Initial commit

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

tests/common/mod.rs

@@ -0,0 +1,373 @@
+use std::{path::PathBuf, sync::Arc};
+
+use mio::net::{TcpListener, TcpStream};
+
+use std::collections::HashMap;
+use std::fs;
+use std::io;
+use std::io::{BufReader, Read, Write};
+use std::net;
+
+// Token for our listening socket.
+pub const LISTENER: mio::Token = mio::Token(0);
+
+// Which mode the server operates in.
+#[derive(Clone)]
+pub enum ServerMode {
+    /// Write back received bytes
+    Echo,
+}
+
+/// This binds together a TCP listening socket, some outstanding
+/// connections, and a TLS server configuration.
+pub struct EchoServer {
+    server: TcpListener,
+    connections: HashMap<mio::Token, Connection>,
+    next_id: usize,
+    tls_config: Arc<rustls::ServerConfig>,
+    mode: ServerMode,
+}
+
+impl EchoServer {
+    pub fn new(
+        server: TcpListener,
+        mode: ServerMode,
+        cfg: Arc<rustls::ServerConfig>,
+    ) -> EchoServer {
+        EchoServer {
+            server,
+            connections: HashMap::new(),
+            next_id: 2,
+            tls_config: cfg,
+            mode,
+        }
+    }
+
+    pub fn accept(&mut self, registry: &mio::Registry) -> Result<(), io::Error> {
+        loop {
+            match self.server.accept() {
+                Ok((socket, addr)) => {
+                    log::debug!("Accepting new connection from {:?}", addr);
+
+                    let tls_session =
+                        rustls::ServerConnection::new(self.tls_config.clone()).unwrap();
+                    let mode = self.mode.clone();
+
+                    let token = mio::Token(self.next_id);
+                    self.next_id += 1;
+
+                    let mut connection = Connection::new(socket, token, mode, tls_session);
+                    connection.register(registry);
+                    self.connections.insert(token, connection);
+                }
+                Err(ref err) if err.kind() == io::ErrorKind::WouldBlock => return Ok(()),
+                Err(err) => {
+                    println!(
+                        "encountered error while accepting connection; err={:?}",
+                        err
+                    );
+                    return Err(err);
+                }
+            }
+        }
+    }
+
+    pub fn conn_event(&mut self, registry: &mio::Registry, event: &mio::event::Event) {
+        let token = event.token();
+
+        if self.connections.contains_key(&token) {
+            self.connections
+                .get_mut(&token)
+                .unwrap()
+                .ready(registry, event);
+
+            if self.connections[&token].is_closed() {
+                self.connections.remove(&token);
+            }
+        }
+    }
+}
+
+/// This is a connection which has been accepted by the server,
+/// and is currently being served.
+///
+/// It has a TCP-level stream, a TLS-level session, and some
+/// other state/metadata.
+struct Connection {
+    socket: TcpStream,
+    token: mio::Token,
+    closing: bool,
+    closed: bool,
+    mode: ServerMode,
+    tls_session: rustls::ServerConnection,
+    back: Option<TcpStream>,
+}
+
+/// Open a plaintext TCP-level connection for forwarded connections.
+fn open_back(_mode: &ServerMode) -> Option<TcpStream> {
+    None
+}
+
+/// This used to be conveniently exposed by mio: map EWOULDBLOCK
+/// errors to something less-errory.
+fn try_read(r: io::Result<usize>) -> io::Result<Option<usize>> {
+    match r {
+        Ok(len) => Ok(Some(len)),
+        Err(e) if e.kind() == io::ErrorKind::WouldBlock => Ok(None),
+        Err(e) => Err(e),
+    }
+}
+
+impl Connection {
+    fn new(
+        socket: TcpStream,
+        token: mio::Token,
+        mode: ServerMode,
+        tls_session: rustls::ServerConnection,
+    ) -> Connection {
+        let back = open_back(&mode);
+        Connection {
+            socket,
+            token,
+            closing: false,
+            closed: false,
+            mode,
+            tls_session,
+            back,
+        }
+    }
+
+    /// We're a connection, and we have something to do.
+    fn ready(&mut self, registry: &mio::Registry, ev: &mio::event::Event) {
+        if ev.is_readable() {
+            self.do_tls_read();
+            self.try_plain_read();
+            self.try_back_read();
+        }
+
+        if ev.is_writable() {
+            self.do_tls_write_and_handle_error();
+        }
+
+        if self.closing {
+            let _ = self.socket.shutdown(net::Shutdown::Both);
+            self.close_back();
+            self.closed = true;
+            self.deregister(registry);
+        } else {
+            self.reregister(registry);
+        }
+    }
+
+    fn close_back(&mut self) {
+        if self.back.is_some() {
+            let back = self.back.as_mut().unwrap();
+            back.shutdown(net::Shutdown::Both).unwrap();
+        }
+        self.back = None;
+    }
+
+    fn do_tls_read(&mut self) {
+        let rc = self.tls_session.read_tls(&mut self.socket);
+        if rc.is_err() {
+            let err = rc.unwrap_err();
+            if let io::ErrorKind::WouldBlock = err.kind() {
+                return;
+            }
+            log::warn!("read error {:?}", err);
+            self.closing = true;
+            return;
+        }
+        if rc.unwrap() == 0 {
+            log::debug!("eof");
+            self.closing = true;
+            return;
+        }
+        let processed = self.tls_session.process_new_packets();
+        if processed.is_err() {
+            log::warn!("cannot process packet: {:?}", processed);
+            self.do_tls_write_and_handle_error();
+            self.closing = true;
+        }
+    }
+
+    fn try_plain_read(&mut self) {
+        let mut buf = Vec::new();
+        let rc = self.tls_session.reader().read_to_end(&mut buf);
+        if let Err(ref e) = rc {
