internal/dag: reject certificates with CN or SubjectAltName

Fixes #1965 During cache insertion reject certificates which lack a Subject CommonName (CN) or SubjectAltName extension. This PR uncovered that, well basically, all our TLS fixtures don't fit this requirement which is extra sadface and thus this PR contains replacement fixtures for all the previous ones. This PR also adds a unit test for dag.isValidSecret as we are likely to continue to add to this function as further validation edge cases are uncovered. This necessitated a small addition to the internal/assert comparator logic to be able to compare error values. Signed-off-by: Dave Cheney <[email protected]>
projectcontour · Dec 6, 2019 · 11d5179 · 11d5179
1 parent a1138bc
commit 11d5179
Show file tree

Hide file tree

Showing 7 changed files with 384 additions and 395 deletions.
diff --git a/internal/assert/assert.go b/internal/assert/assert.go
@@ -40,6 +40,10 @@ func (a Assert) Equal(want, got interface{}) {
 	opts := []cmp.Option{
 		cmpopts.IgnoreFields(v2.DiscoveryResponse{}, "VersionInfo", "Nonce"),
 		cmpopts.AcyclicTransformer("UnmarshalAny", unmarshalAny),
+		// errors to be equal only if both are nil or both are non-nil.
+		cmp.Comparer(func(x, y error) bool {
+			return (x == nil) == (y == nil)
+		}),
 	}
 	diff := cmp.Diff(want, got, opts...)
 	if diff != "" {

diff --git a/internal/contour/listener_test.go b/internal/contour/listener_test.go
@@ -1068,7 +1068,7 @@ func TestListenerVisit(t *testing.T) {
 
 func transportSocket(tlsMinProtoVersion envoy_api_v2_auth.TlsParameters_TlsProtocol, alpnprotos ...string) *envoy_api_v2_core.TransportSocket {
 	return envoy.DownstreamTLSTransportSocket(
-		envoy.DownstreamTLSContext("default/secret/28337303ac", tlsMinProtoVersion, alpnprotos...),
+		envoy.DownstreamTLSContext("default/secret/68621186db", tlsMinProtoVersion, alpnprotos...),
 	)
 }
 

diff --git a/internal/contour/secret_test.go b/internal/contour/secret_test.go
diff --git a/internal/dag/secret.go b/internal/dag/secret.go
@@ -19,6 +19,7 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"strings"
 
 	v1 "k8s.io/api/core/v1"
 )
@@ -122,9 +123,15 @@ func validateCertificate(data []byte) error {
 		if block.Type != "CERTIFICATE" {
 			return fmt.Errorf("unexpected block type '%s'", block.Type)
 		}
-		if _, err := x509.ParseCertificate(block.Bytes); err != nil {
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
 			return err
 		}
+
+		if !hasCommonName(cert) && !hasSubjectAltNames(cert) {
+			return errors.New("certificate has no common name or subject alt name")
+		}
+
 		exists = true
 	}
 
@@ -135,6 +142,14 @@ func validateCertificate(data []byte) error {
 	return nil
 }
 
+func hasCommonName(c *x509.Certificate) bool {
+	return strings.TrimSpace(c.Subject.CommonName) != ""
+}
+
+func hasSubjectAltNames(c *x509.Certificate) bool {
+	return len(c.DNSNames) > 0 || len(c.IPAddresses) > 0
+}
+
 func validatePrivateKey(data []byte) error {
 	var keys int
 

diff --git a/internal/dag/secret_test.go b/internal/dag/secret_test.go
@@ -14,139 +14,193 @@
 package dag
 
 import (
+	"errors"
 	"fmt"
+	"testing"
 
+	"github.com/projectcontour/contour/internal/assert"
 	v1 "k8s.io/api/core/v1"
 )
 
