Merge pull request libgit2#6877 from yerseg/ability_to_add_custom_x509_certs

ethomson · web-flow · commit 751c68f1b6ad · 2024-10-02T13:09:31.000+01:00
ssl: ability to add raw X509 certs to the cert store
diff --git a/include/git2/common.h b/include/git2/common.h
@@ -199,6 +199,7 @@ typedef enum {
 	GIT_OPT_GET_TEMPLATE_PATH,
 	GIT_OPT_SET_TEMPLATE_PATH,
 	GIT_OPT_SET_SSL_CERT_LOCATIONS,
+	GIT_OPT_ADD_SSL_X509_CERT,
 	GIT_OPT_SET_USER_AGENT,
 	GIT_OPT_ENABLE_STRICT_OBJECT_CREATION,
 	GIT_OPT_ENABLE_STRICT_SYMBOLIC_REF_CREATION,
@@ -335,8 +336,21 @@ typedef enum {
  *		> - `path` is the location of a directory holding several
  *		>   certificates, one per file.
  *		>
+ *		> Calling `GIT_OPT_ADD_SSL_X509_CERT` may override the
+ *		> data in `path`.
+ *		>
  * 		> Either parameter may be `NULL`, but not both.
  *
+ *  * opts(GIT_OPT_ADD_SSL_X509_CERT, const X509 *cert)
+ *
+ *		> Add a raw X509 certificate into the SSL certs store.
+ *		> This certificate is only used by libgit2 invocations
+ *		> during the application lifetime and is not persisted
+ *		> to disk. This certificate cannot be removed from the
+ *		> application once is has been added.
+ *		>
+ *		> - `cert` is the raw X509 cert will be added to cert store.
+ *
  *	* opts(GIT_OPT_SET_USER_AGENT, const char *user_agent)
  *
  *		> Set the value of the comment section of the User-Agent header.
diff --git a/src/libgit2/settings.c b/src/libgit2/settings.c
@@ -222,6 +222,18 @@ int git_libgit2_opts(int key, ...)
 #endif
 		break;
 
+	case GIT_OPT_ADD_SSL_X509_CERT:
+#ifdef GIT_OPENSSL
+		{
+			X509 *cert = va_arg(ap, X509 *);
+			error = git_openssl__add_x509_cert(cert);
+		}
+#else
+		git_error_set(GIT_ERROR_SSL, "TLS backend doesn't support adding of the raw certs");
+		error = -1;
+#endif
+		break;
+
 	case GIT_OPT_SET_USER_AGENT:
 		{
 			const char *new_agent = va_arg(ap, const char *);
diff --git a/src/libgit2/streams/openssl.c b/src/libgit2/streams/openssl.c
@@ -722,6 +722,30 @@ int git_openssl__set_cert_location(const char *file, const char *path)
 	return 0;
 }
 
+int git_openssl__add_x509_cert(X509 *cert)
+{
+	X509_STORE *cert_store;
+
+	if (openssl_ensure_initialized() < 0)
+		return -1;
+
+	if (!(cert_store = SSL_CTX_get_cert_store(git__ssl_ctx)))
+		return -1;
+
+	if (cert && X509_STORE_add_cert(cert_store, cert) == 0) {
+		git_error_set(GIT_ERROR_SSL, "OpenSSL error: failed to add raw X509 certificate");
+		return -1;
+	}
+
+	return 0;
+}
+
+int git_openssl__reset_context(void)
+{
+	shutdown_ssl();
+	return openssl_init();
+}
+
 #else
 
 #include "stream.h"
diff --git a/src/libgit2/streams/openssl.h b/src/libgit2/streams/openssl.h
@@ -24,6 +24,8 @@ extern int git_openssl_stream_global_init(void);
 
 #ifdef GIT_OPENSSL
 extern int git_openssl__set_cert_location(const char *file, const char *path);
+extern int git_openssl__add_x509_cert(X509 *cert);
+extern int git_openssl__reset_context(void);
 extern int git_openssl_stream_new(git_stream **out, const char *host, const char *port);
 extern int git_openssl_stream_wrap(git_stream **out, git_stream *in, const char *host);
 #endif
diff --git a/src/libgit2/streams/openssl_dynamic.c b/src/libgit2/streams/openssl_dynamic.c
@@ -80,6 +80,7 @@ int (*X509_NAME_get_index_by_NID)(X509_NAME *name, int nid, int lastpos);
 void (*X509_free)(X509 *a);
 void *(*X509_get_ext_d2i)(const X509 *x, int nid, int *crit, int *idx);
 X509_NAME *(*X509_get_subject_name)(const X509 *x);
+int (*X509_STORE_add_cert)(X509_STORE *ctx, X509 *x);
 
 int (*i2d_X509)(X509 *a, unsigned char **ppout);
 