+            if e.kind() != io::ErrorKind::WouldBlock {
+                log::warn!("plaintext read failed: {:?}", rc);
+                self.closing = true;
+                return;
+            }
+        }
+        if !buf.is_empty() {
+            log::debug!("plaintext read {:?}", buf.len());
+            self.incoming_plaintext(&buf);
+        }
+    }
+
+    fn try_back_read(&mut self) {
+        if self.back.is_none() {
+            return;
+        }
+        let mut buf = [0u8; 1024];
+        let back = self.back.as_mut().unwrap();
+        let rc = try_read(back.read(&mut buf));
+        if rc.is_err() {
+            log::warn!("backend read failed: {:?}", rc);
+            self.closing = true;
+            return;
+        }
+        let maybe_len = rc.unwrap();
+        match maybe_len {
+            Some(0) => {
+                log::debug!("back eof");
+                self.closing = true;
+            }
+            Some(len) => {
+                self.tls_session.writer().write_all(&buf[..len]).unwrap();
+            }
+            None => {}
+        };
+    }
+
+    fn incoming_plaintext(&mut self, buf: &[u8]) {
+        match self.mode {
+            ServerMode::Echo => {
+                self.tls_session.writer().write_all(buf).unwrap();
+            }
+        }
+    }
+
+    fn tls_write(&mut self) -> io::Result<usize> {
+        self.tls_session.write_tls(&mut self.socket)
+    }
+
+    fn do_tls_write_and_handle_error(&mut self) {
+        let rc = self.tls_write();
+        if rc.is_err() {
+            log::warn!("write failed {:?}", rc);
+            self.closing = true;
+        }
+    }
+
+    fn register(&mut self, registry: &mio::Registry) {
+        let event_set = self.event_set();
+        registry
+            .register(&mut self.socket, self.token, event_set)
+            .unwrap();
+        if self.back.is_some() {
+            registry
+                .register(
+                    self.back.as_mut().unwrap(),
+                    self.token,
+                    mio::Interest::READABLE,
+                )
+                .unwrap();
+        }
+    }
+
+    fn reregister(&mut self, registry: &mio::Registry) {
+        let event_set = self.event_set();
+        registry
+            .reregister(&mut self.socket, self.token, event_set)
+            .unwrap();
+    }
+
+    fn deregister(&mut self, registry: &mio::Registry) {
+        registry.deregister(&mut self.socket).unwrap();
+        if self.back.is_some() {
+            registry.deregister(self.back.as_mut().unwrap()).unwrap();
+        }
+    }
+
+    fn event_set(&self) -> mio::Interest {
+        let rd = self.tls_session.wants_read();
+        let wr = self.tls_session.wants_write();
+        if rd && wr {
+            mio::Interest::READABLE | mio::Interest::WRITABLE
+        } else if wr {
+            mio::Interest::WRITABLE
+        } else {
+            mio::Interest::READABLE
+        }
+    }
+
+    fn is_closed(&self) -> bool {
+        self.closed
+    }
+}
+
+pub fn load_certs(filename: &PathBuf) -> Vec<rustls::Certificate> {
+    let certfile = fs::File::open(filename).expect("cannot open certificate file");
+    let mut reader = BufReader::new(certfile);
+    rustls_pemfile::certs(&mut reader)
+        .unwrap()
+        .iter()
+        .map(|v| rustls::Certificate(v.clone()))
+        .collect()
+}
+
+pub fn load_private_key(filename: &PathBuf) -> rustls::PrivateKey {
+    let keyfile = fs::File::open(filename).expect("cannot open private key file");
+    let mut reader = BufReader::new(keyfile);
+    loop {
+        match rustls_pemfile::read_one(&mut reader).expect("cannot parse private key .pem file") {
+            Some(rustls_pemfile::Item::RSAKey(key)) => return rustls::PrivateKey(key),
+            Some(rustls_pemfile::Item::PKCS8Key(key)) => return rustls::PrivateKey(key),
+            Some(rustls_pemfile::Item::ECKey(key)) => return rustls::PrivateKey(key),
+            None => break,
+            _ => {}
+        }
+    }
+    panic!(
+        "no keys found in {:?} (encrypted keys not supported)",
+        filename
+    );
+}
+
+#[allow(dead_code)]
+pub fn run(listener: TcpListener) {
+    let versions = &[&rustls::version::TLS13];
+    let test_dir = std::path::PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("tests");
+    let certs = load_certs(&test_dir.join("fixtures").join("leaf-server.pem"));
+    let privkey = load_private_key(&test_dir.join("fixtures").join("leaf-server-key.pem"));
+    let config = rustls::ServerConfig::builder()
+        .with_cipher_suites(rustls::ALL_CIPHER_SUITES)
+        .with_kx_groups(&rustls::ALL_KX_GROUPS)
+        .with_protocol_versions(versions)
+        .unwrap()
+        .with_no_client_auth()
+        .with_single_cert(certs, privkey)
+        .unwrap();
+    run_with_config(listener, config)
+}
+
+pub fn run_with_config(mut listener: TcpListener, config: rustls::ServerConfig) {
+    let mut poll = mio::Poll::new().unwrap();
+    poll.registry()
+        .register(&mut listener, LISTENER, mio::Interest::READABLE)
+        .unwrap();
+    let mut tlsserv = EchoServer::new(listener, ServerMode::Echo, Arc::new(config));
+    let mut events = mio::Events::with_capacity(256);
+    loop {
+        if let Err(e) = poll.poll(&mut events, None) {
+            if e.kind() == std::io::ErrorKind::Interrupted {
+                log::debug!("I/O error {:?}", e);
+                continue;
+            }
+            panic!("I/O error {:?}", e);
+        }
+        for event in events.iter() {
+            match event.token() {
+                LISTENER => {
+                    tlsserv
+                        .accept(poll.registry())
+                        .expect("error accepting socket");
+                }
+                _ => tlsserv.conn_event(poll.registry(), event),
+            }
+        }
+    }
+}

