Generate certificates out of band

In order to fully test TLS client authentication, CA infrastructure is
needed. This is generated by https://github.com/iSECPartners/tlspretense

Ultimately, these certificates will be generated in-band via
TLSPretense, once there is a solution to
iSECPartners/tlspretense#3.

spec/spec_helper.rb

@@ -4,11 +4,19 @@
 require 'zlib'
 require 'json'
 require 'rack'
+require 'openssl'
 require 'webrick'
 require 'webrick/https'
 
 PORT = 55441
 
+# TLS Test Related Variables
+$certdir         = File.join(File.dirname(__FILE__), 'tlspretense', 'certs')
+$keystore        = File.join($certdir, 'keystore.p12')
+$keystore_pass   = 'foobar'
+$truststore      = File.join($certdir, 'truststore.jks')
+$truststore_pass = 'foobar'
+
 def local_server(path = "/", port = PORT)
   URI.join("http://localhost:#{port}", path).to_s
 end
@@ -88,11 +96,16 @@ def stop_servers
 end
 
 def start_ssl_server(port)
-  cert_name = [
-    %w[CN localhost],
-  ]
+  pkey   = OpenSSL::PKey::RSA.new(File.read(File.join($certdir, 'serverkey.pem')))
+  cert   = OpenSSL::X509::Certificate.new(File.read(File.join($certdir, 'servercert.pem')))
+  cacert = OpenSSL::X509::Certificate.new(File.read(File.join($certdir, 'testcacert.pem')))
+
   @servers[port] = Thread.new {
-    server = WEBrick::HTTPServer.new(:Port => port, :SSLEnable => true, :SSLCertName => cert_name, :Logger => WEBrick::Log.new("/dev/null"))
+    server = WEBrick::HTTPServer.new(
+      :Port => port, :Logger => WEBrick::Log.new("/dev/null"),
+      :SSLEnable => true, :SSLPrivateKey => pkey, :SSLCertificate => cert
+    )
+
     server.mount_proc "/" do |req, res|
       res.body = "hello!"
     end
@@ -113,4 +126,5 @@ def start_ssl_server(port)
   }
 
   c.after(:suite)  { stop_servers }
-end
+end
+

spec/tlspretense/Makefile

@@ -0,0 +1,26 @@
+.PHONY: all clean keystore truststore
+
+KEYSTORE   := certs/keystore.p12
+TRUSTSTORE := certs/truststore.jks
+
+CA_CERT     := certs/testcacert.pem
+CLIENT_KEY  := certs/clientkey.pem
+CLIENT_CERT := certs/clientcert.pem
+
+all: certs keystore truststore
+
+clean:
+	tlspretense cleancerts
+
+certs:
+	tlspretense certs
+
+keystore: $(KEYSTORE)
+
+truststore: $(TRUSTSTORE)
+
+$(KEYSTORE): certs
+	openssl pkcs12 -export -out $(KEYSTORE) -in $(CLIENT_CERT) -inkey $(CLIENT_KEY) -passout pass:foobar
+
+$(TRUSTSTORE): certs
+	keytool -importcert -noprompt -keystore $(TRUSTSTORE) -file $(CA_CERT) -storepass foobar

spec/tlspretense/README.mkd

@@ -0,0 +1,32 @@
+# TLS Testing Configuration
+
+This directory houses the configuration for
+[tlspretense](https://github.com/iSECPartners/tlspretense).  These certificates
+should __NEVER__ be used outside of the test suite for _ANY_ reason at all.
+Upon resolution of [this issue](https://github.com/iSECPartners/tlspretense/issues/3),
+the certificates will not be distributed in the repository, but will be generated
+during the test runs, and cleaned up afterwards (to mimic the previous behavior).
+
+## Usage
+
+To purge and recreate the certificates, run:
+
+    make clean all
+
+Which has the following shell dependencies:
+
+  * make
+  * tlspretense
+  * openssl
+  * keytool (distributed with JDK)
+
+## Details
+
+Under the hood, what is happening is the following:
+
+  * tlspretense generates a self-signed CA certificate and signs several server and client certificates, all of which are valid for 5 years
+  * openssl creates a PKCS12 keystore containing the client certificate
+  * keytool creates a JKS truststore containing the CA
+
+This presents a wide range of formats to satisfy both, WEBrick (OpenSSL-based) and the underlying Java libraries.
+

