Distrust certs issued after 00:00:00 Oct. 21, 2016 by StartCom and WoSign

src/StartComAndWoSignData.inc

@@ -0,0 +1,89 @@
+// /C=CN/O=WoSign CA Limited/CN=CA \xE6\xB2\x83\xE9\x80\x9A\xE6\xA0\xB9\xE8\xAF\x81\xE4\xB9\xA6
+// Using a consistent naming convention, this would actually be called
+// 'CA沃通根证书DN', but since GCC 6.2.1 apparently can't handle UTF-8
+// identifiers, this will have to do.
+static const uint8_t CAWoSignRootDN[72] = {
+  0x30, 0x46, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+  0x43, 0x4E, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x11,
+  0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x43, 0x41, 0x20, 0x4C, 0x69, 0x6D,
+  0x69, 0x74, 0x65, 0x64, 0x31, 0x1B, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03,
+  0x0C, 0x12, 0x43, 0x41, 0x20, 0xE6, 0xB2, 0x83, 0xE9, 0x80, 0x9A, 0xE6, 0xA0,
+  0xB9, 0xE8, 0xAF, 0x81, 0xE4, 0xB9, 0xA6,
+};
+
+// /C=CN/O=WoSign CA Limited/CN=CA WoSign ECC Root
+static const uint8_t CAWoSignECCRootDN[72] = {
+  0x30, 0x46, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+  0x43, 0x4E, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x11,
+  0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x43, 0x41, 0x20, 0x4C, 0x69, 0x6D,
+  0x69, 0x74, 0x65, 0x64, 0x31, 0x1B, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03,
+  0x13, 0x12, 0x43, 0x41, 0x20, 0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x45,
+  0x43, 0x43, 0x20, 0x52, 0x6F, 0x6F, 0x74,
+};
+
+// /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign
+static const uint8_t CertificationAuthorityofWoSignDN[87] = {
+  0x30, 0x55, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+  0x43, 0x4E, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x11,
+  0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x43, 0x41, 0x20, 0x4C, 0x69, 0x6D,
+  0x69, 0x74, 0x65, 0x64, 0x31, 0x2A, 0x30, 0x28, 0x06, 0x03, 0x55, 0x04, 0x03,
+  0x13, 0x21, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69,
+  0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x20,
+  0x6F, 0x66, 0x20, 0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E,
+};
+
+// /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign G2
+static const uint8_t CertificationAuthorityofWoSignG2DN[90] = {
+  0x30, 0x58, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+  0x43, 0x4E, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x11,
+  0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x43, 0x41, 0x20, 0x4C, 0x69, 0x6D,
+  0x69, 0x74, 0x65, 0x64, 0x31, 0x2D, 0x30, 0x2B, 0x06, 0x03, 0x55, 0x04, 0x03,
+  0x13, 0x24, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69,
+  0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x20,
+  0x6F, 0x66, 0x20, 0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x47, 0x32,
+};
+
+// /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
+static const uint8_t StartComCertificationAuthorityDN[127] = {
+  0x30, 0x7D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+  0x49, 0x4C, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x0D,
+  0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x20, 0x4C, 0x74, 0x64, 0x2E,
+  0x31, 0x2B, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13, 0x22, 0x53, 0x65,
+  0x63, 0x75, 0x72, 0x65, 0x20, 0x44, 0x69, 0x67, 0x69, 0x74, 0x61, 0x6C, 0x20,
+  0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x53,
+  0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67, 0x31, 0x29, 0x30, 0x27, 0x06, 0x03, 0x55,
+  0x04, 0x03, 0x13, 0x20, 0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x20,
+  0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E,
+  0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79,
+};
+
+// /C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2
+static const uint8_t StartComCertificationAuthorityG2DN[85] = {
+  0x30, 0x53, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+  0x49, 0x4C, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x0D,
+  0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x20, 0x4C, 0x74, 0x64, 0x2E,
+  0x31, 0x2C, 0x30, 0x2A, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x23, 0x53, 0x74,
+  0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66,
+  0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F,
+  0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
+};
+
+struct DataAndLength {
+  const uint8_t* data;
+  uint32_t len;
+};
+
+static const DataAndLength StartComAndWoSignDNs[]= {
+ { CAWoSignRootDN,
+   sizeof(CAWoSignRootDN) },
+ { CAWoSignECCRootDN,
+   sizeof(CAWoSignECCRootDN) },
+ { CertificationAuthorityofWoSignDN,
+   sizeof(CertificationAuthorityofWoSignDN) },
+ { CertificationAuthorityofWoSignG2DN,
+   sizeof(CertificationAuthorityofWoSignG2DN) },
+ { StartComCertificationAuthorityDN,
+   sizeof(StartComCertificationAuthorityDN) },
+ { StartComCertificationAuthorityG2DN,
+   sizeof(StartComCertificationAuthorityG2DN) },
+};