tests/fixtures/chain.pem

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIBvjCCAWSgAwIBAgIUXXNrQ1jydxm9uhK7n0OmDUOPiCUwCgYIKoZIzj0EAwIw
+WzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAw
+DgYDVQQKDAdUZXN0T3JnMRswGQYDVQQDDBJUZXN0SW50ZXJtZWRpYXRlQ0EwHhcN
+MjYwMjIxMDgzODU4WhcNMzYwMjE5MDgzODU4WjAUMRIwEAYDVQQDDAlsb2NhbGhv
+c3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAStUYteJnlqMQQaVt8Y3GY92A4E
+/E4/9tB9Y5w9OniFssXUzubEhFyWRUMzF/0plx3Q1LJpEFi+PHOUOMZIUplHo00w
+SzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTmipGtVpxknBpCkG5VwqycrALvuzAfBgNV
+HSMEGDAWgBTRmjFBdHm/8OSJJ4GuT+NLNY6LsDAKBggqhkjOPQQDAgNIADBFAiB2
+ZslSroEj+F/JaLSbNNMTTiRzIeP8jz6Lw+18bWo0agIhAK6gPc06G4rghYixJrWI
+348sgPEgLNyoDXPAIN+EabvM
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICAjCCAamgAwIBAgIUaNQANP0JbqEIRANchWyHObCtwycwCgYIKoZIzj0EAwIw
+UzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAw
+DgYDVQQKDAdUZXN0T3JnMRMwEQYDVQQDDApUZXN0Um9vdENBMB4XDTI2MDIyMTA4
+Mzg1N1oXDTM2MDIxOTA4Mzg1N1owWzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0
+YXRlMQ0wCwYDVQQHDARDaXR5MRAwDgYDVQQKDAdUZXN0T3JnMRswGQYDVQQDDBJU
+ZXN0SW50ZXJtZWRpYXRlQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASrQQZ/
+9Om99T1hcWWBLRceIiPBy5y8AwzeG/30E+CipqpXcGfJJj6b9riPDueOnTbMhRH8
+BmNgJAZBXvKEQd4Po1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTRmjFB
+dHm/8OSJJ4GuT+NLNY6LsDAfBgNVHSMEGDAWgBRkhR8ezN8mKycuLoqDnfSBhZid
+mzAKBggqhkjOPQQDAgNHADBEAiB5ISXZkzQlbgZZ7q8vpWTb9Cfxx3rpKBg6IfIg
+NKm5lgIgJhsTXYO4tWz3UfWDXub2NtXoDGXwMvTsE4UXDRDO15E=
+-----END CERTIFICATE-----

tests/fixtures/intermediate-ca-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIC94ig/ME0X0FOyu8Byk4tDkAdd/LmuUk3KjalEk/7ImoAoGCCqGSM49
+AwEHoUQDQgAEq0EGf/TpvfU9YXFlgS0XHiIjwcucvAMM3hv99BPgoqaqV3BnySY+
+m/a4jw7njp02zIUR/AZjYCQGQV7yhEHeDw==
+-----END EC PRIVATE KEY-----

tests/fixtures/intermediate-ca.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICAjCCAamgAwIBAgIUaNQANP0JbqEIRANchWyHObCtwycwCgYIKoZIzj0EAwIw
+UzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAw
+DgYDVQQKDAdUZXN0T3JnMRMwEQYDVQQDDApUZXN0Um9vdENBMB4XDTI2MDIyMTA4
+Mzg1N1oXDTM2MDIxOTA4Mzg1N1owWzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0
+YXRlMQ0wCwYDVQQHDARDaXR5MRAwDgYDVQQKDAdUZXN0T3JnMRswGQYDVQQDDBJU
+ZXN0SW50ZXJtZWRpYXRlQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASrQQZ/
+9Om99T1hcWWBLRceIiPBy5y8AwzeG/30E+CipqpXcGfJJj6b9riPDueOnTbMhRH8
+BmNgJAZBXvKEQd4Po1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTRmjFB
+dHm/8OSJJ4GuT+NLNY6LsDAfBgNVHSMEGDAWgBRkhR8ezN8mKycuLoqDnfSBhZid
+mzAKBggqhkjOPQQDAgNHADBEAiB5ISXZkzQlbgZZ7q8vpWTb9Cfxx3rpKBg6IfIg
+NKm5lgIgJhsTXYO4tWz3UfWDXub2NtXoDGXwMvTsE4UXDRDO15E=
+-----END CERTIFICATE-----

tests/fixtures/intermediate-ca.srl

@@ -0,0 +1 @@
+5D736B4358F27719BDBA12BB9F43A60D438F8825

tests/fixtures/intermediate-server-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINVUisAFH2zQI1zMfTTQ5Imx89obUgjLnhR1LNKR7xCGoAoGCCqGSM49
+AwEHoUQDQgAErVGLXiZ5ajEEGlbfGNxmPdgOBPxOP/bQfWOcPTp4hbLF1M7mxIRc
+lkVDMxf9KZcd0NSyaRBYvjxzlDjGSFKZRw==
+-----END EC PRIVATE KEY-----

tests/fixtures/intermediate-server.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBvjCCAWSgAwIBAgIUXXNrQ1jydxm9uhK7n0OmDUOPiCUwCgYIKoZIzj0EAwIw
+WzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAw
+DgYDVQQKDAdUZXN0T3JnMRswGQYDVQQDDBJUZXN0SW50ZXJtZWRpYXRlQ0EwHhcN
+MjYwMjIxMDgzODU4WhcNMzYwMjE5MDgzODU4WjAUMRIwEAYDVQQDDAlsb2NhbGhv
+c3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAStUYteJnlqMQQaVt8Y3GY92A4E
+/E4/9tB9Y5w9OniFssXUzubEhFyWRUMzF/0plx3Q1LJpEFi+PHOUOMZIUplHo00w
+SzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTmipGtVpxknBpCkG5VwqycrALvuzAfBgNV
+HSMEGDAWgBTRmjFBdHm/8OSJJ4GuT+NLNY6LsDAKBggqhkjOPQQDAgNIADBFAiB2
+ZslSroEj+F/JaLSbNNMTTiRzIeP8jz6Lw+18bWo0agIhAK6gPc06G4rghYixJrWI
+348sgPEgLNyoDXPAIN+EabvM
+-----END CERTIFICATE-----

