ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Test query forwarding to DoT-enabled upstream servers

Browse Source 
Change the 'forward' system test to enable DoT on ns2 server,
and test that forwarding from ns4 to the DoT-enabled ns2 works.

In order to test different scenarios, create a test CA (based on
similar CAs for 'doth' and 'nsupdate' system tests), and test
both insecure (no certificate validation) and secure (also with
mutual TLS) TLS configurations, as well as a configuration with an
expired certificate.
This commit is contained in:
Aram Sargsyan
2022-12-08 10:29:15 +00:00
parent 6ea05ac3fe
commit 154cdbd861
24 changed files with 1047 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.reuse/dep5
View File

@@ -42,6 +42,11 @@ Files: **/*.after*
bin/tests/system/formerr/nametoolong
bin/tests/system/formerr/noquestions
bin/tests/system/formerr/twoquestions
bin/tests/system/forward/CA/CA.cfg
bin/tests/system/forward/CA/README
bin/tests/system/forward/CA/index.txt
bin/tests/system/forward/CA/index.txt.attr
bin/tests/system/forward/CA/serial
bin/tests/system/journal/ns1/managed-keys.bind.in
bin/tests/system/journal/ns1/managed-keys.bind.jnl.in
bin/tests/system/journal/ns2/managed-keys.bind.in

5
bin/tests/system/forward/.gitignore vendored Normal file
View File

@@ -0,0 +1,5 @@
# temporary files generated by "openssl ca"
/CA/*.old
# there is little point in keeping the certificate requests
# for the issued certificates
/CA/certs/*.csr

77
bin/tests/system/forward/CA/CA.cfg Normal file
View File

@@ -0,0 +1,77 @@
# See ../../doth/CA/ca.cfg for more information
# certificate authority configuration
[ca]
default_ca = CA_default # The default ca section
[CA_default]
dir = .
new_certs_dir = $dir/newcerts # new certs dir (must be created)
certificate = $dir/CA.pem # The CA cert
private_key = $dir/private/CA.key # CA private key
serial = $dir/serial # serial number file for the next certificate
# Update before issuing it:
# xxd -l 8 -u -ps /dev/urandom > ./serial
database = $dir/index.txt # (must be created manually: touch ./index.txt)
default_days = 10950 # how long to certify for
#default_crl_days = 30 # the number of days before the
default_crl_days = 10950 # next CRL is due. That is the
# days from now to place in the
# CRL nextUpdate field. If CRL
# is expired, certificate
# verifications will fail even
# for otherwise valid
# certificates. Clients might
# cache the CRL, so the expiry
# period should normally be
# relatively short (default:
# 30) for production CAs.
default_md = sha256 # digest to use
policy = policy_default # default policy
email_in_dn = no # Don't add the email into cert DN
name_opt = ca_default # Subject name display option
cert_opt = ca_default # Certificate display option
# We need the following in order to copy Subject Alt Name(s) from a
# request to the certificate.
copy_extensions = copy # copy extensions from request
[policy_default]
countryName = optional
stateOrProvinceName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# default certificate requests settings
[req]
# Options for the `req` tool (`man req`).
default_bits = 3072 # for RSA only
distinguished_name = req_default
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-256 instead.
default_md = sha256
# do not encrypt the private key file
encrypt_key = no
[req_default]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (e.g., city)
0.organizationName = Organization Name (e.g., company)
organizationalUnitName = Organizational Unit Name (e.g. department)
commonName = Common Name (e.g. server FQDN or YOUR name)
emailAddress = Email Address
# defaults
countryName_default = UA
stateOrProvinceName_default = Kharkiv Oblast
localityName_default = Kharkiv
0.organizationName_default = ISC
organizationalUnitName_default = Software Engeneering (BIND 9)

29
bin/tests/system/forward/CA/CA.pem Normal file
View File

@@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----
MIIE3TCCA0WgAwIBAgIUeZPKrvbGEBZaRc2jNczlIsJXyPYwDQYJKoZIhvcNAQEL
BQAwfTELMAkGA1UEBhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4G
A1UEBwwHS2hhcmtpdjEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0
aXVtMRwwGgYDVQQDDBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDEyNDEyNDA1
NFoYDzIwNTIwMTE3MTI0MDU0WjB9MQswCQYDVQQGEwJVQTEYMBYGA1UECAwPS2hh
cmtpdiBPYmxhc3QnMRAwDgYDVQQHDAdLaGFya2l2MSQwIgYDVQQKDBtJbnRlcm5l
dCBTeXN0ZW1zIENvbnNvcnRpdW0xHDAaBgNVBAMME2NhLnRlc3QuZXhhbXBsZS5j
b20wggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCi6hEegBzpUKbE1NTo
Z7uz7EMUY7TBckkiw/7ydTLKNa8YI4JpBguFvWQsDY0dGFJIoVwyHyNx3seW/LoI
B5zWPZ2xbOvLLceA+t2NZpbc98E7jUOVS123yED+nqlfZjCq9Zt0r/ezwnQtjnFF
ko1mcU4H9Jvg8aIgnU2AxE78zciU9CY8799pFFNThIjbooI8oVbfjbzbpmLzxjA5
3rDmZBTh+ySTlMa2U2oT4WPjRltZWnJVegRRLpG95GnTbQ1fkJAbj1Iu10XTkCee
wBOqaA1UJem0a6pby5odE414Y7c0ETKcmaJtYENQyO0IJwZWDKtVe5OTIAklakia
eyFTCAw1h5tHCYLaJW/Yu2wlLl5RNQcRZ9+cWXnldTY+TI1iBjfmADjLdKJYUlhX
z7kWJtTi63Sdv6WYcEXxaWpxT+R3e2kaR/R7GOo4gdkWpX1siGlRteHHH2/36CSQ
ZD2etcTUpGW+KDHFR4grnEfL1rt9UgvCjpa4KcssmZtWSSUCAwEAAaNTMFEwHQYD
VR0OBBYEFHyJ6Fzr5R9ySATFj/uSCJz1YCY5MB8GA1UdIwQYMBaAFHyJ6Fzr5R9y
SATFj/uSCJz1YCY5MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggGB
AF3y0hvzyZWtmuG1JwIcOcc1aPl1KdRy8bao/5iHYGYYrsdDgcO5/e+y9S/izalc
TdW7SKB5iBOCiE8fBNtToCvGP+fxNxHijpAmTr37G5sWuSo1T1VYFizHWL+df/Ig
TcSvDrEjSnAwaEdNJUWtjoIC4VzNKTLtZf16QIATTzTZa3bfgSetpWS7LhLQbHod
CSGI2QB1LRbqGC+a1Y85QxHv81jWzPWPzXYvnOLrDdQyBMOBcxDzrN4b6zg+5Itz
qGYt+IS71jAH0IhxAyD/U5n1jGJv02BnSq0ynLEOD6gsnZjqAwPbt/PM9pGbtbXO
70Q9rxr+vQc1IISKAEiH3txaEPi10wU98d6LbInJvQrmgHo/ntet8skWNYuxlEzS
wvynuE9KvvQtOTodWt5AePtKrhHdxu527a4CHVp59nYUjKSdMKjvmhMRXM1cNjFE
rA/pyyhozR47w3RzHMJVHw2GJ2B/HeqmxpXr1CmJjoRP38QCR7N+mqiZy85Fq2j2
8Q==
-----END CERTIFICATE-----

2
bin/tests/system/forward/CA/README Normal file
View File

@@ -0,0 +1,2 @@
Please take a look at the contents of the CA.cfg file for further
instructions and configurations options.

40
bin/tests/system/forward/CA/certs/srv02.crt01.example.nil.key Normal file
View File

@@ -0,0 +1,40 @@
-----BEGIN PRIVATE KEY-----
MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQCT6jpDg/+SgAa+
TqBTXQudybG4/tXM3K+Uequ6Ew/AtplxeJCxf0EHhVkmkBSIe/wMZHA38yo5gIBI
Tl93dCb6qt0/e45jtabOvLxaqh0ssJpUjANGi+YZUlFIFi2IrN9zu12G9YD/EpPR
U387aTVWbYGK6ku9ddW/orj5mBfHR+daCkegAD1cd0KV72Dq4iyrl6nzHcen+aov
XQO2W0iHtCdLmbPjmfjNu1GI9B401T7jEjwtwLcqnQtzfzqtJ5cXWFFwCId1QtKH
R2fA28a5+LAxpssVJHtUBv2S5iRxP1UCAnHyR3/l/r7UXx61WPcJ+mDjNiW99JFY
5vL98VoA6Hcm3C0gEPzHohYK4Vnk5aBy1COIp1ZxHWn1HuTB7Id67xnd3/ol8Dtv
xV8UICb6m+CvUcQYPzxJfSYlwtlcZ134r3MgWK5lXnEDd3h9RTcKo7cy6/7/X8bp
uFs38WHVhCdQ01VyLIp1FpqVtfkt69AiSVdrZYeqcahtOZb+56kCAwEAAQKCAYBG
jKj2i+5p10OgIItqx43jWBC6/l1GZZofVTU0PqQ8VDuyugE1j88aAbnIYV9Ry+Un
mf5GSWaB368QDcWOCaoP1FBL16hOGZWytKWYDtx0dNVfbxqe2tpIiJE5M07LijzY
C+1rkgxRXPCBHnSohyFIFFn9wouWla36Reg5MBhjVgHcWdvYzlR2FnH9ZpwQ3AjX
XTLTwQf6L+RCy/gZ0ccx5rT5Y5m//LAFnIsiqeEAbReeIZPvdKRIoHgWQgBgF2nJ
KAXFrf62gLSIXmnvvxiWL/xAUktg4kv+PFvEFjMjlxz3hOQuOwJQMt7zZkO0Pw2G
Ow08OznR3dXCOO7csmfTktWdB71vgtf+Y/RzCWbyHPBy4tfWDbiqQCFJSsn7CsC8
r4YscQ55Xmw2AVsUd356Z6ONiM5LZmd+OIpamrVh4Bfgkk1ElPetnelEZO2ZPsBT
cud487ZOY0lD+lpNCAMqS2VeKRi+X/sefZHe3ZMJopRuyPLkqt3qh/sZlms3uWsC
gcEAvWeiyE75Y7DzTBY3sWCxOzj0g8oqFle4G0dxw/CxyF0ASlGNZtjyj/l2dJ1b
wRSk4HmJqgRrkW+cXYVMfoz8zoUfO/vXUe7+1ioxbQMxl7fH5O4R6ps7RxEaX9GE
Rhxx8B1Y1S8tauCFz0STOtvi6CXlCkRALMsEg7MbJJ2PjIrPSSpuWGZBYlJbh53u
spgElwq6qT0xqS8EFpGjSMsnPfXoOnKpWZpyJfKwkm9gwrvVjiVmw1TRcvcODoov
wSZrAoHBAMfsFIauVfoWGHgL80+/8NsYo0Ap3nycFWXH6XaIuhBfQdr8aLTDmj7Y
nlonP5PtsQBfpdlbm/xTTBiZ2hzTcRX7Ayu7eSmZFFP7yE4Amo+bdh9y9KWbIWjA
K5XwwJ7kTWrgiai5nu0JRH+FuMOOEpUHikfOIci7V8LGbkFQ7G1pmXyQwpFT1ClR
ORHnv2A/YklP2jpa7KdPNZgYBQic5JnaNZdFzF0pi1v69UyAP4JBzaWHOz1kMH/B
JxknYpJnOwKBwQCeSyLsrbQX8SclC9x3zgvRJwSTsD4EdkNT6R3XWC38+lznv8ih
j+cJFMA/LdQlRg+V232GLjOIVPMl5eXMTiBqqS81foCx5T/t1U2Bgg3McrgJSD6J
CDs+ZbjZI82cmuFOf/hiEw+uJv8t/m3d3y+APUtyjR/lT7byKpogu93g45Hh4Chg
kPVMKvB8Iy3+7LXJVhoynwYGE1kjU4xXphGh4wa28mU+kamctXuEprkDhuAv8Go2
DYkOwBNra2oFzwkCgcA+TpRjGShQhdxgZZESFMby8a3HTIU7nsWIcBKRz7D1c0qp
/ip/08pZtdc8T6kf6F9Wt3iP0l49+JPpwuFYRImlCRMG6SmszjmopvrZXJTPFuts
h745cqyp4eJzm5Hcs1hxa8NbY2Zlh5Lij4Fy6O9fpPbyxAqBbem/GWq5Togw3U1p
phANjOu9aMP5kZlyXK68HHft4fKJfkU8vperBIK2dGxpVeaITm9RXlhe3EVuyiVW
ZlwPGQ+IcWFHFKBC8osCgcEAiTMZ0gMkuPHnDRcLeBqU6iGpme/+LES9RmBgL4AT
mZHOfsvwkNOdyHb20/ns/OQqBgJpbkQCCrTPJyhv1gqaYtwKlSaI334Lmfg2CP/7
ZFxwo/MfqYDwYZQj35/cN1SkNNvuuKVIX61CNPTr0Wxrs5ZFUwG00RtZzhzYWaku
R0f3FTLR0KbQOKt8nhEgqo8NRzQGrMU9mj+61kMXTdt6N5ipxzPuAUv+D62QbO0T
ndTltEnt0w6vtzmImIWupyBm
-----END PRIVATE KEY-----