src/node_crypto.cc

@@ -17,6 +17,10 @@
 // https://hg.mozilla.org/mozilla-central/raw-file/98820360ab66/security/
 // certverifier/CNNICHashWhitelist.inc
 #include "CNNICHashWhitelist.inc"
+// StartCom and WoSign root CA list is taken from
+// https://hg.mozilla.org/mozilla-central/file/tip/security/certverifier/
+// StartComAndWoSignData.inc
+#include "StartComAndWoSignData.inc"
 
 #include <errno.h>
 #include <limits.h>  // INT_MAX
@@ -2761,9 +2765,40 @@ inline X509* FindRoot(STACK_OF(X509)* sk) {
 }
 
 
-// Whitelist check for certs issued by CNNIC. See
+inline bool CertIsStartComOrWoSign(X509_NAME* name) {
+  const unsigned char* startcom_wosign_data;
+  X509_NAME* startcom_wosign_name;
+
+  for (const auto& dn : StartComAndWoSignDNs) {
+    startcom_wosign_data = dn.data;
+    startcom_wosign_name = d2i_X509_NAME(nullptr, &startcom_wosign_data,
+                                         dn.len);
+    if (X509_NAME_cmp(name, startcom_wosign_name) == 0)
+      return true;
+  }
+
+  return false;
+}
+
+// Revoke the certificates issued by StartCom or WoSign that has
+// notBefore after 00:00:00 on October 21, 2016 (1477008000 in epoch).
+inline bool CheckStartComOrWoSign(X509_NAME* root_name, X509* cert) {
+  if (!CertIsStartComOrWoSign(root_name))
+    return true;
+
+  time_t october_21_2016 = static_cast<time_t>(1477008000);
+  if (X509_cmp_time(X509_get_notBefore(cert), &october_21_2016) < 0)
+    return true;
+
+  return false;
+}
+
+
+// Whitelist check for certs issued by CNNIC, StartCom and WoSign. See
 // https://blog.mozilla.org/security/2015/04/02
-// /distrusting-new-cnnic-certificates/
+// /distrusting-new-cnnic-certificates/ and
+// https://blog.mozilla.org/security/2016/10/24/
+// distrusting-new-wosign-and-startcom-certificates
 inline CheckResult CheckWhitelistedServerCert(X509_STORE_CTX* ctx) {
   unsigned char hash[CNNIC_WHITELIST_HASH_LEN];
   unsigned int hashlen = CNNIC_WHITELIST_HASH_LEN;
@@ -2782,11 +2817,14 @@ inline CheckResult CheckWhitelistedServerCert(X509_STORE_CTX* ctx) {
     root_name = X509_get_subject_name(root_cert);
   }
 
+  X509* leaf_cert = sk_X509_value(chain, 0);
+  if (!CheckStartComOrWoSign(root_name, leaf_cert))
+    return CHECK_CERT_REVOKED;
+
   // When the cert is issued from either CNNNIC ROOT CA or CNNNIC EV
   // ROOT CA, check a hash of its leaf cert if it is in the whitelist.
   if (X509_NAME_cmp(root_name, cnnic_name) == 0 ||
       X509_NAME_cmp(root_name, cnnic_ev_name) == 0) {
-    X509* leaf_cert = sk_X509_value(chain, 0);
     int ret = X509_digest(leaf_cert, EVP_sha256(), hash,
                           &hashlen);
     CHECK(ret);

test/fixtures/keys/Makefile

@@ -57,6 +57,20 @@ fake-cnnic-root-cert.pem: fake-cnnic-root.cnf fake-cnnic-root-key.pem
 	        -out fake-cnnic-root-cert.pem \
 	        -config fake-cnnic-root.cnf
 