tests/fixtures/leaf-client-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICyVJZJWFmk9fLUocyUgG1Vy3DN0tEK2C2akRjxu/9uUoAoGCCqGSM49
+AwEHoUQDQgAESmy9Dc5o67THYEEMOhf55AtrPfE/b9oECoHxsE08kAYiEhDNHF3b
+fHAsG/8o8K0+D/nZBiHSVz7qOJEAYtI38g==
+-----END EC PRIVATE KEY-----

tests/fixtures/leaf-client.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9DCCAZugAwIBAgIUaNQANP0JbqEIRANchWyHObCtwykwCgYIKoZIzj0EAwIw
+UzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAw
+DgYDVQQKDAdUZXN0T3JnMRMwEQYDVQQDDApUZXN0Um9vdENBMB4XDTI2MDIyMTA4
+Mzg1OFoXDTM2MDIxOTA4Mzg1OFowUzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0
+YXRlMQ0wCwYDVQQHDARDaXR5MRAwDgYDVQQKDAdUZXN0T3JnMRMwEQYDVQQDDApU
+ZXN0Q2xpZW50MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESmy9Dc5o67THYEEM
+Ohf55AtrPfE/b9oECoHxsE08kAYiEhDNHF3bfHAsG/8o8K0+D/nZBiHSVz7qOJEA
+YtI38qNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUmnmdVS/JiP0+xsswPzbU0Q5T
+qxYwHwYDVR0jBBgwFoAUZIUfHszfJisnLi6Kg530gYWYnZswCgYIKoZIzj0EAwID
+RwAwRAIgfuTkH23Somj9TonLSQScjTlX3wQOmnmK0tnopK81SdQCIHwFLvOtatXW
+oYwcJFlV9VnsdM1Kl+XqxWotTKNGgGHQ
+-----END CERTIFICATE-----

tests/fixtures/leaf-server-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINmGVq3b5UlwxwkUApMi+qlCUXptr279ZWzkPuY06h8koAoGCCqGSM49
+AwEHoUQDQgAEzZQXKPiuG7YT3j8zFOz4SNJqoKWw8gKivlVqVpBNLcOvcfkrzFvd
+vvT4FiaTUWxjNsiXDT1mj35Gbeip1HLabw==
+-----END EC PRIVATE KEY-----

tests/fixtures/leaf-server.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBtjCCAVygAwIBAgIUaNQANP0JbqEIRANchWyHObCtwygwCgYIKoZIzj0EAwIw
+UzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAw
+DgYDVQQKDAdUZXN0T3JnMRMwEQYDVQQDDApUZXN0Um9vdENBMB4XDTI2MDIyMTA4
+Mzg1OFoXDTM2MDIxOTA4Mzg1OFowFDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYH
+KoZIzj0CAQYIKoZIzj0DAQcDQgAEzZQXKPiuG7YT3j8zFOz4SNJqoKWw8gKivlVq
+VpBNLcOvcfkrzFvdvvT4FiaTUWxjNsiXDT1mj35Gbeip1HLab6NNMEswCQYDVR0T
+BAIwADAdBgNVHQ4EFgQUSvq+CjEju6CTX5ySu6YiKDTuCVswHwYDVR0jBBgwFoAU
+ZIUfHszfJisnLi6Kg530gYWYnZswCgYIKoZIzj0EAwIDSAAwRQIgWzKWT9G3NwTM
+wi0DJ9S+34oyL2WU7h+nPgJ0/ZFPR80CIQDx9pppEpipI83lB5A8wAB6Vi/Kugf9
+ZL3JtaYEl1gJzQ==
+-----END CERTIFICATE-----

tests/fixtures/root-ca-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEILDaSJAPexCKKVxUwA2Obha08yO3FVDlzXwRPk+HDm7EoAoGCCqGSM49
+AwEHoUQDQgAEddxFuwZN+JLJFTiSKPb9DJPOdbLFMPzz66JkcxB28da2r2DqQKTK
+EmramKjIsI9WuXGY06XF1tYDxSfe7lTZZQ==
+-----END EC PRIVATE KEY-----

tests/fixtures/root-ca.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB+zCCAaGgAwIBAgIUfXCGhET97fQO0Q5r972wMTrwA3gwCgYIKoZIzj0EAwIw
+UzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAw
+DgYDVQQKDAdUZXN0T3JnMRMwEQYDVQQDDApUZXN0Um9vdENBMB4XDTI2MDIyMTA4
+Mzg1N1oXDTM2MDIxOTA4Mzg1N1owUzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0
+YXRlMQ0wCwYDVQQHDARDaXR5MRAwDgYDVQQKDAdUZXN0T3JnMRMwEQYDVQQDDApU
+ZXN0Um9vdENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEddxFuwZN+JLJFTiS
+KPb9DJPOdbLFMPzz66JkcxB28da2r2DqQKTKEmramKjIsI9WuXGY06XF1tYDxSfe
+7lTZZaNTMFEwHQYDVR0OBBYEFGSFHx7M3yYrJy4uioOd9IGFmJ2bMB8GA1UdIwQY
+MBaAFGSFHx7M3yYrJy4uioOd9IGFmJ2bMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZI
+zj0EAwIDSAAwRQIhAJrkXZrhS2zAexShCh/Dh47d1LtOvMiq9uqbgP7xI10pAiAF
+fMNptczj+DpN9nRTlELt8FxC8rTxGxjC/tL0aOomDw==
+-----END CERTIFICATE-----

