From ee6c9299fcf08fb079ac2af9681ebbd5a54a9c7a Mon Sep 17 00:00:00 2001
From: Todd Short
Date: Tue, 29 Oct 2024 14:59:12 -0400
Subject: [PATCH] Loosen certificate checks (#1413)
The checks we had were a bit too constrained, and don't follow the golang standard library code. So, replace our replacement functions with the originals. This level of checking (e.g. mistyping a path) is not really necessary when people are using our (e.g. cert-manager) manifests.
Signed-off-by: Todd Short
---
 internal/httputil/certutil.go | 196 +---------------------
 internal/httputil/certutil_test.go | 15 +-
 testdata/certs/bad/Amazon_Root_CA_1.pem | 20 ---
 testdata/certs/bad/Amazon_Root_CA_2.pem | 3 -
 testdata/certs/bad/Amazon_Root_CA_3.pem | 12 --
 testdata/certs/expired/expired.pem | 31 ----
 testdata/certs/ugly/Amazon_Root_CA.pem | 37 ----
 testdata/certs/ugly2/Amazon_Root_CA_1.pem | 20 ---
 testdata/certs/ugly3/not_a_cert.pem | 1 -
 9 files changed, 5 insertions(+), 330 deletions(-)
 delete mode 100644 testdata/certs/bad/Amazon_Root_CA_1.pem
 delete mode 100644 testdata/certs/bad/Amazon_Root_CA_2.pem
 delete mode 100644 testdata/certs/bad/Amazon_Root_CA_3.pem
 delete mode 100644 testdata/certs/expired/expired.pem
 delete mode 100644 testdata/certs/ugly/Amazon_Root_CA.pem
 delete mode 100644 testdata/certs/ugly2/Amazon_Root_CA_1.pem
 delete mode 100644 testdata/certs/ugly3/not_a_cert.pem
diff --git a/internal/httputil/certutil.go b/internal/httputil/certutil.go
index 767fd57a6..a6cd9f98e 100644
--- a/internal/httputil/certutil.go
+++ b/internal/httputil/certutil.go
@@ -1,10 +1,7 @@
 package httputil
 import (
- "bytes"
 "crypto/x509"
- "encoding/base64"
- "encoding/pem"
 "fmt"
 "os"
 "path/filepath"
@@ -13,192 +10,6 @@ import (
 "github.com/go-logr/logr"
 )
-var pemStart = []byte("\n-----BEGIN ")
-var pemEnd = []byte("\n-----END ")
-var pemEndOfLine = []byte("-----")
-var colon = []byte(":")
-
-// getLine results the first \r\n or \n delineated line from the given byte
-// array. The line does not include trailing whitespace or the trailing new
-// line bytes. The remainder of the byte array (also not including the new line
-// bytes) is also returned and this will always be smaller than the original
-// argument.
-func getLine(data []byte) ([]byte, []byte) {
- i := bytes.IndexByte(data, '\n')
- var j int
- if i < 0 {
- i = len(data)
- j = i
- } else {
- j = i + 1
- if i > 0 && data[i-1] == '\r' {
- i--
- }
- }
- return bytes.TrimRight(data[0:i], " \t"), data[j:]
-}
-
-// removeSpacesAndTabs returns a copy of its input with all spaces and tabs
-// removed, if there were any. Otherwise, the input is returned unchanged.
-//
-// The base64 decoder already skips newline characters, so we don't need to
-// filter them out here.
-func removeSpacesAndTabs(data []byte) []byte {
- if !bytes.ContainsAny(data, " \t") {
- // Fast path; most base64 data within PEM contains newlines, but
- // no spaces nor tabs. Skip the extra alloc and work.
- return data
- }
- result := make([]byte, len(data))
- n := 0
-
- for _, b := range data {
- if b == ' ' || b == '\t' {
- continue
- }
- result[n] = b
- n++
- }
-
- return result[0:n]
-}
-
-// This version of pem.Decode() is a bit less flexible, it will not skip over bad PEM
-// It is basically the guts of pem.Decode() inside the outer for loop, with error
-// returns rather than continues
-func pemDecode(data []byte) (*pem.Block, []byte) {
- // pemStart begins with a newline. However, at the very beginning of
- // the byte array, we'll accept the start string without it.
- rest := data
- if bytes.HasPrefix(rest, pemStart[1:]) {
- rest = rest[len(pemStart)-1:]
- } else if _, after, ok := bytes.Cut(rest, pemStart); ok {
- rest = after
- } else {
- return nil, data
- }
-
- var typeLine []byte
- typeLine, rest = getLine(rest)
- if !bytes.HasSuffix(typeLine, pemEndOfLine) {
- return nil, data
- }
- typeLine = typeLine[0 : len(typeLine)-len(pemEndOfLine)]
-
- p := &pem.Block{
- Headers: make(map[string]string),
- Type: string(typeLine),
- }
-
- for {
- // This loop terminates because getLine's second result is
- // always smaller than its argument.
- if len(rest) == 0 {
- return nil, data
- }
- line, next := getLine(rest)
-
- key, val, ok := bytes.Cut(line, colon)
- if !ok {
- break
- }
-
- key = bytes.TrimSpace(key)
- val = bytes.TrimSpace(val)
- p.Headers[string(key)] = string(val)
- rest = next
- }
-
- var endIndex, endTrailerIndex int
-
- // If there were no headers, the END line might occur
- // immediately, without a leading newline.
- if len(p.Headers) == 0 && bytes.HasPrefix(rest, pemEnd[1:]) {
- endIndex = 0
- endTrailerIndex = len(pemEnd) - 1
- } else {
- endIndex = bytes.Index(rest, pemEnd)
- endTrailerIndex = endIndex + len(pemEnd)
- }
-
- if endIndex < 0 {
- return nil, data
- }
-
- // After the "-----" of the ending line, there should be the same type
- // and then a final five dashes.
- endTrailer := rest[endTrailerIndex:]
- endTrailerLen := len(typeLine) + len(pemEndOfLine)
- if len(endTrailer) < endTrailerLen {
- return nil, data
- }
-
- restOfEndLine := endTrailer[endTrailerLen:]
- endTrailer = endTrailer[:endTrailerLen]
- if !bytes.HasPrefix(endTrailer, typeLine) ||
- !bytes.HasSuffix(endTrailer, pemEndOfLine) {
- return nil, data
- }
-
- // The line must end with only whitespace.
- if s, _ := getLine(restOfEndLine); len(s) != 0 {
- return nil, data
- }
-
- base64Data := removeSpacesAndTabs(rest[:endIndex])
- p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data)))
- n, err := base64.StdEncoding.Decode(p.Bytes, base64Data)
- if err != nil {
- return nil, data
- }
- p.Bytes = p.Bytes[:n]
-
- // the -1 is because we might have only matched pemEnd without the
- // leading newline if the PEM block was empty.
- _, rest = getLine(rest[endIndex+len(pemEnd)-1:])
- return p, rest
-}
-
-// This version of (*x509.CertPool).AppendCertsFromPEM() will error out if parsing fails
-func appendCertsFromPEM(s *x509.CertPool, pemCerts []byte, firstExpiration *time.Time) error {
- n := 1
- for len(pemCerts) > 0 {
- var block *pem.Block
- block, pemCerts = pemDecode(pemCerts)
- if block == nil {
- return fmt.Errorf("unable to PEM decode cert %d", n)
- }
- // ignore non-certificates (e.g. keys)
- if block.Type != "CERTIFICATE" {
- continue
- }
- if len(block.Headers) != 0 {
- // This is a cert, but we're ignoring it, so bump the counter
- n++
- continue
- }
-
- cert, err := x509.ParseCertificate(block.Bytes)
- if err != nil {
- return fmt.Errorf("unable to parse cert %d: %w", n, err)
- }
- if firstExpiration.IsZero() || firstExpiration.After(cert.NotAfter) {
- *firstExpiration = cert.NotAfter
- }
- now := time.Now()
- if now.Before(cert.NotBefore) {
- return fmt.Errorf("not yet valid cert %d: %q", n, cert.NotBefore.Format(time.RFC3339))
- } else if now.After(cert.NotAfter) {
- return fmt.Errorf("expired cert %d: %q", n, cert.NotAfter.Format(time.RFC3339))
- }
- // no return values - panics or always succeeds
- s.AddCert(cert)
- n++
- }
-
- return nil
-}
-
 func NewCertPool(caDir string, log logr.Logger) (*x509.CertPool, error) {
 caCertPool, err := x509.SystemCertPool()
 if err != nil {
@@ -231,11 +42,10 @@ func NewCertPool(caDir string, log logr.Logger) (*x509.CertPool, error) {
 if err != nil {
 return nil, fmt.Errorf("error reading cert file %q: %w", file, err)
 }
- err = appendCertsFromPEM(caCertPool, data, &firstExpiration)
- if err != nil {
- return nil, fmt.Errorf("error adding cert file %q: %w", file, err)
+ // The return indicates if any certs were added
+ if caCertPool.AppendCertsFromPEM(data) {
+ count++
 }
- count++
 }
 // Found no certs!
diff --git a/internal/httputil/certutil_test.go b/internal/httputil/certutil_test.go
index a8a158ff3..f6489ab99 100644
--- a/internal/httputil/certutil_test.go
+++ b/internal/httputil/certutil_test.go
@@ -11,13 +11,7 @@ import (
 )
 // The "good" test consists of 3 Amazon Root CAs, along with a "PRIVATE KEY" in one of the files
-// The "bad" test consists of 2 Amazon Root CAs, the second of which is garbage, and the test fails
-// The "ugly" test consists of a single file:
-// - Amazon_Root_CA_1
-// - garbage PEM
-// - Amazon_Root_CA_3
-// The error is _not_ detected because the golang standard library PEM decoder skips right over the garbage
-// This demonstrates the danger of putting multiple certificates into a single file
+// The "empty" test includes a single file with no PEM contents
 func TestNewCertPool(t *testing.T) {
 caDirs := []struct {
 dir string
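Review bot: The boolean from `caCertPool.AppendCertsFromPEM(data)` is only used to bump `count`, so a file in `caDir` that yields no certificate, and any malformed block inside a file that also holds a good one, is now skipped without an error or a log line. For a trust-anchor loader that makes a mistyped or truncated CA file indistinguishable from a healthy one as long as some other file loads; an else branch such as `} else { log.Info("no certificates loaded from file", "file", file) }` keeps the loosened behaviour but leaves a trace. The removed `appendCertsFromPEM` was also the only visible writer of `firstExpiration` and the only place that rejected expired or not-yet-valid certificates, so anything outside this hunk that still reports `firstExpiration` will presumably see the zero value and should be dropped or recomputed. NewCertPool's body starts and ends outside the hunk.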
@@ -25,12 +19,7 @@ func TestNewCertPool(t *testing.T) {
 }{
 {"../../testdata/certs/", `no certificates found in "../../testdata/certs/"`},
 {"../../testdata/certs/good", ""},
- {"../../testdata/certs/bad", `error adding cert file "../../testdata/certs/bad/Amazon_Root_CA_2.pem": unable to PEM decode cert 1`},
- {"../../testdata/certs/ugly", `error adding cert file "../../testdata/certs/ugly/Amazon_Root_CA.pem": unable to PEM decode cert 2`},
- {"../../testdata/certs/ugly2", `error adding cert file "../../testdata/certs/ugly2/Amazon_Root_CA_1.pem": unable to PEM decode cert 1`},
- {"../../testdata/certs/ugly3", `error adding cert file "../../testdata/certs/ugly3/not_a_cert.pem": unable to PEM decode cert 1`},
- {"../../testdata/certs/empty", `error adding cert file "../../testdata/certs/empty/empty.pem": unable to parse cert 1: x509: malformed certificate`},
- {"../../testdata/certs/expired", `error adding cert file "../../testdata/certs/expired/expired.pem": expired cert 1: "2024-01-02T15:00:00Z"`},
+ {"../../testdata/certs/empty", `no certificates found in "../../testdata/certs/empty"`},
 }
 log, _ := logr.FromContext(context.Background())
diff --git a/testdata/certs/bad/Amazon_Root_CA_1.pem b/testdata/certs/bad/Amazon_Root_CA_1.pem
deleted file mode 100644
index a6f3e92af..000000000
--- a/testdata/certs/bad/Amazon_Root_CA_1.pem
+++ /dev/null
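Review bot: After this change the table has no case where a directory mixes a loadable file with an unloadable one, which is exactly the input the loosened loader now accepts silently. A case for such a directory with an empty expected error, plus a comment like `// files that yield no certificates are skipped, not fatal`, would pin that this is intended rather than accidental. The removed `expired` case likewise leaves expiry handling untested here, so it is worth confirming that certificate validity is still enforced when the pool is used for verification. TestNewCertPool's body continues outside the hunk.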
@@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF -ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6 -b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL -MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv -b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj -ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM -9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw -IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6 -VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L -93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm -jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC -AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA -A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI -U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs -N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv -o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU -5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy -rqXRfboQnoZsG4q5WTP468SQvvG5 ------END CERTIFICATE----- diff --git a/testdata/certs/bad/Amazon_Root_CA_2.pem b/testdata/certs/bad/Amazon_Root_CA_2.pem deleted file mode 100644 index 40e771524..000000000 --- a/testdata/certs/bad/Amazon_Root_CA_2.pem +++ /dev/null @@ -1,3 +0,0 @@ ------BEGIN CERTIFICATE----- -This is badly formatted base64 ------END CERTIFICATE----- diff --git a/testdata/certs/bad/Amazon_Root_CA_3.pem b/testdata/certs/bad/Amazon_Root_CA_3.pem deleted file mode 100644 index a45da7074..000000000 --- a/testdata/certs/bad/Amazon_Root_CA_3.pem +++ /dev/null 
@@ -1,12 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBtjCCAVugAwIBAgITBmyf1XSXNmY/Owua2eiedgPySjAKBggqhkjOPQQDAjA5 -MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24g -Um9vdCBDQSAzMB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkG -A1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3Qg -Q0EgMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCmXp8ZBf8ANm+gBG1bG8lKl -ui2yEujSLtf6ycXYqm0fc4E7O5hrOXwzpcVOho6AF2hiRVd9RFgdszflZwjrZt6j -QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSr -ttvXBp43rDCGB5Fwx5zEGbF4wDAKBggqhkjOPQQDAgNJADBGAiEA4IWSoxe3jfkr -BqWTrBqYaGFy+uGh0PsceGCmQ5nFuMQCIQCcAu/xlJyzlvnrxir4tiz+OpAUFteM -YyRIHN8wfdVoOw== ------END CERTIFICATE----- diff --git a/testdata/certs/expired/expired.pem b/testdata/certs/expired/expired.pem deleted file mode 100644 index e8912ba61..000000000 --- a/testdata/certs/expired/expired.pem +++ /dev/null 
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFXzCCA0egAwIBAgIUN5r8l1RrpH53+9e6pfj6CXoyqP0wDQYJKoZIhvcNAQEL -BQAwPzELMAkGA1UEBhMCVVMxEDAOBgNVBAoMB1JlZCBIYXQxDDAKBgNVBAsMA09M -TTEQMA4GA1UEAwwHZXhwaXJlZDAeFw0yNDAxMDExNTAwMDBaFw0yNDAxMDIxNTAw -MDBaMD8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKDAdSZWQgSGF0MQwwCgYDVQQLDANP -TE0xEDAOBgNVBAMMB2V4cGlyZWQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK -AoICAQDFalyjEXz0cMGs3pt360Cz0uD0CDnnAqQFHxXPchfCMZnW/VRGrJQq29rZ -UgU5PnxPgqadrw20BodfR2RS9xIacMP+092GY7Ep96xWokwXcsGPj2e5VMlEYVM1 -0MGqIbEv52ZnoEaZDHl4yprYeTs+b/7NGvdG1+N/YNAjkpk8cCBKUXo4ZhkgAZoW -jbv3DkAdkpQHipUYkQZNRws1ebyfTbKaEPxw7abEh9TJrHD1EI9hbmYOGJWLfe1e -zeBQjFioQA31FcQR3/v+aNEDX390+qi3p0LXe7GMabgcoFYcGXO7XvX0DdUBvdZZ -dyHA7cJvyfWfcbucI7xQ9xvAnu/4Ih4D8mHnJXjZK5ReQn06FPM/ZCgZ5LrHAKcZ -0mrOts/8noY9dMmBreSJmLCP8EqzY7yKJFFHVCeKo+bU6/KOyNhJGGSCHVJ/pZGK -ZpOQcNwVvHciLH+MfpW12xJXPEs8Wv24KufDdBCDliSFnVTYH3kZaq4Ozb7+3A5j -wUQ2aDg8nrq4oNORMSCafvia8MYH3NXbpUq1SAyD5DTKtMcWY3gcVnJgrBai1hPn -TPhrMb2NMDFnMnj7/l8jdu9xHrsgOmOrv7Zj0ytmpT6ITJgWNGXsiq7Dp+HH1c6N -ggG6g0zqoyoaxcPVN7PMrWTvfKUD3LHfIsesPc4+lT+TSlBQYwIDAQABo1MwUTAd -BgNVHQ4EFgQU8mBHR/00anEl8Io/A2c0LQlGF5MwHwYDVR0jBBgwFoAU8mBHR/00 -anEl8Io/A2c0LQlGF5MwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC -AgEABZYGEeJY2dgyi4W0LNVgN8mKuZuapIcisQ66foe46WuWGAjVONIHlb0Ciy75 -aaClLC8fiiIh+FUFZ5aIZkfhKH97QvehFO5O7mqCjM7ipvtEm+Vs1IVtXWDONUxo -SfgbjEPBV8+eflgvKQ6jJqiSqs8EnqdbGAfhxVG/3RN1b5xSFtKz6kzHQE+Gy6QT -DGCVhYvDq8j6G2LCePsqE8piOnSaXuRwD4/YEOaYhx4jjgOnaM0m/dM/Cx9wy2xg -LMRBjBwxFf6palgiFUvyqvturIPONQICkM/lZkpmHbeM4FCat/CD5VW+JgpYiEtW -2oFslTEbawUjmEYnzdo9iw9KPLJQqtasFEWzkWWnJrfm7AVGxcgAHVqGZhUMgq0k -MccM2zYZN2fCSZUUueDB7VCxFq5jK2oLzE14ngXdR7ZbxT3qai/zvGg1kl9y1bIF -WVTK0WZnHqZwVnHQVBH0Duv0uyRUzb6yRRziuLN5aBGQpy/Jm7MS0jLidCbqoCXC -dYqGMFlImzU+6CwPyTJo+X+v6L+FATIxZRpBBeEhHqEU6wz51ms68Sjx4bpW33b+ -WFt0JKEmIxB1puJK1qQvKu/MxJyy52GNqiRg7HXkJH9MMYWoAkF2jKMLFoerUPun -7GaV8SIUTFO/5pbnpxZ97a2FuB2RvDKs7GSdspEmC3wbAPU= ------END CERTIFICATE----- 
diff --git a/testdata/certs/ugly/Amazon_Root_CA.pem b/testdata/certs/ugly/Amazon_Root_CA.pem deleted file mode 100644 index 256719fc7..000000000 --- a/testdata/certs/ugly/Amazon_Root_CA.pem +++ /dev/null 
@@ -1,37 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF -ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6 -b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL -MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv -b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj -ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM -9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw -IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6 -VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L -93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm -jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC -AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA -A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI -U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs -N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv -o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU -5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy -rqXRfboQnoZsG4q5WTP468SQvvG5 ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFQTCCAymgAwIBAgITBmyf0pY1hp8KD+WGePhbJruKNzANBgkqhkiG9w0BAQwF -This is garbage -4PsJYGw= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIBtjCCAVugAwIBAgITBmyf1XSXNmY/Owua2eiedgPySjAKBggqhkjOPQQDAjA5 -MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24g -Um9vdCBDQSAzMB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkG -A1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3Qg -Q0EgMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCmXp8ZBf8ANm+gBG1bG8lKl -ui2yEujSLtf6ycXYqm0fc4E7O5hrOXwzpcVOho6AF2hiRVd9RFgdszflZwjrZt6j -QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSr -ttvXBp43rDCGB5Fwx5zEGbF4wDAKBggqhkjOPQQDAgNJADBGAiEA4IWSoxe3jfkr -BqWTrBqYaGFy+uGh0PsceGCmQ5nFuMQCIQCcAu/xlJyzlvnrxir4tiz+OpAUFteM 
-YyRIHN8wfdVoOw== ------END CERTIFICATE----- diff --git a/testdata/certs/ugly2/Amazon_Root_CA_1.pem b/testdata/certs/ugly2/Amazon_Root_CA_1.pem deleted file mode 100644 index 8f0f64972..000000000 --- a/testdata/certs/ugly2/Amazon_Root_CA_1.pem +++ /dev/null @@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE -MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF -ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6 -b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL -MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv -b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj -ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM -9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw -IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6 -VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L -93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm -jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC -AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA -A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI -U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs -N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv -o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU -5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy -rqXRfboQnoZsG4q5WTP468SQvvG5 ------END CERTIFICATE----- diff --git a/testdata/certs/ugly3/not_a_cert.pem b/testdata/certs/ugly3/not_a_cert.pem deleted file mode 100644 index 980a0d5f1..000000000 --- a/testdata/certs/ugly3/not_a_cert.pem +++ /dev/null @@ -1 +0,0 @@ -Hello World!