+#
+# Create Fake StartCom Root Certificate Authority: fake-startcom-root
+#
+fake-startcom-root-key.pem:
+	openssl genrsa -out fake-startcom-root-key.pem 2048
+
+fake-startcom-root-cert.pem: fake-startcom-root.cnf \
+	fake-startcom-root-key.pem
+	openssl req -new -x509 -days 9999 -config \
+	fake-startcom-root.cnf -key fake-startcom-root-key.pem -out \
+	fake-startcom-root-cert.pem
+	echo '01' > fake-startcom-root-serial
+	touch fake-startcom-root-database.txt
+
 #
 # agent1 is signed by ca1.
 #
@@ -254,6 +268,60 @@ agent7-cert.pem: agent7-csr.pem fake-cnnic-root-cert.pem fake-cnnic-root-key.pem
 agent7-verify: agent7-cert.pem fake-cnnic-root-cert.pem
 	openssl verify -CAfile fake-cnnic-root-cert.pem agent7-cert.pem
 
+#
+# agent8 is signed by fake-startcom-root with notBefore
+# of Oct 20 23:59:59 2016 GMT
+#
+
+agent8-key.pem:
+	openssl genrsa -out agent8-key.pem 2048
+
+agent8-csr.pem: agent8.cnf agent8-key.pem
+	openssl req -new -config agent8.cnf -key agent8-key.pem \
+	-out agent8-csr.pem
+
+agent8-cert.pem: agent8-csr.pem
+	openssl ca \
+		-config fake-startcom-root.cnf \
+		-keyfile fake-startcom-root-key.pem \
+		-cert fake-startcom-root-cert.pem \
+		-batch \
+		-days 9999 \
+		-passin "pass:password" \
+		-in agent8-csr.pem \
+		-startdate 20161020235959Z \
+		-notext -out agent8-cert.pem
+
+
+agent8-verify: agent8-cert.pem fake-startcom-root-cert.pem
+	openssl verify -CAfile fake-startcom-root-cert.pem \
+	agent8-cert.pem
+
+
+#
+# agent9 is signed by fake-startcom-root with notBefore
+# of Oct 21 00:00:01 2016 GMT
+#
+agent9-key.pem:
+	openssl genrsa -out agent9-key.pem 2048
+
+agent9-csr.pem: agent9.cnf agent9-key.pem
+	openssl req -new -config agent9.cnf -key agent9-key.pem \
+	-out agent9-csr.pem
+
+
+agent9-cert.pem: agent9-csr.pem
+	openssl ca \
+		-config fake-startcom-root.cnf \
+		-keyfile fake-startcom-root-key.pem \
+		-cert fake-startcom-root-cert.pem \
+		-batch \
+		-days 9999 \
+		-passin "pass:password" \
+		-in agent9-csr.pem \
+		-startdate 20161021000001Z \
+		-notext -out agent9-cert.pem
+
 ec-key.pem:
 	openssl ecparam -genkey -out ec-key.pem -name prime256v1
 