@@ -209,6 +210,7 @@ int git_openssl_stream_dynamic_init(void)
 	X509_free = (void (*)(X509 *))openssl_sym(&err, "X509_free", true);
 	X509_get_ext_d2i = (void *(*)(const X509 *x, int nid, int *crit, int *idx))openssl_sym(&err, "X509_get_ext_d2i", true);
 	X509_get_subject_name = (X509_NAME *(*)(const X509 *))openssl_sym(&err, "X509_get_subject_name", true);
+	X509_STORE_add_cert = (int (*)(X509_STORE *ctx, X509 *x))openssl_sym(&err, "X509_STORE_add_cert", true);
 
 	i2d_X509 = (int (*)(X509 *a, unsigned char **ppout))openssl_sym(&err, "i2d_X509", true);
 
diff --git a/src/libgit2/streams/openssl_dynamic.h b/src/libgit2/streams/openssl_dynamic.h
@@ -326,6 +326,7 @@ extern int (*X509_NAME_get_index_by_NID)(X509_NAME *name, int nid, int lastpos);
 extern void (*X509_free)(X509 *a);
 extern void *(*X509_get_ext_d2i)(const X509 *x, int nid, int *crit, int *idx);
 extern X509_NAME *(*X509_get_subject_name)(const X509 *x);
+extern int (*X509_STORE_add_cert)(X509_STORE *ctx, X509 *x);
 
 extern int (*i2d_X509)(X509 *a, unsigned char **ppout);
 
diff --git a/tests/libgit2/online/customcert.c b/tests/libgit2/online/customcert.c
@@ -1,3 +1,4 @@
+#include "clar.h"
 #include "clar_libgit2.h"
 
 #include "path.h"
@@ -6,45 +7,52 @@
 #include "remote.h"
 #include "futils.h"
 #include "refs.h"
+#include "str.h"
+#include "streams/openssl.h"
+
+#ifdef GIT_OPENSSL
+# include <openssl/ssl.h>
+# include <openssl/err.h>
+# include <openssl/x509v3.h>
+#endif
 
 /*
- * Certificate one is in the `certs` folder; certificate two is in the
- * `self-signed.pem` file.
+ * Certificates for https://test.libgit2.org/ are in the `certs` folder.
  */
+#define CUSTOM_CERT_DIR "certs"
+
 #define CUSTOM_CERT_ONE_URL "https://test.libgit2.org:1443/anonymous/test.git"
-#define CUSTOM_CERT_ONE_PATH "certs"
+#define CUSTOM_CERT_ONE_PATH "one"
 
 #define CUSTOM_CERT_TWO_URL "https://test.libgit2.org:2443/anonymous/test.git"
-#define CUSTOM_CERT_TWO_FILE "self-signed.pem"
+#define CUSTOM_CERT_TWO_FILE "two.pem"
+
+#define CUSTOM_CERT_THREE_URL "https://test.libgit2.org:3443/anonymous/test.git"
+#define CUSTOM_CERT_THREE_FILE "three.pem.raw"
 
 #if (GIT_OPENSSL || GIT_MBEDTLS)
 static git_repository *g_repo;
-static int initialized = false;
 #endif
 
 void test_online_customcert__initialize(void)
 {
 #if (GIT_OPENSSL || GIT_MBEDTLS)
-	g_repo = NULL;
+	git_str path = GIT_STR_INIT, file = GIT_STR_INIT;
+	char cwd[GIT_PATH_MAX];
 
-	if (!initialized) {
-		git_str path = GIT_STR_INIT, file = GIT_STR_INIT;
-		char cwd[GIT_PATH_MAX];
+	g_repo = NULL;
 
-		cl_fixture_sandbox(CUSTOM_CERT_ONE_PATH);
-		cl_fixture_sandbox(CUSTOM_CERT_TWO_FILE);
+	cl_fixture_sandbox(CUSTOM_CERT_DIR);
 
