Minimal number of changes needed to udpate to draft-28 (#115)

* includes AD in authentication check of TLS records

As per 5.2 of TLS 1.3 draft-28, the additional data is record header.

* tests: Update tests in order to support draft-28

* Interoperability: Updates NSS and BoringSSL versions to the
  one supporting draft-28
* Bogo: Updates revision number to use tests for draft-28
* FIX: makefile was using test-compat target instead of
  test-interop

* DC test: constify

* Use binary interface to encode in big-endian
This commit is contained in:
Henry Case 2018-08-09 20:47:50 +01:00 committed by GitHub
parent 0d6e4561a6
commit d3e18f99e2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 61 additions and 35 deletions

View File

@ -71,7 +71,7 @@ We run 3 kinds of test:.
* Unit testing: <br/>``make -f _dev/Makefile test-unit`` * Unit testing: <br/>``make -f _dev/Makefile test-unit``
* Testing against BoringSSL test suite: <br/>``make -f _dev/Makefile test-bogo`` * Testing against BoringSSL test suite: <br/>``make -f _dev/Makefile test-bogo``
* Compatibility testing (see below):<br/>``make -f _dev/Makefile test-compat`` * Compatibility testing (see below):<br/>``make -f _dev/Makefile test-interop``
To run all the tests in one go use: To run all the tests in one go use:
``` ```

View File

@ -115,4 +115,4 @@ clean-all: clean
fmtcheck: fmtcheck:
$(DEV_DIR)/utils/fmtcheck.sh $(DEV_DIR)/utils/fmtcheck.sh
.PHONY: $(BUILD_DIR) clean build build-test test test-unit test-bogo test-compat .PHONY: $(BUILD_DIR) clean build build-test test test-unit test-bogo test-interop

View File

@ -26,7 +26,10 @@ RUN git clone https://github.com/henrydcase/crypto-tls-bogo-shim \
#ARG REVISION=d07b9e80a87c871c2569ce4aabd06695336c5dc5 #ARG REVISION=d07b9e80a87c871c2569ce4aabd06695336c5dc5
# Draft 23 (+ client authentication) # Draft 23 (+ client authentication)
ARG REVISION=cd33ad248ae9490854f0077ca046b47cac3735bf # ARG REVISION=cd33ad248ae9490854f0077ca046b47cac3735bf
# Draft 28
ARG REVISION=33204d1eaa497819c6325998d7ba6b66316790f3
RUN cd /go/src/github.com/henrydcase/crypto-tls-bogo-shim && \ RUN cd /go/src/github.com/henrydcase/crypto-tls-bogo-shim && \
git checkout $REVISION git checkout $REVISION

View File

@ -2,7 +2,7 @@
set -e set -e
/boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \ /boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \
-tls13-variant draft23 -session-out /session -connect "$@" < /httpreq.txt -tls13-variant draft28 -session-out /session -connect "$@" < /httpreq.txt
exec /boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \ exec /boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \
-tls13-variant draft23 -session-in /session -connect "$@" < /httpreq.txt -tls13-variant draft28 -session-in /session -connect "$@" < /httpreq.txt

View File

@ -6,21 +6,21 @@ set -x
bssl server \ bssl server \
-key rsa.pem \ -key rsa.pem \
-min-version tls1.2 -max-version tls1.3 \ -min-version tls1.2 -max-version tls1.3 \
-tls13-variant draft23 \ -tls13-variant draft28 \
-accept 1443 -loop -www 2>&1 & -accept 1443 -loop -www 2>&1 &
# ECDSA # ECDSA
bssl server \ bssl server \
-key ecdsa.pem \ -key ecdsa.pem \