100
bin/tests/system/forward/CA/certs/srv02.crt01.example.nil.pem Normal file
View File

@@ -0,0 +1,100 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
cc:c1:18:08:26:32:e1:8b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
Validity
Not Before: Dec 8 11:52:43 2022 GMT
Not After : Nov 30 11:52:43 2052 GMT
Subject: CN=srv02.crt01.example.nil
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (3072 bit)
Modulus:
00:93:ea:3a:43:83:ff:92:80:06:be:4e:a0:53:5d:
0b:9d:c9:b1:b8:fe:d5:cc:dc:af:94:7a:ab:ba:13:
0f:c0:b6:99:71:78:90:b1:7f:41:07:85:59:26:90:
14:88:7b:fc:0c:64:70:37:f3:2a:39:80:80:48:4e:
5f:77:74:26:fa:aa:dd:3f:7b:8e:63:b5:a6:ce:bc:
bc:5a:aa:1d:2c:b0:9a:54:8c:03:46:8b:e6:19:52:
51:48:16:2d:88:ac:df:73:bb:5d:86:f5:80:ff:12:
93:d1:53:7f:3b:69:35:56:6d:81:8a:ea:4b:bd:75:
d5:bf:a2:b8:f9:98:17:c7:47:e7:5a:0a:47:a0:00:
3d:5c:77:42:95:ef:60:ea:e2:2c:ab:97:a9:f3:1d:
c7:a7:f9:aa:2f:5d:03:b6:5b:48:87:b4:27:4b:99:
b3:e3:99:f8:cd:bb:51:88:f4:1e:34:d5:3e:e3:12:
3c:2d:c0:b7:2a:9d:0b:73:7f:3a:ad:27:97:17:58:
51:70:08:87:75:42:d2:87:47:67:c0:db:c6:b9:f8:
b0:31:a6:cb:15:24:7b:54:06:fd:92:e6:24:71:3f:
55:02:02:71:f2:47:7f:e5:fe:be:d4:5f:1e:b5:58:
f7:09:fa:60:e3:36:25:bd:f4:91:58:e6:f2:fd:f1:
5a:00:e8:77:26:dc:2d:20:10:fc:c7:a2:16:0a:e1:
59:e4:e5:a0:72:d4:23:88:a7:56:71:1d:69:f5:1e:
e4:c1:ec:87:7a:ef:19:dd:df:fa:25:f0:3b:6f:c5:
5f:14:20:26:fa:9b:e0:af:51:c4:18:3f:3c:49:7d:
26:25:c2:d9:5c:67:5d:f8:af:73:20:58:ae:65:5e:
71:03:77:78:7d:45:37:0a:a3:b7:32:eb:fe:ff:5f:
c6:e9:b8:5b:37:f1:61:d5:84:27:50:d3:55:72:2c:
8a:75:16:9a:95:b5:f9:2d:eb:d0:22:49:57:6b:65:
87:aa:71:a8:6d:39:96:fe:e7:a9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:srv02.crt01.example.nil, IP Address:10.53.0.2
X509v3 Subject Key Identifier:
70:90:94:81:4A:B2:BF:13:D6:29:1A:90:D9:33:A4:C5:74:29:CF:59
X509v3 Authority Key Identifier:
7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
77:6c:f4:07:36:0b:ef:6e:86:2d:41:73:e0:ba:f7:4c:f1:bd:
8f:77:89:1a:8c:63:2e:39:93:a2:43:ee:70:85:f1:5d:01:60:
ab:e6:50:a1:5e:72:e3:89:13:77:e0:a5:f7:fa:27:31:93:1f:
3a:a7:35:5f:7d:59:3c:d2:26:9c:12:fa:51:2b:d3:31:0c:5a:
e7:a8:be:6a:2e:b2:82:6c:42:f2:86:74:9c:0a:c8:58:a8:68:
35:73:6e:1b:0c:9e:3b:08:3f:b9:ef:68:61:e9:d3:40:1d:aa:
dd:42:e3:1d:b0:1b:6e:b8:58:60:a1:68:4a:ff:09:b7:58:5b:
72:e8:36:a3:6d:10:78:c7:7f:52:f6:dc:39:5c:05:7d:7a:ae:
8d:3f:89:8f:10:a6:4d:8b:55:6a:9b:cb:2c:1d:00:59:9b:0c:
c3:55:e0:a3:25:69:b4:29:30:2f:20:bf:07:f4:21:88:b7:d0:
62:ad:d7:ca:e1:91:45:9f:a2:5f:7d:07:f4:98:b0:5e:d4:3a:
92:86:e9:a1:fb:c0:9b:81:46:da:56:ed:92:47:c0:1a:aa:55:
37:0e:3c:92:2c:44:7a:80:55:1f:15:7a:7c:c4:7e:ad:d5:b0:
a5:7e:33:63:09:23:6b:78:42:de:37:aa:04:a7:52:ed:06:fe:
d4:56:36:12:85:b6:ec:ff:03:ea:4b:e2:7a:42:49:73:b6:ab:
e4:7d:4a:2b:94:65:1f:b1:17:a3:be:17:0b:4e:53:3d:8a:d3:
d7:04:0f:f1:1a:63:b2:a6:eb:00:31:64:b4:80:e9:ae:bb:69:
12:04:a5:7d:2c:bd:91:62:2c:b9:5a:6e:af:e0:ee:27:f0:88:
15:8b:b7:ce:07:5e:bc:6b:e9:3e:3f:23:c7:f9:c9:48:20:69:
6a:8e:f2:17:9b:58:ff:72:36:21:ed:d3:83:16:60:ec:de:6f:
c4:50:47:b7:61:ce:75:c1:d6:60:28:de:bd:69:7c:e6:db:0e:
b9:fa:7b:84:24:35
-----BEGIN CERTIFICATE-----
MIIEkDCCAvigAwIBAgIJAMzBGAgmMuGLMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV
BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr
aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE
AwwTY2EudGVzdC5leGFtcGxlLmNvbTAgFw0yMjEyMDgxMTUyNDNaGA8yMDUyMTEz
MDExNTI0M1owIjEgMB4GA1UEAwwXc3J2MDIuY3J0MDEuZXhhbXBsZS5uaWwwggGi
MA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCT6jpDg/+SgAa+TqBTXQudybG4
/tXM3K+Uequ6Ew/AtplxeJCxf0EHhVkmkBSIe/wMZHA38yo5gIBITl93dCb6qt0/
e45jtabOvLxaqh0ssJpUjANGi+YZUlFIFi2IrN9zu12G9YD/EpPRU387aTVWbYGK
6ku9ddW/orj5mBfHR+daCkegAD1cd0KV72Dq4iyrl6nzHcen+aovXQO2W0iHtCdL
mbPjmfjNu1GI9B401T7jEjwtwLcqnQtzfzqtJ5cXWFFwCId1QtKHR2fA28a5+LAx
pssVJHtUBv2S5iRxP1UCAnHyR3/l/r7UXx61WPcJ+mDjNiW99JFY5vL98VoA6Hcm
3C0gEPzHohYK4Vnk5aBy1COIp1ZxHWn1HuTB7Id67xnd3/ol8DtvxV8UICb6m+Cv
UcQYPzxJfSYlwtlcZ134r3MgWK5lXnEDd3h9RTcKo7cy6/7/X8bpuFs38WHVhCdQ
01VyLIp1FpqVtfkt69AiSVdrZYeqcahtOZb+56kCAwEAAaNsMGowKAYDVR0RBCEw
H4IXc3J2MDIuY3J0MDEuZXhhbXBsZS5uaWyHBAo1AAIwHQYDVR0OBBYEFHCQlIFK
sr8T1ikakNkzpMV0Kc9ZMB8GA1UdIwQYMBaAFHyJ6Fzr5R9ySATFj/uSCJz1YCY5
MA0GCSqGSIb3DQEBCwUAA4IBgQB3bPQHNgvvboYtQXPguvdM8b2Pd4kajGMuOZOi
Q+5whfFdAWCr5lChXnLjiRN34KX3+icxkx86pzVffVk80iacEvpRK9MxDFrnqL5q
LrKCbELyhnScCshYqGg1c24bDJ47CD+572hh6dNAHardQuMdsBtuuFhgoWhK/wm3
WFty6DajbRB4x39S9tw5XAV9eq6NP4mPEKZNi1Vqm8ssHQBZmwzDVeCjJWm0KTAv
IL8H9CGIt9BirdfK4ZFFn6JffQf0mLBe1DqShumh+8CbgUbaVu2SR8AaqlU3DjyS
LER6gFUfFXp8xH6t1bClfjNjCSNreELeN6oEp1LtBv7UVjYShbbs/wPqS+J6Qklz
tqvkfUorlGUfsRejvhcLTlM9itPXBA/xGmOypusAMWS0gOmuu2kSBKV9LL2RYiy5
Wm6v4O4n8IgVi7fOB168a+k+PyPH+clIIGlqjvIXm1j/cjYh7dODFmDs3m/EUEe3
Yc51wdZgKN69aXzm2w65+nuEJDU=
-----END CERTIFICATE-----

40
bin/tests/system/forward/CA/certs/srv02.crt02-expired.example.nil.key Normal file
View File