spec/tlspretense/certs/authservercert.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID4TCCAsmgAwIBAgIEMub1JzANBgkqhkiG9w0BAQsFADBVMRMwEQYDVQQKDApU
+ZXN0IFN1aXRlMR4wHAYDVQQLDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHjAcBgNV
+BAMMFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0xNDExMjkwNDI5NThaFw0xOTEx
+MjgwNDI5NThaMEsxEzARBgNVBAoMClRlc3QgU3VpdGUxFDASBgNVBAsMC0F1dGgg
+U2VydmVyMR4wHAYDVQQDDBVsb2NhbGhvc3QubG9jYWxkb21haW4wggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDjdJfUXMT89Ty8+HE+0RKKDlUnkSToDL6g
+seDH+JLhXmlwRStOR5QteHH+7ZZ2S7PnEo1ID1bE2B673oJEbDdCVgjgNJXR/RP2
+DQIX8nIE8Ssv7YZwyzCReD1GUSy/W1tTOl7ZS6FxRvPn3c8Dc4OH88kPkuZExnWc
+2ttloeUK7IDrswqoA4kSUv8R12WM9rpdBSWaAS6zytZYmZMT0wZVder7JJ+iF2q9
+Z1jM0qYnwR5TF7bVrk7ks196RuwfiaXKvKUcFqibJXxdA+NziP0l2UEtvjptclR2
+aUdJXe9ARnTMxy8Fj94YF5UApOb/+YQptyUPQzSSnwqsMCpOKDlXAgMBAAGjgcIw
+gb8wQwYDVR0RBDwwOocQAAAAAAAAAAAAAAAAAAAAAYcEfwAAAYIJbG9jYWxob3N0
+ghVsb2NhbGhvc3QubG9jYWxkb21haW4wCwYDVR0PBAQDAgWgMB0GA1UdJQQWMBQG
+CCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBTLmORsPBCK8xEyiN3aDc5B
+2S61xTAdBgNVHQ4EFgQUauBLIR6GNuJcg7uFMcX70VEugCMwDAYDVR0TAQH/BAIw
+ADANBgkqhkiG9w0BAQsFAAOCAQEAkvuNE1qtApYaZYlgP1/3PdKFrmPXRijG1Pt5
+aThcvVLHAwL4T57w2P5DGN+eYeKFjzqpzuuXD4kQmdItgIHZ85sQG5qpQBmWrJC6
+kxJfns7msmc7gCpYokva2gNQJNoGLIdnFJ4cC+fgDVY4u6zlNRsluT1nkw3qdFRo
+XDbeeXoLyDbnoqrohfYpb48rkDiLSy388y1UecEWvBt9HPST5cg2Bonn7EfIwwmq
+IeCMuLLJcqXhGluYidyd0lFIA1BmrGhQjNnf3jb2WL4PmjbkinVFgatxuLHX29TP
+nGKM2QLxJb0z8XGmlsyHuV5vaV4pmt5FwAksj1JQgrpLenMAHA==
+-----END CERTIFICATE-----