tests/fixtures/root-ca.srl

@@ -0,0 +1 @@
+68D40034FD096EA10844035C856C8739B0ADC329

tests/fixtures/rsa-leaf-client-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCPYjGfNwKAhIsD
+Fepzgc57jcHso5dO/hfs5k4JTRhACoGDA+6QFm9KAb8YC1NFbcJsExJAfvVlSr3S
+82WJqvQOH5LQ7TXPRaG0tAIrWoB76jYb+TQhmi6o0WepOxqDR6w64O3bM6geFR7A
+zbhl2bzOYlZwF+tdCn3L41LpjhzcEVUM8M/IUaCbzexq/jUsRUpFdpYSvEFCKMSR
+BvbV/I0/zMWo+jZXG/YQqbOhNmgQugypPlVIYQLtAVye+92qpajLFlg5RCvXmAtE
+0KGl6nhHPNutqOUJGgmPVmx0fAj1IIjTRws++kIuRYgncxS9qtcblFVy4Ji0NdKu
++Z6LeyLZAgMBAAECggEAA8wP8mtK9MUSFG+sLTxxfretka09IaqR128Q/2Ko+5Qe
+2MdYk+eKD0joONvA/RaKd0FdX3muUHWzSbBuf7dT57mT/wDmgonef/3jL56qPjMt
+rsqyu1ytObhrSR+oeOudSg/huXp3bmVQluC70JGewwkZDNiPc0Qo5OJo1mY6wxex
+dps0A4fCmZtB9ZgmaejCiQaw7udgcpOGo5xdfVrgAtAqCBSaWOoZWNHzjsntSrHO
+fRDa4ilLhwuWwrkIsg5om/zasfTDLM70YyXq4s0ccYyCEPkquPgN/mII/lK+78U6
+AXYfsvSfyVNRoMzMXdTKC+G1QlYDGWeqAoVCS9TyawKBgQDC1ihsohh6PSjYHS7Y
++QODmDXEbwXU/V5iEnFKf4/9+QSW+g12mbckjHS+njvNV4wzdx/ph+bNDAdI8bQU
+Dr5bJXtGbHy1r8/PtNUP4SJmoRvmMVrr34g7QjaHYJ8Jy2m9JHpuRnr38pzg6vP6
+deDtxupT2xPTqV7ivwUDLK9SKwKBgQC8ZRGp2Ny17cH9aKnyjibXLKvtITdDc7H9
+kqs+LM3bcEXpXs0o5ED7J0uhpbNkpplV95Lcm7zdDAkHHiek4yWBUohtgqfbZ76d
+vA+BtnbjDdCyH8B5mN5IDc1zEIJZB1x9CpIhIsDRrBCH/NXl3ldJLBF/ZCJTXWCf
+nqRgwllRCwKBgQC4k7W8JFvYAfSduBfXiSAhHKNjMmJuApHViu80ymAZFD2a4cy7
+XKg5wa4fnzu8LoIth17+F7c47XpBSml0zvra0klU0BXc8W+HsCJgZsH2RA5wJrWh
+2yPuL64E1i4UU1Yaz2IE8lQwbPDdyvfTgLTTzavUQSkpTb0MRjZzaXO1/QKBgG8X
+0mCr5wrJF1nNfFnyBWlhiEifC62U7eKvuJdDaGj8Pd2t76EraD4yH+FEixLRQx50
+jX/VvntC+5fc6lfLMnSeLKEXKNCyzq7JFQPSiyy9GtHO83tA7+LhcMNnetXxB1Md
+BqrPiZCavGzUZXXVtPcLK45JiAxMxguaSyhbsrudAoGAMjK2bcu7buE13KM3wbte
+lysax9gxKKNlqFX68/qx4SUrHxhz5ugF95zlkiDciq/jG5TH1IGNX3q0C7Eid4FY
+0XHwJAqBG5wFWnjx3U+Ozk2QYVXK6rfyk7drAWO2XlsAZVHwf6DlVhYCOT+a9O6W
+60KKqnpWzmBnrc2fzOJgJTM=
+-----END PRIVATE KEY-----

tests/fixtures/rsa-leaf-client.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhDCCAmygAwIBAgIUPL2aFs+m1HMJy9P1zeCRHsgB/dUwDQYJKoZIhvcNAQEL
+BQAwVjELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5
+MRAwDgYDVQQKDAdUZXN0T3JnMRYwFAYDVQQDDA1UZXN0UnNhUm9vdENBMB4XDTI2
+MDIyMTA4MzkwMFoXDTM2MDIxOTA4MzkwMFowUzELMAkGA1UEBhMCVVMxDjAMBgNV
+BAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAwDgYDVQQKDAdUZXN0T3JnMRMwEQYD
+VQQDDApUZXN0Q2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+j2IxnzcCgISLAxXqc4HOe43B7KOXTv4X7OZOCU0YQAqBgwPukBZvSgG/GAtTRW3C
+bBMSQH71ZUq90vNliar0Dh+S0O01z0WhtLQCK1qAe+o2G/k0IZouqNFnqTsag0es
+OuDt2zOoHhUewM24Zdm8zmJWcBfrXQp9y+NS6Y4c3BFVDPDPyFGgm83sav41LEVK
+RXaWErxBQijEkQb21fyNP8zFqPo2Vxv2EKmzoTZoELoMqT5VSGEC7QFcnvvdqqWo
+yxZYOUQr15gLRNChpep4RzzbrajlCRoJj1ZsdHwI9SCI00cLPvpCLkWIJ3MUvarX
+G5RVcuCYtDXSrvmei3si2QIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQV
+mkgyHQUCPp0zo8903lXsOeKE5DAfBgNVHSMEGDAWgBRHYiOHw458Ka7uZ2w7wkbk
+WsD5MTANBgkqhkiG9w0BAQsFAAOCAQEAhrtvIHbrRPFc5QbaT/eelrAqWkhwpxxL
+X/gVwbqtP2+uU2xUVGsfRJV5EI27kzyysq+ySdQLq3j8oe0X6poqDJiE8/zUg7KO
+OYCkH/UGhr+L0hk6Ibvc7izu/LSFT3K5Mo78aB/C4cjDrLgA/cbFKT+OVQW4iw49
+2Pgw7+vuNLzYJSu2m5XzeR07FMcTpf2EAOGseDde6zFwduUBJtAbGj4YHkTQp+MD
+dEE5ymyXl4+ehcafk0g4ZZARN5qVPMOqjRASWRhuZI+36Ihc6KBL22B1KzexyoYx
+2sEyd04NU1PX9i5Zn7JXNbHIESNCkLk4IspSnk6DBEpNpQgEW6l3Cw==
+-----END CERTIFICATE-----