-		cl_must_pass(p_getcwd(cwd, GIT_PATH_MAX));
-		cl_git_pass(git_str_joinpath(&path, cwd, CUSTOM_CERT_ONE_PATH));
-		cl_git_pass(git_str_joinpath(&file, cwd, CUSTOM_CERT_TWO_FILE));
+	cl_must_pass(p_getcwd(cwd, GIT_PATH_MAX));
+	cl_git_pass(git_str_join_n(&path, '/', 3, cwd, CUSTOM_CERT_DIR, CUSTOM_CERT_ONE_PATH));
+	cl_git_pass(git_str_join_n(&file, '/', 3, cwd, CUSTOM_CERT_DIR, CUSTOM_CERT_TWO_FILE));
 
-		cl_git_pass(git_libgit2_opts(GIT_OPT_SET_SSL_CERT_LOCATIONS,
-		                             file.ptr, path.ptr));
-		initialized = true;
+	cl_git_pass(git_libgit2_opts(GIT_OPT_SET_SSL_CERT_LOCATIONS,
+	                             file.ptr, path.ptr));
 
-		git_str_dispose(&file);
-		git_str_dispose(&path);
-	}
+	git_str_dispose(&file);
+	git_str_dispose(&path);
 #endif
 }
 
@@ -57,8 +65,11 @@ void test_online_customcert__cleanup(void)
 	}
 
 	cl_fixture_cleanup("./cloned");
-	cl_fixture_cleanup(CUSTOM_CERT_ONE_PATH);
-	cl_fixture_cleanup(CUSTOM_CERT_TWO_FILE);
+	cl_fixture_cleanup(CUSTOM_CERT_DIR);
+#endif
+
+#ifdef GIT_OPENSSL
+	git_openssl__reset_context();
 #endif
 }
 