test/fixtures/keys/agent8-cert.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUDCCAjgCAQEwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UEBhMCSUwxFjAUBgNV
+BAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRp
+ZmljYXRlIFNpZ25pbmcxKTAnBgNVBAMTIFN0YXJ0Q29tIENlcnRpZmljYXRpb24g
+QXV0aG9yaXR5MCAYDzIwMTYxMDIwMjM1OTU5WhcNNDQwMzIxMTAwNjM5WjBdMQsw
+CQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZO
+T0RFSlMxDzANBgNVBAsTBmFnZW50ODESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzkVSP6XxWpBlSjqqavwOhpp36aFJ
+qLK7fRpxR+f0PdQ9WJajDEicxwKWGFqQBE+d5BjqrAD59L2QGZQ2VOF9VLZyFz3F
+9TIlkd4yt9Od0qE98yIouDBNWu7UZqvNynAe5caD5i1MgyIUQqIUOnZwM21hwqYN
+N/OESf38A8Tfuvh3ALUn7zBEVyUPWIWTYPhFHSCWIsS2URZ/qDLk8GavphkqXdFB
+ii3V8Th5niPtpIsRF6Qhwh8SK+s0zh53o0qkmCNpXLd/PJQQAwC70WRq7ncL4D+U
+C1gnDL0j9SzojXQu31kXs8UZTa7RFnx5r+gDiA/gGrLs4IiwDJhVHMx0nQIDAQAB
+MA0GCSqGSIb3DQEBCwUAA4IBAQA7iMlm+rgZnlps+LFsoXG4dGNPaOhKI9t/XBrO
+6O64LLyx/FPIQSaYi130QNB7Zy0uw8xqrH6cGRTJ9RCfBFFP4rzgIX3wEAHnmwMr
+i4dGEixBUIIjhw6fAVxAhrkzmgUpUt0qIP9otGgESEYXIg7bFkXIHit0Im1VOdvf
++LnUKZw9o7UEesKIDVkuAsjoKKkrsO0kdf0dgAj6Ix5xmAtBsDvkH0aOSdPfTZG6
+LQrnZf/quBotog3NmDzrvQaH8GNpTJcYNjKlxD2z0PvQUyp0FD8oCC+oD+EGv2zZ
+65scEXU/n8kTmdJkCjx4nb39HttYzOlNlTgMxAfxgL7A/PcT
+-----END CERTIFICATE-----

test/fixtures/keys/agent8-csr.pem

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICxzCCAa8CAQAwXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQH
+EwJTRjEPMA0GA1UEChMGTk9ERUpTMQ8wDQYDVQQLEwZhZ2VudDgxEjAQBgNVBAMT
+CWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM5FUj+l
+8VqQZUo6qmr8Doaad+mhSaiyu30acUfn9D3UPViWowxInMcClhhakARPneQY6qwA
++fS9kBmUNlThfVS2chc9xfUyJZHeMrfTndKhPfMiKLgwTVru1GarzcpwHuXGg+Yt
+TIMiFEKiFDp2cDNtYcKmDTfzhEn9/APE37r4dwC1J+8wRFclD1iFk2D4RR0gliLE
+tlEWf6gy5PBmr6YZKl3RQYot1fE4eZ4j7aSLERekIcIfEivrNM4ed6NKpJgjaVy3
+fzyUEAMAu9Fkau53C+A/lAtYJwy9I/Us6I10Lt9ZF7PFGU2u0RZ8ea/oA4gP4Bqy
+7OCIsAyYVRzMdJ0CAwEAAaAlMCMGCSqGSIb3DQEJBzEWExRBIGNoYWxsZW5nZSBw
+YXNzd29yZDANBgkqhkiG9w0BAQUFAAOCAQEAykAWr5pOZh1BMc7NZgc66J16VkjN
+KM2deMQNl7r3BFB336At+zmpudnjdT/tPaH34FT/Idh/DPfiSdpuDQWDA+E7xady
+S7KoKfNesPFjV4rR1WgNtoix0B5EaaNxdR8ljwL30N/LbsMDWxIK7rWyhvuw3DXr
+C90PbsOTCLbW1HGItgYCQFJnpXK1O1Vx0Bo55F//oxDGVTzkUqb0lsVGHLLCg0s2
+DxX3++FqFy/NjzZ5R/k1o+WIom1PzhLXJ+cqQsqYT9kBIVHTtvTAnDM70dZ8EeSW
+/O4w+gb+OSJjClz7p4DuX4idDG+0cISxBOYFPyTFlGrXQ0ZXULP4pihsUA==
+-----END CERTIFICATE REQUEST-----