@@ -0,0 +1,40 @@
-----BEGIN PRIVATE KEY-----
MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQDOADZuuD/b/pD3
3uHtQ0sZl3jYrjI8S9WOzR8peOKv0wKVNCxezVSKB3BrYamvIqduz4a2cddNtK/z
8JsoSRiMZohnY0fpzajpXGPAvgiyd4EFg8c6UxvGeoKZ+lRvTzCAUJaSFm4QFsp2
7snlkGOYmOdYYQkV6UVnifHfIWm2rbckaJIHtm+T+Pu9tZDJV1rlRmzQczM8EG4B
3Eb1hJVdKwPjOg1mWfiSN3hJdDIylvq9BSdD+PmQfOQrNlTA8nf9T+2HAAgjTVeB
oE/2LpygIj32J7I57USOXJJMS7l0uwrEl+OFZin8dTu1PeEiVzMRLpqpQYSC6kS1
/Dq0iDERRpjC7NtDVXKnn6FlwL8Rp0Qno4sGTwgqLUzJqtU9AyRm5gObnJgaX0Xo
uR3xBUDYPu1ABR76iljFovIqocslfmGMDjzMW0M6fIunZLjFK2sWWQat7Bm1HXNE
L/RsMfFu9FX2RDfu2yD+VJJDKPhEy5+ftiyqYR8vGhUVzGHzuW8CAwEAAQKCAYAM
G58XauT1/URwDT2iQG5NlsWXlsWFHb/zoMLQITbRtslUE7j36YGqiz1kUl0y2gqV
TMVSO+a3voMJB39XItS6i9xAl2lGqLvg23lRftnsA3Il7NTs7K2ZQOIkQr5rvG/R
Wus+surNL0m/K9HaGF6CPZp7a1ipXQijSUxaHRClmBhHn43VvjdYry28vMtBykyh
ZT5IEj1UrnKI0XWqQJy22SxlUqgu9+LQVUpQpu+8YXtjWMYyDJQ+ldijYZIhtR6V
WfLEE2SRWpViHwtZEs5p0E9X8rGQYYdWC1zAh+B0TtPCC3I+MAyjQOVglwUpPQnG
GqRJfJnb4PENdy9DYxEmg/AlrTCuRLcGuGVnaz55KCUN9GbL8ei2EKuTQMdR6Ysd
fKPe2L1FyjG7OmTq+1kWicDdbn++ng51C5fwTmyjOnN5//vy19rgNL11TP9UaDaQ
5/Ox7UaxQZXdskvXelzBAe4gGgwdVO3/WEAJNFyUn+O9iWSdEvdv9AeEGe5G0KEC
gcEA51ZSfPG0y4ckyyMB/BHo1sxkKFwMlLOtKHH+zXQ5mCMaFpHDnSpQ8WxE/0mZ
2qX53YpqZU11SV81CPsUox+Fn4bNyLFpDiJ412/yl/xDRHOaRqdWxz3Wg4ynLbpU
xiwFUcjoff63RelQWZka+XSz/eNzSJJe6UXSuNJ0yCCrKTBMlMEtqocFeOYzBMzj
SWbvvKiM8NYqa3pm9VAaQnQPEiwaVa4XDQZZ4EVGdO4U89M6xlrdA8OXm3Jni9CA
eAOtAoHBAOP2aGVcLDch/tP4Be15g1z1ipFQuvlKF481Fxdjy5zXNGj1n6poUgt2
+lVt6jhkunR6Sxs4sEoa0QtcSDCfZWygP05pz41dKF8+j7aYwsDMo1v4brUNKa1y
jFwdhd4xb/YG84pNln5diLzXKbAJgDu684H9tEvl0Is3TYp9Ex2YVhDbauxourHt
shYRi3zcea5S3IE1Qx+dyimliCrsp+ufnh4MrUjn9msAt19ZmzWO1TPucPtx5gUz
zwaQl0P1CwKBwQDRSFW9tQjjq7JMl7Ie8bDcSfI+VPAIwvffBCoIgqHsEa1zR5FZ
KMQrdNCCx3oJxWfj1WnllYqKwzf+lO8Zl9XR+SlH67/nyqXZ+OvWNaBBV/f0/URT
YY0kW2WOx+gTlBWH5KL4ASyacbWAKTOvA7Yl9NQBjnGQxdsZ20NNHcjarVhKpu0C
Pb5knpT/PcBNUnOGEFHZO1cK/qQQP9RR1B8iSIXWh3VREjLS4rkX5Z9M6gZdFiym
UBdiyMAGS609Zc0CgcAI55csXm1bufg6T3Xr0NNQzkabZovnMP26mlhMkZlihwWF
FBMolOqfiAY/UAvWKBkgc6Z7abt5KZMA3pnzTEap95iBd6Cj5P+uuMLkXxM8dMHs
1cd9SwZVwCO7dWvFQikdcygQPveh+AVfWwhF2BkqPCNG8KIaVN/QkFh3EGuuvESg
Y/HJSk4ApUhPlF/egL5AEPyMD4iPs5oyBkVLZ/MnQRTsF5KtRmJZy61eDCID9ZBe
dvHy4IAbs+piV0ORZAECgcBsqhBAB1CdUOjj4EVPeEKngGZweQkJPRLKblCLGK8l
QtcSUfrqoxP8b9Ary/I0gbMhWtkUP/kZOZi/GNelswnzdSlxRKdzQvns5vw+jLfl
aw5v2ps600+e11KQ1IMVSdRdwESEBs0IQAJV3lfmpNcdxIwf8EjLjGL+uq4KGylW
z8vfM0/i2GK33hxNrQRXSrTHsiqiKGK78h7S+twll5W8T1ZYFkI1oROZOmMlA/hU
d8ykPRRZ7XjXCmIgCS9TsF8=
-----END PRIVATE KEY-----

100
bin/tests/system/forward/CA/certs/srv02.crt02-expired.example.nil.pem Normal file
View File

@@ -0,0 +1,100 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
cc:c1:18:08:26:32:e1:8c
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
Validity
Not Before: Dec 7 11:55:54 2022 GMT
Not After : Dec 8 11:55:54 2022 GMT
Subject: CN=srv02.crt02-expired.example.nil
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (3072 bit)
Modulus:
00:ce:00:36:6e:b8:3f:db:fe:90:f7:de:e1:ed:43:
4b:19:97:78:d8:ae:32:3c:4b:d5:8e:cd:1f:29:78:
e2:af:d3:02:95:34:2c:5e:cd:54:8a:07:70:6b:61:
a9:af:22:a7:6e:cf:86:b6:71:d7:4d:b4:af:f3:f0:
9b:28:49:18:8c:66:88:67:63:47:e9:cd:a8:e9:5c:
63:c0:be:08:b2:77:81:05:83:c7:3a:53:1b:c6:7a:
82:99:fa:54:6f:4f:30:80:50:96:92:16:6e:10:16:
ca:76:ee:c9:e5:90:63:98:98:e7:58:61:09:15:e9:
45:67:89:f1:df:21:69:b6:ad:b7:24:68:92:07:b6:
6f:93:f8:fb:bd:b5:90:c9:57:5a:e5:46:6c:d0:73:
33:3c:10:6e:01:dc:46:f5:84:95:5d:2b:03:e3:3a:
0d:66:59:f8:92:37:78:49:74:32:32:96:fa:bd:05:
27:43:f8:f9:90:7c:e4:2b:36:54:c0:f2:77:fd:4f:
ed:87:00:08:23:4d:57:81:a0:4f:f6:2e:9c:a0:22:
3d:f6:27:b2:39:ed:44:8e:5c:92:4c:4b:b9:74:bb:
0a:c4:97:e3:85:66:29:fc:75:3b:b5:3d:e1:22:57:
33:11:2e:9a:a9:41:84:82:ea:44:b5:fc:3a:b4:88:
31:11:46:98:c2:ec:db:43:55:72:a7:9f:a1:65:c0:
bf:11:a7:44:27:a3:8b:06:4f:08:2a:2d:4c:c9:aa:
d5:3d:03:24:66:e6:03:9b:9c:98:1a:5f:45:e8:b9:
1d:f1:05:40:d8:3e:ed:40:05:1e:fa:8a:58:c5:a2:
f2:2a:a1:cb:25:7e:61:8c:0e:3c:cc:5b:43:3a:7c:
8b:a7:64:b8:c5:2b:6b:16:59:06:ad:ec:19:b5:1d:
73:44:2f:f4:6c:31:f1:6e:f4:55:f6:44:37:ee:db:
20:fe:54:92:43:28:f8:44:cb:9f:9f:b6:2c:aa:61:
1f:2f:1a:15:15:cc:61:f3:b9:6f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:srv02.crt02-expired.example.nil, IP Address:10.53.0.2
X509v3 Subject Key Identifier:
A7:8A:6D:EA:10:B4:6B:B8:13:16:6B:BA:A0:26:C3:9A:E7:A6:71:7E
X509v3 Authority Key Identifier:
7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
34:7b:38:92:d9:c1:ba:ed:c7:b3:61:63:e6:d2:11:4e:0c:83:
8f:97:3a:11:97:51:3e:8d:9b:49:bb:f5:2c:92:d1:c2:e4:3b:
ad:db:69:cc:1f:cf:58:3d:4f:51:97:d1:09:19:2f:22:b5:3d:
e1:0d:e5:65:40:2a:54:19:55:22:11:85:18:1a:08:31:97:d8:
fe:cf:4c:9b:ec:8b:8f:9c:cd:cf:5b:a1:56:e4:1d:e0:79:4b:
ee:6b:1c:0b:60:a8:d8:fd:5c:a8:9d:dc:74:4f:ce:b8:f8:19:
a4:00:db:93:7b:ae:34:55:c6:fb:35:1b:9e:bc:d0:5f:da:8d:
77:0e:1f:45:89:d4:dd:f1:a9:4e:48:64:d2:4e:b6:4b:57:a0:
87:cf:a8:30:35:6e:09:91:56:59:9b:01:af:8a:f7:11:8c:d8:
2e:56:89:eb:a5:a0:6c:d2:56:0c:da:13:4d:36:92:28:50:b1:
e5:cd:64:60:ac:93:f4:98:d7:eb:df:7b:42:89:da:c0:6d:6e:
75:ae:45:28:9b:e8:de:00:dc:eb:df:ba:4f:63:2a:61:e5:42:
f3:e0:8f:aa:bd:f7:f6:9b:67:1b:ed:1e:a6:ae:4c:81:a2:62:
ff:a8:8f:94:da:a8:9d:27:fa:a4:46:44:2e:13:f2:05:2b:c4:
a6:57:d3:95:1c:ca:f8:e3:d2:0f:28:70:8a:1b:37:4f:b7:c1:
b3:fd:4b:85:ca:9d:8a:bb:62:85:47:66:c7:31:b8:db:c4:5d:
66:9d:6e:7b:94:07:fa:09:ae:5b:5b:23:31:ba:c8:40:82:4b:
6a:48:d2:83:0c:5f:b9:62:64:06:16:05:dd:e8:a8:02:eb:d7:
7a:9b:d9:49:d6:87:0e:16:ca:d6:4e:46:46:e5:37:e4:0d:68:
b7:d2:d6:78:c4:ee:c1:3b:38:8e:83:df:1f:39:63:1c:65:7a:
e0:26:1f:96:8a:57:9d:6b:27:62:6e:40:86:83:29:fd:1f:a1:
69:2a:92:cf:ab:db
-----BEGIN CERTIFICATE-----
MIIEnjCCAwagAwIBAgIJAMzBGAgmMuGMMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV
BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr
aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE
AwwTY2EudGVzdC5leGFtcGxlLmNvbTAeFw0yMjEyMDcxMTU1NTRaFw0yMjEyMDgx
MTU1NTRaMCoxKDAmBgNVBAMMH3NydjAyLmNydDAyLWV4cGlyZWQuZXhhbXBsZS5u
aWwwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDOADZuuD/b/pD33uHt
Q0sZl3jYrjI8S9WOzR8peOKv0wKVNCxezVSKB3BrYamvIqduz4a2cddNtK/z8Jso
SRiMZohnY0fpzajpXGPAvgiyd4EFg8c6UxvGeoKZ+lRvTzCAUJaSFm4QFsp27snl
kGOYmOdYYQkV6UVnifHfIWm2rbckaJIHtm+T+Pu9tZDJV1rlRmzQczM8EG4B3Eb1
hJVdKwPjOg1mWfiSN3hJdDIylvq9BSdD+PmQfOQrNlTA8nf9T+2HAAgjTVeBoE/2
LpygIj32J7I57USOXJJMS7l0uwrEl+OFZin8dTu1PeEiVzMRLpqpQYSC6kS1/Dq0
iDERRpjC7NtDVXKnn6FlwL8Rp0Qno4sGTwgqLUzJqtU9AyRm5gObnJgaX0XouR3x
BUDYPu1ABR76iljFovIqocslfmGMDjzMW0M6fIunZLjFK2sWWQat7Bm1HXNEL/Rs
MfFu9FX2RDfu2yD+VJJDKPhEy5+ftiyqYR8vGhUVzGHzuW8CAwEAAaN0MHIwMAYD
VR0RBCkwJ4Ifc3J2MDIuY3J0MDItZXhwaXJlZC5leGFtcGxlLm5pbIcECjUAAjAd
BgNVHQ4EFgQUp4pt6hC0a7gTFmu6oCbDmuemcX4wHwYDVR0jBBgwFoAUfInoXOvl
H3JIBMWP+5IInPVgJjkwDQYJKoZIhvcNAQELBQADggGBADR7OJLZwbrtx7NhY+bS
EU4Mg4+XOhGXUT6Nm0m79SyS0cLkO63bacwfz1g9T1GX0QkZLyK1PeEN5WVAKlQZ
VSIRhRgaCDGX2P7PTJvsi4+czc9boVbkHeB5S+5rHAtgqNj9XKid3HRPzrj4GaQA
25N7rjRVxvs1G5680F/ajXcOH0WJ1N3xqU5IZNJOtktXoIfPqDA1bgmRVlmbAa+K
9xGM2C5WieuloGzSVgzaE002kihQseXNZGCsk/SY1+vfe0KJ2sBtbnWuRSib6N4A
3Ovfuk9jKmHlQvPgj6q99/abZxvtHqauTIGiYv+oj5TaqJ0n+qRGRC4T8gUrxKZX
05Ucyvjj0g8ocIobN0+3wbP9S4XKnYq7YoVHZscxuNvEXWadbnuUB/oJrltbIzG6
yECCS2pI0oMMX7liZAYWBd3oqALr13qb2UnWhw4WytZORkblN+QNaLfS1njE7sE7
OI6D3x85YxxleuAmH5aKV51rJ2JuQIaDKf0foWkqks+r2w==
-----END CERTIFICATE-----