spec/tlspretense/certs/authserverkey.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA43SX1FzE/PU8vPhxPtESig5VJ5Ek6Ay+oLHgx/iS4V5pcEUr
+TkeULXhx/u2Wdkuz5xKNSA9WxNgeu96CRGw3QlYI4DSV0f0T9g0CF/JyBPErL+2G
+cMswkXg9RlEsv1tbUzpe2UuhcUbz593PA3ODh/PJD5LmRMZ1nNrbZaHlCuyA67MK
+qAOJElL/EddljPa6XQUlmgEus8rWWJmTE9MGVXXq+ySfohdqvWdYzNKmJ8EeUxe2
+1a5O5LNfekbsH4mlyrylHBaomyV8XQPjc4j9JdlBLb46bXJUdmlHSV3vQEZ0zMcv
+BY/eGBeVAKTm//mEKbclD0M0kp8KrDAqTig5VwIDAQABAoIBAQDDSh72IXSsr66n
+nTQ2N/IQAMBSSYeDiTW+6RrS9vS9dX9X+rt06XYrGEfgFoPiK5taIY6WOT1Jozm4
+GhKExtknJpFWVy/vbLhPwNl0UCBfZ+Wpr+mHPJ4FuFP75MRjw/+EVRCMxyflB4Nx
+J/uOvgZHmyOdMIZutGrU8v/+oeLy3YBG9UJFmSPthuMY9sdSvydu7J7RgfjMbV8a
+1Dtb3/TTGc7WeDsNP8Klx16gSS9UBsdqfOvHC17zgvO03zOH6y3c03vcInMCpbf7
+SWwmzSYYl8EDPluzd+IY1vuBhw+x6PAoLM869b2qm8LcnGzQO3/jjwKHyo+XgTnD
+jnyV99jRAoGBAPgvZTb5BzlKfao9hMPI0UVY7bGJhkRTcWqhxlSAmk/h+d6lWgnl
+R+VDFYKqXgBhlescPhdUKuXenNGeL4bIfecbiQ6O+QIEDnSdtFGclegMAkvVIisU
+MSqr2LzxPBdQWU3coAaFYrMBfz11Nxfg2vg5fXz0yOYat1O4oVR6b6OPAoGBAOqe
+GNGZuTr2mD3Lql5/k9e0enZe1E3eg0UWXV02IHACgbQeG9oBmwiOxRpGbz6SEjK4
+wKdfTezryGxd11OxEdL3Y1ZZcLrYLpSezDeIvIdpAMHSfIlE2NfumfcucR5rWnuM
+8fHNXVmZ/UkpaDTkffkxDErdh/++A9DvXLLEFQm5AoGAVjTAR3QAmlnRhIyRzR+3
+8QqOpZhLVvhU8OD4bumssAqiLD/rInzNmEjQ8+4RcLh0xpGsz5WgwO+uMPFtOLfz
+Y48g8DmhLJ4UF1WgCKkHOO7S7Vw+3g/JdDT0t8xjPwXdvznfK+Sw/9SJSeOpG1Yz
+OP1fJUQxdBvbie0bvKg6lukCgYEA0O9oFMi8LylJnMaR+0PL6m2cHWwHzyzYZB8t
+mAPK0VU6Iqgpj3SclvtlxidxjBxTPn5Pev4hjFrRisfrKWnoAKM1AMH35Tz+BnaA
+UPhhRImbFgCXzTrVjT68OGdQb5GU67AyCm8jsdazvIK2fVv6X39xff5YzcRu65Mu
+TzjVr2kCgYEA6YRrVJjz7Qk7etjhT4WCMMYRr7EFpYV05AOcNlVzM3y/kSVylTCL
+ZrCKD1HT6sW0238Hk4uJ1t4mlLFBj5Cb4oqi3sGdAYFhj1xWx1i+AatgKfh3aUAn
+N0wdtDlY72ZbdSgZwBdDs2eKz8ZKC1WS8vRufhTJscNAhgdHwoHFPK0=
+-----END RSA PRIVATE KEY-----

