From 8fec9e3f3e68b5826010b8d4aa524924143ca0e5 Mon Sep 17 00:00:00 2001
From: Daniel Modler <modler@linkbit.io>
Date: Wed, 9 Aug 2023 21:26:24 +0200
Subject: [PATCH] Certstore: Added `cert_match_skip_invalid` option

Replaces #4384.

Co-authored-by: Daniel Modler <modler@linkbit.io>
Co-authored-by: Neil Twigg <neil@nats.io>
Signed-off-by: Neil Twigg <neil@nats.io>
---
 server/certstore/certstore_other.go           |   3 +-
 server/certstore/certstore_windows.go         |  80 +++++++++++-------
 server/certstore/errors.go                    |   3 +
 server/certstore_windows_test.go              |  57 ++++++++++++-
 server/opts.go                                |  51 ++++++-----
 .../certstore/delete-cert-from-store.ps1      |   2 +-
 .../certs/tlsauth/certstore/expired.p12       | Bin 0 -> 2499 bytes
 .../tlsauth/certstore/import-p12-server.ps1   |   5 +-
 .../certs/tlsauth/certstore/not-expired.p12   | Bin 0 -> 2499 bytes
 9 files changed, 144 insertions(+), 57 deletions(-)
 create mode 100644 test/configs/certs/tlsauth/certstore/expired.p12
 create mode 100644 test/configs/certs/tlsauth/certstore/not-expired.p12

diff --git a/server/certstore/certstore_other.go b/server/certstore/certstore_other.go
index 32cd7cc029..459b8db64a 100644
--- a/server/certstore/certstore_other.go
+++ b/server/certstore/certstore_other.go
@@ -26,8 +26,7 @@ var _ = MATCHBYEMPTY
 // otherKey implements crypto.Signer and crypto.Decrypter to satisfy linter on platforms that don't implement certstore
 type otherKey struct{}
 
-func TLSConfig(certStore StoreType, certMatchBy MatchByType, certMatch string, caCertsMatch []string, config *tls.Config) error {
-	_, _, _, _, _ = certStore, certMatchBy, certMatch, caCertsMatch, config
+func TLSConfig(_ StoreType, _ MatchByType, _ string, _ []string, _ bool, _ *tls.Config) error {
 	return ErrOSNotCompatCertStore
 }
 
diff --git a/server/certstore/certstore_windows.go b/server/certstore/certstore_windows.go
index d471afb91d..53d1d0b369 100644
--- a/server/certstore/certstore_windows.go
+++ b/server/certstore/certstore_windows.go
@@ -130,6 +130,7 @@ var (
 	winNCrypt  = windows.NewLazySystemDLL("ncrypt.dll")
 
 	winCertFindCertificateInStore        = winCrypt32.NewProc("CertFindCertificateInStore")
+	winCertVerifyTimeValidity            = winCrypt32.NewProc("CertVerifyTimeValidity")
 	winCryptAcquireCertificatePrivateKey = winCrypt32.NewProc("CryptAcquireCertificatePrivateKey")
 	winNCryptExportKey                   = winNCrypt.NewProc("NCryptExportKey")
 	winNCryptOpenStorageProvider         = winNCrypt.NewProc("NCryptOpenStorageProvider")
@@ -171,11 +172,11 @@ type winPSSPaddingInfo struct {
 // adding all matching certificates from the caCertsMatch array to the pool.
 // All matching certificates (vs first) are added to the pool based on a user
 // request. If no certificates are found an error is returned.
-func createCACertsPool(cs *winCertStore, storeType uint32, caCertsMatch []string) (*x509.CertPool, error) {
+func createCACertsPool(cs *winCertStore, storeType uint32, caCertsMatch []string, skipInvalid bool) (*x509.CertPool, error) {
 	var errs []error
 	caPool := x509.NewCertPool()
 	for _, s := range caCertsMatch {
-		lfs, err := cs.caCertsBySubjectMatch(s, storeType)
+		lfs, err := cs.caCertsBySubjectMatch(s, storeType, skipInvalid)
 		if err != nil {
 			errs = append(errs, err)
 		} else {
@@ -200,7 +201,7 @@ func createCACertsPool(cs *winCertStore, storeType uint32, caCertsMatch []string
 // Subjects matching the provided strings. If a match is found, the
 // certificate is added to the pool that is used to verify the certificate
 // chain.
-func TLSConfig(certStore StoreType, certMatchBy MatchByType, certMatch string, caCertsMatch []string, config *tls.Config) error {
+func TLSConfig(certStore StoreType, certMatchBy MatchByType, certMatch string, caCertsMatch []string, skipInvalid bool, config *tls.Config) error {
 	var (
 		leaf     *x509.Certificate
 		leafCtx  *windows.CertContext
@@ -227,11 +228,11 @@ func TLSConfig(certStore StoreType, certMatchBy MatchByType, certMatch string, c
 