-min-version tls1.2 -max-version tls1.3 \ -min-version tls1.2 -max-version tls1.3 \
-tls13-variant draft23 \ -tls13-variant draft28 \
-accept 2443 -loop -www 2>&1 & -accept 2443 -loop -www 2>&1 &
# Require client authentication (with ECDSA) # Require client authentication (with ECDSA)
bssl server \ bssl server \
-key ecdsa.pem \ -key ecdsa.pem \
-min-version tls1.2 -max-version tls1.3 \ -min-version tls1.2 -max-version tls1.3 \
-tls13-variant draft23 \ -tls13-variant draft28 \
-accept 6443 -loop -www \ -accept 6443 -loop -www \
-require-any-client-cert -debug 2>&1 & -require-any-client-cert -debug 2>&1 &

View File

@ -44,6 +44,7 @@ var tlsVersionToName = map[uint16]string{
tls.VersionTLS13Draft21: "1.3 (draft 21)", tls.VersionTLS13Draft21: "1.3 (draft 21)",
tls.VersionTLS13Draft22: "1.3 (draft 22)", tls.VersionTLS13Draft22: "1.3 (draft 22)",
tls.VersionTLS13Draft23: "1.3 (draft 23)", tls.VersionTLS13Draft23: "1.3 (draft 23)",
tls.VersionTLS13Draft28: "1.3 (draft 28)",
} }
func NewServer() *server { func NewServer() *server {

View File

@ -18,6 +18,7 @@ var tlsVersionToName = map[uint16]string{
tls.VersionTLS13: "1.3", tls.VersionTLS13: "1.3",
tls.VersionTLS13Draft18: "1.3 (draft 18)", tls.VersionTLS13Draft18: "1.3 (draft 18)",
tls.VersionTLS13Draft23: "1.3 (draft 23)", tls.VersionTLS13Draft23: "1.3 (draft 23)",
tls.VersionTLS13Draft28: "1.3 (draft 28)",
} }
var cipherSuiteIdToName = map[uint16]string{ var cipherSuiteIdToName = map[uint16]string{

View File

@ -24,7 +24,10 @@ ENV USE_64=1 NSS_ENABLE_TLS_1_3=1
#ARG REVISION=88c3f3fa581b #ARG REVISION=88c3f3fa581b
# Draft 23 # Draft 23
ARG REVISION=16c622c9e1cc # ARG REVISION=16c622c9e1cc
# Latest
ARG REVISION=09ab3310e710
RUN cd nss && hg pull RUN cd nss && hg pull
RUN cd nss && hg checkout -C $REVISION RUN cd nss && hg checkout -C $REVISION

View File

@ -174,7 +174,10 @@ type fixedNonceAEAD struct {
aead cipher.AEAD aead cipher.AEAD
} }
func (f *fixedNonceAEAD) NonceSize() int { return 8 } func (f *fixedNonceAEAD) NonceSize() int { return 8 }
// Overhead returns the maximum difference between the lengths of a
// plaintext and its ciphertext.
func (f *fixedNonceAEAD) Overhead() int { return f.aead.Overhead() } func (f *fixedNonceAEAD) Overhead() int { return f.aead.Overhead() }
func (f *fixedNonceAEAD) explicitNonceLen() int { return 8 } func (f *fixedNonceAEAD) explicitNonceLen() int { return 8 }

View File

@ -31,6 +31,7 @@ const (
VersionTLS13Draft21 = 0x7f00 | 21 VersionTLS13Draft21 = 0x7f00 | 21
VersionTLS13Draft22 = 0x7f00 | 22 VersionTLS13Draft22 = 0x7f00 | 22
VersionTLS13Draft23 = 0x7f00 | 23 VersionTLS13Draft23 = 0x7f00 | 23
VersionTLS13Draft28 = 0x7f00 | 28
) )
const ( const (
@ -41,7 +42,7 @@ const (
maxWarnAlertCount = 5 // maximum number of consecutive warning alerts maxWarnAlertCount = 5 // maximum number of consecutive warning alerts
minVersion = VersionTLS12 minVersion = VersionTLS12
maxVersion = VersionTLS13Draft23 maxVersion = VersionTLS13Draft28
) )
// TLS record types. // TLS record types.
@ -888,7 +889,7 @@ var configSuppVersArray = [...]uint16{VersionTLS13, VersionTLS12, VersionTLS11,
// with TLS 1.3 draft versions included. // with TLS 1.3 draft versions included.