spec/tlspretense/certs/clientcert.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID3DCCAsSgAwIBAgIEKpUVljANBgkqhkiG9w0BAQsFADBVMRMwEQYDVQQKDApU
+ZXN0IFN1aXRlMR4wHAYDVQQLDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHjAcBgNV
+BAMMFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0xNDExMjkwNDI5NTlaFw0xOTEx
+MjgwNDI5NTlaMEYxEzARBgNVBAoMClRlc3QgU3VpdGUxDzANBgNVBAsMBkNsaWVu
+dDEeMBwGA1UEAwwVbG9jYWxob3N0LmxvY2FsZG9tYWluMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAssbyEvXwf5KbGys/5bYDKPlfDGUIz8M2L2rd2j/F
+9bhQxf/7r3cd6bgwVBwaKucPCbJWg90C8kb/Cu2iecvHjfcZQIwqcIE77p+Y62W0
+RDG49Jj2f15VlBzKdd7rLHeWd4P85qwS0YRvrJLnqSyHYjxasb/SnsxHStdfocwl
+DuR/FzoZlhCNHS4ft8f/Q4GzzFzq0Sa1yeX/LbfL1JuJnrqURdNUN192eQfMFVVA
+dmSDsXCgoOlBx72FadNqidD+tfM/ehGLnHffrPLDgXdGcJ6CNl0pvQaxbonyOqrM
+abi9AUARKc/b/ZMqLAG+tkDiEylHXuOoNVrxv7LWLSC8pwIDAQABo4HCMIG/MEMG
+A1UdEQQ8MDqHEAAAAAAAAAAAAAAAAAAAAAGHBH8AAAGCCWxvY2FsaG9zdIIVbG9j
+YWxob3N0LmxvY2FsZG9tYWluMAsGA1UdDwQEAwIFoDAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUy5jkbDwQivMRMojd2g3OQdkutcUw
+HQYDVR0OBBYEFAf4s6NuY9wysRkaxqvWAz4oCrs8MAwGA1UdEwEB/wQCMAAwDQYJ
+KoZIhvcNAQELBQADggEBAKJ46bgdoBePSyEKIrX6n7Lp+XJEYBhpAgHou1+mG5AR
+URvv8/kcYcruh4x5Dgrr+5WyraTm5Kq8hzu+1bVbrUwSgY3xJ0POuTpi2sMkVl87
+ditlIkn2sS3SYPG+VLSJAeMSLsVj9JZuxyNRQt0ZkHgxQEwAsnvUVo0gWEj0HoDg
+Y8G+WlkGoic0/FjZKgsr7OEfiq3MQgwaPKiPQQS2If95dOt4cgzwyQcSTirCx+Nv
+eIY85MEYp18KglwkloawzMVumKaCgM3sHgWUaZyGv+9gqAiecbUpBvpBnDMiDELi
+CXLSDtyAzST2WMSTdhYCITVcL8+8BaxQqxfWyzKkwgE=
+-----END CERTIFICATE-----

spec/tlspretense/certs/clientkey.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAssbyEvXwf5KbGys/5bYDKPlfDGUIz8M2L2rd2j/F9bhQxf/7
+r3cd6bgwVBwaKucPCbJWg90C8kb/Cu2iecvHjfcZQIwqcIE77p+Y62W0RDG49Jj2
+f15VlBzKdd7rLHeWd4P85qwS0YRvrJLnqSyHYjxasb/SnsxHStdfocwlDuR/FzoZ
+lhCNHS4ft8f/Q4GzzFzq0Sa1yeX/LbfL1JuJnrqURdNUN192eQfMFVVAdmSDsXCg
+oOlBx72FadNqidD+tfM/ehGLnHffrPLDgXdGcJ6CNl0pvQaxbonyOqrMabi9AUAR
+Kc/b/ZMqLAG+tkDiEylHXuOoNVrxv7LWLSC8pwIDAQABAoIBAQCTl40YPDR9jbJB
+ntYUtcwsEpv2pp68r2PXh7l6SfYLY0xD+o51kLiAUJCNj9nGm5Udoz6rhFW/YP+D
+rSXauXKY8GvHjzAmS3sICHh9tiw5tHcGcBXolx+9tHstDolG37+4EZ5DbcHneRec
++HcKgnmOj1cssbmXYfxlfCM2d0wM2xQSm8tT1LeE76R8Zq1YP29oTOdv15xBrOGo
+AsNjDXRe4c7t2WeX6cmIm5ZS9sDW21BYoTxXzD9bsEZvK/rmEVpT/QBdwSf2O50o
+FRtVWsb/uMorzWkQ1KpErv8TQFYypFz13EFkoB6h06nHOeEOTYgtJr5T+/ATNBbR
+j+qJo21pAoGBANiFac1FSAsB8WRJ4/evB5Ee33mVhAEY4E4UTSTBoA8Rv3pib6sK
+qcJ8sAyl3ygI1NBrtH6ZHAGN/tIwQ+mTnPc/scWCVHkjTIzhes0az2l3i3ELKMcz
+ojnnxYjuB9ZNyS/TRyQ3P6r4gCutqx3g0wC1R7kaB8b7kkFS53u/AVelAoGBANNf
+v/cS6wrGG0mheltJORVIsUl8BuGsQvuLvPS1y581huZt++fQYts9zssuY1hi1Fgx
++5GedLkX04Su7KmoUO/ebbSH+iOGIYSQBTE53wRewGXpn2rvHMT3RcXVOr4JJhzd
+royeX12RSYqK+5GEUEqwBWA/H35Dzy5ERRwIYDFbAoGBAM8ORi9WoZ5lLUKKpsal
+SscsjujmYmXqNBZ2s48C2t2OS13t5HvcppqmQnTV6qGOUHU/ikvGf1G9SIIYRdmI
+oAKRlp8aE04Ew5+1wImDqfVhrKdd1JEqf2iAjBZ2CmiV2l8x3EZ1zxzgpzEd0xWv
+ehijQwNwMR/IVATEEznzXoVBAoGBAMLVuoPLK15V92cqcjdcykJFLC25Jjq0Z1Wo
+m7bRL+0EEOGsNYubONQwJ8J/ctFQ37yf7exvK9ZFERJ3juxfmqNP2r2SrU47X//q
+JO8YEercT+pgqzKNT257IxRVFP2AP2JSMIern+oGdsw+id67IKuHjp0F8kiXxow2
+H6HUUp6LAoGAPClBGWSWM0a9UAxG2CK2nPszE8pc6Zxd17ll4osu7IB4Y982LdJM
+A7SjZ97WMvXujaYwgXBfMCs+yMIrFjV99fmLmyh6FvVJwXyMcs56Z5bOAwbKZV+x
+Y/vjHfz0BOpvbwlplfPotE8n+BdVaVbrMfJ73LjH0sbdIzr0Nso09Jw=
+-----END RSA PRIVATE KEY-----