 		// certByIssuer or certBySubject
 		if certMatchBy == matchBySubject || certMatchBy == MATCHBYEMPTY {
-			leaf, leafCtx, err = cs.certBySubject(certMatch, scope)
+			leaf, leafCtx, err = cs.certBySubject(certMatch, scope, skipInvalid)
 		} else if certMatchBy == matchByIssuer {
-			leaf, leafCtx, err = cs.certByIssuer(certMatch, scope)
+			leaf, leafCtx, err = cs.certByIssuer(certMatch, scope, skipInvalid)
 		} else if certMatchBy == matchByThumbprint {
-			leaf, leafCtx, err = cs.certByThumbprint(certMatch, scope)
+			leaf, leafCtx, err = cs.certByThumbprint(certMatch, scope, skipInvalid)
 		} else {
 			return ErrBadMatchByType
 		}
@@ -251,7 +252,7 @@ func TLSConfig(certStore StoreType, certMatchBy MatchByType, certMatch string, c
 		}
 		// Look for CA Certificates
 		if len(caCertsMatch) != 0 {
-			caPool, err := createCACertsPool(cs, scope, caCertsMatch)
+			caPool, err := createCACertsPool(cs, scope, caCertsMatch, skipInvalid)
 			if err != nil {
 				return err
 			}
@@ -339,6 +340,16 @@ func winFindCert(store windows.Handle, enc, findFlags, findType uint32, para *ui
 	return (*windows.CertContext)(unsafe.Pointer(h)), nil
 }
 
+// winVerifyCertValid wraps the CertVerifyTimeValidity and simply returns true if the certificate is valid
+func winVerifyCertValid(timeToVerify *windows.Filetime, certInfo *windows.CertInfo) bool {
+	// this function does not document returning errors / setting lasterror
+	r, _, _ := winCertVerifyTimeValidity.Call(
+		uintptr(unsafe.Pointer(timeToVerify)),
+		uintptr(unsafe.Pointer(certInfo)),
+	)
+	return r == 0
+}
+
 // winCertStore is a store implementation for the Windows Certificate Store
 type winCertStore struct {
 	Prov     uintptr
@@ -378,23 +389,23 @@ func winCertContextToX509(ctx *windows.CertContext) (*x509.Certificate, error) {
 // CertContext pointer returned allows subsequent key operations like Sign. Caller specifies
 // current user's personal certs or local machine's personal certs using storeType.
 // See CERT_FIND_ISSUER_STR description at https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certfindcertificateinstore
-func (w *winCertStore) certByIssuer(issuer string, storeType uint32) (*x509.Certificate, *windows.CertContext, error) {
-	return w.certSearch(winFindIssuerStr, issuer, winMyStore, storeType)
+func (w *winCertStore) certByIssuer(issuer string, storeType uint32, skipInvalid bool) (*x509.Certificate, *windows.CertContext, error) {
+	return w.certSearch(winFindIssuerStr, issuer, winMyStore, storeType, skipInvalid)
 }
 
 // certBySubject matches and returns the first certificate found by passed subject field.
 // CertContext pointer returned allows subsequent key operations like Sign. Caller specifies
 // current user's personal certs or local machine's personal certs using storeType.
 // See CERT_FIND_SUBJECT_STR description at https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certfindcertificateinstore
-func (w *winCertStore) certBySubject(subject string, storeType uint32) (*x509.Certificate, *windows.CertContext, error) {
-	return w.certSearch(winFindSubjectStr, subject, winMyStore, storeType)
+func (w *winCertStore) certBySubject(subject string, storeType uint32, skipInvalid bool) (*x509.Certificate, *windows.CertContext, error) {
+	return w.certSearch(winFindSubjectStr, subject, winMyStore, storeType, skipInvalid)
 }
 
 // certByThumbprint matches and returns the first certificate found by passed SHA1 thumbprint.
 // CertContext pointer returned allows subsequent key operations like Sign. Caller specifies
 // current user's personal certs or local machine's personal certs using storeType.
 // See CERT_FIND_SUBJECT_STR description at https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certfindcertificateinstore
-func (w *winCertStore) certByThumbprint(hash string, storeType uint32) (*x509.Certificate, *windows.CertContext, error) {
+func (w *winCertStore) certByThumbprint(hash string, storeType uint32, skipInvalid bool) (*x509.Certificate, *windows.CertContext, error) {
 	hb, err := hex.DecodeString(hash)
 	if err != nil {
 		return nil, nil, err
@@ -402,7 +413,7 @@ func (w *winCertStore) certByThumbprint(hash string, storeType uint32) (*x509.Ce
 	if len(hb) != sha1.Size {
 		return nil, nil, fmt.Errorf("incorrect thumbprint length %d", len(hb))
 	}
-	return w.certSearch(winFindHashStr, string(hb), winMyStore, storeType)
+	return w.certSearch(winFindHashStr, string(hb), winMyStore, storeType, skipInvalid)
 }
 