+func TestIsValidSecret(t *testing.T) {
+	tests := map[string]struct {
+		cert, key string
+		valid     bool
+		err       error
+	}{
+		"normal": {
+			cert:  CERTIFICATE,
+			key:   RSA_PRIVATE_KEY,
+			valid: true,
+			err:   nil,
+		},
+		"missing CN": {
+			cert:  MISSING_CN_CERT,
+			key:   MISSING_CN_KEY,
+			valid: false,
+			err:   errors.New("certificate has no common name or subject alt name"),
+		},
+		"EC cert with SubjectAltName only": {
+			cert:  EC_CERTIFICATE,
+			key:   EC_PRIVATE_KEY,
+			valid: true,
+			err:   nil,
+		},
+	}
+
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			type Result struct {
+				Valid bool
+				Err   error
+			}
+
+			want := Result{Valid: tc.valid, Err: tc.err}
+
+			valid, err := isValidSecret(&v1.Secret{
+				// objectmeta omitted
+				Type: v1.SecretTypeTLS,
+				Data: secretdata(tc.cert, tc.key),
+			})
+			got := Result{Valid: valid, Err: err}
+
+			assert.Equal(t, want, got)
+		})
+	}
+}
+
 const (
-	// sample data from https://8gwifi.org/PemParserFunctions.jsp
+	// generated by https://www.selfsignedcertificate.com
 	CERTIFICATE = `-----BEGIN CERTIFICATE-----
-MIIFtTCCA52gAwIBAgIJAO0cq2lJPZZJMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQwHhcNMTQwMzEyMTc0NzU5WhcNMTkwMzEyMTc0NzU5WjBF
-MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
-ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
-CgKCAgEAsgzs6vN2sveHVraXV0zdoVyhWUHWNQ0xnhHTPhjt5ggHmSvrUxvUpXfK
-WCP9gZo59Q7dx0ydjqBsdooXComVP4kGDjulvOHWgvcVmwTsL0bAMqmsCyyJKM6J
-Wqi8E+CPTOpMBWdapUxvwaSmop8geiTtnX0aV4zGXwsz2mwdogbounQjMB/Ew7vv
-8XtqwXSpnR7kM5HPfM7wb9F8MjlRuna6Nt2V7i0oUr+EEt6fIYEVZFiHTSUzDLaz
-2eClJeCNdvyqaeGCCqs+LunMq3kZjO9ahtS2+1qZxfBzac/0KXRYnLa0kGQHZbw0
-ecgdZC9YpqqMeTeSnJPPX4/TQt54qVLQXM3+h8xvwt3lItcJPZR0v+0yQe5QEwPL
-4c5UF81jfGrYfEzmGth6KRImRMdFLF9+F7ozAgGqCLQt3eV2YMXIBYfZS9L/lO/Q
-3m4MGARZXUE3jlkcfFlcbnA0uwMBSjdNUsw4zHjVwk6aG5CwYFYVHG9n5v4qCxKV
-ENRinzgGRnwkNyADecvbcQ30/UOuhU5YBnfFSYrrhq/fyCbpneuxk2EouL3pk/GA
-7mGzqhjPYzaaNGVZ8n+Yys0kxuP9XDOUEDkjXpa/SzeZEk9FXMlLc7Wydj/7ES4r
-6SYCs4KMr+p7CjFg/a7IdepLQ3txrZecrBxoG5mBDYgCJCfLBu0CAwEAAaOBpzCB