spec/tlspretense/certs/servercert.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID3DCCAsSgAwIBAgIECeneiTANBgkqhkiG9w0BAQsFADBVMRMwEQYDVQQKDApU
+ZXN0IFN1aXRlMR4wHAYDVQQLDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHjAcBgNV
+BAMMFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0xNDExMjkwNDI5NThaFw0xOTEx
+MjgwNDI5NThaMEYxEzARBgNVBAoMClRlc3QgU3VpdGUxDzANBgNVBAsMBlNlcnZl
+cjEeMBwGA1UEAwwVbG9jYWxob3N0LmxvY2FsZG9tYWluMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAmEI7hO5c7JN3VAz/FyjOnpjJA32wgb1qy8puvEm4
+znwCa15BIGuuVfrkatiwMOPSnX+EbtGZh2QxU21pPHUnQF7j6SjMHlt3gBjoDZGe
+aJaGfEUJQojTWyakEhN7MH4RcMuY8Bo0YsbBd8fpqZOtuhXOYC1D3/ukgKiQ8c7Q
+kUQyIAn8rZpdyIfuuXxZEvpbv2OMrofrl3udTyiSzJeqKRpujjPWiZpBfXdZarrM
+XENPh15fnYMaFiqYCF8DVuLMiFvFBbyjZj1tKjFdn513Nc6mP2OxexFc4++z8Hpy
+jXB3owOs2N6HDmbRXp1mDIKX/8jZJt9t0R5pxjKG4JcZUwIDAQABo4HCMIG/MEMG
+A1UdEQQ8MDqHEAAAAAAAAAAAAAAAAAAAAAGHBH8AAAGCCWxvY2FsaG9zdIIVbG9j
+YWxob3N0LmxvY2FsZG9tYWluMAsGA1UdDwQEAwIFoDAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUy5jkbDwQivMRMojd2g3OQdkutcUw
+HQYDVR0OBBYEFHfGm7Yr3EPkBVvmWfcuqRMjMHOuMAwGA1UdEwEB/wQCMAAwDQYJ
+KoZIhvcNAQELBQADggEBAClCbFMyj3GGrlRz8rs8FP+796mMirj9ARkEzAhcfPM6
+njoGk0+FnYHrdL+rLnHM6ClYKAIYBMTdTtr5iw4ylwJa/vVPGNXezTtfzeYzCu5w
++zlJWD9X5JLs5WCvp6MBIdA4GVlqLewRmKqlKMBWPmyYGN3l6QiKhHAyutL5MUKm
+cQM2hGj+yOqTI6M/Vviuf+KkunS5WLna2GdHQEon6q7ygfmJSem5S/uMvGB6WfEs
+XLkcDR8E3d30CzoOr7vx4agV+7APO7X1RIEULAlJKMMaQYWKwe/zNAlymRTIZo2s
+SwMB6hp1U2NunlafaUwjUTPPMFH2zBqAQpibgqGaFEk=
+-----END CERTIFICATE-----