40
bin/tests/system/forward/CA/certs/srv04.crt01.example.nil.key Normal file
View File

@@ -0,0 +1,40 @@
-----BEGIN PRIVATE KEY-----
MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQCN5ooQbwaPsuX0
3hRN1DwaIQP+MgLWbQolNT1QAHHWe3XR4AQ2INo5253fGf5bw+LQcsQNvlfYwj8w
qJmxwxrIlqWKDHrm6Ss+yfn1RrLMFEzm0WUlGfssK+RtALp8f/YHJBcwQssE6ZQ2
4xiLYHdsaNOeYoGCZCQs6bq40EAv5v3p+qoUg28mFsG3s239Sj+Poanme73BYKFr
/wKTzAiTnh4MozEpIHTlN0bYQRDHEfTY50N8Tbz7/Tk6eY7CC/4h3xbC/BCzm9rM
gNNkVm8Jr/Zzi8tk5P7FTIVOw+2kCgpT9r6NXnpCT82wIaSO5EX+KPZNKVjbSrRw
ej8L22Q+I6WZRxF7LGaDqXknCUVyrEr6NW8fZNSrzwmQknFK0QKAsauwGewBxqcx
K0vcOwkArZoSyunNVL2WI6MULkBYM1gvcAXJxijxPtSUE9sJs2N4b1dy6B8ob3y2
JXZOqxHJpdfKMgBfXhSuU2UTNyvSmDzUR3RAz/8brVk1wdHTpv8CAwEAAQKCAYAZ
f+E1nM4ACrT6MOJTLh1y0JYIGvKZl9Sn5Q5Ujw/l7B+7DFeVZofwt7+B9QjZcrUS
ol0K3zaoFBgI5XNhF197xl6PFTkMv7/us5sAcaj1tXwwSlazuRyCzoxo7iWU8+XB
WMH2ATq8ckEZL+wcN8SeLaRBpRAC334EuCe+yGWQdiEQ5+OidhAGNzaujUbpqmsL
o5CFg50Q4A2B+7x51MOBy3s46CaQbm2zNyC7Ac5DB74JMF3XO50HZ3TeRjPaOQ84
f8fWoFTqfwS3h7SIswsWpZRa2Lz9Q3FTQjtZ54ZVdnIqQblXnFh5yTw5ERmVWgXZ
EGmUPqMHyhOPRM2kTIvs4GFs+wAJiy2keMgWd39ZT4Z0qXlOrYpTKpRxoG49QS/v
zzddU3FgcjrrA3PZqMse9/elBWaFGxa/3Y8FI5wMaSL1Y7z+sTozF5qb+HGwd71M
09/N2vU3M4dqgSfEjsCPxeG+/6z693nyzrqYh0D0LeEl+ZsyHsTfkAUrFG330fEC
gcEAuhy8LM6sdoMTLYPkAxTs4mUfZtZS3EFQsPyjbcJXbOeugNUphEMr6mik/yYf
fkOKz7VZ6CR8ugX4mLGHB57YIX5QjoPN0Obu1BeCxspAq36XDYrRcJM5eEsWdkfB
43YN4xzMT0uH+660hMnrvxU1kCAVjF+e4AUwFUY/2879LtQZZbdOupwLEmYAaYUI
RyWLmdDPf8W1R38K7QRLG6VCjwdo0reEYIOqj/01fErzKwRdRYbjMJUtUZ8Iy20o
O8vnAoHBAMMvqc9oaxFicVsHMZU3mc91jcOVJqvNCINP7y3fNwcvwcdwXecNFoTn
ygTWgkBDRzueZcxJwtcZOtiq2o4L+zlEZinFyROmJqKVcy+g/hvepj9mbT+5CwYx
/J6AKWwFAIylFbWmqVMeBsZp4K/9qQN+s4V2MWsMNrqoVFCjlBxef4grIbyJSOzU
DZVqz97vA5IqWnAQU53BPUoVns3u2jHkgNDMdMPIdhx++l7++FinNluWheV5KYOF
T1OJe6gpKQKBwQCWubbcQvUBdd4OOoZqyIOgRm1MB79LicojzDc/KOlM1cVJqVja
ONxUFzOpP+K5i1HcLe8GRqaMsVFHuF63GTnIxlfPU4dX6+737aKIBDyjpv4Ghaph
FZqxhX5HhI3N/Un56NS+U1lpx2+DK1S1iCO8+X76FGbC3vC2ChKlndkGF9gJvI8S
KlX9LIag7pBprkqE48tom2HY6Vab5aI+XXSuCT4niWC4GWoE+vhaFQkiiYJQUJGm
QupU9AtXVKwE4XkCgcEAtef35Fq2Xi9W4bUkmqKE8HnoMv0QW1DsvCSFDkVXrZTu
jgbFHQ5vjFHRTwzzuxx4iLGowemEcp8K3t7sbTHxYn/Cju/L5EoW+7M49IygBi1M
1w2Ih7jW82EmxDlBYXCQAIPiZbb7W4FCYyxNwPcwyxcMDDgI+nEZmIBEhBrPcFkJ
lkhMWr+/fShruHMhY+1xcImUW5h7tSxhCGh55gbSx2jkPLQvpj9vBEO650nM/iJo
YJc6FpEDBZX6Rip9Wk1xAoHAUcms1tuGcDRTtzCRdKOl0PiZTr8qzwJPzZlDxrsA
KqcONMhhiFMXneu4xj/M09EVMiElcf1xxs0CtD/1aod3kK5IMq4D+ck2rd/1QKed
FH5jOesE7PRZtW4Du8PCsi2D5V8dR/yBLy/525unqTTCCEZWZ1hrZqStR3nNFcNQ
aC6hhkMTr2GqFJsfNowFQ9gto4kn2XsIpvMW14Gqm0rW+K0i3HDjXk7R7RTDSO5J
B2yNl2lHM+2aSG8A3vug23aE
-----END PRIVATE KEY-----

100
bin/tests/system/forward/CA/certs/srv04.crt01.example.nil.pem Normal file
View File