-pDAdBgNVHQ4EFgQUWQI/JOoU+RrUPUED63dMfd2JMFkwdQYDVR0jBG4wbIAUWQI/
-JOoU+RrUPUED63dMfd2JMFmhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpT
-b21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDt
-HKtpST2WSTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQBwGbAmiLHE
-jubdLeMygwrV8VjlOVxV41wvRi6y1B5Bdvh71HPoOZdvuiZOogzxB22Tzon6Uv5q
-8uuAy37rHLlQTOqLwdLJOu/ijMirAkh13gQWt4oZGUDikyiI4PMNo/hr6XoZWUfU
-fwmcAzoEMln8HyISluTau1mtQIDgvGprU472GqC4AC7bYeED+ChCevc7Ytjl4zte
-/tw8u3nqrkESYBIA2yEgyFAr1pRwJPM/T1U6Ehalp1ZTeQcAXEa7IC6ht2NlN1FC
-fk2KQmrk4Z3jaSVv8GxshA354W+UEpti0o6Fv+2ozkAaQ1/xjiNwBTHtgJ1/AG1j
-bDYcCFfmYmND0RFjvVu7ma+UNdKQ+t1o7ip4tHQUTEFvdqoaCLN09PcTVgvm71Lr
-s8IOldiMgiCjQK3e0jwXx78tXs/msMzVI+9AR9aNzo0Y42C97ctlGu3+v07Zp+x4
-6w1rg3eklJM02davNWK2EUSetn9EWsIJXU34Bj7mnI/2DFo292GVNw1kT5Bf4IvA
-T74gsJLB6wacN4Ue6zPtIvrK93DABAfRUmrAWmH8+7MJolSC/rabJF3E2CeBTYqZ
-R5M5azDV1CIhIeOTiPA/mq5fL1UrgVbB+IATIsUAQfuWivDyoeu96LB/QswyHAWG
-8k2fPbA2QVWJpcnryesCy3qtzwbHSYbshQ==
+MIIDHTCCAgWgAwIBAgIJAOv27DGlF3qdMA0GCSqGSIb3DQEBBQUAMCUxIzAhBgNV
+BAMMGmJvcmluZy13b3puaWFrLmV4YW1wbGUuY29tMB4XDTE5MTIwNTAxMzQzM1oX
+DTI5MTIwMjAxMzQzM1owJTEjMCEGA1UEAwwaYm9yaW5nLXdvem5pYWsuZXhhbXBs
+ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbgwFwfbikZxPb
+NYidPuNJoexq5W9fJrB/3jqsWox8pfess0bw/EL/VcEUqlrcuo40Md0MxApPuoPj
+eZCOZYhrA2XgcVTMnq61vusnuvmeG/qcrd5apSOoopSo2pmmI1rsJ1AVpheA+eR6
+uoWVILK8uYtPmcOQAoCU/E6iZYDLZ0AEiU16kz/cGfWx9lBukd+LQ+ZRQnLDiEI/
+4hRmrZrEdJoDglzIgJVI+c8OfwbLq5eRMY2fYnxqm/1BJhqjDBc4Q8ufYgfOwobu
+JdVoSgiFy7wyH0GxMk4LRR6yJXLs1yjaihLERbjzlStvFVl4yidpE6Bi0amKW8HT
+Qxgk7iRRAgMBAAGjUDBOMB0GA1UdDgQWBBTLcIMeWLFiL2waFL6FPomNZR7gFDAf
+BgNVHSMEGDAWgBTLcIMeWLFiL2waFL6FPomNZR7gFDAMBgNVHRMEBTADAQH/MA0G
+CSqGSIb3DQEBBQUAA4IBAQBQLWokaWuFeSWLpxxaBX6aatgKAKNUSqDWNzM9zVMH
+xJVDywWJT3pwq7JUXujVS/c9mzCPJEsn7OQPihQECRq09l/nBK0kn9I1X6X1SMtD
+OJbpEWfQQxgstdgeC6pxrZRanF5a7EWO0pFSfjuM1ABjsdExaG3C8+wgEqOjHFDS
+NaW826GOFf/uMOnavpG6QePECAtJVpLAZPw6Rah6cAZrYUUezM/Tg+8JUhYUS20F
+STZG5knGQIe6kksWGkJUhMu8xLdH2HKtUVAkDu7jITy2WZbg0O/Pxe30b4qyt29Y
+813p8G+7188EFDBGNihYYVJ+GJ/d/WPoptSHJOfShtbk
 -----END CERTIFICATE-----`
 