spec/tlspretense/certs/serverkey.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAmEI7hO5c7JN3VAz/FyjOnpjJA32wgb1qy8puvEm4znwCa15B
+IGuuVfrkatiwMOPSnX+EbtGZh2QxU21pPHUnQF7j6SjMHlt3gBjoDZGeaJaGfEUJ
+QojTWyakEhN7MH4RcMuY8Bo0YsbBd8fpqZOtuhXOYC1D3/ukgKiQ8c7QkUQyIAn8
+rZpdyIfuuXxZEvpbv2OMrofrl3udTyiSzJeqKRpujjPWiZpBfXdZarrMXENPh15f
+nYMaFiqYCF8DVuLMiFvFBbyjZj1tKjFdn513Nc6mP2OxexFc4++z8HpyjXB3owOs
+2N6HDmbRXp1mDIKX/8jZJt9t0R5pxjKG4JcZUwIDAQABAoIBAF1ZHgyd5zLUJnDN
+lwen6SWrHnKZeMHSU8ulzMZ7nGZb+U/CdcNewX/NVoV7XGpdAx+0sokO0EYF04gG
+qGJ8oRgCFVE5xgtGoLlUi9Dl2mzc/I7r9IVqRcq4ohbDAt/0KtUwvg9WwY9ds/ew
+BT4GYJiaDfFBTz/flDedIWBfH9gvOUWe/+AhL+VNqOryf3yT3Y+pwEMgZ1GkLqqQ
+wUWga7dPaThLKeM1qCkEs1TAw3YBn+hQLjh1Z6H+ldNIFQ78BL6MPZz4h2J9u5+0
+eMW+nxwnqg+LWqxtfaBFQX6hADFYhE1zO4cuii+k8md5cK6eoQUmyUMfeCmiBrCM
+x/AjNwECgYEAxfqUaDZWW8itX0oSUDl9kpvESVYtXoBC4GmCqc/NBURS5ji67RI9
+R0FRtlHC8gYZB9QY22i2mV9BdaoPNIOTS/dQU8f9tzE+ym1nOnKtoWHR6YEkUesx
+JYJSaDujQecM5bzZ+4Qi849DBytQw8lClG23DBmcNq8vcxs6eisCb2ECgYEAxOF8
+/JQ1z/S07ghoAXb3IIgDXq9uy9+dqGOtObWzxnWkveFiXnrOfjtZ+1GE/TvbfiZp
+5LCITbJcM5wtjbDffvhbG8F3Ou/5KxmoULqqIKKhSCci11GjwIg00fa6zpFIV1I/
+wbpn7LTx4GU54CqIn7hzn6z/9tN5x66XWvGAiTMCgYEAgOBb13L3yIvcAFnRjhO+
+oL9xiWPl6MyJvFgyzKQPDEyrwl5PoJ/s8AOfU5Xp128MwEHbZIjHxRNzI0tu1nqI
+Wj1GNyPLD4OpIlERj8SzLojlAqIkqIb32Tj6uAuKfQ4RIURMiiQ8NFyf/3y8+JZ9
+Fu5M6D2LqTVlKAMjj/+LeEECgYEAk0SP92btsbY7uGm1UpMoW78htivH1txX0+Nr
+aeWOqf7J0fbLXBzEZQwETMc3kSy7DGuzfgrGikfGTBygvoH1S8Z+cA6RHxbt7N1u
+V6SpKWw88/nCSAmbUaMQz5WdOnLWB+tQIZtLrXXUD6PoXNO0CrUwV9pSRND/IOxp
+7u8C1J0CgYEAtLX8aVXT3jxBUDRFw/22NcmsYUfSv9Tkd+QBnDEdcCIoIv3l9myE
+c8w+g0LTLUgV4Xfa70Wbg3MKBuwC0q1pFC8I4jURLyHfEs8RRGDTchbq9Is2vTD9
+7lrZBVp3bJjswJZR+vJYPVCC3v92rT/5HMdRcMhNPoaXSmIsFS71jvI=
+-----END RSA PRIVATE KEY-----