@@ -0,0 +1,100 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
cc:c1:18:08:26:32:e1:8d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
Validity
Not Before: Dec 8 11:58:45 2022 GMT
Not After : Nov 30 11:58:45 2052 GMT
Subject: CN=srv04.crt01.example.nil
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (3072 bit)
Modulus:
00:8d:e6:8a:10:6f:06:8f:b2:e5:f4:de:14:4d:d4:
3c:1a:21:03:fe:32:02:d6:6d:0a:25:35:3d:50:00:
71:d6:7b:75:d1:e0:04:36:20:da:39:db:9d:df:19:
fe:5b:c3:e2:d0:72:c4:0d:be:57:d8:c2:3f:30:a8:
99:b1:c3:1a:c8:96:a5:8a:0c:7a:e6:e9:2b:3e:c9:
f9:f5:46:b2:cc:14:4c:e6:d1:65:25:19:fb:2c:2b:
e4:6d:00:ba:7c:7f:f6:07:24:17:30:42:cb:04:e9:
94:36:e3:18:8b:60:77:6c:68:d3:9e:62:81:82:64:
24:2c:e9:ba:b8:d0:40:2f:e6:fd:e9:fa:aa:14:83:
6f:26:16:c1:b7:b3:6d:fd:4a:3f:8f:a1:a9:e6:7b:
bd:c1:60:a1:6b:ff:02:93:cc:08:93:9e:1e:0c:a3:
31:29:20:74:e5:37:46:d8:41:10:c7:11:f4:d8:e7:
43:7c:4d:bc:fb:fd:39:3a:79:8e:c2:0b:fe:21:df:
16:c2:fc:10:b3:9b:da:cc:80:d3:64:56:6f:09:af:
f6:73:8b:cb:64:e4:fe:c5:4c:85:4e:c3:ed:a4:0a:
0a:53:f6:be:8d:5e:7a:42:4f:cd:b0:21:a4:8e:e4:
45:fe:28:f6:4d:29:58:db:4a:b4:70:7a:3f:0b:db:
64:3e:23:a5:99:47:11:7b:2c:66:83:a9:79:27:09:
45:72:ac:4a:fa:35:6f:1f:64:d4:ab:cf:09:90:92:
71:4a:d1:02:80:b1:ab:b0:19:ec:01:c6:a7:31:2b:
4b:dc:3b:09:00:ad:9a:12:ca:e9:cd:54:bd:96:23:
a3:14:2e:40:58:33:58:2f:70:05:c9:c6:28:f1:3e:
d4:94:13:db:09:b3:63:78:6f:57:72:e8:1f:28:6f:
7c:b6:25:76:4e:ab:11:c9:a5:d7:ca:32:00:5f:5e:
14:ae:53:65:13:37:2b:d2:98:3c:d4:47:74:40:cf:
ff:1b:ad:59:35:c1:d1:d3:a6:ff
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:srv04.crt01.example.nil, IP Address:10.53.0.4
X509v3 Subject Key Identifier:
CA:83:06:FB:3E:57:50:DD:FD:BF:00:5A:60:E2:6D:98:71:CD:2C:F2
X509v3 Authority Key Identifier:
7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
6f:24:c5:ba:8e:62:5d:58:50:a5:25:a1:fc:41:fc:18:cb:7c:
11:02:0a:ad:7f:13:2a:20:07:92:5a:82:c0:92:9d:35:40:b0:
c9:85:5a:23:26:fb:55:b7:99:7a:18:a7:ae:b4:6e:a2:29:f8:
25:70:fa:3e:bf:b0:ec:91:d7:46:55:55:ab:fd:22:a6:c1:b4:
50:92:27:ea:d8:a1:71:ec:14:84:69:0a:c9:de:3f:c1:63:94:
17:5e:78:e7:85:34:80:bf:c3:58:f1:4d:fb:0c:b4:2e:2b:9c:
66:15:1f:e3:d6:3a:c1:95:b1:f5:f2:9c:dc:99:cb:d5:39:35:
6a:bf:bc:f4:81:9d:7c:4c:c1:76:f8:4d:26:ab:f4:f0:50:b2:
f9:41:65:6c:df:9d:16:57:e3:dc:7d:85:0a:14:5f:20:ea:08:
5e:ab:3c:75:ae:f6:7e:55:62:3b:4c:4a:c7:48:4f:24:f2:78:
e6:99:52:76:87:6e:b3:08:7c:d6:4e:41:72:8f:ed:f1:5a:1a:
20:e7:c2:cd:a0:6f:04:6c:f1:71:87:21:00:49:29:c1:fb:bd:
08:a7:51:34:bb:e0:f1:f7:59:3d:b8:9e:c6:48:06:fe:e6:ea:
30:8b:65:8f:d2:31:c5:d6:4e:a8:22:7e:fc:85:05:3d:e4:7c:
38:54:07:46:cc:94:8e:a5:d3:4c:09:71:6e:60:63:e4:6a:8e:
aa:c2:81:df:31:37:2a:96:b3:53:36:a2:76:44:59:18:33:81:
6c:24:84:a3:61:68:63:a2:02:bd:fd:b2:9c:db:0f:cc:a6:44:
54:c6:2d:13:fb:96:80:63:e7:e9:2e:36:3c:00:34:3e:62:5d:
fe:59:95:cb:b2:d0:cc:9a:69:ce:00:cc:59:c3:f7:79:3a:4f:
95:e9:64:c9:ad:28:96:e2:80:dd:59:45:29:6c:ed:0d:6e:4e:
50:69:6e:ef:50:32:4e:5c:af:63:39:57:90:08:0f:b9:4e:ba:
b2:24:ae:bb:78:39
-----BEGIN CERTIFICATE-----
MIIEkDCCAvigAwIBAgIJAMzBGAgmMuGNMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV
BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr
aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE
AwwTY2EudGVzdC5leGFtcGxlLmNvbTAgFw0yMjEyMDgxMTU4NDVaGA8yMDUyMTEz
MDExNTg0NVowIjEgMB4GA1UEAwwXc3J2MDQuY3J0MDEuZXhhbXBsZS5uaWwwggGi
MA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCN5ooQbwaPsuX03hRN1DwaIQP+
MgLWbQolNT1QAHHWe3XR4AQ2INo5253fGf5bw+LQcsQNvlfYwj8wqJmxwxrIlqWK
DHrm6Ss+yfn1RrLMFEzm0WUlGfssK+RtALp8f/YHJBcwQssE6ZQ24xiLYHdsaNOe
YoGCZCQs6bq40EAv5v3p+qoUg28mFsG3s239Sj+Poanme73BYKFr/wKTzAiTnh4M
ozEpIHTlN0bYQRDHEfTY50N8Tbz7/Tk6eY7CC/4h3xbC/BCzm9rMgNNkVm8Jr/Zz
i8tk5P7FTIVOw+2kCgpT9r6NXnpCT82wIaSO5EX+KPZNKVjbSrRwej8L22Q+I6WZ
RxF7LGaDqXknCUVyrEr6NW8fZNSrzwmQknFK0QKAsauwGewBxqcxK0vcOwkArZoS
yunNVL2WI6MULkBYM1gvcAXJxijxPtSUE9sJs2N4b1dy6B8ob3y2JXZOqxHJpdfK
MgBfXhSuU2UTNyvSmDzUR3RAz/8brVk1wdHTpv8CAwEAAaNsMGowKAYDVR0RBCEw
H4IXc3J2MDQuY3J0MDEuZXhhbXBsZS5uaWyHBAo1AAQwHQYDVR0OBBYEFMqDBvs+
V1Dd/b8AWmDibZhxzSzyMB8GA1UdIwQYMBaAFHyJ6Fzr5R9ySATFj/uSCJz1YCY5
MA0GCSqGSIb3DQEBCwUAA4IBgQBvJMW6jmJdWFClJaH8QfwYy3wRAgqtfxMqIAeS
WoLAkp01QLDJhVojJvtVt5l6GKeutG6iKfglcPo+v7DskddGVVWr/SKmwbRQkifq
2KFx7BSEaQrJ3j/BY5QXXnjnhTSAv8NY8U37DLQuK5xmFR/j1jrBlbH18pzcmcvV
OTVqv7z0gZ18TMF2+E0mq/TwULL5QWVs350WV+PcfYUKFF8g6gheqzx1rvZ+VWI7
TErHSE8k8njmmVJ2h26zCHzWTkFyj+3xWhog58LNoG8EbPFxhyEASSnB+70Ip1E0
u+Dx91k9uJ7GSAb+5uowi2WP0jHF1k6oIn78hQU95Hw4VAdGzJSOpdNMCXFuYGPk
ao6qwoHfMTcqlrNTNqJ2RFkYM4FsJISjYWhjogK9/bKc2w/MpkRUxi0T+5aAY+fp
LjY8ADQ+Yl3+WZXLstDMmmnOAMxZw/d5Ok+V6WTJrSiW4oDdWUUpbO0Nbk5QaW7v
UDJOXK9jOVeQCA+5TrqyJK67eDk=
-----END CERTIFICATE-----

3
bin/tests/system/forward/CA/index.txt Normal file
View File

@@ -0,0 +1,3 @@
V 20521130115243Z CCC118082632E18B unknown /CN=srv02.crt01.example.nil
V 221208115554Z CCC118082632E18C unknown /CN=srv02.crt02-expired.example.nil
V 20521130115845Z CCC118082632E18D unknown /CN=srv04.crt01.example.nil

1
bin/tests/system/forward/CA/index.txt.attr Normal file
View File

@@ -0,0 +1 @@
unique_subject = yes

100
bin/tests/system/forward/CA/newcerts/CCC118082632E18B.pem Normal file
View File

@@ -0,0 +1,100 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
cc:c1:18:08:26:32:e1:8b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
Validity
Not Before: Dec 8 11:52:43 2022 GMT
Not After : Nov 30 11:52:43 2052 GMT
Subject: CN=srv02.crt01.example.nil
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (3072 bit)
Modulus:
00:93:ea:3a:43:83:ff:92:80:06:be:4e:a0:53:5d:
0b:9d:c9:b1:b8:fe:d5:cc:dc:af:94:7a:ab:ba:13:
0f:c0:b6:99:71:78:90:b1:7f:41:07:85:59:26:90:
14:88:7b:fc:0c:64:70:37:f3:2a:39:80:80:48:4e:
5f:77:74:26:fa:aa:dd:3f:7b:8e:63:b5:a6:ce:bc:
bc:5a:aa:1d:2c:b0:9a:54:8c:03:46:8b:e6:19:52:
51:48:16:2d:88:ac:df:73:bb:5d:86:f5:80:ff:12:
93:d1:53:7f:3b:69:35:56:6d:81:8a:ea:4b:bd:75:
d5:bf:a2:b8:f9:98:17:c7:47:e7:5a:0a:47:a0:00:
3d:5c:77:42:95:ef:60:ea:e2:2c:ab:97:a9:f3:1d:
c7:a7:f9:aa:2f:5d:03:b6:5b:48:87:b4:27:4b:99:
b3:e3:99:f8:cd:bb:51:88:f4:1e:34:d5:3e:e3:12:
3c:2d:c0:b7:2a:9d:0b:73:7f:3a:ad:27:97:17:58:
51:70:08:87:75:42:d2:87:47:67:c0:db:c6:b9:f8:
b0:31:a6:cb:15:24:7b:54:06:fd:92:e6:24:71:3f:
55:02:02:71:f2:47:7f:e5:fe:be:d4:5f:1e:b5:58:
f7:09:fa:60:e3:36:25:bd:f4:91:58:e6:f2:fd:f1:
5a:00:e8:77:26:dc:2d:20:10:fc:c7:a2:16:0a:e1:
59:e4:e5:a0:72:d4:23:88:a7:56:71:1d:69:f5:1e:
e4:c1:ec:87:7a:ef:19:dd:df:fa:25:f0:3b:6f:c5:
5f:14:20:26:fa:9b:e0:af:51:c4:18:3f:3c:49:7d:
26:25:c2:d9:5c:67:5d:f8:af:73:20:58:ae:65:5e:
71:03:77:78:7d:45:37:0a:a3:b7:32:eb:fe:ff:5f:
c6:e9:b8:5b:37:f1:61:d5:84:27:50:d3:55:72:2c:
8a:75:16:9a:95:b5:f9:2d:eb:d0:22:49:57:6b:65:
87:aa:71:a8:6d:39:96:fe:e7:a9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:srv02.crt01.example.nil, IP Address:10.53.0.2
X509v3 Subject Key Identifier:
70:90:94:81:4A:B2:BF:13:D6:29:1A:90:D9:33:A4:C5:74:29:CF:59
X509v3 Authority Key Identifier:
7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
77:6c:f4:07:36:0b:ef:6e:86:2d:41:73:e0:ba:f7:4c:f1:bd:
8f:77:89:1a:8c:63:2e:39:93:a2:43:ee:70:85:f1:5d:01:60:
ab:e6:50:a1:5e:72:e3:89:13:77:e0:a5:f7:fa:27:31:93:1f:
3a:a7:35:5f:7d:59:3c:d2:26:9c:12:fa:51:2b:d3:31:0c:5a:
e7:a8:be:6a:2e:b2:82:6c:42:f2:86:74:9c:0a:c8:58:a8:68:
35:73:6e:1b:0c:9e:3b:08:3f:b9:ef:68:61:e9:d3:40:1d:aa:
dd:42:e3:1d:b0:1b:6e:b8:58:60:a1:68:4a:ff:09:b7:58:5b:
72:e8:36:a3:6d:10:78:c7:7f:52:f6:dc:39:5c:05:7d:7a:ae:
8d:3f:89:8f:10:a6:4d:8b:55:6a:9b:cb:2c:1d:00:59:9b:0c:
c3:55:e0:a3:25:69:b4:29:30:2f:20:bf:07:f4:21:88:b7:d0:
62:ad:d7:ca:e1:91:45:9f:a2:5f:7d:07:f4:98:b0:5e:d4:3a:
92:86:e9:a1:fb:c0:9b:81:46:da:56:ed:92:47:c0:1a:aa:55:
37:0e:3c:92:2c:44:7a:80:55:1f:15:7a:7c:c4:7e:ad:d5:b0:
a5:7e:33:63:09:23:6b:78:42:de:37:aa:04:a7:52:ed:06:fe:
d4:56:36:12:85:b6:ec:ff:03:ea:4b:e2:7a:42:49:73:b6:ab:
e4:7d:4a:2b:94:65:1f:b1:17:a3:be:17:0b:4e:53:3d:8a:d3:
d7:04:0f:f1:1a:63:b2:a6:eb:00:31:64:b4:80:e9:ae:bb:69:
12:04:a5:7d:2c:bd:91:62:2c:b9:5a:6e:af:e0:ee:27:f0:88:
15:8b:b7:ce:07:5e:bc:6b:e9:3e:3f:23:c7:f9:c9:48:20:69:
6a:8e:f2:17:9b:58:ff:72:36:21:ed:d3:83:16:60:ec:de:6f:
c4:50:47:b7:61:ce:75:c1:d6:60:28:de:bd:69:7c:e6:db:0e:
b9:fa:7b:84:24:35
-----BEGIN CERTIFICATE-----
MIIEkDCCAvigAwIBAgIJAMzBGAgmMuGLMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV
BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr
aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE
AwwTY2EudGVzdC5leGFtcGxlLmNvbTAgFw0yMjEyMDgxMTUyNDNaGA8yMDUyMTEz
MDExNTI0M1owIjEgMB4GA1UEAwwXc3J2MDIuY3J0MDEuZXhhbXBsZS5uaWwwggGi
MA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCT6jpDg/+SgAa+TqBTXQudybG4
/tXM3K+Uequ6Ew/AtplxeJCxf0EHhVkmkBSIe/wMZHA38yo5gIBITl93dCb6qt0/
e45jtabOvLxaqh0ssJpUjANGi+YZUlFIFi2IrN9zu12G9YD/EpPRU387aTVWbYGK
6ku9ddW/orj5mBfHR+daCkegAD1cd0KV72Dq4iyrl6nzHcen+aovXQO2W0iHtCdL
mbPjmfjNu1GI9B401T7jEjwtwLcqnQtzfzqtJ5cXWFFwCId1QtKHR2fA28a5+LAx
pssVJHtUBv2S5iRxP1UCAnHyR3/l/r7UXx61WPcJ+mDjNiW99JFY5vL98VoA6Hcm
3C0gEPzHohYK4Vnk5aBy1COIp1ZxHWn1HuTB7Id67xnd3/ol8DtvxV8UICb6m+Cv
UcQYPzxJfSYlwtlcZ134r3MgWK5lXnEDd3h9RTcKo7cy6/7/X8bpuFs38WHVhCdQ
01VyLIp1FpqVtfkt69AiSVdrZYeqcahtOZb+56kCAwEAAaNsMGowKAYDVR0RBCEw
H4IXc3J2MDIuY3J0MDEuZXhhbXBsZS5uaWyHBAo1AAIwHQYDVR0OBBYEFHCQlIFK
sr8T1ikakNkzpMV0Kc9ZMB8GA1UdIwQYMBaAFHyJ6Fzr5R9ySATFj/uSCJz1YCY5
MA0GCSqGSIb3DQEBCwUAA4IBgQB3bPQHNgvvboYtQXPguvdM8b2Pd4kajGMuOZOi
Q+5whfFdAWCr5lChXnLjiRN34KX3+icxkx86pzVffVk80iacEvpRK9MxDFrnqL5q
LrKCbELyhnScCshYqGg1c24bDJ47CD+572hh6dNAHardQuMdsBtuuFhgoWhK/wm3
WFty6DajbRB4x39S9tw5XAV9eq6NP4mPEKZNi1Vqm8ssHQBZmwzDVeCjJWm0KTAv
IL8H9CGIt9BirdfK4ZFFn6JffQf0mLBe1DqShumh+8CbgUbaVu2SR8AaqlU3DjyS
LER6gFUfFXp8xH6t1bClfjNjCSNreELeN6oEp1LtBv7UVjYShbbs/wPqS+J6Qklz
tqvkfUorlGUfsRejvhcLTlM9itPXBA/xGmOypusAMWS0gOmuu2kSBKV9LL2RYiy5
Wm6v4O4n8IgVi7fOB168a+k+PyPH+clIIGlqjvIXm1j/cjYh7dODFmDs3m/EUEe3
Yc51wdZgKN69aXzm2w65+nuEJDU=
-----END CERTIFICATE-----