test/fixtures/keys/agent8-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAzkVSP6XxWpBlSjqqavwOhpp36aFJqLK7fRpxR+f0PdQ9WJaj
+DEicxwKWGFqQBE+d5BjqrAD59L2QGZQ2VOF9VLZyFz3F9TIlkd4yt9Od0qE98yIo
+uDBNWu7UZqvNynAe5caD5i1MgyIUQqIUOnZwM21hwqYNN/OESf38A8Tfuvh3ALUn
+7zBEVyUPWIWTYPhFHSCWIsS2URZ/qDLk8GavphkqXdFBii3V8Th5niPtpIsRF6Qh
+wh8SK+s0zh53o0qkmCNpXLd/PJQQAwC70WRq7ncL4D+UC1gnDL0j9SzojXQu31kX
+s8UZTa7RFnx5r+gDiA/gGrLs4IiwDJhVHMx0nQIDAQABAoIBAHHp5KdT3Ht4XQfm
+aDEXLGp3qhtzQDuTIWnQjZj5Z3Ax4wMmhbsF6tcY/Y1LjldjJL5QaGE/VMstWQRX
+Tr4HnXCIJW/iZI2p+Qean4XXr0QgWhcI2VYHDuFWHiTpYogW7WlV/YfDooqU6n12
+BxfWStaL5L5bd9dbe8ZlJqVqN2iISfqGNIz9YKM04rHycTcicNmf0J0smkHlnHJE
+ROQR73IXjDDOmkwdG75qyGRBQ0j0KEDu//n1axcOKf48F+8BQk2PFMq+RhkGGqJD
+zTQK3kB33HRWeNWbykLPzYGcPtSlvaecCTc/q9wbbxh5AFlvSrPz3VzdRHECocM3
+v/o2vqECgYEA/uZib1ZYczuihcvLKxo8e/IBNYUKUcyosHDqAmJ5q8Y+Vg35ACfM
+mJAhT1SXXAmm2tHuTnztfLDMQAOGVItuf5U8nuJYuWrvhMCtBT40XPeUVPD8b2D1
+9y5EipiB7huH8kMb1aAPUNgQhmqT93+4qcGf6PcNTkk6uHCCXFZEc7UCgYEAzyk1
+/T+Ah3p9+c1s+AjqkWj3Qa9lOKclJOT2O88AG+4fGQhSdUvkLDAMX3L6ri3gVZzr
+wH3DJIwJx1uCW4eNJFVmh8AyP4SkfzQp1FqsIzBMQuPz6Hqtclh/UPx1yOe3NseO
+xVM6Z5RbOOWyDaWxxbQHZnHkqSKcTB8K1lJ/XkkCgYAaStlMcrOc70HMW0ERqRsk
+DcpiIt71oQ6lZIA+zrmOJly3s6lDgtdvxS4qaKdULwqu94iFQA2fFv16fOKWReuX
+7WTbXq2YMpeSMe2m5Mux6ze5q0HemznDzVn0kdaVIPHc418zodbyl9bchpHMrbf2
+iqpb9V/B+3u7Gp/Xtm5JIQKBgBFrjr2wBFfgJg3Gh35ICamWoQwl+qYL8CStGEOp
+QYIXwQey2nRAoHxSwgeYvJm/A9lPK8fxC2LcX8oi2NBnkqfWgpuxvsf2mHqV4VqZ
+EVaYLiGF17HZ9xHhfTtLL4Boc9CocUoImKWzJQSg1BsvrsZIQEMOGsNaRLhl99xT
+7Z/5AoGBAIxgzOGLVVrIv8vRc4YouPf0OGBmUawnEZxYVD1Mo4Tt97XjxH93B1iz
+hof62zDCL7WEdKuwnOs1towBmLjC7qrAbkUgNVYmI5sG9c8+1NKClTOJGsHHiMLF
+n8GxnsNU5FVTmJ/PZfOU+eru7uDYZHTkii0tkaHWUzg13pkhka5E
+-----END RSA PRIVATE KEY-----

test/fixtures/keys/agent8.cnf

@@ -0,0 +1,17 @@
+[ req ]
+default_bits           = 2048
+days                   = 999
+distinguished_name     = req_distinguished_name
+attributes             = req_attributes
+prompt                 = no
+
+[ req_distinguished_name ]
+C                      = US
+ST                     = CA
+L                      = SF
+O                      = NODEJS
+OU                     = agent8
+CN                     = localhost
+
+[ req_attributes ]
+challengePassword              = A challenge password

