EhpI7cuB3GwSiixilhspVH6cdu/pmMMRahA24AP
+yUfzk6R/bq/NFVCgIH1iwPKf4fz9tlKaJZ8UeslqJLH1cH8u43BfJL6Jjq1BDhFH
+i7Lbq+kvC/oRWhLvRg/k7vJfRs+STN4XAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMB
+Af8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR9RcIGjJajVzL2gQBI4sZ0Mj10
+TzAfBgNVHSMEGDAWgBR9RcIGjJajVzL2gQBI4sZ0Mj10TzANBgkqhkiG9w0BAQsF
+AAOCAQEARM6/5M8gYr+ArYUvRLnbcxYiHyImCtcI8NhvqdvSx/369hvemUD8Ffi8
+uv6L4d/qqB8m0Bng2c5NmuxNmeITRb5J5HODWD0grkb27S9Bis40Izw8ur/+S3Wv
+dcgbUG1SuWYfWb0fu9S3I+j2wolVuPgMWv/VK6CPPhkmUgWwTTJqxUXDQg2JsG4n
+bzJhjk0+oL2mSQgPmkPMDmra46R5saKHXsRTKaiYCCezk4jB3gZwiYpJm75HFIMi
+gQWnGpk86aGb5BSouZxiLXjG9q0cfiWDcBnsxM7Jiyp4rujXD1fcfhd+A/2QFC/Q
+CD+oPr6GSMAZ3UBZeTLXfLzPXSOpsQ==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICzTCCAjagAwIBAgIJAOJOBo05rI1nMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV
+MIID0jCCArqgAwIBAgIJANylJk5fPxXPMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV
 BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp
 c2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMRAw
-DgYDVQQDDAdUZXN0IENBMB4XDTE4MTIxNTE5MTE1OVoXDTIwMTIxNDE5MTE1OVow
+DgYDVQQDDAdUZXN0IENBMB4XDTE4MTIxNjA3MzM1M1oXDTIwMTIxNTA3MzM1M1ow
 djELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNh
 biBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5naW5l
-ZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
-AoGBANGmQxWksRzpoUeZPl+Yy7su++tLt3FSpCqhU3IzSzt51nTc9pf2AJe7Z/mj
-II/+yu81UZD83tcWrqk7MI77AeliSMjrDYAvkUuaJQwIMsP6743DgX9wn8PKZzkj
-zMTI2j6IVGH5S23J4tcp+ti5ePUy9LuwSJZDDpowGqy2v6SpAgMBAAGjYzBhMA8G
-A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR3cijvvaNU
-bXPezmZS61zuvEBE3zAfBgNVHSMEGDAWgBR3cijvvaNUbXPezmZS61zuvEBE3zAN
-BgkqhkiG9w0BAQsFAAOBgQBocx79SMdmHdM56nk8u1KisDZmNDvjxJzreosKgShg
-qninMg7T2qlrHuPNzxBLM7EMddpHDQ9uBjQ0V9vIv77aXcEHXQqLLWC/G2fLLCq1
-mRyco8rZnyjn9IgkvlnpOSdyduPTdR1DZ7GgjDJv4TKlvcUmBjfhss4YzYQkreX/
-Rg==
+ZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDSieHtBaocM+llhrXyWBePg2ux0n7Kd2nYL4pyL2TQLKVurOGyfotT
+2XLucOYcIB3lDvKJIuUmoKjQSPAGk0thcSWip3FcFYqhBsqVPRkeO2UG8YgYkONO
+8eb7PjqCb2OW7gdoV7VGn9vyugCfW61vxo//VqUTfRehhVCgnrjoRoK8xDUXRjYh
+ko4RpPoDtT74o45V2NhQudoS3c0hQPuC3bzz3rjIrajE5ERUWu498+EXBsKleJc9
+vZGaB2zmwTeOZSTfIGeD1OPLUmfsOuTnMhTAVJ2zfS3PRoJcFqqQe+ZHVv3/1FQn
+UYUJalF75Ntp3ND4mGfJvKRVWoiqnPD9AgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMB
+Af8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSkLI5XDZR39Oz/TrYHUwcKLzZU
+AzAfBgNVHSMEGDAWgBSkLI5XDZR39Oz/TrYHUwcKLzZUAzANBgkqhkiG9w0BAQsF
+AAOCAQEAB+Uul7u8+rjIuiGfZRdiLSPMtWHH5sqG8S4UDwcNvqGDjn+MODVOyuHe
+Fqly3eArTIFFoS5B+C1GHQzti1Eljr/W4ZCjSjChhup0vf6FXjCj/ZojNIIWGFt+
+7ggfDIUOB2uTbssHU5Q8wus/g0ZyWHURaGKCPJD6XLcYVqbbxCZ4iMokvSl4Nu64
+WbsOuuxEomK1iMCrcghckArxdUOom7gZgSTc/Ya2pGeEo5cbtxL0PXOKSqTvuAGO