// //
// TODO: remove once TLS 1.3 is finalised. // TODO: remove once TLS 1.3 is finalised.
var tls13DraftSuppVersArray = [...]uint16{VersionTLS13Draft23, VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30} var tls13DraftSuppVersArray = [...]uint16{VersionTLS13Draft28, VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30}
// getSupportedVersions returns the protocol versions that are supported by the // getSupportedVersions returns the protocol versions that are supported by the
// current configuration. // current configuration.

26
conn.go
View File

@ -11,6 +11,7 @@ import (
"crypto/cipher" "crypto/cipher"
"crypto/subtle" "crypto/subtle"
"crypto/x509" "crypto/x509"
"encoding/binary"
"errors" "errors"
"fmt" "fmt"
"io" "io"
@ -358,6 +359,15 @@ func (hc *halfConn) decrypt(b *block) (ok bool, prefixLen int, alertValue alert)
hc.additionalData[11] = byte(n >> 8) hc.additionalData[11] = byte(n >> 8)
hc.additionalData[12] = byte(n) hc.additionalData[12] = byte(n)
additionalData = hc.additionalData[:] additionalData = hc.additionalData[:]
} else {
if len(payload) > int((1<<14)+256) {
return false, 0, alertRecordOverflow
}
// Check AD header, see 5.2 of RFC8446
additionalData = make([]byte, 5)
additionalData[0] = 23
binary.BigEndian.PutUint16(additionalData[1:], 0x0303)
binary.BigEndian.PutUint16(additionalData[3:], uint16(len(payload)))
} }
var err error var err error
payload, err = c.Open(payload[:0], nonce, payload, additionalData) payload, err = c.Open(payload[:0], nonce, payload, additionalData)
@ -460,10 +470,11 @@ func (hc *halfConn) encrypt(b *block, explicitIVLen int) (bool, alert) {
case cipher.Stream: case cipher.Stream:
c.XORKeyStream(payload, payload) c.XORKeyStream(payload, payload)
case aead: case aead:
// explicitIVLen is always 0 for TLS1.3
payloadLen := len(b.data) - recordHeaderLen - explicitIVLen payloadLen := len(b.data) - recordHeaderLen - explicitIVLen
overhead := c.Overhead() overhead := c.Overhead()
if hc.version >= VersionTLS13 { if hc.version >= VersionTLS13 {
overhead++ overhead++ // TODO(kk): why this is done?
} }
b.resize(len(b.data) + overhead) b.resize(len(b.data) + overhead)
@ -478,16 +489,19 @@ func (hc *halfConn) encrypt(b *block, explicitIVLen int) (bool, alert) {
if hc.version < VersionTLS13 { if hc.version < VersionTLS13 {
copy(hc.additionalData[:], hc.seq[:]) copy(hc.additionalData[:], hc.seq[:])
copy(hc.additionalData[8:], b.data[:3]) copy(hc.additionalData[8:], b.data[:3])
hc.additionalData[11] = byte(payloadLen >> 8) binary.BigEndian.PutUint16(hc.additionalData[11:], uint16(payloadLen))
hc.additionalData[12] = byte(payloadLen)
additionalData = hc.additionalData[:] additionalData = hc.additionalData[:]
} } else {
if hc.version >= VersionTLS13 {
// opaque type // opaque type
payload = payload[:len(payload)+1] payload = payload[:len(payload)+1]
payload[len(payload)-1] = b.data[0] payload[len(payload)-1] = b.data[0]
b.data[0] = byte(recordTypeApplicationData) b.data[0] = byte(recordTypeApplicationData)
// Add AD header, see 5.2 of RFC8446
additionalData = make([]byte, 5)
additionalData[0] = byte(recordTypeApplicationData)
binary.BigEndian.PutUint16(additionalData[1:], VersionTLS12)
binary.BigEndian.PutUint16(additionalData[3:], uint16(payloadLen+overhead))
} }
c.Seal(payload[:0], nonce, payload, additionalData) c.Seal(payload[:0], nonce, payload, additionalData)

View File

@ -155,8 +155,8 @@ func ExampleConfig_keyLogWriter_TLS13() {
// preferences. // preferences.