test/fixtures/keys/agent9-cert.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUDCCAjgCAQIwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UEBhMCSUwxFjAUBgNV
+BAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRp
+ZmljYXRlIFNpZ25pbmcxKTAnBgNVBAMTIFN0YXJ0Q29tIENlcnRpZmljYXRpb24g
+QXV0aG9yaXR5MCAYDzIwMTYxMDIxMDAwMDAxWhcNNDQwMzIxMTAwNzAyWjBdMQsw
+CQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZO
+T0RFSlMxDzANBgNVBAsTBmFnZW50OTESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApT6nASSx9e2i/t0aHSd9BxMRD92o
+33/iaiXWzBOKMJp7jxCWAg6SnpjrFsyjTxaAqg+e1zlm10YBT6DholstffzQqK2x
+TKGVOQK4jxX23wJlrn5mDk0fagBtY49L1KFy8DxJqKgt7uxz61GGUWwKWXG7Vnga
+bkqDd9o3ZF7bOq7mMQvfDzPrwYI8uTjTxR8R19uxNNOGtHMTnwvDeczTmtTox8U+
+4N2hN2scDZvRBx5aQAtnXRyZhAokAJMYojinx9iqlVFQi3ct52LIhsca6ympfDc2
+0yA4aSVfoW7NlqsnvrTOV4nt3UbrxGGpiE7Em8Hdcw2EMF+jqCTLGtsqYQIDAQAB
+MA0GCSqGSIb3DQEBCwUAA4IBAQCMjKFycVQh7Puz/FpQh3NhJ99Ic3rzr+3nAKFD
+4Kcl3L8szH3zjLCw46/y2jqPiAbg2zg9miYkI/2W/G+m2VQEQvp2SwjVr/Rj2Soe
+iTonruUpDFF7LG01q3kpZ7nYWRGvVgn5D9BGk4/SWuzxiWRdwlzJf2e8cXLExVS0
+0CgRsb5nRoZ+RZmVIrGMfIi8CI7uTlcHtQzD7B7gpHtOSMlQoSSeqOy6F498duvl
+QhhQhJBxmjSegw/lawWQSDFArJimK/rwyb6ZFbRfBgg6o/k5W9G5l0oG5abQMp+/
+u8Fd+QUNwR6OovE0AqL6wNHCnqzNnihTL6/hRVer6i5Hfxmb
+-----END CERTIFICATE-----

test/fixtures/keys/agent9-csr.pem

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICxzCCAa8CAQAwXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQH
+EwJTRjEPMA0GA1UEChMGTk9ERUpTMQ8wDQYDVQQLEwZhZ2VudDkxEjAQBgNVBAMT
+CWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKU+pwEk
+sfXtov7dGh0nfQcTEQ/dqN9/4mol1swTijCae48QlgIOkp6Y6xbMo08WgKoPntc5
+ZtdGAU+g4aJbLX380KitsUyhlTkCuI8V9t8CZa5+Zg5NH2oAbWOPS9ShcvA8Saio
+Le7sc+tRhlFsCllxu1Z4Gm5Kg3faN2Re2zqu5jEL3w8z68GCPLk408UfEdfbsTTT
+hrRzE58Lw3nM05rU6MfFPuDdoTdrHA2b0QceWkALZ10cmYQKJACTGKI4p8fYqpVR
+UIt3LediyIbHGuspqXw3NtMgOGklX6FuzZarJ760zleJ7d1G68RhqYhOxJvB3XMN
+hDBfo6gkyxrbKmECAwEAAaAlMCMGCSqGSIb3DQEJBzEWExRBIGNoYWxsZW5nZSBw
+YXNzd29yZDANBgkqhkiG9w0BAQUFAAOCAQEAKlz52i1TpqNFQQu2YCl2YlTKbu2s
++92Qq+9b8wKoTweEFxDYtfq8d6rgYtetDbJDh+CDSjG3REINHtbPB0BjFdmZq/Q6
+7JHLjmWKacmhaZJIp6xtrAX93qXYfbqH2S/DNSAO1e1sUa/gKL+wuVcrM8My7mzo
+cMEgc7mHJCbSjYIcYPELas+rADoCE4mgiX8wwYQjFqxj/cdlcMzVS3ZuARAiPzA7
+60Zk3/NnbXd/OBOcf/FvbrYIQ45eV4JlMowtcdLtxP91N5/X3BBMFsXt4mPoXETC
+V78wipSWtfiKTox1Ze7PSJsYm9E9TOYYPh9kSGizIFzrgnk9H15+Iy5Ixg==
+-----END CERTIFICATE REQUEST-----