+EtWD4/OElPc+cvx1aYUsqWBqHXEwmNgESGWkOfwygjX4M+i/k/Azf79wbXofbbsq
+XQ6sraf3cGi21W4GrIAz67Os2lxE/w==
 -----END CERTIFICATE-----

test/common/ssl/test_data/ca_key.pem

@@ -1,15 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDRpkMVpLEc6aFHmT5fmMu7LvvrS7dxUqQqoVNyM0s7edZ03PaX
-9gCXu2f5oyCP/srvNVGQ/N7XFq6pOzCO+wHpYkjI6w2AL5FLmiUMCDLD+u+Nw4F/
-cJ/Dymc5I8zEyNo+iFRh+UttyeLXKfrYuXj1MvS7sEiWQw6aMBqstr+kqQIDAQAB
-AoGAZO4VN9M8zT2QvoaBJ8bItkntUB74pp7xl/Bo2v7kxjJm04YZVZlCOcooSV+G
-aqxwiG7z4MhMg+JQnfp36y3egd0MN9xDZrvZ3DJPPxrlq/U6NwVv7HLYLwbMWIz4
-gpOrnaMk89XgIFO4tetX1CRft3tVnkFPFPBdMCy3ZKzQkLECQQDr9aaWtWwzQypn
-hvmOGEiX2RIcb4YucNM8yiCYCwLj5lX7Rhiu8pH1zRxq58V2cUJVA8xYqrzqazRS
-UiO4pIilAkEA43SQW4GnSEU0PVL7t2naUeSnY5qgxVKFGgVQv3tuJEmzpH3u2MUQ
-NnLhHcgI0VLh/eSGKbz4wmrfWxKgqshotQJBAIveUaGEaV75sWks2UEho+ZfBh1U
-/nUI7C5conV+EXiGUPFh27/YiizqKK42NRbAjFFYrwjgLJvIcHtbtVD+NwECQAX8
-onQWJI4NbEOU9JUuTxXKu/EuN78Z3fECZM61c/+2hOj2e5vvC+8y9OPwyPKhiNtC
-8ZkVpUKQx5JBGkOEhOUCQQCdmeR47MkrFvDkDoePbhYQ53Zx4WlFoIWL2Umr6q12
-bQxZJFGofm0HPtQ4Lfmq/fdOuWeeo00x2+gpI38OhDR8
+MIIEpAIBAAKCAQEA0onh7QWqHDPpZYa18lgXj4NrsdJ+yndp2C+Kci9k0Cylbqzh
+sn6LU9ly7nDmHCAd5Q7yiSLlJqCo0EjwBpNLYXEloqdxXBWKoQbKlT0ZHjtlBvGI
+GJDjTvHm+z46gm9jlu4HaFe1Rp/b8roAn1utb8aP/1alE30XoYVQoJ646EaCvMQ1
+F0Y2IZKOEaT6A7U++KOOVdjYULnaEt3NIUD7gt288964yK2oxOREVFruPfPhFwbC
+pXiXPb2Rmgds5sE3jmUk3yBng9Tjy1Jn7Drk5zIUwFSds30tz0aCXBaqkHvmR1b9
+/9RUJ1GFCWpRe+TbadzQ+JhnybykVVqIqpzw/QIDAQABAoIBAQCUBrnAKmFmHuGU
+rlgyodk+4AnSJstakwbqJtLSYZwh+aH+5LJzCyHuvE5gcyR21eXu7Ml9vfkbZY4L
+k5yfIuS3CBSL/epn8gVcHihFMYX9iYkIjr0/eG85TD84mpIMr0B4F7dBl5kupKrC
+SCCz6oNQuWz4+/RodWUt/UupAq/DLrmcd5MK9JtMmNO1yaQ/lK5dMbAKS5dyn2JE
+HmJRA77dx+NB1k3Jr1MrpQGeC71HQDhJa9W9GMQsprRIbhp9ZAX4eb8s6sno9rt+
+3DwzemvVMcS4TrQYCnoWy5tI1rEteDHA3A34WwDw81XQ0ZF48uEWeH9rhFXW9z+D
+GMhIVShBAoGBAO6NWkMIOhKC2TtX+GkKc0A0JfD7dZQNhBp9iyHVRAl4LG0PVvfX
+8YIH1oNCsB8BYhUVdrRX2pfbmYlgZlwt0FEgO4wukGBNci2Vof2fbFd23Izrqv1y
+FSTZ/ouYnzAY66BE1E4LK0s8of6mOwadtxfcPHNBxDk5OqbFurwyHmFlAoGBAOHw
+ASeizNtxiyFrc7r1JC7ezXpaBetpvYbwbFtRpL4H8aGet/U1mTNbGqL5FLIV3Ak4
+zDrVUfy7HhUNfeRbTP8eFTKPMdd6eU9oU36De8k7gC1ndghbGrVs2srFMGtuoiJV
+8tInqDdrRHi6/fG6UdfQMsMNRGx1vrlKG8NaXOO5AoGBAIwKTSe2x6igSfhtfzXi
+3Z+ePXvHktG0UY3fj3LwKL3KX4IylCJxEaT9BvANkSjSfgrUi9f5DylA0FR2VADf
+IEDPxEVZ/IWcUV/zTKKAGXELJRRRMRMSCtmUY7r9gM4SgxiV73BVXDgRwyOj4FjU
+82w9bPtYa2IQd575ytK6NV2FAoGACwrS06AWSQdUmG6K+nEusoe7HSa3MVk6pRSt
+Bw2Hcq4qtg5uyTI0aZkjRSHNTCLbXSwEdz+jwSlYAAlnxLhdm/5ZZN4wvmpC8YmU
+wxMkAqLA0fdDgocJWCKY0t4uTqHalLkEpBbCFutMLmZdMOo9Q8HuKTBFztM2XhHs
+J3EMJykCgYBLNLkKSmecY3tuSWHZJhD2b7sH6e2yy+Zjd5u2nijbWNpCovanvwnu
+pj1RUuXSgdD31lH6r2XnF25xy6DE1Cp7q9HvfRyI7ULwQhYNHU1+Wul0sl0GbwNj
+t1qPcNv3S+LJ93kLblsTB1Oya0/YLP1WIre9JvD/eklXFG+utXPcMg==
 -----END RSA PRIVATE KEY-----