@@ -77,3 +88,34 @@ void test_online_customcert__path(void)
 	cl_assert(git_fs_path_exists("./cloned/master.txt"));
 #endif
 }
+
+void test_online_customcert__raw_x509(void)
+{
+#ifdef GIT_OPENSSL
+	X509* x509_cert = NULL;
+	char cwd[GIT_PATH_MAX];
+	git_str raw_file = GIT_STR_INIT,
+		raw_file_data = GIT_STR_INIT,
+		raw_cert = GIT_STR_INIT;
+	const unsigned char *raw_cert_bytes = NULL;
+
+	cl_must_pass(p_getcwd(cwd, GIT_PATH_MAX));
+
+	cl_git_pass(git_str_join_n(&raw_file, '/', 3, cwd, CUSTOM_CERT_DIR, CUSTOM_CERT_THREE_FILE));
+
+	cl_git_pass(git_futils_readbuffer(&raw_file_data, git_str_cstr(&raw_file)));
+	cl_git_pass(git_str_decode_base64(&raw_cert, git_str_cstr(&raw_file_data), git_str_len(&raw_file_data)));
+
+	raw_cert_bytes = (const unsigned char *)git_str_cstr(&raw_cert);
+	x509_cert = d2i_X509(NULL, &raw_cert_bytes, git_str_len(&raw_cert));
+	cl_git_pass(git_libgit2_opts(GIT_OPT_ADD_SSL_X509_CERT, x509_cert));
+	X509_free(x509_cert);
+
+	cl_git_pass(git_clone(&g_repo, CUSTOM_CERT_THREE_URL, "./cloned", NULL));
+	cl_assert(git_fs_path_exists("./cloned/master.txt"));
+
+	git_str_dispose(&raw_cert);
+	git_str_dispose(&raw_file_data);
+	git_str_dispose(&raw_file);
+#endif
+}
diff --git a/tests/resources/certs/README b/tests/resources/certs/README
@@ -0,0 +1,5 @@
+These are self-signed certificates for https://test.libgit2.org/.
+
+* one/ - contains certificates for https://test.libgit2.org:1443/
+* two.pem - contains a certificate for https://test.libgit2.org:2443/
+* three.pem - contains a certificate for https://test.libgit2.org:3443/
diff --git a/tests/resources/certs/one/61f2ddb6.0 b/tests/resources/certs/one/61f2ddb6.0
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFWzCCA0MCFESY816VkhBPUOsdp7djKW5q4ZVzMA0GCSqGSIb3DQEBCwUAMGox
+CzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlD
+YW1icmlkZ2UxFDASBgNVBAoMC2xpYmdpdDIub3JnMRkwFwYDVQQDDBB0ZXN0Lmxp
+YmdpdDIub3JnMB4XDTIxMDgyNTE4NTExMVoXDTMxMDgyMzE4NTExMVowajELMAkG
+A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJy
+aWRnZTEUMBIGA1UECgwLbGliZ2l0Mi5vcmcxGTAXBgNVBAMMEHRlc3QubGliZ2l0
+Mi5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCgvaRUaM3IJh9N
+G6Yc7tHioUsIGU0MkzSvy/X6O/vONnuuioiJQyPIvfRSvZR2iQj8THTypDGhWn3r
+6h2wk5eOUGwJH2N9FrrlEBdpsMc7SKdiJXwTI30mkK3/qru8NzE71dgCkYp1xhKw
+edTkAFK+PkvyVLFL7K35cx8Bxfamyssdb+qGWa7g4P27CWUdvQgmurrzzPIMZiLD
+/cI1Kwer/N7nTY/6CSs9dcHTlanyZdf+mQ50+//vI4F6+OduGHJkxRF48jLUz1rz
+P3WGRMRbHjCmvWpX/9DLgqGk7XTy0hNgNUCit6kawwcv5y7SP/ii86MkynAHn5i8
+d+zhXjdrSSy8i0IbRJafnxmtrsmjGeIzraJSRqMlv7KKWEBz+alm6vlePnRUbWB7