 // caCertsBySubjectMatch matches and returns all matching certificates of the subject field.
@@ -414,7 +425,7 @@ func (w *winCertStore) certByThumbprint(hash string, storeType uint32) (*x509.Ce
 //
 // Caller specifies current user's personal certs or local machine's personal certs using storeType.
 // See CERT_FIND_SUBJECT_STR description at https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certfindcertificateinstore
-func (w *winCertStore) caCertsBySubjectMatch(subject string, storeType uint32) ([]*x509.Certificate, error) {
+func (w *winCertStore) caCertsBySubjectMatch(subject string, storeType uint32, skipInvalid bool) ([]*x509.Certificate, error) {
 	var (
 		leaf            *x509.Certificate
 		searchLocations = [3]*uint16{winRootStore, winAuthRootStore, winIntermediateCAStore}
@@ -426,7 +437,7 @@ func (w *winCertStore) caCertsBySubjectMatch(subject string, storeType uint32) (
 	}
 	for _, sr := range searchLocations {
 		var err error
-		if leaf, _, err = w.certSearch(winFindSubjectStr, subject, sr, storeType); err == nil {
+		if leaf, _, err = w.certSearch(winFindSubjectStr, subject, sr, storeType, skipInvalid); err == nil {
 			rv = append(rv, leaf)
 		} else {
 			// Ignore the failed search from a single location. Errors we catch include
@@ -448,7 +459,7 @@ func (w *winCertStore) caCertsBySubjectMatch(subject string, storeType uint32) (
 
 // certSearch is a helper function to lookup certificates based on search type and match value.
 // store is used to specify which store to perform the lookup in (system or user).
-func (w *winCertStore) certSearch(searchType uint32, matchValue string, searchRoot *uint16, store uint32) (*x509.Certificate, *windows.CertContext, error) {
+func (w *winCertStore) certSearch(searchType uint32, matchValue string, searchRoot *uint16, store uint32, skipInvalid bool) (*x509.Certificate, *windows.CertContext, error) {
 	// store handle to "MY" store
 	h, err := w.storeHandle(store, searchRoot)
 	if err != nil {
@@ -465,23 +476,32 @@ func (w *winCertStore) certSearch(searchType uint32, matchValue string, searchRo
 
 	// pass 0 as the third parameter because it is not used
 	// https://msdn.microsoft.com/en-us/library/windows/desktop/aa376064(v=vs.85).aspx
-	nc, err := winFindCert(h, winEncodingX509ASN|winEncodingPKCS7, 0, searchType, i, prev)
-	if err != nil {
-		return nil, nil, err
-	}
-	if nc != nil {
-		// certificate found
-		prev = nc
 
-		// Extract the DER-encoded certificate from the cert context
-		xc, err := winCertContextToX509(nc)
-		if err == nil {
-			cert = xc
+	for {
+		nc, err := winFindCert(h, winEncodingX509ASN|winEncodingPKCS7, 0, searchType, i, prev)
+		if err != nil {
+			return nil, nil, err
+		}
+		if nc != nil {
+			// certificate found
+			prev = nc
+
+			var now *windows.Filetime
+			if skipInvalid && !winVerifyCertValid(now, nc.CertInfo) {
+				continue
+			}
+
+			// Extract the DER-encoded certificate from the cert context
+			xc, err := winCertContextToX509(nc)
+			if err == nil {
+				cert = xc
+				break
+			} else {
+				return nil, nil, ErrFailedX509Extract
+			}
 		} else {
-			return nil, nil, ErrFailedX509Extract
+			return nil, nil, ErrFailedCertSearch
 		}
-	} else {
-		return nil, nil, ErrFailedCertSearch
 	}
 
 	if cert == nil {
diff --git a/server/certstore/errors.go b/server/certstore/errors.go
index be8b888c05..be545cf0b8 100644
--- a/server/certstore/errors.go
+++ b/server/certstore/errors.go
@@ -71,6 +71,9 @@ var (
 	// ErrBadCaCertMatchField represents malformed cert_match option
 	ErrBadCaCertMatchField = errors.New("expected 'ca_certs_match' to be a valid non-empty string array")
 
+	// ErrBadCertMatchSkipInvalidField represents malformed cert_match_skip_invalid option
+	ErrBadCertMatchSkipInvalidField = errors.New("expected 'cert_match_skip_invalid' to be a boolean")
+
 	// ErrOSNotCompatCertStore represents cert_store passed that exists but is not valid on current OS
 	ErrOSNotCompatCertStore = errors.New("cert_store not compatible with current operating system")
 )
diff --git a/server/certstore_windows_test.go b/server/certstore_windows_test.go
index 93ea441f57..d68b70ad38 100644
--- a/server/certstore_windows_test.go
+++ b/server/certstore_windows_test.go
@@ -28,9 +28,12 @@ import (
 )
 