// Output: // Output:
// CLIENT_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 a829dab06ccbe9323e0ad6cf331cd64d9a499f7f4b1e0b52d0dfaba90c07f275 // CLIENT_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 16ca97d21087a14d406b2601b4713dd82b156cc01d54665baaa4bdb62b72b9a4
// SERVER_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 5f6a288b5b5aba5cfc65d9966b279e911ac58bd7f81abbb67b10427106f01940 // SERVER_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 102c68d960da4f5e2b76a99636ac07bb5774e43b8ce8c14aa4dfd9bf54d11754
// SERVER_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 1f202d1c1d43e74a8c4f46a56eae2cef9de417ff9f5f3927195eacc168f459b3 // SERVER_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 f3208d533bb885f32f52142acb484eed104739970c2f426e72a1ee31f6d28650
// CLIENT_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 67ece7874ec4f661fe1f06fb4240decd25f54062d78f0784844bf222d1967c20 // CLIENT_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 70de6b1936df7db171c02f9cfdb04dfa9405a891c959beb15b86f26b2057ba23
} }

View File

@ -18,7 +18,7 @@ import (
// A PEM-encoded "delegation certificate", an X.509 certificate with the // A PEM-encoded "delegation certificate", an X.509 certificate with the
// DelegationUsage extension. The extension is defined in // DelegationUsage extension. The extension is defined in
// specified in https://tools.ietf.org/html/draft-ietf-tls-subcerts-02. // specified in https://tools.ietf.org/html/draft-ietf-tls-subcerts-02.
var dcDelegationCertPEM = `-----BEGIN CERTIFICATE----- const DcCertWithDelegationUsage = `-----BEGIN CERTIFICATE-----
MIIBejCCASGgAwIBAgIQXXtl0v50W2OadoW0QwLUlzAKBggqhkjOPQQDAjAUMRIw MIIBejCCASGgAwIBAgIQXXtl0v50W2OadoW0QwLUlzAKBggqhkjOPQQDAjAUMRIw
EAYDVQQKEwlBY21lIEluYy4wHhcNMTgwNzMwMjAxMTE5WhcNMTgwODA2MjAxMTE5 EAYDVQQKEwlBY21lIEluYy4wHhcNMTgwNzMwMjAxMTE5WhcNMTgwODA2MjAxMTE5
WjAUMRIwEAYDVQQKEwlBY21lIEluYy4wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC WjAUMRIwEAYDVQQKEwlBY21lIEluYy4wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
@ -32,7 +32,7 @@ AQQBgtpLLAQAMAoGCCqGSM49BAMCA0cAMEQCIEMdIkwwmzQAJ6RSDT3wcrsySx2B
// The PEM-encoded "delegation key", the secret key associated with the // The PEM-encoded "delegation key", the secret key associated with the
// delegation certificate. This is a key for ECDSA with P256 and SHA256. // delegation certificate. This is a key for ECDSA with P256 and SHA256.
var dcDelegationKeyPEM = `-----BEGIN EC PRIVATE KEY----- const DcKeyWithDelegationUsage = `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIAS/pGktmxK1hlt3gF4N2nkMrJnoZihvOO63nnNcxXQroAoGCCqGSM49 MHcCAQEEIAS/pGktmxK1hlt3gF4N2nkMrJnoZihvOO63nnNcxXQroAoGCCqGSM49
AwEHoUQDQgAE3ELrmlDSd5KihrOAwXSVXe81s8hgDU+LgTRlZGdnIGg7HRZ8ffXx AwEHoUQDQgAE3ELrmlDSd5KihrOAwXSVXe81s8hgDU+LgTRlZGdnIGg7HRZ8ffXx
om34KFnq/By7fWfkuh7PvGwzwRzYE0fy3w== om34KFnq/By7fWfkuh7PvGwzwRzYE0fy3w==
@ -40,7 +40,7 @@ om34KFnq/By7fWfkuh7PvGwzwRzYE0fy3w==
` `
// A certificate without the DelegationUsage extension. // A certificate without the DelegationUsage extension.