+0po5uSsRPya6kJJCzMjIfKq1dgXq33m9jCG2wU+L4fEHVlEkFGXYTspMlIBNUjTc
+c45+e1EpamF8aHm32PP8gTF8fGZzQjOXmNW5g7t0joWMGZ+Ao2jYc1pG3SOARi36
+azrmB5/XJqbbfVZEzIue01fO/5R8RgabOP1qWUjH2KLb8zTDok+CW0ULNseU+MKf
+PHXG2OjxcR0vTqop2V6JlKTXXx3/TOD16/+mSrrPzNDejLrkvAH9oN38YpMBM8eg
+vfivHNRm0jjdGbv2OOPEBLEf1cNimQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQBZ
+znFta24sWoqdgKXKAK5RHAh/HyOvTInwcXi9RU4XjYlbqNVs0ODR74VRZINoyAL2
+bo+x/iUuAp9+b8fjr79fpVof3nSMU7UtMcT1nvzVmaUYSkKQ0f/9vK4yg0kao1bV
+WwhIc0slKgOJjEicPVs3kd+duv5vakQeUajLPGM8SiS1F/nF67rIuZLdJn2Qp+im
+w5Q3Pjgqw5VrJxyk3AaUcntKHpWy1POLyNV79tXra6BxbtQVlRS0+h1MHELARDFx
+1ZtgyAe5YbWM7WrIiFKD4mmKZu4GMnJDXVpfUub5g0U/e7L/gg6Z1UyYZuln6axw
+RojuAHo1uAWFUsjhWLYV/7P/l/dC+7gFjvSsUqb1+U7jXObzfKjXo/FwYcy4VsVv
+xNbglbhdVjAo/YBTJuf3L0UZjSbxvQIYS+v8u1ECeWE6SH6cHRzryeo5wO4h8NJR
+n30xsvocHFbs4LWy5BVfMUo6wGUy0Y+1gSwSqVMv3JPuLwxUsv0HPdeC00Ab9cHq
+kYXPNZXg3a6orTDa4hJLdAm2V/fn/2KKJYlNj7iCL664QgoCHl7LFyLMiwFVCu5h
+4JjGL3Q+8MondaLZlq5YDmvtj979AyM/7qL4XAE2oofQ4J5dqnKKpMkWdAM/fI/9
+N5DK/4zMXJWgIED0yo2SSZHQmuqZplacOhmfjjZigQ==
+-----END CERTIFICATE-----
diff --git a/tests/resources/certs/one/db4f60b0.0 b/tests/resources/certs/one/db4f60b0.0
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFWzCCA0MCFESY816VkhBPUOsdp7djKW5q4ZVzMA0GCSqGSIb3DQEBCwUAMGox
+CzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlD
+YW1icmlkZ2UxFDASBgNVBAoMC2xpYmdpdDIub3JnMRkwFwYDVQQDDBB0ZXN0Lmxp
+YmdpdDIub3JnMB4XDTIxMDgyNTE4NTExMVoXDTMxMDgyMzE4NTExMVowajELMAkG
+A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJy
+aWRnZTEUMBIGA1UECgwLbGliZ2l0Mi5vcmcxGTAXBgNVBAMMEHRlc3QubGliZ2l0
+Mi5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCgvaRUaM3IJh9N
+G6Yc7tHioUsIGU0MkzSvy/X6O/vONnuuioiJQyPIvfRSvZR2iQj8THTypDGhWn3r
+6h2wk5eOUGwJH2N9FrrlEBdpsMc7SKdiJXwTI30mkK3/qru8NzE71dgCkYp1xhKw
+edTkAFK+PkvyVLFL7K35cx8Bxfamyssdb+qGWa7g4P27CWUdvQgmurrzzPIMZiLD
+/cI1Kwer/N7nTY/6CSs9dcHTlanyZdf+mQ50+//vI4F6+OduGHJkxRF48jLUz1rz
+P3WGRMRbHjCmvWpX/9DLgqGk7XTy0hNgNUCit6kawwcv5y7SP/ii86MkynAHn5i8
+d+zhXjdrSSy8i0IbRJafnxmtrsmjGeIzraJSRqMlv7KKWEBz+alm6vlePnRUbWB7
+0po5uSsRPya6kJJCzMjIfKq1dgXq33m9jCG2wU+L4fEHVlEkFGXYTspMlIBNUjTc
+c45+e1EpamF8aHm32PP8gTF8fGZzQjOXmNW5g7t0joWMGZ+Ao2jYc1pG3SOARi36
+azrmB5/XJqbbfVZEzIue01fO/5R8RgabOP1qWUjH2KLb8zTDok+CW0ULNseU+MKf
+PHXG2OjxcR0vTqop2V6JlKTXXx3/TOD16/+mSrrPzNDejLrkvAH9oN38YpMBM8eg
+vfivHNRm0jjdGbv2OOPEBLEf1cNimQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQBZ
+znFta24sWoqdgKXKAK5RHAh/HyOvTInwcXi9RU4XjYlbqNVs0ODR74VRZINoyAL2