100
bin/tests/system/forward/CA/newcerts/CCC118082632E18C.pem Normal file
View File

@@ -0,0 +1,100 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
cc:c1:18:08:26:32:e1:8c
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
Validity
Not Before: Dec 7 11:55:54 2022 GMT
Not After : Dec 8 11:55:54 2022 GMT
Subject: CN=srv02.crt02-expired.example.nil
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (3072 bit)
Modulus:
00:ce:00:36:6e:b8:3f:db:fe:90:f7:de:e1:ed:43:
4b:19:97:78:d8:ae:32:3c:4b:d5:8e:cd:1f:29:78:
e2:af:d3:02:95:34:2c:5e:cd:54:8a:07:70:6b:61:
a9:af:22:a7:6e:cf:86:b6:71:d7:4d:b4:af:f3:f0:
9b:28:49:18:8c:66:88:67:63:47:e9:cd:a8:e9:5c:
63:c0:be:08:b2:77:81:05:83:c7:3a:53:1b:c6:7a:
82:99:fa:54:6f:4f:30:80:50:96:92:16:6e:10:16:
ca:76:ee:c9:e5:90:63:98:98:e7:58:61:09:15:e9:
45:67:89:f1:df:21:69:b6:ad:b7:24:68:92:07:b6:
6f:93:f8:fb:bd:b5:90:c9:57:5a:e5:46:6c:d0:73:
33:3c:10:6e:01:dc:46:f5:84:95:5d:2b:03:e3:3a:
0d:66:59:f8:92:37:78:49:74:32:32:96:fa:bd:05:
27:43:f8:f9:90:7c:e4:2b:36:54:c0:f2:77:fd:4f:
ed:87:00:08:23:4d:57:81:a0:4f:f6:2e:9c:a0:22:
3d:f6:27:b2:39:ed:44:8e:5c:92:4c:4b:b9:74:bb:
0a:c4:97:e3:85:66:29:fc:75:3b:b5:3d:e1:22:57:
33:11:2e:9a:a9:41:84:82:ea:44:b5:fc:3a:b4:88:
31:11:46:98:c2:ec:db:43:55:72:a7:9f:a1:65:c0:
bf:11:a7:44:27:a3:8b:06:4f:08:2a:2d:4c:c9:aa:
d5:3d:03:24:66:e6:03:9b:9c:98:1a:5f:45:e8:b9:
1d:f1:05:40:d8:3e:ed:40:05:1e:fa:8a:58:c5:a2:
f2:2a:a1:cb:25:7e:61:8c:0e:3c:cc:5b:43:3a:7c:
8b:a7:64:b8:c5:2b:6b:16:59:06:ad:ec:19:b5:1d:
73:44:2f:f4:6c:31:f1:6e:f4:55:f6:44:37:ee:db:
20:fe:54:92:43:28:f8:44:cb:9f:9f:b6:2c:aa:61:
1f:2f:1a:15:15:cc:61:f3:b9:6f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:srv02.crt02-expired.example.nil, IP Address:10.53.0.2
X509v3 Subject Key Identifier:
A7:8A:6D:EA:10:B4:6B:B8:13:16:6B:BA:A0:26:C3:9A:E7:A6:71:7E
X509v3 Authority Key Identifier:
7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
34:7b:38:92:d9:c1:ba:ed:c7:b3:61:63:e6:d2:11:4e:0c:83:
8f:97:3a:11:97:51:3e:8d:9b:49:bb:f5:2c:92:d1:c2:e4:3b:
ad:db:69:cc:1f:cf:58:3d:4f:51:97:d1:09:19:2f:22:b5:3d:
e1:0d:e5:65:40:2a:54:19:55:22:11:85:18:1a:08:31:97:d8:
fe:cf:4c:9b:ec:8b:8f:9c:cd:cf:5b:a1:56:e4:1d:e0:79:4b:
ee:6b:1c:0b:60:a8:d8:fd:5c:a8:9d:dc:74:4f:ce:b8:f8:19:
a4:00:db:93:7b:ae:34:55:c6:fb:35:1b:9e:bc:d0:5f:da:8d:
77:0e:1f:45:89:d4:dd:f1:a9:4e:48:64:d2:4e:b6:4b:57:a0:
87:cf:a8:30:35:6e:09:91:56:59:9b:01:af:8a:f7:11:8c:d8:
2e:56:89:eb:a5:a0:6c:d2:56:0c:da:13:4d:36:92:28:50:b1:
e5:cd:64:60:ac:93:f4:98:d7:eb:df:7b:42:89:da:c0:6d:6e:
75:ae:45:28:9b:e8:de:00:dc:eb:df:ba:4f:63:2a:61:e5:42:
f3:e0:8f:aa:bd:f7:f6:9b:67:1b:ed:1e:a6:ae:4c:81:a2:62:
ff:a8:8f:94:da:a8:9d:27:fa:a4:46:44:2e:13:f2:05:2b:c4:
a6:57:d3:95:1c:ca:f8:e3:d2:0f:28:70:8a:1b:37:4f:b7:c1:
b3:fd:4b:85:ca:9d:8a:bb:62:85:47:66:c7:31:b8:db:c4:5d:
66:9d:6e:7b:94:07:fa:09:ae:5b:5b:23:31:ba:c8:40:82:4b:
6a:48:d2:83:0c:5f:b9:62:64:06:16:05:dd:e8:a8:02:eb:d7:
7a:9b:d9:49:d6:87:0e:16:ca:d6:4e:46:46:e5:37:e4:0d:68:
b7:d2:d6:78:c4:ee:c1:3b:38:8e:83:df:1f:39:63:1c:65:7a:
e0:26:1f:96:8a:57:9d:6b:27:62:6e:40:86:83:29:fd:1f:a1:
69:2a:92:cf:ab:db
-----BEGIN CERTIFICATE-----
MIIEnjCCAwagAwIBAgIJAMzBGAgmMuGMMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV
BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr
aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE
AwwTY2EudGVzdC5leGFtcGxlLmNvbTAeFw0yMjEyMDcxMTU1NTRaFw0yMjEyMDgx
MTU1NTRaMCoxKDAmBgNVBAMMH3NydjAyLmNydDAyLWV4cGlyZWQuZXhhbXBsZS5u
aWwwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDOADZuuD/b/pD33uHt
Q0sZl3jYrjI8S9WOzR8peOKv0wKVNCxezVSKB3BrYamvIqduz4a2cddNtK/z8Jso
SRiMZohnY0fpzajpXGPAvgiyd4EFg8c6UxvGeoKZ+lRvTzCAUJaSFm4QFsp27snl
kGOYmOdYYQkV6UVnifHfIWm2rbckaJIHtm+T+Pu9tZDJV1rlRmzQczM8EG4B3Eb1
hJVdKwPjOg1mWfiSN3hJdDIylvq9BSdD+PmQfOQrNlTA8nf9T+2HAAgjTVeBoE/2
LpygIj32J7I57USOXJJMS7l0uwrEl+OFZin8dTu1PeEiVzMRLpqpQYSC6kS1/Dq0
iDERRpjC7NtDVXKnn6FlwL8Rp0Qno4sGTwgqLUzJqtU9AyRm5gObnJgaX0XouR3x
BUDYPu1ABR76iljFovIqocslfmGMDjzMW0M6fIunZLjFK2sWWQat7Bm1HXNEL/Rs
MfFu9FX2RDfu2yD+VJJDKPhEy5+ftiyqYR8vGhUVzGHzuW8CAwEAAaN0MHIwMAYD
VR0RBCkwJ4Ifc3J2MDIuY3J0MDItZXhwaXJlZC5leGFtcGxlLm5pbIcECjUAAjAd
BgNVHQ4EFgQUp4pt6hC0a7gTFmu6oCbDmuemcX4wHwYDVR0jBBgwFoAUfInoXOvl
H3JIBMWP+5IInPVgJjkwDQYJKoZIhvcNAQELBQADggGBADR7OJLZwbrtx7NhY+bS
EU4Mg4+XOhGXUT6Nm0m79SyS0cLkO63bacwfz1g9T1GX0QkZLyK1PeEN5WVAKlQZ
VSIRhRgaCDGX2P7PTJvsi4+czc9boVbkHeB5S+5rHAtgqNj9XKid3HRPzrj4GaQA
25N7rjRVxvs1G5680F/ajXcOH0WJ1N3xqU5IZNJOtktXoIfPqDA1bgmRVlmbAa+K
9xGM2C5WieuloGzSVgzaE002kihQseXNZGCsk/SY1+vfe0KJ2sBtbnWuRSib6N4A
3Ovfuk9jKmHlQvPgj6q99/abZxvtHqauTIGiYv+oj5TaqJ0n+qRGRC4T8gUrxKZX
05Ucyvjj0g8ocIobN0+3wbP9S4XKnYq7YoVHZscxuNvEXWadbnuUB/oJrltbIzG6
yECCS2pI0oMMX7liZAYWBd3oqALr13qb2UnWhw4WytZORkblN+QNaLfS1njE7sE7
OI6D3x85YxxleuAmH5aKV51rJ2JuQIaDKf0foWkqks+r2w==
-----END CERTIFICATE-----

100
bin/tests/system/forward/CA/newcerts/CCC118082632E18D.pem Normal file
View File