var dcCertPEM = `-----BEGIN CERTIFICATE----- const DcCertWithoutDelegationUsage = `-----BEGIN CERTIFICATE-----
MIIBajCCAQ+gAwIBAgIRAMUg/VFqJaWWJwZ9iHoMjqIwCgYIKoZIzj0EAwIwEjEQ MIIBajCCAQ+gAwIBAgIRAMUg/VFqJaWWJwZ9iHoMjqIwCgYIKoZIzj0EAwIwEjEQ
MA4GA1UEChMHQWNtZSBDbzAeFw0xODA3MzAyMDExMTlaFw0xOTA3MzAyMDExMTla MA4GA1UEChMHQWNtZSBDbzAeFw0xODA3MzAyMDExMTlaFw0xOTA3MzAyMDExMTla
MBIxEDAOBgNVBAoTB0FjbWUgQ28wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATA MBIxEDAOBgNVBAoTB0FjbWUgQ28wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATA
@ -52,8 +52,8 @@ KFyrowMTan791RJnyANH/4uYhmvkfhfrFGSTXUli
-----END CERTIFICATE----- -----END CERTIFICATE-----
` `
// The secret key associatted with dcCertPEM. // The secret key associatted with DcCertWithoutDelegationUsage.
var dcKeyPEM = `-----BEGIN EC PRIVATE KEY----- const DcKeyWithoutDelegationUsage = `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIEP82pOhzx0tKkky9t0OmUo9MHgmfdAHxDN2cHmWGqOhoAoGCCqGSM49 MHcCAQEEIEP82pOhzx0tKkky9t0OmUo9MHgmfdAHxDN2cHmWGqOhoAoGCCqGSM49
AwEHoUQDQgAEwJ/qHlkr0jR4RLJEkYJJHqwkA6FfzQPq90uQLQjhU+QGC7fMZbUk AwEHoUQDQgAEwJ/qHlkr0jR4RLJEkYJJHqwkA6FfzQPq90uQLQjhU+QGC7fMZbUk
1nqxSP2JWSyHC8ZST0+0/l6QZ30usWgLsQ== 1nqxSP2JWSyHC8ZST0+0/l6QZ30usWgLsQ==
@ -75,7 +75,7 @@ type dcTestDC struct {
// Use with maxVersion == VersionTLS13Draft23. // Use with maxVersion == VersionTLS13Draft23.
// //
// TODO(henrydcase): Remove this when we drop support for draft23. // TODO(henrydcase): Remove this when we drop support for draft23.
var dcTestDataDraft23PEM = `-----BEGIN DC TEST DATA----- const DcTestDataDraft23PEM = `-----BEGIN DC TEST DATA-----
MIIIPDCCAUETCXRsczEzcDI1NgICfxcCAgQDBIGwAAk6gAQDfxcAWzBZMBMGByqG MIIIPDCCAUETCXRsczEzcDI1NgICfxcCAgQDBIGwAAk6gAQDfxcAWzBZMBMGByqG
SM49AgEGCCqGSM49AwEHA0IABDFeK+EcMQWKDM6xZJqHEHLcIWE0iHTAL1xAB5r6 SM49AgEGCCqGSM49AwEHA0IABDFeK+EcMQWKDM6xZJqHEHLcIWE0iHTAL1xAB5r6
bkm7GLlz1HLWcTy28PNsb9KQLV3Yeay2WYA2d2zGQjNbEhcEAwBHMEUCIQDnXyP4 bkm7GLlz1HLWcTy28PNsb9KQLV3Yeay2WYA2d2zGQjNbEhcEAwBHMEUCIQDnXyP4
@ -126,7 +126,7 @@ AiEiKCRicw1Upfdy+xdSF0N3XXkLHB13criCfJr2rbZ1o8V7CsX6U70o+/48huPI
// Use with maxVersion == VersionTLS13Draft28. // Use with maxVersion == VersionTLS13Draft28.