-	// Sample certificate from https://tools.ietf.org/html/rfc7468#section-5.2
-	CERTIFICATE_WITH_TEXT = `
-Subject: CN=Atlantis
-Issuer: CN=Atlantis
-Validity: from 7/9/2012 3:10:38 AM UTC to 7/9/2013 3:10:37 AM UTC
------BEGIN CERTIFICATE-----
-MIIBmTCCAUegAwIBAgIBKjAJBgUrDgMCHQUAMBMxETAPBgNVBAMTCEF0bGFudGlz
-MB4XDTEyMDcwOTAzMTAzOFoXDTEzMDcwOTAzMTAzN1owEzERMA8GA1UEAxMIQXRs
-YW50aXMwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAu+BXo+miabDIHHx+yquqzqNh
-Ryn/XtkJIIHVcYtHvIX+S1x5ErgMoHehycpoxbErZmVR4GCq1S2diNmRFZCRtQID
-AQABo4GJMIGGMAwGA1UdEwEB/wQCMAAwIAYDVR0EAQH/BBYwFDAOMAwGCisGAQQB
-gjcCARUDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDAzA1BgNVHQEE
-LjAsgBA0jOnSSuIHYmnVryHAdywMoRUwEzERMA8GA1UEAxMIQXRsYW50aXOCASow
-CQYFKw4DAh0FAANBAKi6HRBaNEL5R0n56nvfclQNaXiDT174uf+lojzA4lhVInc0
-ILwpnZ1izL4MlI9eCSHhVQBHEp2uQdXJB+d5Byg=
------END CERTIFICATE-----
-` + "\t\r\n"
+	CERTIFICATE_WITH_TEXT = CERTIFICATE + "\t\r\n"
 