 func runPowershellScript(scriptFile string, args []string) error {
-	_ = args
 	psExec, _ := exec.LookPath("powershell.exe")
+
 	execArgs := []string{psExec, "-command", fmt.Sprintf("& '%s'", scriptFile)}
+	if len(args) > 0 {
+		execArgs = append(execArgs, args...)
+	}
 
 	cmdImport := &exec.Cmd{
 		Path:   psExec,
@@ -251,3 +254,55 @@ func TestServerTLSWindowsCertStore(t *testing.T) {
 		})
 	}
 }
+
+// TestServerIgnoreExpiredCerts tests if the server skips expired certificates in configuration, and finds non-expired ones
+func TestServerIgnoreExpiredCerts(t *testing.T) {
+
+	// Server Identities: expired.pem; not-expired.pem
+	// Issuer: OU = NATS.io, CN = localhost
+	// Subject: OU = NATS.io Operators, CN = localhost
+
+	testCases := []struct {
+		certFile string
+		expect   bool
+	}{
+		{"expired.p12", false},
+		{"not-expired.p12", true},
+	}
+	for _, tc := range testCases {
+		t.Run(fmt.Sprintf("Server certificate: %s", tc.certFile), func(t *testing.T) {
+			// Make sure windows cert store is reset to avoid conflict with other tests
+			err := runPowershellScript("../test/configs/certs/tlsauth/certstore/delete-cert-from-store.ps1", nil)
+			if err != nil {
+				t.Fatalf("expected powershell cert delete to succeed: %s", err.Error())
+			}
+
+			// Provision Windows cert store with server cert and secret
+			err = runPowershellScript("../test/configs/certs/tlsauth/certstore/import-p12-server.ps1", []string{tc.certFile})
+			if err != nil {
+				t.Fatalf("expected powershell provision to succeed: %s", err.Error())
+			}
+			// Fire up the server
+			srvConfig := createConfFile(t, []byte(`
+			listen: "localhost:-1"
+			tls {
+				cert_store: "WindowsCurrentUser"
+				cert_match_by: "Subject"
+				cert_match: "NATS.io Operators"
+				cert_match_skip_invalid: true
+				timeout: 5
+			}
+			`))
+			defer removeFile(t, srvConfig)
+			cfg, _ := ProcessConfigFile(srvConfig)
+			if (cfg != nil) == tc.expect {
+				return
+			}
+			if tc.expect == false {
+				t.Fatalf("expected server start to fail with expired certificate")
+			} else {
+				t.Fatalf("expected server to start with non expired certificate")
+			}
+		})
+	}
+}
diff --git a/server/opts.go b/server/opts.go
index 0cc52d5b1d..c80866115b 100644
--- a/server/opts.go
+++ b/server/opts.go
@@ -714,27 +714,28 @@ type authorization struct {
 // TLSConfigOpts holds the parsed tls config information,
 // used with flag parsing
 type TLSConfigOpts struct {
-	CertFile          string
-	KeyFile           string
-	CaFile            string
-	Verify            bool
-	Insecure          bool
-	Map               bool
-	TLSCheckKnownURLs bool
-	HandshakeFirst    bool          // Indicate that the TLS handshake should occur first, before sending the INFO protocol.
-	FallbackDelay     time.Duration // Where supported, indicates how long to wait for the handshake before falling back to sending the INFO protocol first.
-	Timeout           float64
-	RateLimit         int64
-	Ciphers           []uint16
-	CurvePreferences  []tls.CurveID
-	PinnedCerts       PinnedCertSet
-	CertStore         certstore.StoreType
-	CertMatchBy       certstore.MatchByType
-	CertMatch         string
-	CaCertsMatch      []string
-	OCSPPeerConfig    *certidp.OCSPPeerConfig
-	Certificates      []*TLSCertPairOpt
-	MinVersion        uint16
+	CertFile             string
+	KeyFile              string
+	CaFile               string
+	Verify               bool
+	Insecure             bool
+	Map                  bool
+	TLSCheckKnownURLs    bool
+	HandshakeFirst       bool          // Indicate that the TLS handshake should occur first, before sending the INFO protocol.
+	FallbackDelay        time.Duration // Where supported, indicates how long to wait for the handshake before falling back to sending the INFO protocol first.
+	Timeout              float64
+	RateLimit            int64
+	Ciphers              []uint16
+	CurvePreferences     []tls.CurveID
+	PinnedCerts          PinnedCertSet
+	CertStore            certstore.StoreType
+	CertMatchBy          certstore.MatchByType
+	CertMatch            string
+	CertMatchSkipInvalid bool
+	CaCertsMatch         []string
+	OCSPPeerConfig       *certidp.OCSPPeerConfig
+	Certificates         []*TLSCertPairOpt
+	MinVersion           uint16
 }
 