spec/tlspretense/certs/testcacert.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDizCCAnOgAwIBAgIEB9gbfDANBgkqhkiG9w0BAQsFADBVMRMwEQYDVQQKDApU
+ZXN0IFN1aXRlMR4wHAYDVQQLDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHjAcBgNV
+BAMMFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0xNDExMjkwNDI5NThaFw0xOTEx
+MjgwNDI5NThaMFUxEzARBgNVBAoMClRlc3QgU3VpdGUxHjAcBgNVBAsMFUNlcnRp
+ZmljYXRlIEF1dGhvcml0eTEeMBwGA1UEAwwVbG9jYWxob3N0LmxvY2FsZG9tYWlu
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAurk+jHADlvIvwno4YPUH
+y6Wz9ukFNtwnTrbcL9oAIqCnp6BChTEzwv9125TF3Oi+WnQYN1IN3O+2Xp4Dg+un
+C4xYXUKr6ZYjAYTiUKXh1d+G4dpxICQzMRIFlXPyjjInF3ni1SPMqaFc1uAYwwfT
+k40tdyqdmsn3FeKcR8lcnTaE8GijG4WoBjEH3mPWLgTLooRGZghvuVSuZcX+Mzc2
+YqS7rolc+wKI2UxI4XcOVXN/bowVgDw3sPEl2waDQzIDtYzY85UvMkRk4ue8gdvP
+xub5VhM+2irVLm3ZPqf8x0eOxqc9f6Uj97cVO510y9Ag2jFctbJmyGpg3GuRprMn
+SwIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
+HQ4EFgQUy5jkbDwQivMRMojd2g3OQdkutcUwHwYDVR0jBBgwFoAUy5jkbDwQivMR
+Mojd2g3OQdkutcUwDQYJKoZIhvcNAQELBQADggEBAJM9fAsR4AGdbDWsADDTXy2Q
+ORM0eSJSuYKFCW+VHcJMY/I4Mr/dbhoHnVAnLD7uuPgx6KDkByhYe8Ge91HlV6xJ
+qf+G9ZNMB3xV8CXqcMp+cMsFuEJyZHjsWtYhkwtJ3Wv1Qgc0Kh7qa7/GfRNLNvLx
+kHiHe2oaWuxLN4gDN1zfsFNHjGzmDKJxX9g+8hclygUkxn2cVrVsHkvEQKz7BPPN
+z1NvMgjGe1oEw15Ti0VgZDllo7Ue1Xq1RXXKfbVtHneOpv45GyhJHLXlnx/eGJWM
+BmoA4w5Qs0qTNxyx78DXJ+HNdgOEymRt2400Ic3YO7+K9ccc/l7EkoctK0O6Ahc=
+-----END CERTIFICATE-----