@@ -0,0 +1,100 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
cc:c1:18:08:26:32:e1:8d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
Validity
Not Before: Dec 8 11:58:45 2022 GMT
Not After : Nov 30 11:58:45 2052 GMT
Subject: CN=srv04.crt01.example.nil
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (3072 bit)
Modulus:
00:8d:e6:8a:10:6f:06:8f:b2:e5:f4:de:14:4d:d4:
3c:1a:21:03:fe:32:02:d6:6d:0a:25:35:3d:50:00:
71:d6:7b:75:d1:e0:04:36:20:da:39:db:9d:df:19:
fe:5b:c3:e2:d0:72:c4:0d:be:57:d8:c2:3f:30:a8:
99:b1:c3:1a:c8:96:a5:8a:0c:7a:e6:e9:2b:3e:c9:
f9:f5:46:b2:cc:14:4c:e6:d1:65:25:19:fb:2c:2b:
e4:6d:00:ba:7c:7f:f6:07:24:17:30:42:cb:04:e9:
94:36:e3:18:8b:60:77:6c:68:d3:9e:62:81:82:64:
24:2c:e9:ba:b8:d0:40:2f:e6:fd:e9:fa:aa:14:83:
6f:26:16:c1:b7:b3:6d:fd:4a:3f:8f:a1:a9:e6:7b:
bd:c1:60:a1:6b:ff:02:93:cc:08:93:9e:1e:0c:a3:
31:29:20:74:e5:37:46:d8:41:10:c7:11:f4:d8:e7:
43:7c:4d:bc:fb:fd:39:3a:79:8e:c2:0b:fe:21:df:
16:c2:fc:10:b3:9b:da:cc:80:d3:64:56:6f:09:af:
f6:73:8b:cb:64:e4:fe:c5:4c:85:4e:c3:ed:a4:0a:
0a:53:f6:be:8d:5e:7a:42:4f:cd:b0:21:a4:8e:e4:
45:fe:28:f6:4d:29:58:db:4a:b4:70:7a:3f:0b:db:
64:3e:23:a5:99:47:11:7b:2c:66:83:a9:79:27:09:
45:72:ac:4a:fa:35:6f:1f:64:d4:ab:cf:09:90:92:
71:4a:d1:02:80:b1:ab:b0:19:ec:01:c6:a7:31:2b:
4b:dc:3b:09:00:ad:9a:12:ca:e9:cd:54:bd:96:23:
a3:14:2e:40:58:33:58:2f:70:05:c9:c6:28:f1:3e:
d4:94:13:db:09:b3:63:78:6f:57:72:e8:1f:28:6f:
7c:b6:25:76:4e:ab:11:c9:a5:d7:ca:32:00:5f:5e:
14:ae:53:65:13:37:2b:d2:98:3c:d4:47:74:40:cf:
ff:1b:ad:59:35:c1:d1:d3:a6:ff
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:srv04.crt01.example.nil, IP Address:10.53.0.4
X509v3 Subject Key Identifier:
CA:83:06:FB:3E:57:50:DD:FD:BF:00:5A:60:E2:6D:98:71:CD:2C:F2
X509v3 Authority Key Identifier:
7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
6f:24:c5:ba:8e:62:5d:58:50:a5:25:a1:fc:41:fc:18:cb:7c:
11:02:0a:ad:7f:13:2a:20:07:92:5a:82:c0:92:9d:35:40:b0:
c9:85:5a:23:26:fb:55:b7:99:7a:18:a7:ae:b4:6e:a2:29:f8:
25:70:fa:3e:bf:b0:ec:91:d7:46:55:55:ab:fd:22:a6:c1:b4:
50:92:27:ea:d8:a1:71:ec:14:84:69:0a:c9:de:3f:c1:63:94:
17:5e:78:e7:85:34:80:bf:c3:58:f1:4d:fb:0c:b4:2e:2b:9c:
66:15:1f:e3:d6:3a:c1:95:b1:f5:f2:9c:dc:99:cb:d5:39:35:
6a:bf:bc:f4:81:9d:7c:4c:c1:76:f8:4d:26:ab:f4:f0:50:b2:
f9:41:65:6c:df:9d:16:57:e3:dc:7d:85:0a:14:5f:20:ea:08:
5e:ab:3c:75:ae:f6:7e:55:62:3b:4c:4a:c7:48:4f:24:f2:78:
e6:99:52:76:87:6e:b3:08:7c:d6:4e:41:72:8f:ed:f1:5a:1a:
20:e7:c2:cd:a0:6f:04:6c:f1:71:87:21:00:49:29:c1:fb:bd:
08:a7:51:34:bb:e0:f1:f7:59:3d:b8:9e:c6:48:06:fe:e6:ea:
30:8b:65:8f:d2:31:c5:d6:4e:a8:22:7e:fc:85:05:3d:e4:7c:
38:54:07:46:cc:94:8e:a5:d3:4c:09:71:6e:60:63:e4:6a:8e:
aa:c2:81:df:31:37:2a:96:b3:53:36:a2:76:44:59:18:33:81:
6c:24:84:a3:61:68:63:a2:02:bd:fd:b2:9c:db:0f:cc:a6:44:
54:c6:2d:13:fb:96:80:63:e7:e9:2e:36:3c:00:34:3e:62:5d:
fe:59:95:cb:b2:d0:cc:9a:69:ce:00:cc:59:c3:f7:79:3a:4f:
95:e9:64:c9:ad:28:96:e2:80:dd:59:45:29:6c:ed:0d:6e:4e:
50:69:6e:ef:50:32:4e:5c:af:63:39:57:90:08:0f:b9:4e:ba:
b2:24:ae:bb:78:39
-----BEGIN CERTIFICATE-----
MIIEkDCCAvigAwIBAgIJAMzBGAgmMuGNMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV
BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr
aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE
AwwTY2EudGVzdC5leGFtcGxlLmNvbTAgFw0yMjEyMDgxMTU4NDVaGA8yMDUyMTEz
MDExNTg0NVowIjEgMB4GA1UEAwwXc3J2MDQuY3J0MDEuZXhhbXBsZS5uaWwwggGi
MA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCN5ooQbwaPsuX03hRN1DwaIQP+
MgLWbQolNT1QAHHWe3XR4AQ2INo5253fGf5bw+LQcsQNvlfYwj8wqJmxwxrIlqWK
DHrm6Ss+yfn1RrLMFEzm0WUlGfssK+RtALp8f/YHJBcwQssE6ZQ24xiLYHdsaNOe
YoGCZCQs6bq40EAv5v3p+qoUg28mFsG3s239Sj+Poanme73BYKFr/wKTzAiTnh4M
ozEpIHTlN0bYQRDHEfTY50N8Tbz7/Tk6eY7CC/4h3xbC/BCzm9rMgNNkVm8Jr/Zz
i8tk5P7FTIVOw+2kCgpT9r6NXnpCT82wIaSO5EX+KPZNKVjbSrRwej8L22Q+I6WZ
RxF7LGaDqXknCUVyrEr6NW8fZNSrzwmQknFK0QKAsauwGewBxqcxK0vcOwkArZoS
yunNVL2WI6MULkBYM1gvcAXJxijxPtSUE9sJs2N4b1dy6B8ob3y2JXZOqxHJpdfK
MgBfXhSuU2UTNyvSmDzUR3RAz/8brVk1wdHTpv8CAwEAAaNsMGowKAYDVR0RBCEw
H4IXc3J2MDQuY3J0MDEuZXhhbXBsZS5uaWyHBAo1AAQwHQYDVR0OBBYEFMqDBvs+
V1Dd/b8AWmDibZhxzSzyMB8GA1UdIwQYMBaAFHyJ6Fzr5R9ySATFj/uSCJz1YCY5
MA0GCSqGSIb3DQEBCwUAA4IBgQBvJMW6jmJdWFClJaH8QfwYy3wRAgqtfxMqIAeS
WoLAkp01QLDJhVojJvtVt5l6GKeutG6iKfglcPo+v7DskddGVVWr/SKmwbRQkifq
2KFx7BSEaQrJ3j/BY5QXXnjnhTSAv8NY8U37DLQuK5xmFR/j1jrBlbH18pzcmcvV
OTVqv7z0gZ18TMF2+E0mq/TwULL5QWVs350WV+PcfYUKFF8g6gheqzx1rvZ+VWI7
TErHSE8k8njmmVJ2h26zCHzWTkFyj+3xWhog58LNoG8EbPFxhyEASSnB+70Ip1E0
u+Dx91k9uJ7GSAb+5uowi2WP0jHF1k6oIn78hQU95Hw4VAdGzJSOpdNMCXFuYGPk
ao6qwoHfMTcqlrNTNqJ2RFkYM4FsJISjYWhjogK9/bKc2w/MpkRUxi0T+5aAY+fp
LjY8ADQ+Yl3+WZXLstDMmmnOAMxZw/d5Ok+V6WTJrSiW4oDdWUUpbO0Nbk5QaW7v
UDJOXK9jOVeQCA+5TrqyJK67eDk=
-----END CERTIFICATE-----

39
bin/tests/system/forward/CA/private/CA.key Normal file
View File

@@ -0,0 +1,39 @@
-----BEGIN RSA PRIVATE KEY-----
MIIG5AIBAAKCAYEAouoRHoAc6VCmxNTU6Ge7s+xDFGO0wXJJIsP+8nUyyjWvGCOC
aQYLhb1kLA2NHRhSSKFcMh8jcd7Hlvy6CAec1j2dsWzryy3HgPrdjWaW3PfBO41D
lUtdt8hA/p6pX2YwqvWbdK/3s8J0LY5xRZKNZnFOB/Sb4PGiIJ1NgMRO/M3IlPQm
PO/faRRTU4SI26KCPKFW342826Zi88YwOd6w5mQU4fskk5TGtlNqE+Fj40ZbWVpy
VXoEUS6RveRp020NX5CQG49SLtdF05AnnsATqmgNVCXptGuqW8uaHRONeGO3NBEy
nJmibWBDUMjtCCcGVgyrVXuTkyAJJWpImnshUwgMNYebRwmC2iVv2LtsJS5eUTUH
EWffnFl55XU2PkyNYgY35gA4y3SiWFJYV8+5FibU4ut0nb+lmHBF8WlqcU/kd3tp
Gkf0exjqOIHZFqV9bIhpUbXhxx9v9+gkkGQ9nrXE1KRlvigxxUeIK5xHy9a7fVIL
wo6WuCnLLJmbVkklAgMBAAECggGBAI5ZV3v/FUQIZK+4CBDKEwizeClotZgR9DWc
bDgOj8KABe5hmKGL1qWVRuH3NUYm6j7sP1LMQnxM3LjhOuupOzE3xYIyWhW+eoQI
r23OJiQNl5ohZNweblUXdTMGD5h8AipfUOY0m4tGbZ0gyXixBTxt5HCvG0UB3VgC
GqZY4Wujo5ADhSXZsqxuRiDDvZGr/YBcuTu87Tg/ulam5ZyrKIcnC9gpSVxqsva9
DAMy/cSoxUjd7ukhJISK3G3AF3fV4GSslQcJTlyJ2D3+LnqPuHJKYTI4hc46lN3x
E2g24GdSCPYf6SoEPwACXtbavV8TXwQPJrHN+f+0/ePCI4jkYe5NoA3gwVgMb/WB
wFchxzVh3V4e8tPGiG+ofKl81DSAW8VZCJLUIbTEce9oxafPT78WJxdC0wWbh5S8
V/qN6sW/yWnK3oY9SilWhJGRwKOZ+8xtStaDeCzyCaOqEcWi8ZR0QfC33UozlhdC
SrMKnOXmn/rUuXGrVR56IzIl0M7YAQKBwQDM3GJDdlFuHn6L0syKYdHDS8gXD9ke
s+ochIP6jvkEPcayaEoZGl8s7RT3iztqXod7wLaZdotktxfDAZnJfeuOcVrCu+Bx
HLytnBvV6czMfp3REGgQAJQeusSgtlBCTHHVOsDzIjdnkY3WBa7IiFYWO5wnYrGx
r3ucnwnHaUVDMj1r4YI7mYIpCuYQl6eGyW7mhWewyhVwoQXKbifdrXxjvOigL0Cp
tgsoU9pql3hpphOaYMX6hLOincTfaMxfnCECgcEAy5UXp3dA0OwK+4iDGKr+cUpk
AtGTheiE+8zEVh2KYFLt921mW/QZiB1+xtnkknp3c7u07Ugk8jAEXzCkwMnN5ZCx
LrJ72fC+cLIAbRm6/vMMP8iz83wyttao4qNMeoOBBfE9rEiP+lrugpv282V3ZHYa
IUZWTeugJbckUHTbD3RZQExmQcRVG3m/TzonBfoZ8HoRj/n3d7V2T911cHUhi8Xn
RQIi2m63VofOIep86LgartlKneMWnL0oOPq4RKyFAoHAZUzpDkD4nUJZAx025Yrf
ZfoYNEcy7vq6XmWsuX5vZoiBs4DcezNOMvH9NzdTJxMdXbV61cIHxcK/7j7hZABv
NZ2Z6sdqgaRbLGIQZaPaEJjfwxygyKDwnY1vY6UjZNVWSMFn3hJiYUVZZKakuiao
ow/Q9KzZ/2ot7tG5zTCh/ktekfUOKBiNg2wPPc8wGPeMblMzZflXxrzpFyOHdRev
dcZZJbSX/hO1yrhEPgculNd5xBHsdCegiF4JlwvEW9bhAoHAZQQiy5bx03j8bhkr
q6bVQFPAUmG5iL16lxLg7TYVPnyH1bk0DDaQIKk6CeN+dmxML2IZgY/FvWK0GKOj
bIH2J43nTRuFNvwtEvBQI9KbpfvlvRSSriOXaoATJvoObdAoylEM4BrVTk2mgapw
HA/h8Thk+NPU6S8ctPouC7ogJIf/7Va7erC35j0//0kEqgOSsW9wnXdUItMo1LI3
nsiQD7Hwcp5/utErKcWTM+MNfdA0dUQesT9ILhfyCGvn2TOdAoHBAKldZkDyRcu9
r9uDF1bhUEnpV2k4hgvTuCvQ3rzyx3WrVT8ChEmePC8Ke5A54ffu/YdbpDLbdf2c
j4n5CQhHbMIZs3P2hB3WqDCImApCfMbXaltfBbaT0j7uLJPMp+2+f/wWYpc3R+bn
HVnaRI2PoXXmG9OjQSQdVZ5gNpkEuemAo3dJOSS6BMqQaSxUynGy7o/a/d4izBjd
B58Fwq3sZI/Xv90Se9+b6ICST3YJ3p0vn8RKzmlCQjLg/xynpCByiw==
-----END RSA PRIVATE KEY-----