 // TLSCertPairOpt are the paths to a certificate and private key.
@@ -4819,6 +4820,12 @@ func parseTLS(v any, isClientCtx bool) (t *TLSConfigOpts, retErr error) {
 			default:
 				return nil, &configErr{tk, fmt.Sprintf("field %q should be a boolean or a string, got %T", mk, mv)}
 			}
+		case "cert_match_skip_invalid":
+			certMatchSkipInvalid, ok := mv.(bool)
+			if !ok {
+				return nil, &configErr{tk, certstore.ErrBadCertMatchSkipInvalidField.Error()}
+			}
+			tc.CertMatchSkipInvalid = certMatchSkipInvalid
 		case "ocsp_peer":
 			switch vv := mv.(type) {
 			case bool:
@@ -5217,7 +5224,7 @@ func GenTLSConfig(tc *TLSConfigOpts) (*tls.Config, error) {
 		}
 		config.Certificates = []tls.Certificate{cert}
 	case tc.CertStore != certstore.STOREEMPTY:
-		err := certstore.TLSConfig(tc.CertStore, tc.CertMatchBy, tc.CertMatch, tc.CaCertsMatch, &config)
+		err := certstore.TLSConfig(tc.CertStore, tc.CertMatchBy, tc.CertMatch, tc.CaCertsMatch, tc.CertMatchSkipInvalid, &config)
 		if err != nil {
 			return nil, err
 		}
diff --git a/test/configs/certs/tlsauth/certstore/delete-cert-from-store.ps1 b/test/configs/certs/tlsauth/certstore/delete-cert-from-store.ps1
index 1cc43ddf25..3f2eccd732 100644
--- a/test/configs/certs/tlsauth/certstore/delete-cert-from-store.ps1
+++ b/test/configs/certs/tlsauth/certstore/delete-cert-from-store.ps1
@@ -2,4 +2,4 @@ $issuer="NATS CA"
 Get-ChildItem Cert:\CurrentUser\My | Where-Object {$_.Issuer -match $issuer} | Remove-Item
 Get-ChildItem Cert:\CurrentUser\CA| Where-Object {$_.Issuer -match $issuer} | Remove-Item
 Get-ChildItem Cert:\CurrentUser\AuthRoot | Where-Object {$_.Issuer -match $issuer} | Remove-Item
-Get-ChildItem Cert:\CurrentUser\Root | Where-Object {$_.Issuer -match $issuer} | Remove-Item
\ No newline at end of file
+Get-ChildItem Cert:\CurrentUser\Root | Where-Object {$_.Issuer -match $issuer} | Remove-Item
diff --git a/test/configs/certs/tlsauth/certstore/expired.p12 b/test/configs/certs/tlsauth/certstore/expired.p12
new file mode 100644
index 0000000000000000000000000000000000000000..5870bbc3d003ece6ed12159629f06613ca7d630c
GIT binary patch
literal 2499
zcmai0X*3iH8#XIr8QV|{SxaP@p)r_{bR|@-YboIx8a^7vQVk75lW~PXvL<Vk>>|t9
zvP2>bBI{6Mn6i_SeD3+a)BSmWyyrd7^PK0rzn<s3C>pE<2mqmIu$xerTBLd8S0Ml|
zAcqF?0MlS@2eb={1{(ZFg67ab?FZC>iRWO|{i6U-4!;0I2xWm%{Rax7WWaoo|5(jS
zHH1|FfqXnDK`7t<t^r{X9+WH;<{D`ZAb`LCHL!?^_!G8(UtgeNvJ-V9__}O34P-4S
zPiuDOaje|FrhfHC{*nu^_-2!_n}&b}a%q-c9|R?I6qB0Zqnqk6o1w1yhh_f^oG+g{
z=Ho74zy1fZg=H8KxZ<8tXbG%Mst)M9`qX2I@0|RpNW%>u98cWK+fGJ)5@!0%&p=!U
zSk3ryPtG4TmyBW_N3>oOwNdJ&J#r_3;-|j=md@8cP^ss65oNbjY^9uc9<}L)!)*Tu
zT<+=l-j3sJOiL1KR3jAuHB*IeQuJ~k85qA$%j!4ZKa@SE0_g`Tw<G~Y+Y-)PR1lXJ
