From 3a478b5a673e930e397c62d8f44f24dc71b277b2 Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Tue, 2 May 2023 22:29:08 -0400
Subject: [PATCH] Use hostname verification for SecurityAdmin (#2541)

* Use hostname verification for SecurityAdmin

Signed-off-by: Craig Perkins
---
 .../security/tools/SecurityAdmin.java | 1 +
 .../security/SecurityAdminTests.java | 65 +++++++++++++++++
 .../securityadmin/certificate_generation.md | 23 ++++++
 src/test/resources/securityadmin/kirk.crt.pem | 69 ++++++++++++++++++
 src/test/resources/securityadmin/kirk.key.pem | 28 ++++++++
 src/test/resources/securityadmin/node.crt.pem | 71 +++++++++++++++++++
 src/test/resources/securityadmin/node.key.pem | 28 ++++++++
 src/test/resources/securityadmin/root-ca.pem | 24 +++++++
 8 files changed, 309 insertions(+)
 create mode 100644 src/test/resources/securityadmin/certificate_generation.md
 create mode 100644 src/test/resources/securityadmin/kirk.crt.pem
 create mode 100644 src/test/resources/securityadmin/kirk.key.pem
 create mode 100644 src/test/resources/securityadmin/node.crt.pem
 create mode 100644 src/test/resources/securityadmin/node.key.pem
 create mode 100644 src/test/resources/securityadmin/root-ca.pem
diff --git a/src/main/java/org/opensearch/security/tools/SecurityAdmin.java b/src/main/java/org/opensearch/security/tools/SecurityAdmin.java
index 161ad72528..649b2c2b03 100644
--- a/src/main/java/org/opensearch/security/tools/SecurityAdmin.java
+++ b/src/main/java/org/opensearch/security/tools/SecurityAdmin.java
@@ -1410,6 +1410,7 @@ private static RestHighLevelClient getRestHighLevelClient(SSLContext sslContext,
 .setSslContext(sslContext)
 .setTlsVersions(supportedProtocols)
 .setCiphers(supportedCipherSuites)
+ .setHostnameVerifier(hnv)
 // See please https://issues.apache.org/jira/browse/HTTPCLIENT-2219
 .setTlsDetailsFactory(new Factory() {
 @Override
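Review bot: Nothing in this hunk shows what `hnv` holds when `-nhnv` is passed, and the added `.setHostnameVerifier(hnv)` line carries no comment, so a reader cannot tell whether the opt-out is a no-op verifier or a null that falls back to the builder's default. I would document the contract on the line, e.g. `// hnv: default verifier, or a no-op verifier only when -nhnv was given; never null`, and confirm that the value is assigned before this builder runs. Disabling verification removes the check that the server certificate belongs to the host being administered, so the tool should also log a warning when the no-op path is taken, if it does not already (that code is not visible here). getRestHighLevelClient begins and ends outside the hunk.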
diff --git a/src/test/java/org/opensearch/security/SecurityAdminTests.java b/src/test/java/org/opensearch/security/SecurityAdminTests.java index e7953c508a..bd032fc332 100644 --- a/src/test/java/org/opensearch/security/SecurityAdminTests.java +++ b/src/test/java/org/opensearch/security/SecurityAdminTests.java @@ -19,6 +19,7 @@ import java.io.ByteArrayOutputStream; import java.io.File; +import java.io.IOException; import java.io.PrintStream; import java.util.ArrayList; import java.util.List; @@ -37,6 +38,10 @@ import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; import org.opensearch.security.tools.SecurityAdmin; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.matchesPattern; +import static org.junit.Assert.assertThrows; + public class SecurityAdminTests extends SingleClusterTest { @Test 
@@ -71,6 +76,66 @@ public void testSecurityAdmin() throws Exception { Assert.assertEquals(HttpStatus.SC_OK, (rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode()); } + @Test + public void testSecurityAdminHostnameVerificationEnforced() throws Exception { + final Settings settings = Settings.builder() + .put("plugins.security.ssl.http.enabled",true) + .put("plugins.security.ssl.http.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/root-ca.pem")) + .put("plugins.security.ssl.http.pemcert_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/node.crt.pem")) + .put("plugins.security.ssl.http.pemkey_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/node.key.pem")) + .putList("plugins.security.authcz.admin_dn", List.of("CN=kirk,OU=client,O=client,L=test,C=de")) + .build(); + setup(Settings.EMPTY, null, settings, false); + + final String prefix = getResourceFolder()==null?"securityadmin/":getResourceFolder()+"/securityadmin/"; + + List argsAsList = new ArrayList<>(); + argsAsList.add("-cacert"); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"root-ca.pem").toFile().getAbsolutePath()); + argsAsList.add("-cert"); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk.crt.pem").toFile().getAbsolutePath()); + argsAsList.add("-key"); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk.key.pem").toFile().getAbsolutePath()); + argsAsList.add("-p"); + argsAsList.add(String.valueOf(clusterInfo.httpPort)); + argsAsList.add("-icl"); + addDirectoryPath(argsAsList, TEST_RESOURCE_ABSOLUTE_PATH); + + final IOException expectedException = assertThrows(IOException.class, () -> SecurityAdmin.execute(argsAsList.toArray(new String[0]))); + final String expectedMessagePattern = "Certificate for <.+> doesn't match any of the subject alternative names: \\[node-.\\.example\\.com\\]"; + assertThat(expectedException.getMessage(), 
matchesPattern(expectedMessagePattern)); + } + + @Test + public void testSecurityAdminHostnameVerificationNotEnforced() throws Exception { + final Settings settings = Settings.builder() + .put("plugins.security.ssl.http.enabled",true) + .put("plugins.security.ssl.http.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/root-ca.pem")) + .put("plugins.security.ssl.http.pemcert_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/node.crt.pem")) + .put("plugins.security.ssl.http.pemkey_filepath", FileHelper.getAbsoluteFilePathFromClassPath("securityadmin/node.key.pem")) + .putList("plugins.security.authcz.admin_dn", List.of("CN=kirk,OU=client,O=client,L=test,C=de")) + .build(); + setup(Settings.EMPTY, null, settings, false); + + final String prefix = getResourceFolder()==null?"securityadmin/":getResourceFolder()+"/securityadmin/"; + + List argsAsList = new ArrayList<>(); + argsAsList.add("-cacert"); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"root-ca.pem").toFile().getAbsolutePath()); + argsAsList.add("-cert"); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk.crt.pem").toFile().getAbsolutePath()); + argsAsList.add("-key"); + argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk.key.pem").toFile().getAbsolutePath()); + argsAsList.add("-p"); + argsAsList.add(String.valueOf(clusterInfo.httpPort)); + argsAsList.add("-icl"); + addDirectoryPath(argsAsList, TEST_RESOURCE_ABSOLUTE_PATH); + argsAsList.add("-nhnv"); + + int returnCode = SecurityAdmin.execute(argsAsList.toArray(new String[0])); + Assert.assertEquals(0, returnCode); + } + @Test public void testSecurityAdminInvalidCert() throws Exception { final Settings settings = Settings.builder() diff --git a/src/test/resources/securityadmin/certificate_generation.md b/src/test/resources/securityadmin/certificate_generation.md new file mode 100644 index 0000000000..ae60ae5a07 --- /dev/null 
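Review bot: testSecurityAdminHostnameVerificationEnforced never passes `-h`, so the expected mismatch depends on SecurityAdmin's default host not being one of the names in node.crt.pem, whose generation notes list `DNS:node-1.example.com,IP:127.0.0.1`. Making the target explicit, `argsAsList.add("-h"); argsAsList.add("localhost");`, keeps the test meaningful if that default ever changes. The two added tests cover only enforced-and-mismatching and disabled. A third case that connects to `127.0.0.1` without `-nhnv` and expects return code 0 (assuming the test cluster listens there) would show that verification accepts a matching name rather than rejecting every connection. The settings and argument setup are also repeated almost verbatim in both tests and could move into a private helper.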
+++ b/src/test/resources/securityadmin/certificate_generation.md
@@ -0,0 +1,23 @@
+# Script to generate certificates for SecurityAdmin Tests
+
+```
+openssl genrsa -out root-ca-key.pem 2048
+openssl req -x509 -sha256 -new -nodes -key root-ca-key.pem -subj "/DC=com/DC=example/O=Example Com Inc./OU=Example Com Inc. Root CA/CN=Example Com Inc. Root CA" -days 3650 -out root-ca.pem
+openssl genrsa -out signing-key.pem 2048
+openssl req -x509 -sha256 -new -nodes -CA root-ca.pem -CAkey root-ca-key.pem -key signing-key.pem -subj "/DC=com/DC=example/O=Example Com Inc./OU=Example Com Inc. Signing CA/CN=Example Com Inc. Signing CA" -days 3650 -out signing.pem
+
+openssl genrsa -out node-key-temp.pem 2048
+openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node.key.pem
+openssl req -new -key node.key.pem -subj "/C=DE/L=Test/O=Test/OU=SSL/CN=node-1.example.com" -out node.csr
+openssl x509 -req -days 3650 -extfile <(printf "subjectAltName=DNS:node-1.example.com,IP:127.0.0.1") -in node.csr -out node.crt.pem -CA signing.pem -CAkey signing-key.pem
+
+# CN=kirk,OU=client,O=client,L=Test,C=DE
+openssl genrsa -out kirk-key-temp.pem 2048
+openssl pkcs8 -inform PEM -outform PEM -in kirk-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out kirk.key.pem
+openssl req -new -key kirk.key.pem -subj "/C=DE/L=Test/O=client/OU=client/CN=kirk" -out kirk.csr
+openssl x509 -req -days 3650 -in kirk.csr -out kirk.crt.pem -CA signing.pem -CAkey signing-key.pem
+```
+
+For `kirk.crt.pem` and `node.crt.pem` all certificates in the chain including `root-ca.pem` and `signing.pem` need to be included in the file.
+
+When bundling the certificates together in the same file the root certificate is placed at the bottom and the lowest level certificate (the node certificate) on the top.
diff --git a/src/test/resources/securityadmin/kirk.crt.pem b/src/test/resources/securityadmin/kirk.crt.pem
new file mode 100644
index 0000000000..b126e36c56
--- /dev/null
+++ b/src/test/resources/securityadmin/kirk.crt.pem 
@@ -0,0 +1,69 @@ +-----BEGIN CERTIFICATE----- +MIIDajCCAlICFCVxBZmleOHXHqoyn6dQlHVWZ/t8MA0GCSqGSIb3DQEBCwUAMIGV +MRMwEQYKCZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZ +MBcGA1UECgwQRXhhbXBsZSBDb20gSW5jLjEkMCIGA1UECwwbRXhhbXBsZSBDb20g +SW5jLiBTaWduaW5nIENBMSQwIgYDVQQDDBtFeGFtcGxlIENvbSBJbmMuIFNpZ25p +bmcgQ0EwHhcNMjMwNTAyMTc1NzA2WhcNMzMwNDI5MTc1NzA2WjBNMQswCQYDVQQG +EwJERTENMAsGA1UEBwwEVGVzdDEPMA0GA1UECgwGY2xpZW50MQ8wDQYDVQQLDAZj +bGllbnQxDTALBgNVBAMMBGtpcmswggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDFYEoC+qyqLKhNpSAj3qUfhGRNmoHlpDRG2Zq+wAx6e24pODNGtyrtswF7 +7Nf3HgODMrFMCg/gJC6U78VbI4hPO63E+nQr3Q2h7kdn7E4t1VJOUY4YFROyvayD +epDWmIGwer0H+Wd+7t6TrQod/Hj5do3og5IgBaK1AS4OExanmuJ10WrfzctS9dg4 +xY2RT7pmNWVeOA1IdkPRu5T7jr72n66jSuwqbTiS+vQHdqgZsXUC+DtvMtRmRYo0 +QT4nndNYA72FFKH9bmKiLvNyeTMAn45fE+ebiZGFTcK7e5hZ+l6YTWvUlGoS54t+ +2kNxTaHl3NXr9KCwF7lT/HoS42RnAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFNe +E2ClU0OxVk5nWmQUnr3MmsFDaBe/0CfGBHLcixqRenaGlwGcrUB4B2mYF3xkGRhF +xrd2lJy3bMxYxl5Zp63atdK5s7JnHSatPFGxwJJ/9BRDeZtx0X42mCspb1ho+0yV +bUVYOiy3G/Nt7erfRb8a6ZlWk3Ri2HZ/OG3jQnQCLPstNZ5DeRlM33ltiHj3EDlz +PyRgp+n89FLKZjImY4zJdjBKdfky2PKKZGJJ+57L+fIu/2TR17Qeaxf4cRa6DWtX +8fwRHkrj9MVLvdASLwFKfdEefw/uTPLigwdrydjy+AFogfpmBvJ9CXqCq81lSROr +Pzbo7NaChtZ6Mxgd3fU= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEBzCCAu+gAwIBAgIUC1KT/DcaMNL7fjY7g361424pyWowDQYJKoZIhvcNAQEL +BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt +cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl +IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v +dCBDQTAeFw0yMzA1MDIxNzU3MDVaFw0zMzA0MjkxNzU3MDVaMIGVMRMwEQYKCZIm +iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ +RXhhbXBsZSBDb20gSW5jLjEkMCIGA1UECwwbRXhhbXBsZSBDb20gSW5jLiBTaWdu +aW5nIENBMSQwIgYDVQQDDBtFeGFtcGxlIENvbSBJbmMuIFNpZ25pbmcgQ0EwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxgE4w07GMwoHzxYlXSmNYv3Lx +iPvftzWrFfA15dyHcCrYnoTN+re5uTi8L40Obzr7BzL41mFHED85EfvGYl02MCai 
+jA2MHE7vh1JxKJ4oLMI0jtXYaBPXDb96qcfCMC+Vce0RH+I815nip1Amf/M/jMov +KlGGYSipa4otfj8ZrinMItFucpY/mEsFgzO+yQ+Go2gzyJlNeJXIuhsfdvkq76X8 ++oNrltHL1f/Y1HP7qV5eZn6uODSesHGK1VCLg7UIRk3aZRmAo5ZwTV5xb3rKhxDJ +mvBtK77TcG9CA3MXOM204G7n85aYN+Xrb+c5xQjzsR6bo1O4I37fn8sSP9/hAgMB +AAGjUzBRMB0GA1UdDgQWBBTotToiEVpUwaXfM1lPhT4Cf+wxpzAfBgNVHSMEGDAW +gBTeMJiA4CPf0XcafDPDTzO+iylLfzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 +DQEBCwUAA4IBAQAfiHlJtB+NWDS68BRnpil500PPQzB0edqhO3h/2tnXmxtXKbH/ +0sKgCvPn3tEK8y5WrzC2UDB2F594TlGUWHiMwy1SwMkrP8gUpDS2syisaORyQ7/1 +aOktoD0eBZEWFJtGLCPR7uz/KtbZo6QsAZYhxqdE9Dn2Dw2d0YcIFogCG9ohAIWm +6Hss2CTs2z1YKXJqYb+o0jwFDRF0H7cd5HeFaMQIkz9hLURInUU3JYemONzaxc26 +peelfPOmDySzaQjqn4lQRXXze79fMs3G5hD+f8WvQqtJkSGS1CXnLvZ8PBf12jxZ +0SkzxLWyKOSz6M3tXonaxsLMXF+4dM48+NOm +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEATCCAumgAwIBAgIUUe5xSfjzHNOkaqCRf5AIYXQQM3cwDQYJKoZIhvcNAQEL +BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt +cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl +IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v +dCBDQTAeFw0yMzA1MDIxNzU3MDVaFw0zMzA0MjkxNzU3MDVaMIGPMRMwEQYKCZIm +iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ +RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290 +IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTQTojW8vphvADeNvMhFyfV0p7EA77bxQf +XBzbwGXqjeS4X1WeisbOi+HvBvrmg3olzzA2vVH+5gT+5S6Q62BX4oyCyyqoK/3n +gc+8JBLGpACEeLQotLE238L8wzM+L4WblZretvAi85JZ09ur0yZ7C6QE3QeGMRrL +9OjHuCtzSAJO3t8uuf+IwDMM/8k822reski+iVsNxHVsBkTDFbHbVKFuHadqaMRp +G2wFINnSi4L/hMAQtIvJasjiW26kZKLd8WckDYGgZaFc1l46RR7Pj/lULBCdc86X +INuL1M411RjB08tqMTTjqvQhMWlv+qVkoVlyx97iFKWo5gNz2FbRAgMBAAGjUzBR +MB0GA1UdDgQWBBTeMJiA4CPf0XcafDPDTzO+iylLfzAfBgNVHSMEGDAWgBTeMJiA +4CPf0XcafDPDTzO+iylLfzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA +A4IBAQAz7tZirV9htIc3bNE0IxJ1F1oMfQChH4kgZiw8coLZ6dElzUzBhF3JZEyL 
+CDxnI0Q94l+Wg6KGUNSAqlYcXbcWYhgml0B6oCGp30GlyhbK16OrapKcHitjYoKB +rNtf5H4Ks0/I9YK9NKCLrFPsp9Qt5qStQuhZcumJbct8irXLPmrVTLKrIqCkBmP5 +7P7v9Vud5/TxWTjLUZo+eS/AkJurOdDZDf+lVmpcbsez6HsSusNu5E7BDwLcPIFQ +MukDp/SRLInq8I8cA5t5U+tiQgsUCdLMIaLQ72EJuCId9XB8oyhP/rOJy+xwNnLW +ZngkAWtN8JWNoaA8FkLYbJOGLikP +-----END CERTIFICATE----- diff --git a/src/test/resources/securityadmin/kirk.key.pem b/src/test/resources/securityadmin/kirk.key.pem new file mode 100644 index 0000000000..ea7127c156 --- /dev/null +++ b/src/test/resources/securityadmin/kirk.key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDFYEoC+qyqLKhN +pSAj3qUfhGRNmoHlpDRG2Zq+wAx6e24pODNGtyrtswF77Nf3HgODMrFMCg/gJC6U +78VbI4hPO63E+nQr3Q2h7kdn7E4t1VJOUY4YFROyvayDepDWmIGwer0H+Wd+7t6T +rQod/Hj5do3og5IgBaK1AS4OExanmuJ10WrfzctS9dg4xY2RT7pmNWVeOA1IdkPR +u5T7jr72n66jSuwqbTiS+vQHdqgZsXUC+DtvMtRmRYo0QT4nndNYA72FFKH9bmKi +LvNyeTMAn45fE+ebiZGFTcK7e5hZ+l6YTWvUlGoS54t+2kNxTaHl3NXr9KCwF7lT +/HoS42RnAgMBAAECggEADtRZOzgSWQbZ7luFuqwzw9ZyotIFCHf55Yjb85ECXwF/ +GWG7mIiSlSFp7yGwaES9BtJ8N7ZZ0wFk7pPFRD+7MhjNyYr3x4PoTk5U1x4OEauB +b5j5EB4lSLyvhYFj+Huk4tmV8k9u0z6nQnkx1Wbuv++EYf/grr89plPcXfpZLWZ3 +0y84mR/ENYXtbtPSwLgMR6OY+q36hqc2a9+si4j/P0jf37jfyE8AlTGWEGdKQaN8 +iLLfyXpKxHn8zweZ3kWzOS2mZhya15S9F5YUS+d3TOt1J/3EcxMu/UJMxWBN/Tea +JvMZUgMTVyg4RN/MOzvjOUDKOUdgGIdPI6G9/nfs4QKBgQDzQPqxJBgy5BUVXOAO +/lT4QvMFnKiPxedDkSHHwPXwx+dqL6Bk/1mco3P6VDX5OfB4xp0NWkjekfyU01Ab +jvULO2MaH3MEiQuDuYs3NDY+lT/YGdlB7Asd8AMr8Clu5DHTjyz6KefS+stOfbrn +smAmpk/TdTM/lQfhZPiU4FVhSwKBgQDPt+dfqw2zm+T5g3KeJ/Ej5UsThiNJseIh +KF5NlPrRfsdIybkcbDtIiHlJ3qVn6Tq8zEvEANdwYd3/7orFilUahc9zlA7z9O2L +tRu8I9zjI3vjArzO0Wkh1NxDoGzQX6giTHDpL7+m/bjc3pj1RXjlP8IRHx7j6w3H ++ciKuTaz1QKBgG1UBBg/f7zHtA4g6vbyKiBWfsFD8qKDsPg2L3eG60KnpgOcmjsq +ZQ04jXSyCnwUJVcy9P0+Wcfm1x3Qh42LR+kfbOAdyGT+bzVp2/8YsVSZYdNvcqzl +OO3gpJxH2WdkmlxaWj2pPe8eFugVLD7cdciJMRF5+GmYQq1z4yGOXfFXAoGAV2yA +fhxhPOntGjL/x57p+ACmc4YuTfMHSItT/XUph4jDWVhFh7fpz6JY4gVKOozIAvQ9 +IzZzdkJKjFAaqf+JyArvgCadkIHShM1p6epyKksh9i6NxsIObIXJWtEnWyAXhLAF +ia9mC2OYLaWmXPyrYFlQVaJyftzMRRFVHUXMxy0CgYBT2+xAwAMxj4HVtwBthQXH +0Akawz9Gvw7/BJOGBRzJMM6H5qqejWbA/FKmvySdK2IrQ6dISjrVMr7VtjMrwumM +JO3T54O4iuFpNck1z+d4BZjvWpsxpPRg4RktwhMtJ2BZYh43aI4pFfxs6YFga+ZK +vMm+70bHS8AskkmaxAFzHw== +-----END PRIVATE KEY----- diff --git a/src/test/resources/securityadmin/node.crt.pem b/src/test/resources/securityadmin/node.crt.pem new file mode 100644 index 0000000000..adb2996edb --- /dev/null +++ b/src/test/resources/securityadmin/node.crt.pem 
@@ -0,0 +1,71 @@ +-----BEGIN CERTIFICATE----- +MIID4TCCAsmgAwIBAgIUKmE8oZm3QVdGZWbKLY8S4F05UugwDQYJKoZIhvcNAQEL +BQAwgZUxEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt +cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSQwIgYDVQQLDBtFeGFtcGxl +IENvbSBJbmMuIFNpZ25pbmcgQ0ExJDAiBgNVBAMMG0V4YW1wbGUgQ29tIEluYy4g +U2lnbmluZyBDQTAeFw0yMzA1MDIxODI0MzFaFw0zMzA0MjkxODI0MzFaMFYxCzAJ +BgNVBAYTAkRFMQ0wCwYDVQQHDARUZXN0MQ0wCwYDVQQKDARUZXN0MQwwCgYDVQQL +DANTU0wxGzAZBgNVBAMMEm5vZGUtMS5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAKfvsczlQQAPg0iivG6O5kazZjS8z3dM6b/hmtw7 +NSlihZeXgPOoyd1BttCNB1fo/TsnikHggWRVHj8v01kNJtKmvgdtTYJIUJEZJdEH +NHFXmxR+3YhmZr1qKdkihB0Z7rv+oYrHe2MOg8jtt3VPZuOIZZXfIJWw93CajXaO +zNv/sNdPdaPI8tTJIzihYNVcMtx5koPS66xB2Rwp06MfvJ568BAXxl2QSRjWFX4v +CFOzKL8nZtr779HemWFABzCllzff7xLcjWbkaoTk7gPrgh6vzW0hE2pLAbNnlre3 +rommG/zzKgmytZ+PTvbEyhiuNjVgcCG2vhGu8myRYgoGZw8CAwEAAaNnMGUwIwYD +VR0RBBwwGoISbm9kZS0xLmV4YW1wbGUuY29thwR/AAABMB0GA1UdDgQWBBQ04XN1 +I1bs3kMQrOhNfL/rxZpeUzAfBgNVHSMEGDAWgBTotToiEVpUwaXfM1lPhT4Cf+wx +pzANBgkqhkiG9w0BAQsFAAOCAQEADAaqiuJBzK8/PYN30Xx6QnKnwj4GlzzSVY/O +AzNgfUL7QH1k6tBNlgyFom2UozIZvFuCdfJg6X5+BFWXSh4LuvODzudWUQM3bjh4 +JZJYOTTOmT6lBi+KAPbwpirj+XUVvqNlAew81b0n63uWh8yeGBa/5G0G28Dyu6Ma +E1jZDmKVLZqGByhM46IUxov7aDFk4elM2nH0JVZpFPbTjjN5bLefqwIW8Y7NjU9s +8Zvv4fFtsoKqPhFhPAMTjlg7bMOqtWIw95w0L1fRz9yCuN0LAjlqCFKDGLmaWqFK +GaQKbw86KKrPfl8y9yqBgfUN69NmE5qhgmobu0so5Yy5V69BwQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEBzCCAu+gAwIBAgIUC1KT/DcaMNL7fjY7g361424pyWowDQYJKoZIhvcNAQEL +BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt +cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl +IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v +dCBDQTAeFw0yMzA1MDIxNzU3MDVaFw0zMzA0MjkxNzU3MDVaMIGVMRMwEQYKCZIm +iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ +RXhhbXBsZSBDb20gSW5jLjEkMCIGA1UECwwbRXhhbXBsZSBDb20gSW5jLiBTaWdu 
+aW5nIENBMSQwIgYDVQQDDBtFeGFtcGxlIENvbSBJbmMuIFNpZ25pbmcgQ0EwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxgE4w07GMwoHzxYlXSmNYv3Lx +iPvftzWrFfA15dyHcCrYnoTN+re5uTi8L40Obzr7BzL41mFHED85EfvGYl02MCai +jA2MHE7vh1JxKJ4oLMI0jtXYaBPXDb96qcfCMC+Vce0RH+I815nip1Amf/M/jMov +KlGGYSipa4otfj8ZrinMItFucpY/mEsFgzO+yQ+Go2gzyJlNeJXIuhsfdvkq76X8 ++oNrltHL1f/Y1HP7qV5eZn6uODSesHGK1VCLg7UIRk3aZRmAo5ZwTV5xb3rKhxDJ +mvBtK77TcG9CA3MXOM204G7n85aYN+Xrb+c5xQjzsR6bo1O4I37fn8sSP9/hAgMB +AAGjUzBRMB0GA1UdDgQWBBTotToiEVpUwaXfM1lPhT4Cf+wxpzAfBgNVHSMEGDAW +gBTeMJiA4CPf0XcafDPDTzO+iylLfzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 +DQEBCwUAA4IBAQAfiHlJtB+NWDS68BRnpil500PPQzB0edqhO3h/2tnXmxtXKbH/ +0sKgCvPn3tEK8y5WrzC2UDB2F594TlGUWHiMwy1SwMkrP8gUpDS2syisaORyQ7/1 +aOktoD0eBZEWFJtGLCPR7uz/KtbZo6QsAZYhxqdE9Dn2Dw2d0YcIFogCG9ohAIWm +6Hss2CTs2z1YKXJqYb+o0jwFDRF0H7cd5HeFaMQIkz9hLURInUU3JYemONzaxc26 +peelfPOmDySzaQjqn4lQRXXze79fMs3G5hD+f8WvQqtJkSGS1CXnLvZ8PBf12jxZ +0SkzxLWyKOSz6M3tXonaxsLMXF+4dM48+NOm +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEATCCAumgAwIBAgIUUe5xSfjzHNOkaqCRf5AIYXQQM3cwDQYJKoZIhvcNAQEL +BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt +cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl +IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v +dCBDQTAeFw0yMzA1MDIxNzU3MDVaFw0zMzA0MjkxNzU3MDVaMIGPMRMwEQYKCZIm +iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ +RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290 +IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTQTojW8vphvADeNvMhFyfV0p7EA77bxQf +XBzbwGXqjeS4X1WeisbOi+HvBvrmg3olzzA2vVH+5gT+5S6Q62BX4oyCyyqoK/3n +gc+8JBLGpACEeLQotLE238L8wzM+L4WblZretvAi85JZ09ur0yZ7C6QE3QeGMRrL +9OjHuCtzSAJO3t8uuf+IwDMM/8k822reski+iVsNxHVsBkTDFbHbVKFuHadqaMRp +G2wFINnSi4L/hMAQtIvJasjiW26kZKLd8WckDYGgZaFc1l46RR7Pj/lULBCdc86X +INuL1M411RjB08tqMTTjqvQhMWlv+qVkoVlyx97iFKWo5gNz2FbRAgMBAAGjUzBR 
+MB0GA1UdDgQWBBTeMJiA4CPf0XcafDPDTzO+iylLfzAfBgNVHSMEGDAWgBTeMJiA +4CPf0XcafDPDTzO+iylLfzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA +A4IBAQAz7tZirV9htIc3bNE0IxJ1F1oMfQChH4kgZiw8coLZ6dElzUzBhF3JZEyL +CDxnI0Q94l+Wg6KGUNSAqlYcXbcWYhgml0B6oCGp30GlyhbK16OrapKcHitjYoKB +rNtf5H4Ks0/I9YK9NKCLrFPsp9Qt5qStQuhZcumJbct8irXLPmrVTLKrIqCkBmP5 +7P7v9Vud5/TxWTjLUZo+eS/AkJurOdDZDf+lVmpcbsez6HsSusNu5E7BDwLcPIFQ +MukDp/SRLInq8I8cA5t5U+tiQgsUCdLMIaLQ72EJuCId9XB8oyhP/rOJy+xwNnLW +ZngkAWtN8JWNoaA8FkLYbJOGLikP +-----END CERTIFICATE----- diff --git a/src/test/resources/securityadmin/node.key.pem b/src/test/resources/securityadmin/node.key.pem new file mode 100644 index 0000000000..fd82ed2d2c --- /dev/null +++ b/src/test/resources/securityadmin/node.key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCn77HM5UEAD4NI +orxujuZGs2Y0vM93TOm/4ZrcOzUpYoWXl4DzqMndQbbQjQdX6P07J4pB4IFkVR4/ +L9NZDSbSpr4HbU2CSFCRGSXRBzRxV5sUft2IZma9ainZIoQdGe67/qGKx3tjDoPI +7bd1T2bjiGWV3yCVsPdwmo12jszb/7DXT3WjyPLUySM4oWDVXDLceZKD0uusQdkc +KdOjH7yeevAQF8ZdkEkY1hV+LwhTsyi/J2ba++/R3plhQAcwpZc33+8S3I1m5GqE +5O4D64Ier81tIRNqSwGzZ5a3t66Jphv88yoJsrWfj072xMoYrjY1YHAhtr4RrvJs +kWIKBmcPAgMBAAECggEAMkXkISVkHwOF1qG47RPkRbgA2brIFLu2ohWEiXdEA96V +hXr6RHb77ztz4dzGHQAHhsTgc7YkpgeBJYNIrrjsLVVzP7/t2xmQ3M79biTNAz0p +lKoh4WpeSUfVvUXC7P9NY4PnkicDffTjaKwZJoodj/HOD16bX5R5joEF5j77fsQA +3DkCD9JxNKxRXz0lH5ICExItQEFweDDT749LunEBC2BDHQ6UDO1JGC7Js9D/ri9C +sNB/1OMO0AV/g7V0pMD6GlkO48UVYK9kxBZQAgI9YiRtlkVyD4Uy/CxzptJepkRW +uqx4lD5F98bKpwleqsPNkFCj1ifXd8WAFAD4wkC8mQKBgQC8+JLgFVSmBzzbQSmM +3iaqcm2wkhWIESV/rEtHvgJCtBZYT1NBekWdZmODfyU0Q2E/lPAYH2LgT+jgoMZ/ +JkvkrMAv8Cgh4J3Jklku29R8YyTYdouje62a69p6u02rbZFDQEeVfVVEHApnngpd +YVmOm9eSBTBya+1lpO3H394UwwKBgQDjgRNhLoO8ce1V+Txmad1/rwfst364adXf +UsfxTIP6wJTQXdm1ZVeqswKaGsVAaq6fX83XLT1H47c5newoll3V8KPLjAiAy/VR +MDMKj2Rr4ojOshdiN+5wiPOVAgmrGg8eTH0wdNchtUAbI31fzzC9n8uYl146bax3 +I4NwyOMPxQKBgQCOdhtMQeh57lTrullXsJaXwwJ8rfT7immpsbtjD5Tmsptx4gOT +Bln7CpiVJsJmfzGOXHsQxICnOLcIuUxLyRRIBhAxU6z9tTdfIiyHzgSH7bp2UhB9 +pBzCAXLJOfGY/lYXzBrrUPx6B2W0rgmEUoLQpx5CIBVg/YqQKWF1YIktPwKBgQDF +7nSn5koi15O/atoL2CsnfWaNoo+TbjDu3RyraQCiVo6iQiS5VvRQxPGMlaHri2Vl +r3psrSVVuF6euDDQlxIIohY/bxOuysQh4Kdnlp2t5ydTfUou366JJf2WNHGo9UEW +AUIhuGW7I/AkLFpV0vL6513A4mDOwMB93t3qcDxsaQKBgAyXuK+6SpVkGj0HgGBH +PyAzkoAoTcnv5gBDs/p4MiAigkAl3WqhoouWYUP2nCiQZmA4rbXcNVdClebHBD64 +jmgfXo8E2i+MHhbAWyNSWrHL7punrcdOFETw1JrvFxhPORnDLwpyfSL9DC3JfNmD +RBM+Z8nCKBWcmxtCpMqmdbdR +-----END PRIVATE KEY----- diff --git a/src/test/resources/securityadmin/root-ca.pem b/src/test/resources/securityadmin/root-ca.pem new file mode 100644 index 0000000000..eed8cd0b06 --- /dev/null +++ b/src/test/resources/securityadmin/root-ca.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEATCCAumgAwIBAgIUUe5xSfjzHNOkaqCRf5AIYXQQM3cwDQYJKoZIhvcNAQEL +BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt +cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl +IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v +dCBDQTAeFw0yMzA1MDIxNzU3MDVaFw0zMzA0MjkxNzU3MDVaMIGPMRMwEQYKCZIm +iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ +RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290 +IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTQTojW8vphvADeNvMhFyfV0p7EA77bxQf +XBzbwGXqjeS4X1WeisbOi+HvBvrmg3olzzA2vVH+5gT+5S6Q62BX4oyCyyqoK/3n +gc+8JBLGpACEeLQotLE238L8wzM+L4WblZretvAi85JZ09ur0yZ7C6QE3QeGMRrL +9OjHuCtzSAJO3t8uuf+IwDMM/8k822reski+iVsNxHVsBkTDFbHbVKFuHadqaMRp +G2wFINnSi4L/hMAQtIvJasjiW26kZKLd8WckDYGgZaFc1l46RR7Pj/lULBCdc86X +INuL1M411RjB08tqMTTjqvQhMWlv+qVkoVlyx97iFKWo5gNz2FbRAgMBAAGjUzBR +MB0GA1UdDgQWBBTeMJiA4CPf0XcafDPDTzO+iylLfzAfBgNVHSMEGDAWgBTeMJiA +4CPf0XcafDPDTzO+iylLfzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA +A4IBAQAz7tZirV9htIc3bNE0IxJ1F1oMfQChH4kgZiw8coLZ6dElzUzBhF3JZEyL +CDxnI0Q94l+Wg6KGUNSAqlYcXbcWYhgml0B6oCGp30GlyhbK16OrapKcHitjYoKB +rNtf5H4Ks0/I9YK9NKCLrFPsp9Qt5qStQuhZcumJbct8irXLPmrVTLKrIqCkBmP5 +7P7v9Vud5/TxWTjLUZo+eS/AkJurOdDZDf+lVmpcbsez6HsSusNu5E7BDwLcPIFQ +MukDp/SRLInq8I8cA5t5U+tiQgsUCdLMIaLQ72EJuCId9XB8oyhP/rOJy+xwNnLW +ZngkAWtN8JWNoaA8FkLYbJOGLikP +-----END CERTIFICATE-----