tests/fixtures/rsa-leaf-server-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCjK6TkX5PuTApT
+uL5Z0p6Iofo2zXHOPJVcDDeKzVW83KRwK9oFhjIT9HHKRFkar5ezKQuKY+xtsvmz
+JX2STGwg1itPIcHpngwvmtAy4/2lBB0wL1wxc+2sqpWYGmqLm5iqiuaVQo2n0uiL
+Nwd4aZzpjtRXWjyr9sjfBcXu6/m3bN6nYkmh613qu9BAo4L1YPy+NFtVhKkBzD9Q
+qPDZv7mVoqe+Y3Cyf8873+5T6PVrpV7+YCpFJA46fsA/UrmsyQfQPCOL5fbbLXqs
+V9yMf2/7JCCbrO+6mpIJaEWnciS51sEIh15oqH7IiF5+6az/Oe11X/LbWHkLRUzr
+k4uYGV61AgMBAAECggEABZz2Pq71CVEPV+L2lWNz9bJQx7rYi+Y0oyZ+cKVwqh8S
+/xLbHK6JoXsawQEJ6auZtd2XGosmcn2iLmH/SF2dqKGFeuLn50/7DlYujFmge6FB
+Gcu/Sao5xmNV4xYhjSzsmw1NMlxIQDo2qrdZZ/CGJ9i0gE7H4IiMT3PE49u1SvSD
+OkKmcZW3suPYyZGPZxl2h37cARIjqsmw9D3OmDxUA0hfZg6sGoABZeNrGi7IScZe
+D26DAhPhIWa0sDVUTfCZkezXtH+mFptwN0zSIbMRWozx49jEZF9hBF4QBmnNnUPm
+VTs+Z2AzeRQpUZPQ8rzWAbcf1oCwhPqSknXlcsxJnwKBgQDartbfUMkJ2LgBLTkl
+BSPxI2ngvb0ySzdzxfsPKZZe4EAz4KFl+1DqQ4EZifhdhJiqV+PicNPKNFo2AK6S
+3Wd0X4GAHZDAamiJces1WxqHigHXOrdVqu8/YSpVPEk/jdSYgHqwG7ji0IKEVtpw
+EZJ+LX6BDOvDpbedBGcZT7Mm/wKBgQC/A75DSRxHK48AeuCiG4Q6G72IvOTYqK/2
+hz45HgfUI22d41Bb/48ybH8xt/SDoJLibx8P88ej/81vvYg3eLIyH+QR0f18Ia2g
+sZd4Lj+2zo1fJbmQKptTI+O8PqrZzx9UZ2UfGXxQ0sNSuF37hFw8hI8ALzk1+UW/
+OoX90IUOSwKBgA0FJ+n352BctOftB1/65F7xGta0tVUPQWf1O7N1aGyRsYDlOPbX
+dcPc7QzWOCFpSaWqwfizewipAU4B0GMSJ5y4Kv+zwvCR5VN5ouV0XSoAv4dPCadi
+HAiMAnc8tafBDA1gaO2fWOy4OW0jtrHBehVlJAkO+eKWNU51+qV5J1OFAoGANS+N
+op6QySBPyQpt0bVns+ZVd+VgsxMFK9esc6rw8xiKRRQuI++cp6WeJPHbm2ryeyoF
+tCNkyz1Grn5Pl2J7+4j1sCCQPCgEeGH6kvQNuZD5vCx85q92YEf1+UxZthv91TqU
+5XvrKXYF/NppEMdiB1fBmYOMooKt8PkSpgGRitECgYAkF8zcg/zNCueYezn6iW7q
+PeO30XvLRnDbh4DnhkwoLbDR3vaxmmbphCzLe3tX8TDAA13QeWON/8JL7QU35HcY
+lBlVJo2Mr0crROKElPicXXXSZWDxXFjcdVj+Oa4ni5wwKsppE18HNo9Vlj+RNgjw
+dOfKqK1UP8tgaDa1W9ERDQ==
+-----END PRIVATE KEY-----

tests/fixtures/rsa-leaf-server.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRTCCAi2gAwIBAgIUPL2aFs+m1HMJy9P1zeCRHsgB/dQwDQYJKoZIhvcNAQEL
+BQAwVjELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5
+MRAwDgYDVQQKDAdUZXN0T3JnMRYwFAYDVQQDDA1UZXN0UnNhUm9vdENBMB4XDTI2
+MDIyMTA4Mzg1OVoXDTM2MDIxOTA4Mzg1OVowFDESMBAGA1UEAwwJbG9jYWxob3N0
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoyuk5F+T7kwKU7i+WdKe
+iKH6Ns1xzjyVXAw3is1VvNykcCvaBYYyE/RxykRZGq+XsykLimPsbbL5syV9kkxs
+INYrTyHB6Z4ML5rQMuP9pQQdMC9cMXPtrKqVmBpqi5uYqormlUKNp9LoizcHeGmc
+6Y7UV1o8q/bI3wXF7uv5t2zep2JJoetd6rvQQKOC9WD8vjRbVYSpAcw/UKjw2b+5
+laKnvmNwsn/PO9/uU+j1a6Ve/mAqRSQOOn7AP1K5rMkH0Dwji+X22y16rFfcjH9v
++yQgm6zvupqSCWhFp3IkudbBCIdeaKh+yIhefums/zntdV/y21h5C0VM65OLmBle
+tQIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRsFCi7ZWnzarIhJkQzwWQm
+7r27WTAfBgNVHSMEGDAWgBRHYiOHw458Ka7uZ2w7wkbkWsD5MTANBgkqhkiG9w0B
+AQsFAAOCAQEAOuP/m6+3/XlGmospEkD3K8I3/zTNqYUQAeFaPcivdAO5WgqpBN7G
+JCPVEY12XGHd8KNYe6h7J0w2weCAUONiaU/2bsXCcrOKNA2c4no1DY+NJR7YKJmi
+QKHNXpw3qcDlqFzkz8/4GiIEf+NA+dtS6476iTr1d1OnJwYm9yjgVeWod/fp0kU/
+ECF52TIbB3qJKKYiZwhdEQm1ddjfMJAaM+kRkCf+53UZG5R/Z9ApX1DHALbIPlNe
+49s7ulKuNJs1ZfhjcgruJn4b6XTgsTZ/1KJv+Wgd31G6at9I/gRmRvGBOwUjAkyH
+O3ZKdDXZfHvhfoHiiO9Bjs5Hxt0F7xJ88g==
+-----END CERTIFICATE-----