zg6u0NTJMc<9cM{@HRh<PQ;^KjS<l9a&QuD*za&Lcjwlg=2G)1$7#ZPCOnmi+H_iDL
zXLUz2d_1zIwn+xAnltL*6{S+Qt2;Ax8*p?>``zfwNM96BEQ{PMM6Rwx^}nA+2B!y4
z6wg&?*BU(50qyN*<Ybs2dr24DU{(OU4E4qE>Cw4Sc+Z`CcCstd6*UlSbP*$HVj^%+
z`OmPLT&HlHG5Kk%A$VA)>cGAka70_6QYaKmoR@lomd*I;f5B$PT0EG0(Z@H_;5Eqd
z&gS=>lNQ1w<c^ynzO%WuqHs#}zSgZ1{Dys4OMz8x8#e+cdQGu(uZaDsa4;$-M)2hC
z0AslhdC+9ZCns+$&2qK)SBBbpEaWC@=8;{+3DO|Z=N<hy#D4=H9QZmBMOk(}n=UqJ
zZVA^LX-*0dO_y%CE*2RZC*^+@N3q7&Dpe26wDjq%&3g|gu&Gr7m;TsVSn(^)-hI6H
zVA1TaAOINmom@ErZ7DMCrt>S$W=Jl_w#D(L>?ISN$IkJ!S5!%^`34dzi1E)Xf{G%D
z1hLC-`coB$s0Pgf@kx=kW9dy?#CeuZuJwxd?e_!4gIjSINUtgguP^{1?XJbi{+5`>
zJwpqIX6@6hPujxk)yg@IyjrSj?Ln(`5&UpDt(+wnPt?BuK;A;Fuc|?cMC&5V?;A&=
zwzqEh^|2x3_<Lk}Mj4|L%(bYO*5#2<w*2Oq+riQ#$v2Uj1KJ-OB*spDo<3*EqL713
za)0{JgAyg)x)SRj3a*OF4Sp(|{#h`yv3?`##*yVsQj_rUSsBq$1+E+-_5#8xfH}-B
zY~mo=bLX;c<+weH28sBU&%Xl?xe2C0{10fKgYkk2{J#qX`2oNK5q&^v{9C}??0Yt_
z40E-A4Y;&(LgVfZ@2&UudY%S0<bDOyzysA|Df0@~(@)z6tOhdCcZQ64+vBIYL8hs<
zMW)tV{Kv&qlNj^5*CsN(exNki#dvG9;#3zRYHRemn411@pgw}?R)xs@PL@gWIiF3d
zGN1L6oXUUr8%JrVmQYVEt6M(Fi(!C93{@5?jWdN!LY($H2<s0|-3**W<QhdNU)sW~
zTZF||iHz8fwq?r?9o;Az;H*9IYwVmIi)pYhyziw<t6&rQ?QFXG)_(IVB^=V@5G~ZQ
z7g~fYtFr|v_X|Uf#X1s{I1AYhqr^D(ay8c@Pz^bJ?|R7voxRINHLb;VnQzA&<1dC=
zJR+V!zd`bqNo@foKUcyZoFSsab`UJU7r*dC{?lYc>|ofAL|9{I^#DoW>^lSDE%<$p
zRtL;v7S=(l-#PuNATf=-ex&VF+NR>+3#O$!!Q<+C><)ihoLRV&!uq(ClhIPas6`GC
ztE-@aD*Mpt<vp2M7gs~~jv)MW7{Y~RK}E{``n^QkGP;XglIo<DG)~x2FXBY*RoNyR
zm5$p`-oiUCn+AeKqS(6&#6fA6(^hkR#!69|*L&_L+QU112XmBY+p=PziC~R9jklwB
z&#V^?OeNbPPkCZ4#ST@!tPvhE<EMNJH2<_)$q_g_XT8ujB9zN?A)8vn%Fslhp>$TH
z{Lf}CkXZmq)nQnIfA}{Wq`gt^T)Qht(83g)DxD2Dev8vh?ajpQLLo|+yLnw~n&)wD
zNMG2aa%9GN2#r^0Oow|y!uAc+XFFQg>MAq(r&3|O#PNqC<atv!R%Gvd_-7ShS=58N
z^ouNx|0{?5PEd^FFw?E-m{<Nzo36B47xQz-iM+aCmVK+*B?gc~c8@qNoJOEx{q3&A
z`@~F^gf6E3UVV4CZ&P{t-fao*RGnJ652jO$jr|(&mbA^LGo51LI`s&i)ftqE?#KS#
z^gUamOT&NCg_Aw)=Zic%_0psqut(weJ7#l+32vog$(gDG?L>?q(n#8J0H#|Nk_4iL
z+^arQd=snN|B)Ld^89PqZdLh^)rkn=hm{?5XW0}D)4a?2s_#Tv7%>`;f*L}Rr$1gY
zaS(&h3bbEN$uB-@U7~BmI2Vw5^)O1$6tOn)Z0v@6*m6bgCuCSsy_L<Yl%amQ$(?57
zjzQ{iYAmkdV~xs5IaN*pLwZiP&{2Q?0!t<#S*Ua3#rVg>_@rR&v&I&tLIfC3UyD}5
zuV(##rgg2U_@2$Xg}=PLO5UA4WOcYMNl9Nb%JIv-*Y4KKZ#llkK3A5xnv*wrB;UFe
z)b)6Oye-fdZ>S^7{zi41#$4%3_|RQIs^!*q4?&_<!c`C{?(pAOLA<p<Uy%Y+l?8oY
zdN#if-{J21?q)Q$&;B#h78`(jp@5c^-Y^6dP1-yD{PZl2eXS_|Vrysgz!!>34%0}}
zxLcv`!C8Cv`*q)iVAvISe)+n~i|lKq**@OvrfmGNL{F;{XLsX2#Z&K6DXSrNu*Qz5
z$03L;3MS+E)HZ*M-DeaX^cpdmLCJea`;shmAHghZwQ|Li1sBb(E;$7}Uwwm6T)+M_
zS}Nz14RCuQgd#a9<7167#N;PZnd5q2@Dza+8)5q+@fB~kY8<W$4_~?Wz)#0Ul3ML}
z=*j(CCdKHZD5YNo3zI-gf)O4cjMugD&DEn~Qs&WSA*2amh6Tz5g+>YedVhcb2oG33
xcQJ(DRi%dU_1wGA^GTWw+6Crg8mAT~@O2?!d8z3|V7~NDZo}Y6<iy`q`(KH8kD~wp