 	RSA_PRIVATE_KEY = `-----BEGIN RSA PRIVATE KEY-----
-MIIJKQIBAAKCAgEAsgzs6vN2sveHVraXV0zdoVyhWUHWNQ0xnhHTPhjt5ggHmSvr
-UxvUpXfKWCP9gZo59Q7dx0ydjqBsdooXComVP4kGDjulvOHWgvcVmwTsL0bAMqms
-CyyJKM6JWqi8E+CPTOpMBWdapUxvwaSmop8geiTtnX0aV4zGXwsz2mwdogbounQj
-MB/Ew7vv8XtqwXSpnR7kM5HPfM7wb9F8MjlRuna6Nt2V7i0oUr+EEt6fIYEVZFiH
-TSUzDLaz2eClJeCNdvyqaeGCCqs+LunMq3kZjO9ahtS2+1qZxfBzac/0KXRYnLa0
-kGQHZbw0ecgdZC9YpqqMeTeSnJPPX4/TQt54qVLQXM3+h8xvwt3lItcJPZR0v+0y
-Qe5QEwPL4c5UF81jfGrYfEzmGth6KRImRMdFLF9+F7ozAgGqCLQt3eV2YMXIBYfZ
-S9L/lO/Q3m4MGARZXUE3jlkcfFlcbnA0uwMBSjdNUsw4zHjVwk6aG5CwYFYVHG9n
-5v4qCxKVENRinzgGRnwkNyADecvbcQ30/UOuhU5YBnfFSYrrhq/fyCbpneuxk2Eo
-uL3pk/GA7mGzqhjPYzaaNGVZ8n+Yys0kxuP9XDOUEDkjXpa/SzeZEk9FXMlLc7Wy
-dj/7ES4r6SYCs4KMr+p7CjFg/a7IdepLQ3txrZecrBxoG5mBDYgCJCfLBu0CAwEA
-AQKCAgA1Vrvu0sq/aHnp1z9VTtiiS26mn5t9PxubH/npg2xZWhR0pXyU5CR7AXzj
-lLyQA9TS/gYge2pD3PlBNbMbXAYTB4iB4QqQoBM0HrMhQoNC0m4nfz7kBg585Aqv
-1xao2b/0KchmYgT8uf5Mw3eMBiGjlcZ9RIoMqkaPGHsLNxJVhL5ZhQs5knrOrFGA
-RRnBJKLfR+7TKB5BZHkQ9m+/V/6M3p6AazdMJ8kJqQf24yxGzDXNXtwBl2BIsb8F
-SVAQHcojWCPxHjZn3c7+HNpMkDXAS8AR3k2G1Sh17MeWbk7V0F3vbKiBDQZOSuhp
-hzKO3cQwAa2dbrGEKJ+aICsIwD7i8sbvw3E7sWsEhJHrXuG51alrD2NpB1QiCVgv
-a3ikF5SPbqtX4htlRYmzYwZM8jtB79yStORWKou0+v5SsCliT7xqU1exrygsVGdz
-lWnYu8R/YIQoWEn6rC3CwhcwwHBBKeDjjaMMD7SYIIiC11vjANnKCobVcaPrpENS
-Dycct8acc8SkP5XLTwcqSv66D/O2EU/+mnwJCpBqXa8SC7Bnku9WyncJBfuDFQQl
-JFrV5uhxtzhfYRCE7UcsTRX82yrA0BIsV+SWnAQEh4zIvuEwSmPcF0mY518+/kpk
-HSxGNrBwb1ja4+vsXHkUuNXOWG6BLiZ70yDOXZeZwYkCIgQSHQKCAQEA3P0ADDW+
-ZuDBBMMPscnwTakFnIaS7od2W6eJhKdnu10afW0rhbug1Y7w7gzLF3CtESWo/tWb
-fl9ndsXAEtLpSZgFOFuMA+H9iQOsTMz6tx4zXhXA2jGt98fahYsWjdyFq7UhEijr
-mQCr13FMc9KEfh/lEeSfBERdRnhCBpGAqYAXfdp/l19EIMWTofxa51q64LDjQ55u
-nVTz2G8nr7HVp+rBKk2gnLFyweSBXkrLGxaLTCaxJEeFrBga2jv5WJGcXX4LXncu
-1egUqsqmlzOepL6Q/W9QId9iWltcVTDW3wRuO9MkDURkqAP24RLFNXcOoAbI8ePR
-R6PaINsQbYk+UwKCAQEAzkJsfYzD4rnyRYkwq0N9vQuwZQ7UKhtkvPnQWEcawTz2
-+fCYg6HEmM475mAstYaL3H4v1mGz4Fq9UTxIWcAiSPJdIJAHq5/i8Y4mruLzc14y
-wPZRjTroK7j4okhHvXxENge2p8KV5tocLM0ZVX/uovgPbABGpyvaQkMI5povxSDa
-OFZqvha/e5BqtpTovN9+RAEwFIyercf0SGFjLyuI9GULEWwfqo4OvdcnE8LdYKjW
-CuRLahGajrt19bjbt15LCGRGd4kyFFYDTFy26GggLXDvqnUw7XTn6AU/4Gw3ORw5
-fxJf5ELF5wYy1erUOaH8LSRk1WoMgil2g6jZJE19vwKCAQEA0ToUrnq/36WR+hE4
-rcqU4uJRdsYPHRlSHSr9T4Qz+TgIGZKf70ka2LcyMyAXtQSwRxjR7RyO0NJBIjnO
-RcQ8rbnpz1cVtKNlqTC6FCjKg09rsPuFkNASdxNYOLHcU8njIRQn0Iq/rSfuitcx
-XEOHv+YwuoUrbR3Q9iRr1s4x88lb9INH5CiFV0XZJjfIVV0YrB2tvlqlPf6ttFBh
-Ub5cnFPuOUAv/csf7KWNOpozvFzW2+2SL9grnilgWxkHVizez8HDv9e1lz7ZOm8N