1
bin/tests/system/forward/CA/serial Normal file
View File

@@ -0,0 +1 @@
CCC118082632E18E

1
bin/tests/system/forward/clean.sh
View File

@@ -19,6 +19,7 @@ rm -f ./*/named.conf
rm -f ./*/named.memstats
rm -f ./*/named.run ./*/named.run.prev ./*/ans.run
rm -f ./*/named_dump.db
rm -f ./ans*/query.log
rm -f ./ns*/named.lock
rm -f ./ns*/managed-keys.bind*
rm -f ./ns1/root.db ./ns1/root.db.signed

11
bin/tests/system/forward/dhparam3072.pem Normal file
View File

@@ -0,0 +1,11 @@
-----BEGIN DH PARAMETERS-----
MIIBiAKCAYEA5D/Oioe+G+EMf/9RVxmcV4rZAtqZpVTFHcX0ZulvdiQGCQmopm6K
3+0uoU2J6WVMjhna5nHD2NO9miRDI/jIxX9g9k6PedSB4o3fSTtkAnGtUbB8S+Ab
EHtWfd7FTES8P1n16HN7BfPXVbP8zTcK+jO63KdQoxueYoETcrw0Myi9Lm8ri8os
O4oQ+XAH7GzZ60bcYV9jge0XIRUGVnYZDjWMlnwMvZyjLivxKXTC9HPNA6FF1/0H
0LPhsfjdoLNsVHFzfQz7QELMfHbTd0C8y0UMDQw9FqUp0esHZ5gsTlqnDHp2ZHoR
JDfNl4yVO5Gv4HiFJ0NSdggefhESU3FRAOhMmUkctOCxk5hyPqGMsvofOajY2MBp
eCffrKuAU6/dGUeq8inwrZlAMIZ20WyskHmbHnc4DXo2Uo6xSZo3xyEq1ofXXwTZ
vPw4e12so3RJAT2a8UsHf7DG1tH+9ke7HCAJQWxUizRFRsMi1Nl/7ikS4f3zgIbX
GKz9+uk5eS6jAgEC
-----END DH PARAMETERS-----

10
bin/tests/system/forward/ns1/named.conf.in
View File

@@ -66,6 +66,16 @@ zone "example6" {
type forward;
};
zone "example8." {
type primary;
file "example.db";
};
zone "example9." {
type primary;
file "example.db";
};
zone "diditwork.net" {
type primary;
file "diditwork.net.db";

43
bin/tests/system/forward/ns2/named.conf.in
View File

@@ -11,6 +11,34 @@
* information regarding copyright ownership.
*/
tls tls-forward-secrecy {
protocols { TLSv1.2; };
ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
prefer-server-ciphers yes;
key-file "../CA/certs/srv02.crt01.example.nil.key";
cert-file "../CA/certs/srv02.crt01.example.nil.pem";
dhparam-file "../dhparam3072.pem";
};
tls tls-forward-secrecy-mutual-tls {
protocols { TLSv1.2; };
ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
prefer-server-ciphers yes;
key-file "../CA/certs/srv02.crt01.example.nil.key";
cert-file "../CA/certs/srv02.crt01.example.nil.pem";
dhparam-file "../dhparam3072.pem";
ca-file "../CA/CA.pem";
};
tls tls-expired {
protocols { TLSv1.2; };
ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
prefer-server-ciphers yes;
key-file "../CA/certs/srv02.crt02-expired.example.nil.key";
cert-file "../CA/certs/srv02.crt02-expired.example.nil.pem";
dhparam-file "../dhparam3072.pem";
};
options {
query-source address 10.53.0.2;
query-source-v6 address fd92:7065:b8e:ffff::2;
@@ -19,8 +47,13 @@ options {
transfer-source 10.53.0.2;
transfer-source-v6 fd92:7065:b8e:ffff::2;
port @PORT@;
tls-port @TLSPORT@;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on tls ephemeral { 10.53.0.2; };
listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; };
listen-on port @EXTRAPORT2@ tls tls-forward-secrecy-mutual-tls { 10.53.0.2; };
listen-on port @EXTRAPORT3@ tls tls-expired { 10.53.0.2; };
listen-on-v6 { fd92:7065:b8e:ffff::2; };
recursion no;
dnssec-validation no;
@@ -56,6 +89,16 @@ zone "example7." {
file "example.db";
};
zone "example8." {
type primary;
file "example.db";
};
zone "example9." {
type primary;
file "example.db";
};
zone "grafted." {
type primary;
file "example.db";

61
bin/tests/system/forward/ns4/named.conf.in
View File

@@ -16,6 +16,7 @@ options {
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port @PORT@;
tls-port @TLSPORT@;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
@@ -29,15 +30,57 @@ zone "." {
file "root.db";
};
tls tls-forward-secrecy {
protocols { TLSv1.2; };
ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
dhparam-file "../dhparam3072.pem";
ca-file "../CA/CA.pem";
};
tls tls-forward-secrecy-remote-hostname {
protocols { TLSv1.2; };
ca-file "../CA/CA.pem";
remote-hostname "srv02.crt01.example.nil";
};
tls tls-forward-secrecy-bad-remote-hostname {
protocols { TLSv1.2; };
ca-file "../CA/CA.pem";
remote-hostname "srv02-bad.crt01.example.nil";
};
tls tls-forward-secrecy-mutual-tls {
protocols { TLSv1.2; };
ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
key-file "../CA/certs/srv04.crt01.example.nil.key";
cert-file "../CA/certs/srv04.crt01.example.nil.pem";
dhparam-file "../dhparam3072.pem";
ca-file "../CA/CA.pem";
};
tls tls-expired {
protocols { TLSv1.2; };
ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
prefer-server-ciphers yes;
dhparam-file "../dhparam3072.pem";
ca-file "../CA/CA.pem";
};
zone "example1." {
type forward;
forward first;
forwarders { 10.53.0.2; };
forwarders { 10.53.0.2 tls ephemeral; };
};
zone "example3." {
type forward;
forwarders { 10.53.0.2; };
forwarders port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; };
};
zone "example4." {
type forward;
forward only;
forwarders port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2 tls tls-expired port @EXTRAPORT3@; };
};
zone "example5." {
@@ -46,10 +89,22 @@ zone "example5." {
forwarders { 10.53.0.2; };
};
zone "example8." {
type forward;
forward only;
forwarders port @EXTRAPORT1@ tls tls-forward-secrecy-remote-hostname { 10.53.0.2; };
};
zone "example9." {
type forward;
forward only;
forwarders port @EXTRAPORT1@ tls tls-forward-secrecy-bad-remote-hostname { 10.53.0.2; };
};
zone "1.0.10.in-addr.arpa" {
type forward;
forward only;
forwarders { 10.53.0.2; };
forwarders { 10.53.0.2 tls tls-forward-secrecy-mutual-tls port @EXTRAPORT2@; };
};
zone "grafted" {

47
bin/tests/system/forward/tests.sh
View File

@@ -71,11 +71,24 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "checking that a forward zone works ($n)"
echo_i "checking that DoT expired certificate does not work ($n)"
ret=0
nextpart ns4/named.run >/dev/null
dig_with_opts +noadd +noauth txt.example4. txt @$hidden > dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example4. txt @$f2 > dig.out.$n.f2 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1
wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "checking that a forward zone works (DoT insecure) ($n)"
ret=0
nextpart ns4/named.run >/dev/null
dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example1. txt @$f2 > dig.out.$n.f2 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
@@ -89,11 +102,35 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "checking that a forward zone with no specified policy works ($n)"
echo_i "checking that a forward zone with no specified policy works (DoT forward-secrecy) ($n)"
ret=0
nextpart ns4/named.run >/dev/null
dig_with_opts +noadd +noauth txt.example3. txt @$hidden > dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example3. txt @$f2 > dig.out.$n.f2 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "checking that DoT remote-hostname works ($n)"
ret=0
nextpart ns4/named.run >/dev/null
dig_with_opts +noadd +noauth txt.example8. txt @$hidden > dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example8. txt @$f2 > dig.out.$n.f2 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 || ret=1
wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "checking that DoT bad remote-hostname does not work ($n)"
ret=0
nextpart ns4/named.run >/dev/null
dig_with_opts +noadd +noauth txt.example9. txt @$hidden > dig.out.$n.hidden || ret=1
dig_with_opts +noadd +noauth txt.example9. txt @$f2 > dig.out.$n.f2 || ret=1
digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1
wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
@@ -120,14 +157,14 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
check_override() (
dig_with_opts 1.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 &&
dig_with_opts 1.0.10.in-addr.arpa TXT @$f2 > dig.out.$n.f2 &&
grep "status: NOERROR" dig.out.$n.f2 > /dev/null &&
dig_with_opts 2.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 &&
dig_with_opts 2.0.10.in-addr.arpa TXT @$f2 > dig.out.$n.f2 &&
grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null
)
n=$((n+1))
echo_i "checking that forward only zone overrides empty zone ($n)"
echo_i "checking that forward only zone overrides empty zone (DoT forward-secrecy-mutual-tls) ($n)"
ret=0
# retry loop in case the server restart above causes transient failure
retry_quiet 10 check_override || ret=1