+bo+x/iUuAp9+b8fjr79fpVof3nSMU7UtMcT1nvzVmaUYSkKQ0f/9vK4yg0kao1bV
+WwhIc0slKgOJjEicPVs3kd+duv5vakQeUajLPGM8SiS1F/nF67rIuZLdJn2Qp+im
+w5Q3Pjgqw5VrJxyk3AaUcntKHpWy1POLyNV79tXra6BxbtQVlRS0+h1MHELARDFx
+1ZtgyAe5YbWM7WrIiFKD4mmKZu4GMnJDXVpfUub5g0U/e7L/gg6Z1UyYZuln6axw
+RojuAHo1uAWFUsjhWLYV/7P/l/dC+7gFjvSsUqb1+U7jXObzfKjXo/FwYcy4VsVv
+xNbglbhdVjAo/YBTJuf3L0UZjSbxvQIYS+v8u1ECeWE6SH6cHRzryeo5wO4h8NJR
+n30xsvocHFbs4LWy5BVfMUo6wGUy0Y+1gSwSqVMv3JPuLwxUsv0HPdeC00Ab9cHq
+kYXPNZXg3a6orTDa4hJLdAm2V/fn/2KKJYlNj7iCL664QgoCHl7LFyLMiwFVCu5h
+4JjGL3Q+8MondaLZlq5YDmvtj979AyM/7qL4XAE2oofQ4J5dqnKKpMkWdAM/fI/9
+N5DK/4zMXJWgIED0yo2SSZHQmuqZplacOhmfjjZigQ==
+-----END CERTIFICATE-----
diff --git a/tests/resources/certs/three.pem b/tests/resources/certs/three.pem
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFtTCCA52gAwIBAgIUIGLmUoxDx3fh8dGDdrw81kDLWJgwDQYJKoZIhvcNAQEL
+BQAwajELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNV
+BAcMCUNhbWJyaWRnZTEUMBIGA1UECgwLbGliZ2l0Mi5vcmcxGTAXBgNVBAMMEHRl
+c3QubGliZ2l0Mi5vcmcwHhcNMjQxMDAxMDkwODEzWhcNMzQwOTI5MDkwODEzWjBq
+MQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVzZXR0czESMBAGA1UEBwwJ
+Q2FtYnJpZGdlMRQwEgYDVQQKDAtsaWJnaXQyLm9yZzEZMBcGA1UEAwwQdGVzdC5s
+aWJnaXQyLm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL7tLetm
+ORd4uklvSeFn9eJfHCrhmNkWHd1VVuMhjcKkjk+N7GNdq1UMsSZU0xnJMICjJcnq
+plZ9WnO6VkRibyIf/Xp5dh3sQh9jvuTNhvWAOYv9tjxX1sxA0WeHAZj/5qUMtvH3
+mr0gqNbtIrmEFAeWgcYSJbXhnWit7YEnGReHc17F50hbbLOgl5HLQAzIAEkj4nKX
+hR8KKgyQk3dNfoc9orSjUxDp8fq9Z2prcEOYFmkItvC8rtqLB9EBJ1moGjB1BWEd
+3Eg28TUXubRGwrTbpMWP5UWQWuS2Adnd/oQE7NVe5xhxzad8qlReEodF+ptSux5G
+Nw+qy5l5GbMdNfgmXXp34vUldl8dH1BAtC0QH/fmAg5Ea7Ys0bnM9c0MRHJlX7QC
+3fk/pVCSw7ozuceTyJyqhHMRUAcKeGJETJoBz/nmWm2oG5VjZ54k6ktvjjKNGpuL
+44dR+xpZljESmHOm7c10AKBiuMjSG5i1o7wzWEDDfCPKo/5Uf5mMcTn78yrO83zt
+yhIIYfm1kDTbAMMDo1MYHnsqXROxc0ShyLM5fLf7hWh+p8p0MrLUWbAtdETOOx9Y
+qOla6qOGwmKmZaDR82GBCNcLkkqiuWC9oWb2YCtw7UB6cT7BSR7z8mLzfKrzryuJ
+2IRawZ9JuuHmBMhvLmDWXoLy6zbxTc8eIaffAgMBAAGjUzBRMB0GA1UdDgQWBBTE
+X4I8cLBkgHHuPS6wu1Z2CFVwNjAfBgNVHSMEGDAWgBTEX4I8cLBkgHHuPS6wu1Z2
+CFVwNjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQBzgWp1dk0Y
+ezID9uD4QRdKarPsRwH4EiXi4sk0udjrOljiPWrUTTvg4Zo/PszaJGmFUtoKGrSD
+RqaCHMeSOT3NGuxqvfdSvxT6I7b6mDTRiJGncQ/h6Efj/9M04lHvfPsv33055ZF/
+FZBNznG+FYJM0iOMsgsRq95sM28/Z0eG65YJ/4o4Y9eC+zKUqC+ksVvrEDiinFPP
+XPzrqJ5aW6TgUgQ583Q1u/Ijj3Z+LxlV3fe2OVgFKCL82XOsZPRCQq71vnNXA3KN
+RpmXw4fNgZYmYDzUuEaeP+0jL38sTIZaHOEOPlghjny9c+UgqAWUEiN9M1HC59Dc
+7ViTzRYlWUSbLOzh2vmT7nv7l9eRRNVp5gfWVhI6yu6lZ4tsH1BvMoJ3tgJ+c9pf