-1QBBhpcKrXiTdM6LzyLKw7mu5o3KVIfujUUgy9adCrH710f2p9pkrGhWv65Jmmvu
-HNchEwKCAQBOfRJh2G42WgIqmeEuWvl/NfKDEliESXZVP08cOLqirDtjsz2mYam5
-aEl9Cj4ZOcEBP/eeQgG8L2t5fVIe7TFexvPPT1/L3IT03N41kOGJlmAD8/fmoXL2
-KGZdAtph7ebbFKZaQn7eoUM1fTrVwWAjHfhoZdZ9CP/+VRoO/r+M6UqBQ8lM2sU1
-FSi2oAXM0dNvt2//cd90S/HWlVC0A4ITVlwW3ilSsspDTZtuNqodfUIuVN+p1lcV
-V5q0zgq2RaiR4e660DeBa5XHukRUPkN4Z1CccgoTYnhZX54GHcgJ8Iakp25cI1jB
-6CbyJnFqGQ0odH/2gmuOII8b3OX8nYxrAoIBAQDFuMaBg7Xa0535v+6NY0iPgF5O
-fKEQI9pGlLk8oKOZKLMRqQYba2qWE4jXjUyl0g3iQ1IYynFi3+cayDoMCrBXmbZ5
-mGebuBySHYpBv3ajhOf1JV1cl1xivgUxM5LW708kNOuf4/hTZXR3D34kJAhoxS+/
-KMkcE4BT8IZIHQ+wIMhmYLAdSQCVVv8x78jN0sZCC0fjqVuyPdYQ8sIc3OHsJZcW
-lzewFW72lfsiB/RxWZ/XwXONXeW5Quf+XwbGGboTofyzTxzsYSwn1U9Kt8iaY8zr
-z7Z5SQCSf2Js9V9lJcodYswWlxrdtoRKA/WgrvQkZhGGAePTUVoO5Lab29M8
+MIIEpAIBAAKCAQEA24MBcH24pGcT2zWInT7jSaHsauVvXyawf946rFqMfKX3rLNG
+8PxC/1XBFKpa3LqONDHdDMQKT7qD43mQjmWIawNl4HFUzJ6utb7rJ7r5nhv6nK3e
+WqUjqKKUqNqZpiNa7CdQFaYXgPnkerqFlSCyvLmLT5nDkAKAlPxOomWAy2dABIlN
+epM/3Bn1sfZQbpHfi0PmUUJyw4hCP+IUZq2axHSaA4JcyICVSPnPDn8Gy6uXkTGN
+n2J8apv9QSYaowwXOEPLn2IHzsKG7iXVaEoIhcu8Mh9BsTJOC0UesiVy7Nco2ooS
+xEW485UrbxVZeMonaROgYtGpilvB00MYJO4kUQIDAQABAoIBAF5L671gNIZjRVNg
+rtwl3MuPxJizEOHGJAH5/Ch4CWuufDPzG6GALGO1eekfuUKi3V2sofHO8UMIs4lv
+elrBYRXfcs80wCHadODcL/Z0SrDSAhl2U1OLJ0NU/BmBNon5HCDgTnXOUMB2GOFj
+6OiEEGQkLKU4P5tIh+X4cOswQWCeoVjW0JVgni20hi3LJNTxSNYeU5VFvPKtoBLl
+8nFqF3ky+bqYfS6H6qM/mO+XL0NQ2wjMteyUeDXcVGfsf7Ir21SUw3zGaeBJl55B
+6BrUgfxVOKuxkw2bwxmu8HX+CxlMMMzaRt+5URFbfOaMgXzjpikrxdeFAAGeu0m4
+bidUR5UCgYEA8lRGqYfowoOCrV8Ksn8nM0Z9PlnmKM5d9mQ875sm/SYLO43h+s0D
+R4VWmLzaGyi0m0036lxIthDfbbGWSjmNrgQ0YIS7ilmBPMUKKYzXgDoiI76aJBTz
+UMpWutb+VYimPPorLKcxNb3BjR3QHx7vCRS2gV5izV0djtMkKc53OXsCgYEA5+Uz
+A7cmO8gHyxlW6SA3+wMH6VKP5ABTkDmKfRF3NCv4UHNn4TtlNuS1D3ZMNXWgCtz6
+qJ/bRTAqseBIX15pzR/MvyNmHRUN3A2Ba6vB2pJux+ZyQjxn3Z+gisjX+eN3LvTU
+YpcJNi0HSuV57n4AAk5YPO5iMEFw95vfBn3MMaMCgYEAnFwyqAsQ7gmLVTDBJ0GS
+Wqx9/bBmKShXSreM9hIHi0pz7v5ytLB6EDkCElWw6dtPBfJCRQ88v3WNpSr0TXpr
+Z8BAx5J9rBxqnnqJPxwopQ1dn/DJZsS55wRYCADXZPtiQHAvUYWj5AhHjjWRZ7M/
+C3348OqlF9ugSdsFN5CIL2cCgYEAqt5lop03XOFdbLe1JH4LAbgQAkpFoDjlWeYs
+N0/BR/4GMDF5H6sGP1ZyW3xNVy7eyGJfiBSSGv8M1phue2c0CmMeGNDakx9KYRTK
+gi3C32z6l+0jz852sgTG5Lxs98I1tbHNNQAZV4QCVZuVJrhNBWX4+pykWO4/cRO3
+WC8lYIUCgYBmmN4z0MR2YWoRvN3lYey3bRGAvsSU6ouiFo40UZdZaRXc1sA3oc+5
+6Di3f8eOIhM5IekOBoaTBf90V8seB6Nw+/jzAViG1HDI7k0ZOoApDuFS6NYk1/bU
+dk98FvYdyAjjgNsxXCyx7vIgYU3OgVNgvFsFubX/Uk66fcfCpPBMLg==
 -----END RSA PRIVATE KEY-----`
 