tests/fixtures/rsa-root-ca-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEugIBADANBgkqhkiG9w0BAQEFAASCBKQwggSgAgEAAoIBAQCZKwbc7+1RFLyM
+7sWOdHLHfGwyGQnD5zkYyGnMrHuewFgua6D52zoI3XmTEL4tdKgHLFIjOI3z/kQ3
+78BX727vsGj+/uMUo64cnC6xJIOQKPUaNQPvHQfiUjwxqP3rV0Bf+bVj5D14rFFw
+ghWnp4KJ13dw50qjV2hPcGz2rf7HJtv/rNiTAoiVt5nc6NhMKFzJXPOMIzYAgTDL
+ISRtjw6LR2LOR+guSMvpEPe+Kgle44OSHjz+SLABNE9oXIdqzrmE1AStmMoNl9n9
+FLQ3ci2yaEGMshYBB/AU3cwAXOgQvObDusmPp+hbcsGglauem/7WTZSWUXhdJG4M
+mTzTf0GJAgMBAAECgf85I1PsF5TwKkwsRuZrvgUTZdb22WBLNHaYSCsvryhukFJU
+/tGOY7nClNxFgHlxe5MzGdWKTg6mdrP8KfQW2bsIr0Z72ZncmTLaeWjxrC1oGd9V
+Z3GQQcQvKX5LCD+xC1t4ci64lOxZl+7Jib2KTXLk+PwVojK1vGWtPMNpQn9IyyIz
+b13zG/4cN7tHECjvNa3Xp0mJ9p7y34LiAl7YD+FGh8DHt+LG5Tcbr8fV3fzafNZK
+S1cX8zBJlqPcmMuPxWwTEinW8Lo4A1P1E+8adxzDmIoD4VR3CR5zruzwGbAQv8GV
+EGAQzbRSCNXprRi0vmDs2sJm465U5bPGNCimt7cCgYEA09KbmFD/GcUbTC9v/uvC
+7xnbyMljwDFooxwYPLqe5FdCiBbLziY4U9D21BSvxZxDi11Ltbem1/kfj1Fpb5Xq
+qP7bMqcCO/pwzXvb7px3QFBvp+jPDjKr3I3/c+rXu20Ua2sQl+8AyTqm1QpmP1w2
+EvXkXFaH7aJ7gf8hGcrX8IcCgYEAuRzMtoPAkmou0mGf4sPt1hcoW9YuRyI2Jcsg
+WgTg0i2O1IX4TlEHG5pgIkM3uR3VEkSN0qJWB6V+1FP4CKnSrxgVq2V4422mQNtG
+d2Gd3gZFhpQE9B3McAq/2G3pXHI8ZQNd6Oc1z7ecmEnBff/PlE2xGhMoe2Srgwxh
+h/IzEW8CgYBg57LjJfrusSvh2Lnl57nQZQYVf3yxCmmSZWH5Nm9Gi10WoUcv0nBm
+d+zT7XrUbr6/3Tirs48SsxfrGxWfRPiLw7xIGft9sP82InnlWZN8ys+qA2nmVuwl
+BJlfUIrNZgO3eM2olGDJrplwUUehqO/cEL4eOEALSRAz0qI0CIZttQKBgFRV3KZi
+jD+ohMBwnclQfnEFh+ufPuJFoenCC3E3u73F58bHaoMzw0s+IAI8IY0DHGoANaT7
+NLqzGX9e6if4RvZiwKyfxF3JPO9bd1U4chYPQWm40jDtypBZNWJDYQgvO3jB+ez8
+ObXy7zMqly7ydv4YD1HT3KOrD8DaySyImd+dAoGAI8QU3UEdge0cY+UtD1vHLUb/
+Z6rfcnoDL17azt33CooNH3lCVw+IqgE0t63lO6W/3DCi8A3D9PJsopnAdPK7rvdT
+UrvmtretbgxNRGCBC8T2fVJV6Q9DGqmjMol2/rlNiYQNhgK8bEiAmPYw7GXH0LjO
+PEayI0HRcYAWrpEwwvs=
+-----END PRIVATE KEY-----

tests/fixtures/rsa-root-ca.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDjTCCAnWgAwIBAgIUWjGv/hbVIjFa4t9qWs3sd5RCzDQwDQYJKoZIhvcNAQEL
+BQAwVjELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5
+MRAwDgYDVQQKDAdUZXN0T3JnMRYwFAYDVQQDDA1UZXN0UnNhUm9vdENBMB4XDTI2
+MDIyMTA4Mzg1OVoXDTM2MDIxOTA4Mzg1OVowVjELMAkGA1UEBhMCVVMxDjAMBgNV
+BAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAwDgYDVQQKDAdUZXN0T3JnMRYwFAYD
+VQQDDA1UZXN0UnNhUm9vdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAmSsG3O/tURS8jO7FjnRyx3xsMhkJw+c5GMhpzKx7nsBYLmug+ds6CN15kxC+
+LXSoByxSIziN8/5EN+/AV+9u77Bo/v7jFKOuHJwusSSDkCj1GjUD7x0H4lI8Maj9
+61dAX/m1Y+Q9eKxRcIIVp6eCidd3cOdKo1doT3Bs9q3+xybb/6zYkwKIlbeZ3OjY
+TChcyVzzjCM2AIEwyyEkbY8Oi0dizkfoLkjL6RD3vioJXuODkh48/kiwATRPaFyH
+as65hNQErZjKDZfZ/RS0N3ItsmhBjLIWAQfwFN3MAFzoELzmw7rJj6foW3LBoJWr
+npv+1k2UllF4XSRuDJk8039BiQIDAQABo1MwUTAfBgNVHSMEGDAWgBRHYiOHw458
+Ka7uZ2w7wkbkWsD5MTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRHYiOHw458
+Ka7uZ2w7wkbkWsD5MTANBgkqhkiG9w0BAQsFAAOCAQEAiHXmwDY+9t5cnFZcuxJl
+3lQSOpHQMmSYe7FiTpI+GglGW+ugahdyqc/c2GbNKqB1oxGA+mEv+KeKYgtTfC8J
+gTtBLVjhquUOY4K6AkU69i5e7g8/41TFuAF0nt8LnkAYZmo12kbYjX1gKTfkl9wl
+hMY+OSnoIoxBrw1cmqRtOu+Hn2wY9dVCQJVIgc89WuQr8USn9JXzq1bUCzOk6a8/
+dR6ZEPDVPo6RjEXuLNUuTOoTH1wCG3P1tHUs4Cwapr1EhgrEs7DC4uvB+9Y6EXqI
+OLqn0V3FBsBPN19bdLWTtaOm5C0xbNmiXfJPBH9nF38Hpj4tk72GfxOzKI4J+rG7
+Kg==
+-----END CERTIFICATE-----