+WMZEIKuErZl0u58Zs09ozzXaXXnMjx6pnTrqwMqaHJe5SFHh3XvvycGjCXRy4vjh
+xs+BpmGqB44DRtYBbW6n4UDc481QVEoWd9DOQ7Y2OQJ1pHFTLLqkWSXw3KmO0cAX
+51H9Ab46WfmYhrtmGNrYWUB7fGSsJ1C/4fiuo8Hx5sq+NP11H80q8TOBcPGRyeTj
+K8L5y6T907tfZMlfloiBcbBFSbOf4+KCyVOYaM0O/LrroH+zZaNJiEP1By7Qsn/2
+Ekw0zxtlImc0SQ3NqnkfAsp6nfYMJPylZA==
+-----END CERTIFICATE-----
diff --git a/tests/resources/certs/three.pem.raw b/tests/resources/certs/three.pem.raw
@@ -0,0 +1 @@
+MIIFtTCCA52gAwIBAgIUIGLmUoxDx3fh8dGDdrw81kDLWJgwDQYJKoZIhvcNAQELBQAwajELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEUMBIGA1UECgwLbGliZ2l0Mi5vcmcxGTAXBgNVBAMMEHRlc3QubGliZ2l0Mi5vcmcwHhcNMjQxMDAxMDkwODEzWhcNMzQwOTI5MDkwODEzWjBqMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVzZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMRQwEgYDVQQKDAtsaWJnaXQyLm9yZzEZMBcGA1UEAwwQdGVzdC5saWJnaXQyLm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL7tLetmORd4uklvSeFn9eJfHCrhmNkWHd1VVuMhjcKkjk+N7GNdq1UMsSZU0xnJMICjJcnqplZ9WnO6VkRibyIf/Xp5dh3sQh9jvuTNhvWAOYv9tjxX1sxA0WeHAZj/5qUMtvH3mr0gqNbtIrmEFAeWgcYSJbXhnWit7YEnGReHc17F50hbbLOgl5HLQAzIAEkj4nKXhR8KKgyQk3dNfoc9orSjUxDp8fq9Z2prcEOYFmkItvC8rtqLB9EBJ1moGjB1BWEd3Eg28TUXubRGwrTbpMWP5UWQWuS2Adnd/oQE7NVe5xhxzad8qlReEodF+ptSux5GNw+qy5l5GbMdNfgmXXp34vUldl8dH1BAtC0QH/fmAg5Ea7Ys0bnM9c0MRHJlX7QC3fk/pVCSw7ozuceTyJyqhHMRUAcKeGJETJoBz/nmWm2oG5VjZ54k6ktvjjKNGpuL44dR+xpZljESmHOm7c10AKBiuMjSG5i1o7wzWEDDfCPKo/5Uf5mMcTn78yrO83ztyhIIYfm1kDTbAMMDo1MYHnsqXROxc0ShyLM5fLf7hWh+p8p0MrLUWbAtdETOOx9YqOla6qOGwmKmZaDR82GBCNcLkkqiuWC9oWb2YCtw7UB6cT7BSR7z8mLzfKrzryuJ2IRawZ9JuuHmBMhvLmDWXoLy6zbxTc8eIaffAgMBAAGjUzBRMB0GA1UdDgQWBBTEX4I8cLBkgHHuPS6wu1Z2CFVwNjAfBgNVHSMEGDAWgBTEX4I8cLBkgHHuPS6wu1Z2CFVwNjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQBzgWp1dk0YezID9uD4QRdKarPsRwH4EiXi4sk0udjrOljiPWrUTTvg4Zo/PszaJGmFUtoKGrSDRqaCHMeSOT3NGuxqvfdSvxT6I7b6mDTRiJGncQ/h6Efj/9M04lHvfPsv33055ZF/FZBNznG+FYJM0iOMsgsRq95sM28/Z0eG65YJ/4o4Y9eC+zKUqC+ksVvrEDiinFPPXPzrqJ5aW6TgUgQ583Q1u/Ijj3Z+LxlV3fe2OVgFKCL82XOsZPRCQq71vnNXA3KNRpmXw4fNgZYmYDzUuEaeP+0jL38sTIZaHOEOPlghjny9c+UgqAWUEiN9M1HC59Dc7ViTzRYlWUSbLOzh2vmT7nv7l9eRRNVp5gfWVhI6yu6lZ4tsH1BvMoJ3tgJ+c9pfWMZEIKuErZl0u58Zs09ozzXaXXnMjx6pnTrqwMqaHJe5SFHh3XvvycGjCXRy4vjhxs+BpmGqB44DRtYBbW6n4UDc481QVEoWd9DOQ7Y2OQJ1pHFTLLqkWSXw3KmO0cAX51H9Ab46WfmYhrtmGNrYWUB7fGSsJ1C/4fiuo8Hx5sq+NP11H80q8TOBcPGRyeTjK8L5y6T907tfZMlfloiBcbBFSbOf4+KCyVOYaM0O/LrroH+zZaNJiEP1By7Qsn/2Ekw0zxtlImc0SQ3NqnkfAsp6nfYMJPylZA==
diff --git a/tests/resources/certs/two.pem b/tests/resources/certs/two.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUzCCAjsCFAb11im6DYQyGJ0GNQCIehXtegq6MA0GCSqGSIb3DQEBCwUAMGYx
+CzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlD
+YW1icmlkZ2UxEDAOBgNVBAoMB2xpYmdpdDIxGTAXBgNVBAMMEHRlc3QubGliZ2l0
+Mi5vcmcwHhcNMjEwODMwMDAyMTQyWhcNMzEwODI4MDAyMTQyWjBmMQswCQYDVQQG
+EwJVUzEWMBQGA1UECAwNTWFzc2FjaHVzZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdl
+MRAwDgYDVQQKDAdsaWJnaXQyMRkwFwYDVQQDDBB0ZXN0LmxpYmdpdDIub3JnMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtqe6b1vnMni+z8Z+a2bGtykI
+ITvBged15rn+0qG6Fz+sn9bYG+ceFupztFfoN3cVpUgQDBTzr3CaAx036BlV0z8i
+CrG0Oh/XGL+9TITQLumEe4iGi8NoMSujBAyXPSNgmpzDmCTGrNFfmq3HzUtO8t3x
+i8OT7d9qCVjFimLvZbgnfHGQ38xvt1XyPgYIVqDQczmMEZ5BdYWB0A1VmnWuP2dH
+BgjwPEC3HwMmm1+PL0VoPTdvE5Su092Qdt8QsiA56466DQyll1d/omnOJfrK7z0N
+OnfDmnDpARSTy6vDofEAYUQoc3dyvBUk8IIzv2UDcR7fTVvYqseQReIOTEnXmQID
+AQABMA0GCSqGSIb3DQEBCwUAA4IBAQBmUEq+JhwWTbB5ODGOKrMG1fKJ+sf6ZH6M
+c4BgLEcdoi/nOTfPuw+ols72LuhH7NKaEcqxWev0jGF0WKqMcM8AGVbywZJ3mBWo
+sKdh6rAGFNkikW4TzhjtDfFbMR45Didl28Be7ieHQL4CQ0Lse3RMOxp250WpiEYV
+W2hIKMwIqOLKGShVD7lI+eHlv+QSH4yOYKHfRHve8s82Tac5OXinc8CJm9ySOtkO
+MfLgfkHtHdFBnV6OVbf4p/596MfMXdwT/bBxT6WPkDGc1AYhoDlmLFTpRgHIDCSK
+2wgV+qHppl7Kn+p3mFQ9sW/1IaRd+jNZOrgZ8Uu5tJ00OaqR/LVG
+-----END CERTIFICATE-----
diff --git a/tests/resources/self-signed.pem.raw b/tests/resources/self-signed.pem.raw
@@ -0,0 +1 @@
+MIIDUzCCAjsCFAb11im6DYQyGJ0GNQCIehXtegq6MA0GCSqGSIb3DQEBCwUAMGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxEDAOBgNVBAoMB2xpYmdpdDIxGTAXBgNVBAMMEHRlc3QubGliZ2l0Mi5vcmcwHhcNMjEwODMwMDAyMTQyWhcNMzEwODI4MDAyMTQyWjBmMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVzZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMRAwDgYDVQQKDAdsaWJnaXQyMRkwFwYDVQQDDBB0ZXN0LmxpYmdpdDIub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtqe6b1vnMni+z8Z+a2bGtykIITvBged15rn+0qG6Fz+sn9bYG+ceFupztFfoN3cVpUgQDBTzr3CaAx036BlV0z8iCrG0Oh/XGL+9TITQLumEe4iGi8NoMSujBAyXPSNgmpzDmCTGrNFfmq3HzUtO8t3xi8OT7d9qCVjFimLvZbgnfHGQ38xvt1XyPgYIVqDQczmMEZ5BdYWB0A1VmnWuP2dHBgjwPEC3HwMmm1+PL0VoPTdvE5Su092Qdt8QsiA56466DQyll1d/omnOJfrK7z0NOnfDmnDpARSTy6vDofEAYUQoc3dyvBUk8IIzv2UDcR7fTVvYqseQReIOTEnXmQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBmUEq+JhwWTbB5ODGOKrMG1fKJ+sf6ZH6Mc4BgLEcdoi/nOTfPuw+ols72LuhH7NKaEcqxWev0jGF0WKqMcM8AGVbywZJ3mBWosKdh6rAGFNkikW4TzhjtDfFbMR45Didl28Be7ieHQL4CQ0Lse3RMOxp250WpiEYVW2hIKMwIqOLKGShVD7lI+eHlv+QSH4yOYKHfRHve8s82Tac5OXinc8CJm9ySOtkOMfLgfkHtHdFBnV6OVbf4p/596MfMXdwT/bBxT6WPkDGc1AYhoDlmLFTpRgHIDCSK2wgV+qHppl7Kn+p3mFQ9sW/1IaRd+jNZOrgZ8Uu5tJ00OaqR/LVG