spec/tlspretense/certs/testcakey.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAurk+jHADlvIvwno4YPUHy6Wz9ukFNtwnTrbcL9oAIqCnp6BC
+hTEzwv9125TF3Oi+WnQYN1IN3O+2Xp4Dg+unC4xYXUKr6ZYjAYTiUKXh1d+G4dpx
+ICQzMRIFlXPyjjInF3ni1SPMqaFc1uAYwwfTk40tdyqdmsn3FeKcR8lcnTaE8Gij
+G4WoBjEH3mPWLgTLooRGZghvuVSuZcX+Mzc2YqS7rolc+wKI2UxI4XcOVXN/bowV
+gDw3sPEl2waDQzIDtYzY85UvMkRk4ue8gdvPxub5VhM+2irVLm3ZPqf8x0eOxqc9
+f6Uj97cVO510y9Ag2jFctbJmyGpg3GuRprMnSwIDAQABAoIBAHhEgMksDOPYsnJt
+DotEx/Sfkj7i7/zZ6GeG2GPp4lRrbhFF5BKuEkzzBhKczKTxNEpGpKJdM5iuvaRL
+2q/JxRpnFzNakiguD/YWhT602bVL+DDY5ixxpJdiqD4PJJf6LbutQjFOkbBgws+U
+H97e16QeNr6esEzW8VMjVs3WINURAcnvZTju1o8X3SS/JtYVcT1TBmh9Z+JkxN5H
+Xt63gTsKbEHVWgbmPV5Qh8rz81i3mS8LCMikbQXIW8Jg3FWK4LmLjBlUbQpnNKej
+QnFKFS1NXo/ojPHzb8bek2sfNSc0O28qC8a7+FyDLkAMwqUsDswgnhm0SviEhvxx
+YrikISECgYEA7+8SOWn8tMmpvjKPbWFxSK5JyDoitPb7oQmnYm3VUuqXpjVQA80j
+KIR0orpjwCYWvQ6sqsZgzuVxZShatNK9loNg5UWGrLH0o5ukDdY5TL0JCc/Bp3qR
+Hncx1eNTdUjrWtMng2B3hStgGdrXTBQ9PKkU/6xRn6YtCexFzXSdiQ0CgYEAxzoL
+9/e25hnS+Q52iA+TlqKY1fdIJN35bfy70iVb3201rDCoNefimd6FqrEuPh8wNYmx
+bH+zvJIFsucKnc+HVZ05Cp+FzHj1sFpbOYXWPYR0N8hz6XL016tI9AoSkZhChXzX
+c8Rz84GHgadMriz389ZjNYFlBN3h1uuJQW4VK7cCgYAHZEMYd7ZsT2YmUOJwSTc3
+OP9W5suY7Z706Bo7Aw02X7nKSgwsAc7aebIqLTnTepjqvB//ptrmpNToe+THe1KR
+53w9s/WhLl5OCAZ20qmzPoOfxMG/ihwcZymm4Dj6/QMbKjQmbPtho+NzCHXnhxwX
+2VGnSsS8+V6b1qaT3MrZpQKBgQC9fjGqHnxhqkhnyeDmE2K+0VLrmPOO1W8MtWn0
+PMKA5gA6EmG8PB3lWqjqrPId9k5Fbf1LBL/xaTZwbp9DcQP5Y7zApPB/hsGxho/k
+S691/ckI0emmL0hA5lNSg04cG6WSECdhnobnItm/cWBW/sCstcrRNozeLylC4e9A
+Q7NxSwKBgQDBdlqXnpIU97fbLWWJjt9zzBHsZxJ2KpTL0aMd6RygMi5DRJaEu1MS
+EKFh/5Cufh5xHMixauxRapqO0Uiyhpv4sfqlP0UB4ZBy8B8/6i9rLnnxrO2cK7Fl
++CdAfBr4YZM18p76fSVpsnRkYG569b2kh7niXpupUXgt03PGY5BLZw==
+-----END RSA PRIVATE KEY-----

spec/tlspretense/config.yml

@@ -0,0 +1,60 @@
+# TLSPretense Configuration File - https://github.com/iSECPartners/tlspretense/
+---
+hostname: localhost.localdomain
+
+certmaker:
+  outdir: certs
+  defaultsubject: &defaultsubject "C=US, CN=%HOSTNAME%"
+  missing_serial_generation: random
+
+logger:
+  level: INFO
+  file: '-'
+
+# Settings Common to All Certificates
+_base_cert_settings: &base_cert_settings
+  not_before: now
+  not_after: +1825
+  key_type: RSA
+  key_size: 2048
+  signing_alg: SHA256
+
+# CA Certificate Settings
+_ca_settings: &ca_settings
+  <<: *base_cert_settings
+  issuer: self
+  extensions:
+  - "keyUsage = critical, keyCertSign"  # can sign certificates
+  - "basicConstraints = critical,CA:true"
+  - "subjectKeyIdentifier=hash"
+  - "authorityKeyIdentifier=keyid:always"
+
+# Client/Server Certificate Settings
+_cert_settings: &cert_settings
+  <<: *base_cert_settings
+  issuer: testca
+  extensions:
+  - "subjectAltName=IP:::1,IP:127.0.0.1,DNS:localhost,DNS:%HOSTNAME%"
+  - "keyUsage=digitalSignature, keyEncipherment" # can sign data and can encrypt symmetric keys
+  - "extendedKeyUsage=serverAuth, clientAuth" # can be used as both a www server cert and www client cert
+  - "authorityKeyIdentifier=keyid:always"
+  - "subjectKeyIdentifier=hash"
+  - "basicConstraints = critical,CA:FALSE"
+
+# Certificate Generation
+certs:
+  testca:
+    <<: *ca_settings
+    subject: "O=Test Suite, OU=Certificate Authority, CN=%HOSTNAME%"
+
+  server:
+    <<: *cert_settings
+    subject: "O=Test Suite, OU=Server, CN=%HOSTNAME%"
+
+  authserver:
+    <<: *cert_settings
+    subject: "O=Test Suite, OU=Auth Server, CN=%HOSTNAME%"
+
+  client:
+    <<: *cert_settings
+    subject: "O=Test Suite, OU=Client, CN=%HOSTNAME%"