Test query forwarding to DoT-enabled upstream servers
authorAram Sargsyan <aram@isc.org>
Thu, 8 Dec 2022 10:29:15 +0000 (10:29 +0000)
committerAram Sargsyan <aram@isc.org>
Fri, 20 Jan 2023 14:45:30 +0000 (14:45 +0000)
Change the 'forward' system test to enable DoT on ns2 server,
and test that forwarding from ns4 to the DoT-enabled ns2 works.

In order to test different scenarios, create a test CA (based on
similar CAs for 'doth' and 'nsupdate' system tests), and test
both insecure (no certificate validation) and secure (also with
mutual TLS) TLS configurations, as well as a configuration with an
expired certificate.

24 files changed:
.reuse/dep5
bin/tests/system/forward/.gitignore [new file with mode: 0644]
bin/tests/system/forward/CA/CA.cfg [new file with mode: 0644]
bin/tests/system/forward/CA/CA.pem [new file with mode: 0644]
bin/tests/system/forward/CA/README [new file with mode: 0644]
bin/tests/system/forward/CA/certs/srv02.crt01.example.nil.key [new file with mode: 0644]
bin/tests/system/forward/CA/certs/srv02.crt01.example.nil.pem [new file with mode: 0644]
bin/tests/system/forward/CA/certs/srv02.crt02-expired.example.nil.key [new file with mode: 0644]
bin/tests/system/forward/CA/certs/srv02.crt02-expired.example.nil.pem [new file with mode: 0644]
bin/tests/system/forward/CA/certs/srv04.crt01.example.nil.key [new file with mode: 0644]
bin/tests/system/forward/CA/certs/srv04.crt01.example.nil.pem [new file with mode: 0644]
bin/tests/system/forward/CA/index.txt [new file with mode: 0644]
bin/tests/system/forward/CA/index.txt.attr [new file with mode: 0644]
bin/tests/system/forward/CA/newcerts/CCC118082632E18B.pem [new file with mode: 0644]
bin/tests/system/forward/CA/newcerts/CCC118082632E18C.pem [new file with mode: 0644]
bin/tests/system/forward/CA/newcerts/CCC118082632E18D.pem [new file with mode: 0644]
bin/tests/system/forward/CA/private/CA.key [new file with mode: 0644]
bin/tests/system/forward/CA/serial [new file with mode: 0644]
bin/tests/system/forward/clean.sh
bin/tests/system/forward/dhparam3072.pem [new file with mode: 0644]
bin/tests/system/forward/ns1/named.conf.in
bin/tests/system/forward/ns2/named.conf.in
bin/tests/system/forward/ns4/named.conf.in
bin/tests/system/forward/tests.sh

index 5672b01ce01702d54bfe7db6ed50eee722673f4b..7a929e4f65323ff00bc578b23f5fd6541249afde 100644 (file)
@@ -42,6 +42,11 @@ Files: **/*.after*
        bin/tests/system/formerr/nametoolong
        bin/tests/system/formerr/noquestions
        bin/tests/system/formerr/twoquestions
+       bin/tests/system/forward/CA/CA.cfg
+       bin/tests/system/forward/CA/README
+       bin/tests/system/forward/CA/index.txt
+       bin/tests/system/forward/CA/index.txt.attr
+       bin/tests/system/forward/CA/serial
        bin/tests/system/journal/ns1/managed-keys.bind.in
        bin/tests/system/journal/ns1/managed-keys.bind.jnl.in
        bin/tests/system/journal/ns2/managed-keys.bind.in
diff --git a/bin/tests/system/forward/.gitignore b/bin/tests/system/forward/.gitignore
new file mode 100644 (file)
index 0000000..df5fe68
--- /dev/null
@@ -0,0 +1,5 @@
+# temporary files generated by "openssl ca"
+/CA/*.old
+# there is little point in keeping the certificate requests
+# for the issued certificates
+/CA/certs/*.csr
diff --git a/bin/tests/system/forward/CA/CA.cfg b/bin/tests/system/forward/CA/CA.cfg
new file mode 100644 (file)
index 0000000..369e43a
--- /dev/null
@@ -0,0 +1,77 @@
+# See ../../doth/CA/ca.cfg for more information
+
+# certificate authority configuration
+[ca]
+default_ca      = CA_default               # The default ca section
+
+[CA_default]
+dir            = .
+new_certs_dir  = $dir/newcerts         # new certs dir (must be created)
+certificate    = $dir/CA.pem           # The CA cert
+private_key    = $dir/private/CA.key   # CA private key
+
+serial         = $dir/serial           # serial number file for the next certificate
+                                       # Update before issuing it:
+                                       # xxd -l 8 -u -ps /dev/urandom > ./serial
+database = $dir/index.txt                 # (must be created manually: touch ./index.txt)
+
+default_days   = 10950                 # how long to certify for
+
+#default_crl_days = 30                 # the number of days before the
+default_crl_days = 10950               # next CRL is due. That is the
+                                       # days from now to place in the
+                                       # CRL nextUpdate field.  If CRL
+                                       # is expired, certificate
+                                       # verifications will fail even
+                                       # for otherwise valid
+                                       # certificates. Clients might
+                                       # cache the CRL, so the expiry
+                                       # period should normally be
+                                       # relatively short (default:
+                                       # 30) for production CAs.
+
+default_md     = sha256                # digest to use
+
+policy         = policy_default        # default policy
+email_in_dn    = no                    # Don't add the email into cert DN
+
+name_opt       = ca_default            # Subject name display option
+cert_opt       = ca_default            # Certificate display option
+
+# We need the following in order to copy Subject Alt Name(s) from a
+# request to the certificate.
+copy_extensions = copy                 # copy extensions from request
+
+[policy_default]
+countryName            = optional
+stateOrProvinceName    = optional
+organizationalUnitName = optional
+commonName             = supplied
+emailAddress           = optional
+
+# default certificate requests settings
+[req]
+# Options for the `req` tool (`man req`).
+default_bits        = 3072 # for RSA only
+distinguished_name  = req_default
+string_mask         = utf8only
+# SHA-1 is deprecated, so use SHA-256 instead.
+default_md          = sha256
+# do not encrypt the private key file
+encrypt_key         = no
+
+[req_default]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name (full name)
+localityName                    = Locality Name (e.g., city)
+0.organizationName              = Organization Name (e.g., company)
+organizationalUnitName          = Organizational Unit Name (e.g. department)
+commonName                      = Common Name (e.g. server FQDN or YOUR name)
+emailAddress                    = Email Address
+# defaults
+countryName_default                     = UA
+stateOrProvinceName_default             = Kharkiv Oblast
+localityName_default                    = Kharkiv
+0.organizationName_default              = ISC
+organizationalUnitName_default          = Software Engeneering (BIND 9)
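Review bot: `copy_extensions = copy` in `[CA_default]` makes `openssl ca` copy every extension from the request into the issued certificate, so a CSR can carry extensions such as basicConstraints or keyUsage that the CA never reviews; that is acceptable here because this CA only signs requests generated inside the test tree, but since the file is written as a template (the header points at the `doth` CA config) the comment on that line should say so, e.g. `# copy extensions from request (SAN); safe only because requests are self-generated -- never use this setting in a production CA`. The `[policy_default]` section lists no organizationName or localityName, and OpenSSL drops subject components that the policy does not mention, which matches the issued certificates in this commit having `Subject: CN=...` only; if that is intended, a one-line comment above `[policy_default]` stating that only CN is retained would save the next reader from wondering why the `0.organizationName_default = ISC` default never appears in a certificate. Minor: the last line has a typo, `organizationalUnitName_default = Software Engineering (BIND 9)`.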
diff --git a/bin/tests/system/forward/CA/CA.pem b/bin/tests/system/forward/CA/CA.pem
new file mode 100644 (file)
index 0000000..1f725db
--- /dev/null
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/bin/tests/system/forward/CA/README b/bin/tests/system/forward/CA/README
new file mode 100644 (file)
index 0000000..13069ca
--- /dev/null
@@ -0,0 +1,2 @@
+Please take a look at the contents of the CA.cfg file for further
+instructions and configurations options.
diff --git a/bin/tests/system/forward/CA/certs/srv02.crt01.example.nil.key b/bin/tests/system/forward/CA/certs/srv02.crt01.example.nil.key
new file mode 100644 (file)
index 0000000..03e7e99
--- /dev/null
@@ -0,0 +1,40 @@
+-----BEGIN PRIVATE KEY-----
+MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQCT6jpDg/+SgAa+
+TqBTXQudybG4/tXM3K+Uequ6Ew/AtplxeJCxf0EHhVkmkBSIe/wMZHA38yo5gIBI
+Tl93dCb6qt0/e45jtabOvLxaqh0ssJpUjANGi+YZUlFIFi2IrN9zu12G9YD/EpPR
+U387aTVWbYGK6ku9ddW/orj5mBfHR+daCkegAD1cd0KV72Dq4iyrl6nzHcen+aov
+XQO2W0iHtCdLmbPjmfjNu1GI9B401T7jEjwtwLcqnQtzfzqtJ5cXWFFwCId1QtKH
+R2fA28a5+LAxpssVJHtUBv2S5iRxP1UCAnHyR3/l/r7UXx61WPcJ+mDjNiW99JFY
+5vL98VoA6Hcm3C0gEPzHohYK4Vnk5aBy1COIp1ZxHWn1HuTB7Id67xnd3/ol8Dtv
+xV8UICb6m+CvUcQYPzxJfSYlwtlcZ134r3MgWK5lXnEDd3h9RTcKo7cy6/7/X8bp
+uFs38WHVhCdQ01VyLIp1FpqVtfkt69AiSVdrZYeqcahtOZb+56kCAwEAAQKCAYBG
+jKj2i+5p10OgIItqx43jWBC6/l1GZZofVTU0PqQ8VDuyugE1j88aAbnIYV9Ry+Un
+mf5GSWaB368QDcWOCaoP1FBL16hOGZWytKWYDtx0dNVfbxqe2tpIiJE5M07LijzY
+C+1rkgxRXPCBHnSohyFIFFn9wouWla36Reg5MBhjVgHcWdvYzlR2FnH9ZpwQ3AjX
+XTLTwQf6L+RCy/gZ0ccx5rT5Y5m//LAFnIsiqeEAbReeIZPvdKRIoHgWQgBgF2nJ
+KAXFrf62gLSIXmnvvxiWL/xAUktg4kv+PFvEFjMjlxz3hOQuOwJQMt7zZkO0Pw2G
+Ow08OznR3dXCOO7csmfTktWdB71vgtf+Y/RzCWbyHPBy4tfWDbiqQCFJSsn7CsC8
+r4YscQ55Xmw2AVsUd356Z6ONiM5LZmd+OIpamrVh4Bfgkk1ElPetnelEZO2ZPsBT
+cud487ZOY0lD+lpNCAMqS2VeKRi+X/sefZHe3ZMJopRuyPLkqt3qh/sZlms3uWsC
+gcEAvWeiyE75Y7DzTBY3sWCxOzj0g8oqFle4G0dxw/CxyF0ASlGNZtjyj/l2dJ1b
+wRSk4HmJqgRrkW+cXYVMfoz8zoUfO/vXUe7+1ioxbQMxl7fH5O4R6ps7RxEaX9GE
+Rhxx8B1Y1S8tauCFz0STOtvi6CXlCkRALMsEg7MbJJ2PjIrPSSpuWGZBYlJbh53u
+spgElwq6qT0xqS8EFpGjSMsnPfXoOnKpWZpyJfKwkm9gwrvVjiVmw1TRcvcODoov
+wSZrAoHBAMfsFIauVfoWGHgL80+/8NsYo0Ap3nycFWXH6XaIuhBfQdr8aLTDmj7Y
+nlonP5PtsQBfpdlbm/xTTBiZ2hzTcRX7Ayu7eSmZFFP7yE4Amo+bdh9y9KWbIWjA
+K5XwwJ7kTWrgiai5nu0JRH+FuMOOEpUHikfOIci7V8LGbkFQ7G1pmXyQwpFT1ClR
+ORHnv2A/YklP2jpa7KdPNZgYBQic5JnaNZdFzF0pi1v69UyAP4JBzaWHOz1kMH/B
+JxknYpJnOwKBwQCeSyLsrbQX8SclC9x3zgvRJwSTsD4EdkNT6R3XWC38+lznv8ih
+j+cJFMA/LdQlRg+V232GLjOIVPMl5eXMTiBqqS81foCx5T/t1U2Bgg3McrgJSD6J
+CDs+ZbjZI82cmuFOf/hiEw+uJv8t/m3d3y+APUtyjR/lT7byKpogu93g45Hh4Chg
+kPVMKvB8Iy3+7LXJVhoynwYGE1kjU4xXphGh4wa28mU+kamctXuEprkDhuAv8Go2
+DYkOwBNra2oFzwkCgcA+TpRjGShQhdxgZZESFMby8a3HTIU7nsWIcBKRz7D1c0qp
+/ip/08pZtdc8T6kf6F9Wt3iP0l49+JPpwuFYRImlCRMG6SmszjmopvrZXJTPFuts
+h745cqyp4eJzm5Hcs1hxa8NbY2Zlh5Lij4Fy6O9fpPbyxAqBbem/GWq5Togw3U1p
+phANjOu9aMP5kZlyXK68HHft4fKJfkU8vperBIK2dGxpVeaITm9RXlhe3EVuyiVW
+ZlwPGQ+IcWFHFKBC8osCgcEAiTMZ0gMkuPHnDRcLeBqU6iGpme/+LES9RmBgL4AT
+mZHOfsvwkNOdyHb20/ns/OQqBgJpbkQCCrTPJyhv1gqaYtwKlSaI334Lmfg2CP/7
+ZFxwo/MfqYDwYZQj35/cN1SkNNvuuKVIX61CNPTr0Wxrs5ZFUwG00RtZzhzYWaku
+R0f3FTLR0KbQOKt8nhEgqo8NRzQGrMU9mj+61kMXTdt6N5ipxzPuAUv+D62QbO0T
+ndTltEnt0w6vtzmImIWupyBm
+-----END PRIVATE KEY-----
diff --git a/bin/tests/system/forward/CA/certs/srv02.crt01.example.nil.pem b/bin/tests/system/forward/CA/certs/srv02.crt01.example.nil.pem
new file mode 100644 (file)
index 0000000..27e8b3c
--- /dev/null
@@ -0,0 +1,100 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            cc:c1:18:08:26:32:e1:8b
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
+        Validity
+            Not Before: Dec  8 11:52:43 2022 GMT
+            Not After : Nov 30 11:52:43 2052 GMT
+        Subject: CN=srv02.crt01.example.nil
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (3072 bit)
+                Modulus:
+                    00:93:ea:3a:43:83:ff:92:80:06:be:4e:a0:53:5d:
+                    0b:9d:c9:b1:b8:fe:d5:cc:dc:af:94:7a:ab:ba:13:
+                    0f:c0:b6:99:71:78:90:b1:7f:41:07:85:59:26:90:
+                    14:88:7b:fc:0c:64:70:37:f3:2a:39:80:80:48:4e:
+                    5f:77:74:26:fa:aa:dd:3f:7b:8e:63:b5:a6:ce:bc:
+                    bc:5a:aa:1d:2c:b0:9a:54:8c:03:46:8b:e6:19:52:
+                    51:48:16:2d:88:ac:df:73:bb:5d:86:f5:80:ff:12:
+                    93:d1:53:7f:3b:69:35:56:6d:81:8a:ea:4b:bd:75:
+                    d5:bf:a2:b8:f9:98:17:c7:47:e7:5a:0a:47:a0:00:
+                    3d:5c:77:42:95:ef:60:ea:e2:2c:ab:97:a9:f3:1d:
+                    c7:a7:f9:aa:2f:5d:03:b6:5b:48:87:b4:27:4b:99:
+                    b3:e3:99:f8:cd:bb:51:88:f4:1e:34:d5:3e:e3:12:
+                    3c:2d:c0:b7:2a:9d:0b:73:7f:3a:ad:27:97:17:58:
+                    51:70:08:87:75:42:d2:87:47:67:c0:db:c6:b9:f8:
+                    b0:31:a6:cb:15:24:7b:54:06:fd:92:e6:24:71:3f:
+                    55:02:02:71:f2:47:7f:e5:fe:be:d4:5f:1e:b5:58:
+                    f7:09:fa:60:e3:36:25:bd:f4:91:58:e6:f2:fd:f1:
+                    5a:00:e8:77:26:dc:2d:20:10:fc:c7:a2:16:0a:e1:
+                    59:e4:e5:a0:72:d4:23:88:a7:56:71:1d:69:f5:1e:
+                    e4:c1:ec:87:7a:ef:19:dd:df:fa:25:f0:3b:6f:c5:
+                    5f:14:20:26:fa:9b:e0:af:51:c4:18:3f:3c:49:7d:
+                    26:25:c2:d9:5c:67:5d:f8:af:73:20:58:ae:65:5e:
+                    71:03:77:78:7d:45:37:0a:a3:b7:32:eb:fe:ff:5f:
+                    c6:e9:b8:5b:37:f1:61:d5:84:27:50:d3:55:72:2c:
+                    8a:75:16:9a:95:b5:f9:2d:eb:d0:22:49:57:6b:65:
+                    87:aa:71:a8:6d:39:96:fe:e7:a9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:srv02.crt01.example.nil, IP Address:10.53.0.2
+            X509v3 Subject Key Identifier: 
+                70:90:94:81:4A:B2:BF:13:D6:29:1A:90:D9:33:A4:C5:74:29:CF:59
+            X509v3 Authority Key Identifier: 
+                7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        77:6c:f4:07:36:0b:ef:6e:86:2d:41:73:e0:ba:f7:4c:f1:bd:
+        8f:77:89:1a:8c:63:2e:39:93:a2:43:ee:70:85:f1:5d:01:60:
+        ab:e6:50:a1:5e:72:e3:89:13:77:e0:a5:f7:fa:27:31:93:1f:
+        3a:a7:35:5f:7d:59:3c:d2:26:9c:12:fa:51:2b:d3:31:0c:5a:
+        e7:a8:be:6a:2e:b2:82:6c:42:f2:86:74:9c:0a:c8:58:a8:68:
+        35:73:6e:1b:0c:9e:3b:08:3f:b9:ef:68:61:e9:d3:40:1d:aa:
+        dd:42:e3:1d:b0:1b:6e:b8:58:60:a1:68:4a:ff:09:b7:58:5b:
+        72:e8:36:a3:6d:10:78:c7:7f:52:f6:dc:39:5c:05:7d:7a:ae:
+        8d:3f:89:8f:10:a6:4d:8b:55:6a:9b:cb:2c:1d:00:59:9b:0c:
+        c3:55:e0:a3:25:69:b4:29:30:2f:20:bf:07:f4:21:88:b7:d0:
+        62:ad:d7:ca:e1:91:45:9f:a2:5f:7d:07:f4:98:b0:5e:d4:3a:
+        92:86:e9:a1:fb:c0:9b:81:46:da:56:ed:92:47:c0:1a:aa:55:
+        37:0e:3c:92:2c:44:7a:80:55:1f:15:7a:7c:c4:7e:ad:d5:b0:
+        a5:7e:33:63:09:23:6b:78:42:de:37:aa:04:a7:52:ed:06:fe:
+        d4:56:36:12:85:b6:ec:ff:03:ea:4b:e2:7a:42:49:73:b6:ab:
+        e4:7d:4a:2b:94:65:1f:b1:17:a3:be:17:0b:4e:53:3d:8a:d3:
+        d7:04:0f:f1:1a:63:b2:a6:eb:00:31:64:b4:80:e9:ae:bb:69:
+        12:04:a5:7d:2c:bd:91:62:2c:b9:5a:6e:af:e0:ee:27:f0:88:
+        15:8b:b7:ce:07:5e:bc:6b:e9:3e:3f:23:c7:f9:c9:48:20:69:
+        6a:8e:f2:17:9b:58:ff:72:36:21:ed:d3:83:16:60:ec:de:6f:
+        c4:50:47:b7:61:ce:75:c1:d6:60:28:de:bd:69:7c:e6:db:0e:
+        b9:fa:7b:84:24:35
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/bin/tests/system/forward/CA/certs/srv02.crt02-expired.example.nil.key b/bin/tests/system/forward/CA/certs/srv02.crt02-expired.example.nil.key
new file mode 100644 (file)
index 0000000..3711943
--- /dev/null
@@ -0,0 +1,40 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/bin/tests/system/forward/CA/certs/srv02.crt02-expired.example.nil.pem b/bin/tests/system/forward/CA/certs/srv02.crt02-expired.example.nil.pem
new file mode 100644 (file)
index 0000000..8cae3b1
--- /dev/null
@@ -0,0 +1,100 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            cc:c1:18:08:26:32:e1:8c
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
+        Validity
+            Not Before: Dec  7 11:55:54 2022 GMT
+            Not After : Dec  8 11:55:54 2022 GMT
+        Subject: CN=srv02.crt02-expired.example.nil
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (3072 bit)
+                Modulus:
+                    00:ce:00:36:6e:b8:3f:db:fe:90:f7:de:e1:ed:43:
+                    4b:19:97:78:d8:ae:32:3c:4b:d5:8e:cd:1f:29:78:
+                    e2:af:d3:02:95:34:2c:5e:cd:54:8a:07:70:6b:61:
+                    a9:af:22:a7:6e:cf:86:b6:71:d7:4d:b4:af:f3:f0:
+                    9b:28:49:18:8c:66:88:67:63:47:e9:cd:a8:e9:5c:
+                    63:c0:be:08:b2:77:81:05:83:c7:3a:53:1b:c6:7a:
+                    82:99:fa:54:6f:4f:30:80:50:96:92:16:6e:10:16:
+                    ca:76:ee:c9:e5:90:63:98:98:e7:58:61:09:15:e9:
+                    45:67:89:f1:df:21:69:b6:ad:b7:24:68:92:07:b6:
+                    6f:93:f8:fb:bd:b5:90:c9:57:5a:e5:46:6c:d0:73:
+                    33:3c:10:6e:01:dc:46:f5:84:95:5d:2b:03:e3:3a:
+                    0d:66:59:f8:92:37:78:49:74:32:32:96:fa:bd:05:
+                    27:43:f8:f9:90:7c:e4:2b:36:54:c0:f2:77:fd:4f:
+                    ed:87:00:08:23:4d:57:81:a0:4f:f6:2e:9c:a0:22:
+                    3d:f6:27:b2:39:ed:44:8e:5c:92:4c:4b:b9:74:bb:
+                    0a:c4:97:e3:85:66:29:fc:75:3b:b5:3d:e1:22:57:
+                    33:11:2e:9a:a9:41:84:82:ea:44:b5:fc:3a:b4:88:
+                    31:11:46:98:c2:ec:db:43:55:72:a7:9f:a1:65:c0:
+                    bf:11:a7:44:27:a3:8b:06:4f:08:2a:2d:4c:c9:aa:
+                    d5:3d:03:24:66:e6:03:9b:9c:98:1a:5f:45:e8:b9:
+                    1d:f1:05:40:d8:3e:ed:40:05:1e:fa:8a:58:c5:a2:
+                    f2:2a:a1:cb:25:7e:61:8c:0e:3c:cc:5b:43:3a:7c:
+                    8b:a7:64:b8:c5:2b:6b:16:59:06:ad:ec:19:b5:1d:
+                    73:44:2f:f4:6c:31:f1:6e:f4:55:f6:44:37:ee:db:
+                    20:fe:54:92:43:28:f8:44:cb:9f:9f:b6:2c:aa:61:
+                    1f:2f:1a:15:15:cc:61:f3:b9:6f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:srv02.crt02-expired.example.nil, IP Address:10.53.0.2
+            X509v3 Subject Key Identifier: 
+                A7:8A:6D:EA:10:B4:6B:B8:13:16:6B:BA:A0:26:C3:9A:E7:A6:71:7E
+            X509v3 Authority Key Identifier: 
+                7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        34:7b:38:92:d9:c1:ba:ed:c7:b3:61:63:e6:d2:11:4e:0c:83:
+        8f:97:3a:11:97:51:3e:8d:9b:49:bb:f5:2c:92:d1:c2:e4:3b:
+        ad:db:69:cc:1f:cf:58:3d:4f:51:97:d1:09:19:2f:22:b5:3d:
+        e1:0d:e5:65:40:2a:54:19:55:22:11:85:18:1a:08:31:97:d8:
+        fe:cf:4c:9b:ec:8b:8f:9c:cd:cf:5b:a1:56:e4:1d:e0:79:4b:
+        ee:6b:1c:0b:60:a8:d8:fd:5c:a8:9d:dc:74:4f:ce:b8:f8:19:
+        a4:00:db:93:7b:ae:34:55:c6:fb:35:1b:9e:bc:d0:5f:da:8d:
+        77:0e:1f:45:89:d4:dd:f1:a9:4e:48:64:d2:4e:b6:4b:57:a0:
+        87:cf:a8:30:35:6e:09:91:56:59:9b:01:af:8a:f7:11:8c:d8:
+        2e:56:89:eb:a5:a0:6c:d2:56:0c:da:13:4d:36:92:28:50:b1:
+        e5:cd:64:60:ac:93:f4:98:d7:eb:df:7b:42:89:da:c0:6d:6e:
+        75:ae:45:28:9b:e8:de:00:dc:eb:df:ba:4f:63:2a:61:e5:42:
+        f3:e0:8f:aa:bd:f7:f6:9b:67:1b:ed:1e:a6:ae:4c:81:a2:62:
+        ff:a8:8f:94:da:a8:9d:27:fa:a4:46:44:2e:13:f2:05:2b:c4:
+        a6:57:d3:95:1c:ca:f8:e3:d2:0f:28:70:8a:1b:37:4f:b7:c1:
+        b3:fd:4b:85:ca:9d:8a:bb:62:85:47:66:c7:31:b8:db:c4:5d:
+        66:9d:6e:7b:94:07:fa:09:ae:5b:5b:23:31:ba:c8:40:82:4b:
+        6a:48:d2:83:0c:5f:b9:62:64:06:16:05:dd:e8:a8:02:eb:d7:
+        7a:9b:d9:49:d6:87:0e:16:ca:d6:4e:46:46:e5:37:e4:0d:68:
+        b7:d2:d6:78:c4:ee:c1:3b:38:8e:83:df:1f:39:63:1c:65:7a:
+        e0:26:1f:96:8a:57:9d:6b:27:62:6e:40:86:83:29:fd:1f:a1:
+        69:2a:92:cf:ab:db
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/bin/tests/system/forward/CA/certs/srv04.crt01.example.nil.key b/bin/tests/system/forward/CA/certs/srv04.crt01.example.nil.key
new file mode 100644 (file)
index 0000000..3b5c4b1
--- /dev/null
@@ -0,0 +1,40 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/bin/tests/system/forward/CA/certs/srv04.crt01.example.nil.pem b/bin/tests/system/forward/CA/certs/srv04.crt01.example.nil.pem
new file mode 100644 (file)
index 0000000..ca558fc
--- /dev/null
@@ -0,0 +1,100 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            cc:c1:18:08:26:32:e1:8d
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
+        Validity
+            Not Before: Dec  8 11:58:45 2022 GMT
+            Not After : Nov 30 11:58:45 2052 GMT
+        Subject: CN=srv04.crt01.example.nil
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (3072 bit)
+                Modulus:
+                    00:8d:e6:8a:10:6f:06:8f:b2:e5:f4:de:14:4d:d4:
+                    3c:1a:21:03:fe:32:02:d6:6d:0a:25:35:3d:50:00:
+                    71:d6:7b:75:d1:e0:04:36:20:da:39:db:9d:df:19:
+                    fe:5b:c3:e2:d0:72:c4:0d:be:57:d8:c2:3f:30:a8:
+                    99:b1:c3:1a:c8:96:a5:8a:0c:7a:e6:e9:2b:3e:c9:
+                    f9:f5:46:b2:cc:14:4c:e6:d1:65:25:19:fb:2c:2b:
+                    e4:6d:00:ba:7c:7f:f6:07:24:17:30:42:cb:04:e9:
+                    94:36:e3:18:8b:60:77:6c:68:d3:9e:62:81:82:64:
+                    24:2c:e9:ba:b8:d0:40:2f:e6:fd:e9:fa:aa:14:83:
+                    6f:26:16:c1:b7:b3:6d:fd:4a:3f:8f:a1:a9:e6:7b:
+                    bd:c1:60:a1:6b:ff:02:93:cc:08:93:9e:1e:0c:a3:
+                    31:29:20:74:e5:37:46:d8:41:10:c7:11:f4:d8:e7:
+                    43:7c:4d:bc:fb:fd:39:3a:79:8e:c2:0b:fe:21:df:
+                    16:c2:fc:10:b3:9b:da:cc:80:d3:64:56:6f:09:af:
+                    f6:73:8b:cb:64:e4:fe:c5:4c:85:4e:c3:ed:a4:0a:
+                    0a:53:f6:be:8d:5e:7a:42:4f:cd:b0:21:a4:8e:e4:
+                    45:fe:28:f6:4d:29:58:db:4a:b4:70:7a:3f:0b:db:
+                    64:3e:23:a5:99:47:11:7b:2c:66:83:a9:79:27:09:
+                    45:72:ac:4a:fa:35:6f:1f:64:d4:ab:cf:09:90:92:
+                    71:4a:d1:02:80:b1:ab:b0:19:ec:01:c6:a7:31:2b:
+                    4b:dc:3b:09:00:ad:9a:12:ca:e9:cd:54:bd:96:23:
+                    a3:14:2e:40:58:33:58:2f:70:05:c9:c6:28:f1:3e:
+                    d4:94:13:db:09:b3:63:78:6f:57:72:e8:1f:28:6f:
+                    7c:b6:25:76:4e:ab:11:c9:a5:d7:ca:32:00:5f:5e:
+                    14:ae:53:65:13:37:2b:d2:98:3c:d4:47:74:40:cf:
+                    ff:1b:ad:59:35:c1:d1:d3:a6:ff
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:srv04.crt01.example.nil, IP Address:10.53.0.4
+            X509v3 Subject Key Identifier: 
+                CA:83:06:FB:3E:57:50:DD:FD:BF:00:5A:60:E2:6D:98:71:CD:2C:F2
+            X509v3 Authority Key Identifier: 
+                7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        6f:24:c5:ba:8e:62:5d:58:50:a5:25:a1:fc:41:fc:18:cb:7c:
+        11:02:0a:ad:7f:13:2a:20:07:92:5a:82:c0:92:9d:35:40:b0:
+        c9:85:5a:23:26:fb:55:b7:99:7a:18:a7:ae:b4:6e:a2:29:f8:
+        25:70:fa:3e:bf:b0:ec:91:d7:46:55:55:ab:fd:22:a6:c1:b4:
+        50:92:27:ea:d8:a1:71:ec:14:84:69:0a:c9:de:3f:c1:63:94:
+        17:5e:78:e7:85:34:80:bf:c3:58:f1:4d:fb:0c:b4:2e:2b:9c:
+        66:15:1f:e3:d6:3a:c1:95:b1:f5:f2:9c:dc:99:cb:d5:39:35:
+        6a:bf:bc:f4:81:9d:7c:4c:c1:76:f8:4d:26:ab:f4:f0:50:b2:
+        f9:41:65:6c:df:9d:16:57:e3:dc:7d:85:0a:14:5f:20:ea:08:
+        5e:ab:3c:75:ae:f6:7e:55:62:3b:4c:4a:c7:48:4f:24:f2:78:
+        e6:99:52:76:87:6e:b3:08:7c:d6:4e:41:72:8f:ed:f1:5a:1a:
+        20:e7:c2:cd:a0:6f:04:6c:f1:71:87:21:00:49:29:c1:fb:bd:
+        08:a7:51:34:bb:e0:f1:f7:59:3d:b8:9e:c6:48:06:fe:e6:ea:
+        30:8b:65:8f:d2:31:c5:d6:4e:a8:22:7e:fc:85:05:3d:e4:7c:
+        38:54:07:46:cc:94:8e:a5:d3:4c:09:71:6e:60:63:e4:6a:8e:
+        aa:c2:81:df:31:37:2a:96:b3:53:36:a2:76:44:59:18:33:81:
+        6c:24:84:a3:61:68:63:a2:02:bd:fd:b2:9c:db:0f:cc:a6:44:
+        54:c6:2d:13:fb:96:80:63:e7:e9:2e:36:3c:00:34:3e:62:5d:
+        fe:59:95:cb:b2:d0:cc:9a:69:ce:00:cc:59:c3:f7:79:3a:4f:
+        95:e9:64:c9:ad:28:96:e2:80:dd:59:45:29:6c:ed:0d:6e:4e:
+        50:69:6e:ef:50:32:4e:5c:af:63:39:57:90:08:0f:b9:4e:ba:
+        b2:24:ae:bb:78:39
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/bin/tests/system/forward/CA/index.txt b/bin/tests/system/forward/CA/index.txt
new file mode 100644 (file)
index 0000000..1d7c495
--- /dev/null
@@ -0,0 +1,3 @@
+V      20521130115243Z         CCC118082632E18B        unknown /CN=srv02.crt01.example.nil
+V      221208115554Z           CCC118082632E18C        unknown /CN=srv02.crt02-expired.example.nil
+V      20521130115845Z         CCC118082632E18D        unknown /CN=srv04.crt01.example.nil
diff --git a/bin/tests/system/forward/CA/index.txt.attr b/bin/tests/system/forward/CA/index.txt.attr
new file mode 100644 (file)
index 0000000..8f7e63a
--- /dev/null
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/bin/tests/system/forward/CA/newcerts/CCC118082632E18B.pem b/bin/tests/system/forward/CA/newcerts/CCC118082632E18B.pem
new file mode 100644 (file)
index 0000000..27e8b3c
--- /dev/null
@@ -0,0 +1,100 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            cc:c1:18:08:26:32:e1:8b
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
+        Validity
+            Not Before: Dec  8 11:52:43 2022 GMT
+            Not After : Nov 30 11:52:43 2052 GMT
+        Subject: CN=srv02.crt01.example.nil
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (3072 bit)
+                Modulus:
+                    00:93:ea:3a:43:83:ff:92:80:06:be:4e:a0:53:5d:
+                    0b:9d:c9:b1:b8:fe:d5:cc:dc:af:94:7a:ab:ba:13:
+                    0f:c0:b6:99:71:78:90:b1:7f:41:07:85:59:26:90:
+                    14:88:7b:fc:0c:64:70:37:f3:2a:39:80:80:48:4e:
+                    5f:77:74:26:fa:aa:dd:3f:7b:8e:63:b5:a6:ce:bc:
+                    bc:5a:aa:1d:2c:b0:9a:54:8c:03:46:8b:e6:19:52:
+                    51:48:16:2d:88:ac:df:73:bb:5d:86:f5:80:ff:12:
+                    93:d1:53:7f:3b:69:35:56:6d:81:8a:ea:4b:bd:75:
+                    d5:bf:a2:b8:f9:98:17:c7:47:e7:5a:0a:47:a0:00:
+                    3d:5c:77:42:95:ef:60:ea:e2:2c:ab:97:a9:f3:1d:
+                    c7:a7:f9:aa:2f:5d:03:b6:5b:48:87:b4:27:4b:99:
+                    b3:e3:99:f8:cd:bb:51:88:f4:1e:34:d5:3e:e3:12:
+                    3c:2d:c0:b7:2a:9d:0b:73:7f:3a:ad:27:97:17:58:
+                    51:70:08:87:75:42:d2:87:47:67:c0:db:c6:b9:f8:
+                    b0:31:a6:cb:15:24:7b:54:06:fd:92:e6:24:71:3f:
+                    55:02:02:71:f2:47:7f:e5:fe:be:d4:5f:1e:b5:58:
+                    f7:09:fa:60:e3:36:25:bd:f4:91:58:e6:f2:fd:f1:
+                    5a:00:e8:77:26:dc:2d:20:10:fc:c7:a2:16:0a:e1:
+                    59:e4:e5:a0:72:d4:23:88:a7:56:71:1d:69:f5:1e:
+                    e4:c1:ec:87:7a:ef:19:dd:df:fa:25:f0:3b:6f:c5:
+                    5f:14:20:26:fa:9b:e0:af:51:c4:18:3f:3c:49:7d:
+                    26:25:c2:d9:5c:67:5d:f8:af:73:20:58:ae:65:5e:
+                    71:03:77:78:7d:45:37:0a:a3:b7:32:eb:fe:ff:5f:
+                    c6:e9:b8:5b:37:f1:61:d5:84:27:50:d3:55:72:2c:
+                    8a:75:16:9a:95:b5:f9:2d:eb:d0:22:49:57:6b:65:
+                    87:aa:71:a8:6d:39:96:fe:e7:a9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:srv02.crt01.example.nil, IP Address:10.53.0.2
+            X509v3 Subject Key Identifier: 
+                70:90:94:81:4A:B2:BF:13:D6:29:1A:90:D9:33:A4:C5:74:29:CF:59
+            X509v3 Authority Key Identifier: 
+                7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        77:6c:f4:07:36:0b:ef:6e:86:2d:41:73:e0:ba:f7:4c:f1:bd:
+        8f:77:89:1a:8c:63:2e:39:93:a2:43:ee:70:85:f1:5d:01:60:
+        ab:e6:50:a1:5e:72:e3:89:13:77:e0:a5:f7:fa:27:31:93:1f:
+        3a:a7:35:5f:7d:59:3c:d2:26:9c:12:fa:51:2b:d3:31:0c:5a:
+        e7:a8:be:6a:2e:b2:82:6c:42:f2:86:74:9c:0a:c8:58:a8:68:
+        35:73:6e:1b:0c:9e:3b:08:3f:b9:ef:68:61:e9:d3:40:1d:aa:
+        dd:42:e3:1d:b0:1b:6e:b8:58:60:a1:68:4a:ff:09:b7:58:5b:
+        72:e8:36:a3:6d:10:78:c7:7f:52:f6:dc:39:5c:05:7d:7a:ae:
+        8d:3f:89:8f:10:a6:4d:8b:55:6a:9b:cb:2c:1d:00:59:9b:0c:
+        c3:55:e0:a3:25:69:b4:29:30:2f:20:bf:07:f4:21:88:b7:d0:
+        62:ad:d7:ca:e1:91:45:9f:a2:5f:7d:07:f4:98:b0:5e:d4:3a:
+        92:86:e9:a1:fb:c0:9b:81:46:da:56:ed:92:47:c0:1a:aa:55:
+        37:0e:3c:92:2c:44:7a:80:55:1f:15:7a:7c:c4:7e:ad:d5:b0:
+        a5:7e:33:63:09:23:6b:78:42:de:37:aa:04:a7:52:ed:06:fe:
+        d4:56:36:12:85:b6:ec:ff:03:ea:4b:e2:7a:42:49:73:b6:ab:
+        e4:7d:4a:2b:94:65:1f:b1:17:a3:be:17:0b:4e:53:3d:8a:d3:
+        d7:04:0f:f1:1a:63:b2:a6:eb:00:31:64:b4:80:e9:ae:bb:69:
+        12:04:a5:7d:2c:bd:91:62:2c:b9:5a:6e:af:e0:ee:27:f0:88:
+        15:8b:b7:ce:07:5e:bc:6b:e9:3e:3f:23:c7:f9:c9:48:20:69:
+        6a:8e:f2:17:9b:58:ff:72:36:21:ed:d3:83:16:60:ec:de:6f:
+        c4:50:47:b7:61:ce:75:c1:d6:60:28:de:bd:69:7c:e6:db:0e:
+        b9:fa:7b:84:24:35
+-----BEGIN CERTIFICATE-----
+MIIEkDCCAvigAwIBAgIJAMzBGAgmMuGLMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV
+BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr
+aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE
+AwwTY2EudGVzdC5leGFtcGxlLmNvbTAgFw0yMjEyMDgxMTUyNDNaGA8yMDUyMTEz
+MDExNTI0M1owIjEgMB4GA1UEAwwXc3J2MDIuY3J0MDEuZXhhbXBsZS5uaWwwggGi
+MA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCT6jpDg/+SgAa+TqBTXQudybG4
+/tXM3K+Uequ6Ew/AtplxeJCxf0EHhVkmkBSIe/wMZHA38yo5gIBITl93dCb6qt0/
+e45jtabOvLxaqh0ssJpUjANGi+YZUlFIFi2IrN9zu12G9YD/EpPRU387aTVWbYGK
+6ku9ddW/orj5mBfHR+daCkegAD1cd0KV72Dq4iyrl6nzHcen+aovXQO2W0iHtCdL
+mbPjmfjNu1GI9B401T7jEjwtwLcqnQtzfzqtJ5cXWFFwCId1QtKHR2fA28a5+LAx
+pssVJHtUBv2S5iRxP1UCAnHyR3/l/r7UXx61WPcJ+mDjNiW99JFY5vL98VoA6Hcm
+3C0gEPzHohYK4Vnk5aBy1COIp1ZxHWn1HuTB7Id67xnd3/ol8DtvxV8UICb6m+Cv
+UcQYPzxJfSYlwtlcZ134r3MgWK5lXnEDd3h9RTcKo7cy6/7/X8bpuFs38WHVhCdQ
+01VyLIp1FpqVtfkt69AiSVdrZYeqcahtOZb+56kCAwEAAaNsMGowKAYDVR0RBCEw
+H4IXc3J2MDIuY3J0MDEuZXhhbXBsZS5uaWyHBAo1AAIwHQYDVR0OBBYEFHCQlIFK
+sr8T1ikakNkzpMV0Kc9ZMB8GA1UdIwQYMBaAFHyJ6Fzr5R9ySATFj/uSCJz1YCY5
+MA0GCSqGSIb3DQEBCwUAA4IBgQB3bPQHNgvvboYtQXPguvdM8b2Pd4kajGMuOZOi
+Q+5whfFdAWCr5lChXnLjiRN34KX3+icxkx86pzVffVk80iacEvpRK9MxDFrnqL5q
+LrKCbELyhnScCshYqGg1c24bDJ47CD+572hh6dNAHardQuMdsBtuuFhgoWhK/wm3
+WFty6DajbRB4x39S9tw5XAV9eq6NP4mPEKZNi1Vqm8ssHQBZmwzDVeCjJWm0KTAv
+IL8H9CGIt9BirdfK4ZFFn6JffQf0mLBe1DqShumh+8CbgUbaVu2SR8AaqlU3DjyS
+LER6gFUfFXp8xH6t1bClfjNjCSNreELeN6oEp1LtBv7UVjYShbbs/wPqS+J6Qklz
+tqvkfUorlGUfsRejvhcLTlM9itPXBA/xGmOypusAMWS0gOmuu2kSBKV9LL2RYiy5
+Wm6v4O4n8IgVi7fOB168a+k+PyPH+clIIGlqjvIXm1j/cjYh7dODFmDs3m/EUEe3
+Yc51wdZgKN69aXzm2w65+nuEJDU=
+-----END CERTIFICATE-----
diff --git a/bin/tests/system/forward/CA/newcerts/CCC118082632E18C.pem b/bin/tests/system/forward/CA/newcerts/CCC118082632E18C.pem
new file mode 100644 (file)
index 0000000..8cae3b1
--- /dev/null
@@ -0,0 +1,100 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            cc:c1:18:08:26:32:e1:8c
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
+        Validity
+            Not Before: Dec  7 11:55:54 2022 GMT
+            Not After : Dec  8 11:55:54 2022 GMT
+        Subject: CN=srv02.crt02-expired.example.nil
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (3072 bit)
+                Modulus:
+                    00:ce:00:36:6e:b8:3f:db:fe:90:f7:de:e1:ed:43:
+                    4b:19:97:78:d8:ae:32:3c:4b:d5:8e:cd:1f:29:78:
+                    e2:af:d3:02:95:34:2c:5e:cd:54:8a:07:70:6b:61:
+                    a9:af:22:a7:6e:cf:86:b6:71:d7:4d:b4:af:f3:f0:
+                    9b:28:49:18:8c:66:88:67:63:47:e9:cd:a8:e9:5c:
+                    63:c0:be:08:b2:77:81:05:83:c7:3a:53:1b:c6:7a:
+                    82:99:fa:54:6f:4f:30:80:50:96:92:16:6e:10:16:
+                    ca:76:ee:c9:e5:90:63:98:98:e7:58:61:09:15:e9:
+                    45:67:89:f1:df:21:69:b6:ad:b7:24:68:92:07:b6:
+                    6f:93:f8:fb:bd:b5:90:c9:57:5a:e5:46:6c:d0:73:
+                    33:3c:10:6e:01:dc:46:f5:84:95:5d:2b:03:e3:3a:
+                    0d:66:59:f8:92:37:78:49:74:32:32:96:fa:bd:05:
+                    27:43:f8:f9:90:7c:e4:2b:36:54:c0:f2:77:fd:4f:
+                    ed:87:00:08:23:4d:57:81:a0:4f:f6:2e:9c:a0:22:
+                    3d:f6:27:b2:39:ed:44:8e:5c:92:4c:4b:b9:74:bb:
+                    0a:c4:97:e3:85:66:29:fc:75:3b:b5:3d:e1:22:57:
+                    33:11:2e:9a:a9:41:84:82:ea:44:b5:fc:3a:b4:88:
+                    31:11:46:98:c2:ec:db:43:55:72:a7:9f:a1:65:c0:
+                    bf:11:a7:44:27:a3:8b:06:4f:08:2a:2d:4c:c9:aa:
+                    d5:3d:03:24:66:e6:03:9b:9c:98:1a:5f:45:e8:b9:
+                    1d:f1:05:40:d8:3e:ed:40:05:1e:fa:8a:58:c5:a2:
+                    f2:2a:a1:cb:25:7e:61:8c:0e:3c:cc:5b:43:3a:7c:
+                    8b:a7:64:b8:c5:2b:6b:16:59:06:ad:ec:19:b5:1d:
+                    73:44:2f:f4:6c:31:f1:6e:f4:55:f6:44:37:ee:db:
+                    20:fe:54:92:43:28:f8:44:cb:9f:9f:b6:2c:aa:61:
+                    1f:2f:1a:15:15:cc:61:f3:b9:6f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:srv02.crt02-expired.example.nil, IP Address:10.53.0.2
+            X509v3 Subject Key Identifier: 
+                A7:8A:6D:EA:10:B4:6B:B8:13:16:6B:BA:A0:26:C3:9A:E7:A6:71:7E
+            X509v3 Authority Key Identifier: 
+                7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        34:7b:38:92:d9:c1:ba:ed:c7:b3:61:63:e6:d2:11:4e:0c:83:
+        8f:97:3a:11:97:51:3e:8d:9b:49:bb:f5:2c:92:d1:c2:e4:3b:
+        ad:db:69:cc:1f:cf:58:3d:4f:51:97:d1:09:19:2f:22:b5:3d:
+        e1:0d:e5:65:40:2a:54:19:55:22:11:85:18:1a:08:31:97:d8:
+        fe:cf:4c:9b:ec:8b:8f:9c:cd:cf:5b:a1:56:e4:1d:e0:79:4b:
+        ee:6b:1c:0b:60:a8:d8:fd:5c:a8:9d:dc:74:4f:ce:b8:f8:19:
+        a4:00:db:93:7b:ae:34:55:c6:fb:35:1b:9e:bc:d0:5f:da:8d:
+        77:0e:1f:45:89:d4:dd:f1:a9:4e:48:64:d2:4e:b6:4b:57:a0:
+        87:cf:a8:30:35:6e:09:91:56:59:9b:01:af:8a:f7:11:8c:d8:
+        2e:56:89:eb:a5:a0:6c:d2:56:0c:da:13:4d:36:92:28:50:b1:
+        e5:cd:64:60:ac:93:f4:98:d7:eb:df:7b:42:89:da:c0:6d:6e:
+        75:ae:45:28:9b:e8:de:00:dc:eb:df:ba:4f:63:2a:61:e5:42:
+        f3:e0:8f:aa:bd:f7:f6:9b:67:1b:ed:1e:a6:ae:4c:81:a2:62:
+        ff:a8:8f:94:da:a8:9d:27:fa:a4:46:44:2e:13:f2:05:2b:c4:
+        a6:57:d3:95:1c:ca:f8:e3:d2:0f:28:70:8a:1b:37:4f:b7:c1:
+        b3:fd:4b:85:ca:9d:8a:bb:62:85:47:66:c7:31:b8:db:c4:5d:
+        66:9d:6e:7b:94:07:fa:09:ae:5b:5b:23:31:ba:c8:40:82:4b:
+        6a:48:d2:83:0c:5f:b9:62:64:06:16:05:dd:e8:a8:02:eb:d7:
+        7a:9b:d9:49:d6:87:0e:16:ca:d6:4e:46:46:e5:37:e4:0d:68:
+        b7:d2:d6:78:c4:ee:c1:3b:38:8e:83:df:1f:39:63:1c:65:7a:
+        e0:26:1f:96:8a:57:9d:6b:27:62:6e:40:86:83:29:fd:1f:a1:
+        69:2a:92:cf:ab:db
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/bin/tests/system/forward/CA/newcerts/CCC118082632E18D.pem b/bin/tests/system/forward/CA/newcerts/CCC118082632E18D.pem
new file mode 100644 (file)
index 0000000..ca558fc
--- /dev/null
@@ -0,0 +1,100 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            cc:c1:18:08:26:32:e1:8d
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
+        Validity
+            Not Before: Dec  8 11:58:45 2022 GMT
+            Not After : Nov 30 11:58:45 2052 GMT
+        Subject: CN=srv04.crt01.example.nil
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (3072 bit)
+                Modulus:
+                    00:8d:e6:8a:10:6f:06:8f:b2:e5:f4:de:14:4d:d4:
+                    3c:1a:21:03:fe:32:02:d6:6d:0a:25:35:3d:50:00:
+                    71:d6:7b:75:d1:e0:04:36:20:da:39:db:9d:df:19:
+                    fe:5b:c3:e2:d0:72:c4:0d:be:57:d8:c2:3f:30:a8:
+                    99:b1:c3:1a:c8:96:a5:8a:0c:7a:e6:e9:2b:3e:c9:
+                    f9:f5:46:b2:cc:14:4c:e6:d1:65:25:19:fb:2c:2b:
+                    e4:6d:00:ba:7c:7f:f6:07:24:17:30:42:cb:04:e9:
+                    94:36:e3:18:8b:60:77:6c:68:d3:9e:62:81:82:64:
+                    24:2c:e9:ba:b8:d0:40:2f:e6:fd:e9:fa:aa:14:83:
+                    6f:26:16:c1:b7:b3:6d:fd:4a:3f:8f:a1:a9:e6:7b:
+                    bd:c1:60:a1:6b:ff:02:93:cc:08:93:9e:1e:0c:a3:
+                    31:29:20:74:e5:37:46:d8:41:10:c7:11:f4:d8:e7:
+                    43:7c:4d:bc:fb:fd:39:3a:79:8e:c2:0b:fe:21:df:
+                    16:c2:fc:10:b3:9b:da:cc:80:d3:64:56:6f:09:af:
+                    f6:73:8b:cb:64:e4:fe:c5:4c:85:4e:c3:ed:a4:0a:
+                    0a:53:f6:be:8d:5e:7a:42:4f:cd:b0:21:a4:8e:e4:
+                    45:fe:28:f6:4d:29:58:db:4a:b4:70:7a:3f:0b:db:
+                    64:3e:23:a5:99:47:11:7b:2c:66:83:a9:79:27:09:
+                    45:72:ac:4a:fa:35:6f:1f:64:d4:ab:cf:09:90:92:
+                    71:4a:d1:02:80:b1:ab:b0:19:ec:01:c6:a7:31:2b:
+                    4b:dc:3b:09:00:ad:9a:12:ca:e9:cd:54:bd:96:23:
+                    a3:14:2e:40:58:33:58:2f:70:05:c9:c6:28:f1:3e:
+                    d4:94:13:db:09:b3:63:78:6f:57:72:e8:1f:28:6f:
+                    7c:b6:25:76:4e:ab:11:c9:a5:d7:ca:32:00:5f:5e:
+                    14:ae:53:65:13:37:2b:d2:98:3c:d4:47:74:40:cf:
+                    ff:1b:ad:59:35:c1:d1:d3:a6:ff
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:srv04.crt01.example.nil, IP Address:10.53.0.4
+            X509v3 Subject Key Identifier: 
+                CA:83:06:FB:3E:57:50:DD:FD:BF:00:5A:60:E2:6D:98:71:CD:2C:F2
+            X509v3 Authority Key Identifier: 
+                7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        6f:24:c5:ba:8e:62:5d:58:50:a5:25:a1:fc:41:fc:18:cb:7c:
+        11:02:0a:ad:7f:13:2a:20:07:92:5a:82:c0:92:9d:35:40:b0:
+        c9:85:5a:23:26:fb:55:b7:99:7a:18:a7:ae:b4:6e:a2:29:f8:
+        25:70:fa:3e:bf:b0:ec:91:d7:46:55:55:ab:fd:22:a6:c1:b4:
+        50:92:27:ea:d8:a1:71:ec:14:84:69:0a:c9:de:3f:c1:63:94:
+        17:5e:78:e7:85:34:80:bf:c3:58:f1:4d:fb:0c:b4:2e:2b:9c:
+        66:15:1f:e3:d6:3a:c1:95:b1:f5:f2:9c:dc:99:cb:d5:39:35:
+        6a:bf:bc:f4:81:9d:7c:4c:c1:76:f8:4d:26:ab:f4:f0:50:b2:
+        f9:41:65:6c:df:9d:16:57:e3:dc:7d:85:0a:14:5f:20:ea:08:
+        5e:ab:3c:75:ae:f6:7e:55:62:3b:4c:4a:c7:48:4f:24:f2:78:
+        e6:99:52:76:87:6e:b3:08:7c:d6:4e:41:72:8f:ed:f1:5a:1a:
+        20:e7:c2:cd:a0:6f:04:6c:f1:71:87:21:00:49:29:c1:fb:bd:
+        08:a7:51:34:bb:e0:f1:f7:59:3d:b8:9e:c6:48:06:fe:e6:ea:
+        30:8b:65:8f:d2:31:c5:d6:4e:a8:22:7e:fc:85:05:3d:e4:7c:
+        38:54:07:46:cc:94:8e:a5:d3:4c:09:71:6e:60:63:e4:6a:8e:
+        aa:c2:81:df:31:37:2a:96:b3:53:36:a2:76:44:59:18:33:81:
+        6c:24:84:a3:61:68:63:a2:02:bd:fd:b2:9c:db:0f:cc:a6:44:
+        54:c6:2d:13:fb:96:80:63:e7:e9:2e:36:3c:00:34:3e:62:5d:
+        fe:59:95:cb:b2:d0:cc:9a:69:ce:00:cc:59:c3:f7:79:3a:4f:
+        95:e9:64:c9:ad:28:96:e2:80:dd:59:45:29:6c:ed:0d:6e:4e:
+        50:69:6e:ef:50:32:4e:5c:af:63:39:57:90:08:0f:b9:4e:ba:
+        b2:24:ae:bb:78:39
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/bin/tests/system/forward/CA/private/CA.key b/bin/tests/system/forward/CA/private/CA.key
new file mode 100644 (file)
index 0000000..2d5419d
--- /dev/null
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/bin/tests/system/forward/CA/serial b/bin/tests/system/forward/CA/serial
new file mode 100644 (file)
index 0000000..2e4ab4f
--- /dev/null
@@ -0,0 +1 @@
+CCC118082632E18E
index 6d76bb013cc761357cffad0facf9bb304d016c58..716f04cebf31a86ed32fd8610670697a185f1557 100644 (file)
@@ -19,6 +19,7 @@ rm -f ./*/named.conf
 rm -f ./*/named.memstats
 rm -f ./*/named.run ./*/named.run.prev ./*/ans.run
 rm -f ./*/named_dump.db
+rm -f ./ans*/query.log
 rm -f ./ns*/named.lock
 rm -f ./ns*/managed-keys.bind*
 rm -f ./ns1/root.db ./ns1/root.db.signed
diff --git a/bin/tests/system/forward/dhparam3072.pem b/bin/tests/system/forward/dhparam3072.pem
new file mode 100644 (file)
index 0000000..9c2e0aa
--- /dev/null
@@ -0,0 +1,11 @@
+-----BEGIN DH PARAMETERS-----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+-----END DH PARAMETERS-----
index f871fd6b29260fd9328d3afc745c6c55b00806a2..eff6e84cadef7ce915ac634e4106160e60deba6c 100644 (file)
@@ -66,6 +66,16 @@ zone "example6" {
        type forward;
 };
 
+zone "example8." {
+       type primary;
+       file "example.db";
+};
+
+zone "example9." {
+       type primary;
+       file "example.db";
+};
+
 zone "diditwork.net" {
        type primary;
        file "diditwork.net.db";
index f9a081a2d0833f56a90d3dc116600338de116377..c8e5cb59f8e6800141f44632e6525709de78cfbb 100644 (file)
  * information regarding copyright ownership.
  */
 
+tls tls-forward-secrecy {
+    protocols { TLSv1.2; };
+    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+    prefer-server-ciphers yes;
+    key-file "../CA/certs/srv02.crt01.example.nil.key";
+    cert-file "../CA/certs/srv02.crt01.example.nil.pem";
+    dhparam-file "../dhparam3072.pem";
+};
+
+tls tls-forward-secrecy-mutual-tls {
+    protocols { TLSv1.2; };
+    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+    prefer-server-ciphers yes;
+    key-file "../CA/certs/srv02.crt01.example.nil.key";
+    cert-file "../CA/certs/srv02.crt01.example.nil.pem";
+    dhparam-file "../dhparam3072.pem";
+    ca-file "../CA/CA.pem";
+};
+
+tls tls-expired {
+    protocols { TLSv1.2; };
+    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+    prefer-server-ciphers yes;
+    key-file "../CA/certs/srv02.crt02-expired.example.nil.key";
+    cert-file "../CA/certs/srv02.crt02-expired.example.nil.pem";
+    dhparam-file "../dhparam3072.pem";
+};
+
 options {
        query-source address 10.53.0.2;
        query-source-v6 address fd92:7065:b8e:ffff::2;
@@ -19,8 +47,13 @@ options {
        transfer-source 10.53.0.2;
        transfer-source-v6 fd92:7065:b8e:ffff::2;
        port @PORT@;
+       tls-port @TLSPORT@;
        pid-file "named.pid";
        listen-on { 10.53.0.2; };
+       listen-on tls ephemeral { 10.53.0.2; };
+       listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; };
+       listen-on port @EXTRAPORT2@ tls tls-forward-secrecy-mutual-tls { 10.53.0.2; };
+       listen-on port @EXTRAPORT3@ tls tls-expired { 10.53.0.2; };
        listen-on-v6 { fd92:7065:b8e:ffff::2; };
        recursion no;
        dnssec-validation no;
@@ -56,6 +89,16 @@ zone "example7." {
        file "example.db";
 };
 
+zone "example8." {
+       type primary;
+       file "example.db";
+};
+
+zone "example9." {
+       type primary;
+       file "example.db";
+};
+
 zone "grafted." {
        type primary;
        file "example.db";
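Review bot: The three new `tls` profiles and the listeners on `@EXTRAPORT1@`–`@EXTRAPORT3@` carry no comment saying which ns4 forwarder scenario each one serves, so a reader has to cross-reference ns4/named.conf and tests.sh to learn that `tls-expired` is deliberately unusable; a one-line comment per block such as `// deliberately expired leaf certificate (Not After Dec 8 2022) -- exercised by the example4 negative test on ns4` would document the intent. It is likewise not obvious from the block alone that `ca-file "../CA/CA.pem";` in `tls-forward-secrecy-mutual-tls` is what turns on client-certificate verification for that listener, so a short comment on that line would help. The `tls` blocks are indented with four spaces while the surrounding `options` and `zone` statements use the file's wider indentation; the same applies to the `tls` blocks added to ns4/named.conf.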
index c97823dee0e91ef4d748bb93043ed9a41f8606e2..098b58a12ceeedf070476211acc421a7c871b6a9 100644 (file)
@@ -16,6 +16,7 @@ options {
        notify-source 10.53.0.4;
        transfer-source 10.53.0.4;
        port @PORT@;
+       tls-port @TLSPORT@;
        pid-file "named.pid";
        listen-on { 10.53.0.4; };
        listen-on-v6 { none; };
@@ -29,15 +30,57 @@ zone "." {
        file "root.db";
 };
 
+tls tls-forward-secrecy {
+    protocols { TLSv1.2; };
+    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+    dhparam-file "../dhparam3072.pem";
+    ca-file "../CA/CA.pem";
+};
+
+tls tls-forward-secrecy-remote-hostname {
+    protocols { TLSv1.2; };
+    ca-file "../CA/CA.pem";
+    remote-hostname "srv02.crt01.example.nil";
+};
+
+tls tls-forward-secrecy-bad-remote-hostname {
+    protocols { TLSv1.2; };
+    ca-file "../CA/CA.pem";
+    remote-hostname "srv02-bad.crt01.example.nil";
+};
+
+tls tls-forward-secrecy-mutual-tls {
+    protocols { TLSv1.2; };
+    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+    key-file "../CA/certs/srv04.crt01.example.nil.key";
+    cert-file "../CA/certs/srv04.crt01.example.nil.pem";
+    dhparam-file "../dhparam3072.pem";
+    ca-file "../CA/CA.pem";
+};
+
+tls tls-expired {
+    protocols { TLSv1.2; };
+    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+    prefer-server-ciphers yes;
+    dhparam-file "../dhparam3072.pem";
+    ca-file "../CA/CA.pem";
+};
+
 zone "example1." {
        type forward;
        forward first;
-       forwarders { 10.53.0.2; };
+       forwarders { 10.53.0.2 tls ephemeral; };
 };
 
 zone "example3." {
        type forward;
-       forwarders { 10.53.0.2; };
+       forwarders port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; };
+};
+
+zone "example4." {
+       type forward;
+       forward only;
+       forwarders port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2 tls tls-expired port @EXTRAPORT3@; };
 };
 
 zone "example5." {
@@ -46,10 +89,22 @@ zone "example5." {
        forwarders { 10.53.0.2; };
 };
 
+zone "example8." {
+       type forward;
+       forward only;
+       forwarders port @EXTRAPORT1@ tls tls-forward-secrecy-remote-hostname { 10.53.0.2; };
+};
+
+zone "example9." {
+       type forward;
+       forward only;
+       forwarders port @EXTRAPORT1@ tls tls-forward-secrecy-bad-remote-hostname { 10.53.0.2; };
+};
+
 zone "1.0.10.in-addr.arpa" {
        type forward;
        forward only;
-       forwarders { 10.53.0.2; };
+       forwarders { 10.53.0.2 tls tls-forward-secrecy-mutual-tls port @EXTRAPORT2@; };
 };
 
 zone "grafted" {
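Review bot: `prefer-server-ciphers yes;` in the ns4 `tls tls-expired` block is the only one of the five client-side profiles here that carries it, and it appears to be a server-side setting with no effect on an outgoing forwarder connection, so it reads as copied from the ns2 listener profile of the same name; dropping that line keeps the client profiles consistent. In `zone "example4."` the per-forwarder `tls tls-expired port @EXTRAPORT3@` overrides the zone-level `port @EXTRAPORT1@ tls tls-forward-secrecy`, which is what the expired-certificate check depends on but is easy to misread as a redundant default; a comment such as `// per-forwarder tls/port override the zone-level defaults: only the expired listener on @EXTRAPORT3@ is contacted` would make that explicit. The `tls-forward-secrecy-remote-hostname` and `-bad-remote-hostname` profiles differ only in the `remote-hostname` value, so a comment on the latter noting that it must never match the srv02 certificate's SAN would protect the negative test from a well-meaning "fix".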
index 914b30c65feb31158a2bfffad89d909b7e9cf87b..42e3ca9031dee16b650b821ed3019b05f44a6af3 100644 (file)
@@ -71,11 +71,24 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
 n=$((n+1))
-echo_i "checking that a forward zone works ($n)"
+echo_i "checking that DoT expired certificate does not work ($n)"
 ret=0
+nextpart ns4/named.run >/dev/null
+dig_with_opts +noadd +noauth txt.example4. txt @$hidden > dig.out.$n.hidden || ret=1
+dig_with_opts +noadd +noauth txt.example4. txt @$f2 > dig.out.$n.f2 || ret=1
+digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1
+wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that a forward zone works (DoT insecure) ($n)"
+ret=0
+nextpart ns4/named.run >/dev/null
 dig_with_opts +noadd +noauth txt.example1. txt @$hidden > dig.out.$n.hidden || ret=1
 dig_with_opts +noadd +noauth txt.example1. txt @$f2 > dig.out.$n.f2 || ret=1
 digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
+wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
@@ -89,11 +102,35 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
 n=$((n+1))
-echo_i "checking that a forward zone with no specified policy works ($n)"
+echo_i "checking that a forward zone with no specified policy works (DoT forward-secrecy) ($n)"
 ret=0
+nextpart ns4/named.run >/dev/null
 dig_with_opts +noadd +noauth txt.example3. txt @$hidden > dig.out.$n.hidden || ret=1
 dig_with_opts +noadd +noauth txt.example3. txt @$f2 > dig.out.$n.f2 || ret=1
 digcomp dig.out.$n.hidden dig.out.$n.f2 || ret=1
+wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that DoT remote-hostname works ($n)"
+ret=0
+nextpart ns4/named.run >/dev/null
+dig_with_opts +noadd +noauth txt.example8. txt @$hidden > dig.out.$n.hidden || ret=1
+dig_with_opts +noadd +noauth txt.example8. txt @$f2 > dig.out.$n.f2 || ret=1
+digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 || ret=1
+wait_for_log 1 "TLS client session created for 10.53.0.2" ns4/named.run || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that DoT bad remote-hostname does not work ($n)"
+ret=0
+nextpart ns4/named.run >/dev/null
+dig_with_opts +noadd +noauth txt.example9. txt @$hidden > dig.out.$n.hidden || ret=1
+dig_with_opts +noadd +noauth txt.example9. txt @$f2 > dig.out.$n.f2 || ret=1
+digcomp dig.out.$n.hidden dig.out.$n.f2 >/dev/null 2>&1 && ret=1
+wait_for_log 1 "TLS peer certificate verification failed" ns4/named.run || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
@@ -120,14 +157,14 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
 check_override() (
-    dig_with_opts 1.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 &&
+    dig_with_opts 1.0.10.in-addr.arpa TXT @$f2 > dig.out.$n.f2 &&
     grep "status: NOERROR" dig.out.$n.f2 > /dev/null &&
-    dig_with_opts 2.0.10.in-addr.arpa TXT @10.53.0.4 > dig.out.$n.f2 &&
+    dig_with_opts 2.0.10.in-addr.arpa TXT @$f2 > dig.out.$n.f2 &&
     grep "status: NXDOMAIN" dig.out.$n.f2 > /dev/null
 )
 
 n=$((n+1))
-echo_i "checking that forward only zone overrides empty zone ($n)"
+echo_i "checking that forward only zone overrides empty zone (DoT forward-secrecy-mutual-tls) ($n)"
 ret=0
 # retry loop in case the server restart above causes transient failure
 retry_quiet 10 check_override || ret=1
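Review bot: The two negative checks (expired certificate, bad remote-hostname) only assert that the ns4 answer differs from the hidden server's and that the verification-failure line was logged; neither inspects the response ns4 actually returned, so an unrelated transport error on the `@$f2` query would pass the `digcomp ... && ret=1` step just as the intended rejection does. Since both example4 and example9 are `forward only`, a stricter assertion such as `grep "status: SERVFAIL" dig.out.$n.f2 > /dev/null || ret=1` placed after the digcomp line would pin the expected failure mode (confirm the exact rcode against a run, as it is not visible here). The mutual-TLS override check at the end depends on check_override succeeding but, unlike the other positive cases, adds no `wait_for_log` for the TLS session, so a configuration that silently fell back to a plain forwarder would still pass; a `nextpart ns4/named.run >/dev/null` before `retry_quiet` followed by the same `"TLS client session created for 10.53.0.2"` check would keep coverage uniform, provided connection reuse does not suppress the log line.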