 	// sample elliptical curve data generated
 	// openssl ecparam -name prime256v1 -genkey -out ec_key.pem
-	// openssl req -new -x509 -key ec_key.pem -out ec_crt.pem -days 3650
+	// openssl req -new -x509 -key ec_key.pem -out ec_crt.pem -days 3650 \
+	//     -subj "/C=US/ST=CA/O=Acme" \
+	//     -reqexts SAN -extensions SAN -config <(ca t /etc/ssl/openssl.cnf \
+	//     <(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com"))
 	EC_CERTIFICATE = `-----BEGIN CERTIFICATE-----
-MIIBbjCCARQCCQCPA0hmRaqduTAKBggqhkjOPQQDAjA/MQswCQYDVQQGEwJVUzEL
-MAkGA1UECAwCQ0ExEjAQBgNVBAcMCVBhbG8gQWx0bzEPMA0GA1UECgwGVk1XYXJl
-MB4XDTE5MTAxNTAzMzkzM1oXDTI5MTAxMjAzMzkzM1owPzELMAkGA1UEBhMCVVMx
-CzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlQYWxvIEFsdG8xDzANBgNVBAoMBlZNV2Fy
-ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFUOHv4hnLcopcYdjojx2j/FmFX6
-MOLVVNsNpZ4SpmcGKN2zGp0SyAQgNhY0gGojC0g+VVYrh8X3GQAXYdvIjfMwCgYI
-KoZIzj0EAwIDSAAwRQIhAJudFacSiwcRtyQ2aNYAPbDJnnwbUTXRCVRlgLysgP5G
-AiALPSbO8d0wa24Z0AU2oXocuNkDaH8qEyp2yhL5LKI3Dw==
------END CERTIFICATE-----
-`
+MIIBfzCCASWgAwIBAgIUZ8EBxJShrhAiO9bG6aRVcJdlEJowCgYIKoZIzj0EAwIw
+KTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ0wCwYDVQQKDARBY21lMB4XDTE5
+MTIwNTAxNTg0NFoXDTI5MTIwMjAxNTg0NFowKTELMAkGA1UEBhMCVVMxCzAJBgNV
+BAgMAkNBMQ0wCwYDVQQKDARBY21lMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
+zCdqvU5dSKxzDAVakEi97epIazdkUKRT2XZtUk41Hp2H4xy8EzR1Re3r9AdJRsJn
+sGrHGbIg2r7OUNYgeN4ot6MrMCkwJwYDVR0RBCAwHoILZXhhbXBsZS5jb22CD3d3
+dy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAYFlD2n/uWWxTqi8WcWvb1
+CUDxSzF2/jLe1PIFkwNk7wIhAP9kMCO1ys050JNvlVZg3xvPvCHKCkWcSachE5fC
+5hc6
+-----END CERTIFICATE-----`
+
 	EC_PRIVATE_KEY = `-----BEGIN EC PARAMETERS-----
 BggqhkjOPQMBBw==
 -----END EC PARAMETERS-----
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIOlYOKzXGQTYlKDkuM62/U84DjxEOa8T3XGYlVmycFJroAoGCCqGSM49
-AwEHoUQDQgAEVQ4e/iGctyilxh2OiPHaP8WYVfow4tVU2w2lnhKmZwYo3bManRLI
-BCA2FjSAaiMLSD5VViuHxfcZABdh28iN8w==
------END EC PRIVATE KEY-----
+MHcCAQEEIAM3LdZrzZk8Hn4VqBDNTgOuh9E772M4sgEYvZMNOy4moAoGCCqGSM49
+AwEHoUQDQgAEzCdqvU5dSKxzDAVakEi97epIazdkUKRT2XZtUk41Hp2H4xy8EzR1
+Re3r9AdJRsJnsGrHGbIg2r7OUNYgeN4otw==
+-----END EC PRIVATE KEY-----`
+
+	// issue #1965
+	// certificate with no CN field.
+	// openssl req -new -newkey rsa:2048 -days 365 -nodes -subj="/DC=com/DC=domain/DC=my" -x509 -keyout server.key -out server.crt -sha256
+	MISSING_CN_CERT = `-----BEGIN CERTIFICATE-----
+MIIDYzCCAkugAwIBAgIUcNI/oD/y3dZ2Rmyvz9Xb4BsC0nswDQYJKoZIhvcNAQEL
+BQAwQTETMBEGCgmSJomT8ixkARkWA2NvbTEWMBQGCgmSJomT8ixkARkWBmRvbWFp
+bjESMBAGCgmSJomT8ixkARkWAm15MB4XDTE5MTIwMzA0MDYyM1oXDTIwMTIwMjA0
+MDYyM1owQTETMBEGCgmSJomT8ixkARkWA2NvbTEWMBQGCgmSJomT8ixkARkWBmRv