literal 0
HcmV?d00001

diff --git a/test/configs/certs/tlsauth/certstore/import-p12-server.ps1 b/test/configs/certs/tlsauth/certstore/import-p12-server.ps1
index 14a006d824..006a1e4a51 100644
--- a/test/configs/certs/tlsauth/certstore/import-p12-server.ps1
+++ b/test/configs/certs/tlsauth/certstore/import-p12-server.ps1
@@ -1,4 +1,7 @@
-$fileLocale = $PSScriptRoot + "\server.p12"
+$file=$args[0]
+if (!$file) { $file="server.p12 "}
+$fileLocale = $PSScriptRoot + "\" + $file
+echo "Installing certificate $fileLocale"
 $Pass = ConvertTo-SecureString -String 's3cr3t' -Force -AsPlainText
 $User = "whatever"
 $Cred = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $User, $Pass
diff --git a/test/configs/certs/tlsauth/certstore/not-expired.p12 b/test/configs/certs/tlsauth/certstore/not-expired.p12
new file mode 100644
index 0000000000000000000000000000000000000000..d99cb55a94685e8ad855cb57ec9623856cfe80f8
GIT binary patch
literal 2499
zcmai$X*3jy8^+C8nsKS@WGvZtGb+(o%DxlVo=8phiEzns%P?a!S+mS!8I8uIklh$t
zC6X--E?LIDCLx+h<htkoKi!Y_!+YNIKF@j2`|0<b7m5P60|D$%6gZL#tb(z?FnIyT
z0L3WqO%4>;_ej19MX}TWwYZ8=>>Wqa(GuHHqyFmvpsv3LPF|=LRQcbL2MXZ;8G5aU
zj4!601Oh>9P#!MO|E>YSoNQ1DF0c>A0)SxW0H|=BY_CNbV*FZjA@MC@YL4M@_fYH(
z6Mdbzg}q9*U4G2jD>;X$#OvOn+oIJ)9Tf+xTjfQ&zvkd^?&yc^7`xu2anFyCbiFZ{
z2lD;9H$C1shvP8==DnrW9h_+W=1%g`i1DmisEmQa&eG=9ZAdNsth0W1qq+8McDm=a
z5~)~z7}$-b)uny4-m@qek(~1tbXmrqS;lSfj+7?xGTL?JI+Cux7v{6=G^&v9_?Nwz
zkz`ht#_Xkl+KfkEmK=T{b+6~2kMCUwm&#*KEp^sqRUQ%p?^k}?x~t*jeAh0j4zAp?
zAk(^Q9c#LO_>NrcK*6Nz49FxJNjXyzx^hifC(pXFeGI&7_mB*WAuamWvtVbM@C$;H
zv(E+qw69y40LcP#rpDN)?0i<pTxkv$z~ET^Nw1(#>siZ4@rSRkcPxNYnZDy`Z1>iG
znm8-qGU*8-KXd?C-kovP_Ej&{d4V85?h9Un#f<6?3Q1G~*KKLJ$>+9|VUzC6i}8u5
zzZ_l+74q^4dTU7MRVaNFp~IymuQd(Nke2<q!f2GFq~Gg=;6EzIy{)boJ-RUX)>!j_
zQTbNRsb@El9n6WgJ9l;Rh%bMq%&WIx?-4|Gr{lV``e3Txt;sr(J6F{^^Sc{#pBPmi
zQ+sLiEiy;TqB#P@QBNs|{A9I1!M>_2H$E!FHcdCiMbA(2Xx?(h)JIE_wf*&cJ-L)Y
zrgHx5q49jF#)}PyE1=<-cA<IEa9zI|-MI?@Pv!DE?<-rwHdGA__qBS=8dkHMX=?9n
zxHqNh6gtg%;KQv^5qf^ZZm9_l`FjL)FS4`)bX6tJWy<?F)sH%EC7nBVLeCLPZokP)
z7RCw6IB~*&f+!BvGy8}z!239^F(&AHJWrqZrM3{0G?7HaTw&)InLu_CvQu4Y;xuVU