tests/fixtures/rsa-root-ca.srl

@@ -0,0 +1 @@
+3CBD9A16CFA6D47309CBD3F5CDE0911EC801FDD5

tests/fixtures/setup_fixtures.sh

@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+set -e
+
+SUBJ_CA="/C=US/ST=State/L=City/O=TestOrg/CN=TestRootCA"
+SUBJ_IM="/C=US/ST=State/L=City/O=TestOrg/CN=TestIntermediateCA"
+SUBJ_SRV="/CN=localhost"
+SUBJ_CLI="/C=US/ST=State/L=City/O=TestOrg/CN=TestClient"
+SUBJ_RSA_CA="/C=US/ST=State/L=City/O=TestOrg/CN=TestRsaRootCA"
+
+EXT_CA="basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always"
+EXT_LEAF="basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer"
+
+# Root CA
+openssl ecparam -name prime256v1 -genkey -noout -out root-ca-key.pem
+openssl req -new -x509 -sha256 -key root-ca-key.pem -days 3650 -out root-ca.pem -subj "$SUBJ_CA"
+
+# Intermediate CA
+openssl ecparam -name prime256v1 -genkey -noout -out intermediate-ca-key.pem
+openssl req -new -sha256 -key intermediate-ca-key.pem -out _im.csr -subj "$SUBJ_IM"
+openssl x509 -req -in _im.csr -CA root-ca.pem -CAkey root-ca-key.pem \
+  -CAcreateserial -out intermediate-ca.pem -days 3650 -sha256 \
+  -extfile <(printf "$EXT_CA")
+rm _im.csr
+
+# Server leaf cert (signed by root CA)
+openssl ecparam -name prime256v1 -genkey -noout -out leaf-server-key.pem
+openssl req -new -sha256 -key leaf-server-key.pem -out _srv.csr -subj "$SUBJ_SRV"
+openssl x509 -req -in _srv.csr -CA root-ca.pem -CAkey root-ca-key.pem \
+  -CAcreateserial -out leaf-server.pem -days 3650 -sha256 \
+  -extfile <(printf "$EXT_LEAF")
+rm _srv.csr
+
+# Client leaf cert (signed by root CA)
+openssl ecparam -name prime256v1 -genkey -noout -out leaf-client-key.pem
+openssl req -new -sha256 -key leaf-client-key.pem -out _cli.csr -subj "$SUBJ_CLI"
+openssl x509 -req -in _cli.csr -CA root-ca.pem -CAkey root-ca-key.pem \
+  -CAcreateserial -out leaf-client.pem -days 3650 -sha256 \
+  -extfile <(printf "$EXT_LEAF")
+rm _cli.csr
+
+# Intermediate server cert + chain
+openssl ecparam -name prime256v1 -genkey -noout -out intermediate-server-key.pem
+openssl req -new -sha256 -key intermediate-server-key.pem -out _imsrv.csr -subj "$SUBJ_SRV"
+openssl x509 -req -in _imsrv.csr -CA intermediate-ca.pem -CAkey intermediate-ca-key.pem \
+  -CAcreateserial -out intermediate-server.pem -days 3650 -sha256 \
+  -extfile <(printf "$EXT_LEAF")
+rm _imsrv.csr
+cat intermediate-server.pem intermediate-ca.pem > chain.pem
+
+# RSA root CA
+openssl req -x509 -newkey rsa:2048 -keyout rsa-root-ca-key.pem -nodes \
+  -out rsa-root-ca.pem -sha256 -days 3650 -subj "$SUBJ_RSA_CA" \
+  -addext "basicConstraints=critical,CA:TRUE" \
+  -addext "subjectKeyIdentifier=hash"
+
+# RSA server cert
+openssl req -newkey rsa:2048 -keyout rsa-leaf-server-key.pem -nodes \
+  -out _rsasrv.csr -sha256 -subj "$SUBJ_SRV"
+openssl x509 -req -CA rsa-root-ca.pem -CAkey rsa-root-ca-key.pem \
+  -in _rsasrv.csr -out rsa-leaf-server.pem -days 3650 -sha256 -CAcreateserial \
+  -extfile <(printf "$EXT_LEAF")
+rm _rsasrv.csr
+
+# RSA client cert
+openssl req -newkey rsa:2048 -keyout rsa-leaf-client-key.pem -nodes \
+  -out _rsacli.csr -sha256 -subj "$SUBJ_CLI"
+openssl x509 -req -CA rsa-root-ca.pem -CAkey rsa-root-ca-key.pem \
+  -in _rsacli.csr -out rsa-leaf-client.pem -days 3650 -sha256 -CAcreateserial \
+  -extfile <(printf "$EXT_LEAF")
+rm _rsacli.csr