+bWFpbjESMBAGCgmSJomT8ixkARkWAm15MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAxblHSlzhyDY88rhILpn+rCALqK1ELcbL5T3FygLEdUlE/da3VpSz
+wBaZc9UIhFpwnkvUy8eKYbLy9jIk3C0aJasrX828MkF4lInSJf0BREbddxmwDovl
+KZoo7xz2rY6LPTopZ1GdszzsPxvBFvc1gWl0UEXkxDAZjtnDuVB+hBv6RR7BpSdN
+Fxds3OVles1mgasW79gMCb22gFa9vJKkxVJz5IIstrShjCfNvPvULf3aeMJjy8fM
+x8kHBiRSs6HC4dFR3cR1uuZCdnkeR76X3gAn9A18VBMvA25JehhfLYnVJi80UgGV
+PAxKgjU8dw8auvbmopzkguyFTfW6sYfDBQIDAQABo1MwUTAdBgNVHQ4EFgQUITS5
+7JyH/S2wUrZnUjQXAp1nTPQwHwYDVR0jBBgwFoAUITS57JyH/S2wUrZnUjQXAp1n
+TPQwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAn5nxNyI6+3MD
+X5hzg5G0gTZafL8qN5bJGlFRWeyU2CvWsXbHCYtzADkwGCcCyoA1nmb460kwZ4vk
+fOz9FYqZoh4IIegs5bB559Ze26Kjl5AgAFARXxV6s0cPDQ2O1XFkNIQiLFHHPfRR
+RJtQgNaLppCe8TFNPjUDqNfoWPQvnlEYMYsvKto7pNw+HGreXhGF5CUCGIqT747P
+zYmBGZEE2q1L45nErZFK4d74XzGu/4Kc73zEFS6GT71Zu6Ec6wUCKdciyNtFHFmh
+4l3l5YC+1zK6ZeOBxdoMKpldD9EV4GQqW8aE2Adpd5RcUUQJnqWM+/ysod/AnHL/
+fm35MjBa+w==
+-----END CERTIFICATE-----
+`
+	MISSING_CN_KEY = `-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDFuUdKXOHINjzy
+uEgumf6sIAuorUQtxsvlPcXKAsR1SUT91rdWlLPAFplz1QiEWnCeS9TLx4phsvL2
+MiTcLRolqytfzbwyQXiUidIl/QFERt13GbAOi+UpmijvHPatjos9OilnUZ2zPOw/
+G8EW9zWBaXRQReTEMBmO2cO5UH6EG/pFHsGlJ00XF2zc5WV6zWaBqxbv2AwJvbaA
+Vr28kqTFUnPkgiy2tKGMJ828+9Qt/dp4wmPLx8zHyQcGJFKzocLh0VHdxHW65kJ2
+eR5HvpfeACf0DXxUEy8Dbkl6GF8tidUmLzRSAZU8DEqCNTx3Dxq69uainOSC7IVN
+9bqxh8MFAgMBAAECggEAZVvBjAFpTPVg8Rw/BIS05Q/YajPIS58pTu8HwbMBew6A
+a4/ylFPOgZ4UNCj1IMQsDznYcE5uRf8yRbsW4jfMu5qvtYEGBM1DPwIX1JmKWLHr
+Pe7RLePRKi545Xr3iakU/+Ic73YLXaLRiNh1d4xqxViF49CwoVH3CB/iEdGNybKX
+CyWxNUS9Tguzg26zIqvtjjqzP3ULt/P+fi/NTIKswv4Btp6hI8QDA2RL6RFJYIL2
+jVpRFUSOhl5N7fg8ZKIAaQFetenzM/yF29qa6nlIhXFsep6bRaLqw9Hni2YB6yCh
+7z4I/ygSTirPW1yk+NPiLjc6mTZVf7EvdFeApOOSUQKBgQDq71Hb0hciDyFkdq3R
+nxskJeiSk8b141tarlrUTvoPRYwOaeKcDN2Lzj7Y9Pqxllb8CSjoOR0B/pfwvfxI
+J2HGoNf7PK3rn166QiFPPFxwa5bMpCcbEoljToB4nCRDsYRlUrd/hAHAb1ptLqK2
+OHc2pbOo0mmYORstIFccrKJDYwKBgQDXc9FA78KjZ7iS2GCs3yXOdS2U1TD5hZMr
+MDXMA0CMbxTYmLRLD0x41hXzH/2UsfQNCYQZCOqWhW3FJHqAaBz0w2n+dOMkWeSq
+EI5ghDQyu/HM2V7xk3tYYXhZ/FxOzcd2l/DUzKZsPJuxsXsNaUn9+ZOE44xHRjNf
+wYvNv17QdwKBgQCujZO/hLAlYSKJV1g8OD/dMsFDLsMT7JHypTrdJbTLZfvytZ9m
+HHT7LAkr/5DII5CLgG7BY7X2xmezuiTYo1IVV2pBw8rhFy81qm6/RXTVHksTzx8z
+ESm8/BWeBz02go2BDt1BxB3dEZ8ZIh5Iz1lb4+/BjlxgeoWDmNTAfE+vSwKBgFGq
+I7HSb1tSsEJw48wC1Si5f6p/WI3r1Im1P17yCKByZltnHkepJ9pRg4ZhJNQc052x
+crGukIS3VJE6L3jGfdtEysNZeNNJg4P2vJDW65YjaRa1eehld4Zbg6vQHQj9tNI9
+61otrBMwse8bj8HYm+Q5mnHvcjd943EzQpOdKwonAoGBAKGymiC7RgrdaxbKf7oE
+dsipT/w+MFInBLLiJcqLAfh0647vhjCFNGG4MZ6YGVwiIdvjZ1dH2Ujsdo8e0+Wi
+8cnx8JvuAJdr5HzMI6fvnMDzjzAskMgYUNhOUhM2g223JuoyyLY2/DL7dOYkFeSn
+b5qYn0JNERfPYdLwXNV1HCM9
+-----END PRIVATE KEY-----
 `
 )