zTPFNkX$i`x0Qq}eModZyWqA@owBxo2jO$=~EI5B!A+p$Qvgb?2o6vL<4|^o?3n#6t
zg7*4UgS_Kta7+GoWn$443pnATKujcwH8xn;a8W8tC`5~NI94Y@4X(&x##De;UTAL`
zgB_ioDtz}HS+xX~LAUOg8!c2sX)$mctiqDL`;kFXHY@joBW)V$Kfm6EaZ_?Wk2;L5
zU5dc?`xZL;%y<PX*0k(HQJhJ?`1}WW&PWavXV{S(a#R6azx_W8c(?(;BNKKcs{a?@
zr79@nseuO6e*)g|O^o1C<!7cVec^qnf3gM#ier%H49Kkf#JPe`x{cHPXz>-^Huo5;
zcy+$84cl%<v4wB9ll>*51zg{?;i*w8t1?eZkbcUblMZY~(JpGofTv2xb})}WRq6Sz
z%NDELIIy{5Q)f#7_(;q6!UspADF?acS%KOOK$1XOg{<5Vt6%z7fXQ|q{DaIVI&pyi
z0-+tYD5!xp_`_`!on|pDVo6ns=hL|8T)FsxkTW7(B96I@Zxi0FT|X=_Qo!t+ifufV
zP4#&yYB<zAPK2BTJ=_xo1z5;NJ||*MK=^I|vs;3%fx|>-tMvqiMCokPezr>^1|Ms2
z(f_W`3AH(_!fj0tk9Wv=S>6x<J<CN&$trUL{8fj5EWN|SClOtf6E(G*5g$KWYZ~pL
z*E0`pj=S~?5=^=RTn`Y33DADl;Q)&<(AYfWD(G2O_IOtLSk`H&vrr{GztM8S9H=)(
ze1tEVaV6BdDUAI=D7n;~t#acs7%#FQ>+I7C#~N6pE8@|n&$6k8BcA6hdk{gg)BH3y
z7q0A$Kf|*5f)ELdg&krs+No82rp1%H^6D)9nyly%aVJcNS9ihCOZ;qVUX+<P?kUT(
zAYe+ECR8kz&`moywQg*l^-~8@gs<G-J$5?XcDyQbwOz;MKxn$$EyO+ZMJ~BUYxOt_
zKWA1kY^xX>cDx{>d8aO};m)mSu3Yo{cZ0~Okb)BP?N^2Su?l7)O9A9Pb5-rr&3Lg_
z<v5S!Qo7qlQH+kYW1=47EB4z5Igo_P`Re-!nI=!#FnaXI!;^rtiI-c%KT_lq91`gg
z3@Yh0(+O^RS*@w)Q`z#l42|z8S>;%PesN`Lebgz<g(utQbfFMes$qNEVOGPoUEh=7
zT=Z5YUWnnTlCL;JuP9nA%%q;9?FTaK7E<JaEk21qfs!|2VBPQAp^c_)mhdJet)O|-
zJ+0na;uKB)G7JvX)lY$Ne|4tVcD4i8Ts8g#APH-@SV~^>1a&7ldPXH6k<~uu)n>2m
zl-z9N$>de6WiL{*eel{N@q7~-Sf@IN`{cpSH4A}C1LCF>@f#npRgIaJQn4GLA5khI
zZnx9ZQn8tD;QII=Nvv&bE`380S%W9rq^B(+^AGwPZQmXQVoU3~=&?;q-?HR_pHnM0
z=E_g_X^y($>-3BX<4)^qj3pJO!Ru%3Le*ptZjE(C`xZx&{7iT*6+X;qYVXfakeAd}
z4nGSVAXJ@>@b#O&4u93?b<0i>a))0qhf)LKp5A=X?jxEQ|79ch?5uFdpZ2gIM4P&m
zLv}K8RJ$NgQxxki;Wv=rB_2=77{9sHL${#1G)a=Ya+Op~fMmJ6<sqGte&bS&^>^W;
zYb-uD;&nS=h;E+ELh-`R!JfeMnT)3!bKH}~lh1zE*)kfJGF?L&kZVDx`k4J?h(<qu
z*@nf`=38~DUuLK_=~R*ZbG}*$`56hf<;b~X8Pg^S>I6mIH}URp@ucVa2RbAa)(O06
zZqeVv{@lD01IfNSPO2ggej;J@gh_A0&~X%oYWQklQ3@6ipFIdC0Cv}e_oX2<D{)Cz
zDQMxEpx`r%MZLLO3VoByukJn4{>Xp!;!nBvRrm5|#h;vCWedu>Z`)bZiz!#CW|Iny
zSd1qDMD-A1FnOr#uYd&$!Gt*kVU>CwlF=P+DGVE9DK`(&hce0@^b!;X<^A>k00EqA
z9MV#@!(CAmD}RjOsE+4sfAbB=*m?j%jN<)qS7HYJEO|LVCH5w|Hy$NE{wHex2I=^a
Aod5s;

literal 0
HcmV?d00001