test/fixtures/keys/agent9-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEApT6nASSx9e2i/t0aHSd9BxMRD92o33/iaiXWzBOKMJp7jxCW
+Ag6SnpjrFsyjTxaAqg+e1zlm10YBT6DholstffzQqK2xTKGVOQK4jxX23wJlrn5m
+Dk0fagBtY49L1KFy8DxJqKgt7uxz61GGUWwKWXG7VngabkqDd9o3ZF7bOq7mMQvf
+DzPrwYI8uTjTxR8R19uxNNOGtHMTnwvDeczTmtTox8U+4N2hN2scDZvRBx5aQAtn
+XRyZhAokAJMYojinx9iqlVFQi3ct52LIhsca6ympfDc20yA4aSVfoW7NlqsnvrTO
+V4nt3UbrxGGpiE7Em8Hdcw2EMF+jqCTLGtsqYQIDAQABAoIBAE7FXAUOggry2hVW
+PuGQ9mfN7f87MgpAwyTInukvk1tx+N6NEIUwfzI9QSvgJyVHW9Q1mAmO4nhSdcOI
+tKaZgkkhoDIYgoE+MY04v9Ptq35JfUE+HdZJa2UziPHB2Gsm/0yH4LEWYrcXXnbZ
+qQbdUt2qepxQqoDS4nLawjcFhMom24ns24eMCsFW7yrxhyvQwFKqGOKXauCpClp2
+oPXhd2wljutuIGJjMmeqMw7CuyfZMee6BsuXNWWr/kso0NaQwxKoFnGlyaOl6oUV
+ypr5ADXv0NNaSqDgyfEfJedsGQul+WWnkjz6PFbWZtbG5SIKb5PCJ2aWD7mvcHdI
+85BL4jUCgYEA0yPogvmlK/hSpckk/AkRtHWwjUdkgdoZzxiJV/D01y8EtB+yL46t
+Gzl23Y1VtLXxn+CZdj2putS5z1Rg1LA0oMZ+TwhxGskURBPP7mym83Qn1huRcnWw
+df9flCg4IwRLqI6QfsQ2Q6j549j5u8P+tqVi/yZQY0V2SGcXTXaqIksCgYEAyFpy
+24+AW33ypNxr9sOIx2YQyn0UDK2K6LQYRmjwhpCZEtBdoUqKGP/9UUycM4TN9D32
+p0le+3TJVk9tVqyvwFeGBkguO/3dXD6KTsqrCfMFNj/R6QRYFEaLWjkG8EI5TXOK
+a/CbhtyGaRY5QzwLRjLdEYIph3r1d2uedVzwGoMCgYEAvPV59R2u8LcAYFavvs/v
+BG3/X7DxBjVGu8zdvdJrjNkLgJiNQ3qQ+bhn5MfEWEIsyESdkvCEoiwXTrHZJv+7
+WdfK2rhXYP1sIbEJefvLPj5KGJf7h1BEaJXv2AxWkSAbBfLw5kJ7vfnQClX4yk4R
++yvweSC0+OMFhK6ecDku8hkCgYAJPRJ6yV0z2tTrgTaBRHb0KuKvU6EvDHmRTWyp
+IoGk0tocIfuPSm6fxH4b15qETaVpk8nh4OI+Wh5GmpcCHihkiCSn+YAYSBaDAGdE
+RtgoN0qQO9UkF40wMiiO2n5VadhWl/NUEt45E8Ym5l1xmj0y2XmUKxpbIvJatV2z
+L7vqnQKBgCuV47rGYLaPz+gVgwIz0PvNFgp2fdSBYYQUf70XsaEU1bQtim6q5jxd
++ePUiT65k42Iw7oLWyGtxdyxmmKgQ18i5aDNjT2SLr3RAC2BSR5Fs1W1PLi24nV6
+QW7fepI9tOBTbwbLG8ARRzx2YXrBf9PqvmDbrMiTi0WGFGlVJatX
+-----END RSA PRIVATE KEY-----