// //
// TODO(henrydcase): Remove this when we drop support for draft28. // TODO(henrydcase): Remove this when we drop support for draft28.
var dcTestDataDraft28PEM = `-----BEGIN DC TEST DATA----- const DcTestDataDraft28PEM = `-----BEGIN DC TEST DATA-----
MIIIOjCCAUATCXRsczEzcDI1NgICfxwCAgQDBIGvAAk6gAQDfxwAWzBZMBMGByqG MIIIOjCCAUATCXRsczEzcDI1NgICfxwCAgQDBIGvAAk6gAQDfxwAWzBZMBMGByqG
SM49AgEGCCqGSM49AwEHA0IABAOcQMVs6VmVQ1BYyK+YhUAucZqH3LmDQmAaVDs8 SM49AgEGCCqGSM49AwEHA0IABAOcQMVs6VmVQ1BYyK+YhUAucZqH3LmDQmAaVDs8
brnePHVmSdOoQCU+Ybp3kgnklW958EFZiJ2oK7iWkIpi4TIEAwBGMEQCIB8w0eko brnePHVmSdOoQCU+Ybp3kgnklW958EFZiJ2oK7iWkIpi4TIEAwBGMEQCIB8w0eko
@ -175,7 +175,7 @@ x/tlNfATUGmFQGwPug4RyWVux22dGrn81/SsIXJ8hz1eb0s9EKOBbxwhJ//ACg==
` `
// Use with maxVersion == VersionTLS13. // Use with maxVersion == VersionTLS13.
var dcTestDataPEM = `-----BEGIN DC TEST DATA----- const DcTestDataTLS13PEM = `-----BEGIN DC TEST DATA-----
MIIIOzCCAUATCXRsczEzcDI1NgICAwQCAgQDBIGvAAk6gAQDAwQAWzBZMBMGByqG MIIIOzCCAUATCXRsczEzcDI1NgICAwQCAgQDBIGvAAk6gAQDAwQAWzBZMBMGByqG
SM49AgEGCCqGSM49AwEHA0IABFTImzqflLfyu3rqlCVsezSv45fKJglhjDYcwJ3H SM49AgEGCCqGSM49AwEHA0IABFTImzqflLfyu3rqlCVsezSv45fKJglhjDYcwJ3H
ylqX6rFCupeCwKmMhFvxRkkWAOobv2DZxLYALFgggC8KckkEAwBGMEQCIBWO8rFt ylqX6rFCupeCwKmMhFvxRkkWAOobv2DZxLYALFgggC8KckkEAwBGMEQCIBWO8rFt
@ -273,11 +273,11 @@ func init() {
var testData []byte var testData []byte
switch maxVersion { switch maxVersion {
case VersionTLS13Draft23: case VersionTLS13Draft23:
testData = []byte(dcTestDataDraft23PEM) testData = []byte(DcTestDataDraft23PEM)
case 0x7f00 | 28: // TODO(henrydcase): Fix once draft 28 is implemented case 0x7f00 | 28: // TODO(henrydcase): Fix once draft 28 is implemented
testData = []byte(dcTestDataDraft28PEM) testData = []byte(DcTestDataDraft28PEM)
case 0x0304: // TODO(henrydcase): Fix once the final version is implemented case 0x0304: // TODO(henrydcase): Fix once the final version is implemented
testData = []byte(dcTestDataPEM) testData = []byte(DcTestDataTLS13PEM)
default: default:
panic(fmt.Errorf("no test data for version %04x", maxVersion)) panic(fmt.Errorf("no test data for version %04x", maxVersion))
} }
@ -299,7 +299,7 @@ func init() {
} }
// The delegation certificate. // The delegation certificate.
dcTestDelegationCert, err = X509KeyPair([]byte(dcDelegationCertPEM), []byte(dcDelegationKeyPEM)) dcTestDelegationCert, err = X509KeyPair([]byte(DcCertWithDelegationUsage), []byte(DcKeyWithDelegationUsage))
if err != nil { if err != nil {
panic(err) panic(err)
} }
@ -309,7 +309,7 @@ func init() {
} }
// A certificate without the the DelegationUsage extension for X.509. // A certificate without the the DelegationUsage extension for X.509.
dcTestCert, err = X509KeyPair([]byte(dcCertPEM), []byte(dcKeyPEM)) dcTestCert, err = X509KeyPair([]byte(DcCertWithoutDelegationUsage), []byte(DcKeyWithoutDelegationUsage))
if err != nil { if err != nil {
panic(err) panic(err)
} }