Initial commit

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

tests/common/mod.rs

@@ -0,0 +1,373 @@
+use std::{path::PathBuf, sync::Arc};
+
+use mio::net::{TcpListener, TcpStream};
+
+use std::collections::HashMap;
+use std::fs;
+use std::io;
+use std::io::{BufReader, Read, Write};
+use std::net;
+
+// Token for our listening socket.
+pub const LISTENER: mio::Token = mio::Token(0);
+
+// Which mode the server operates in.
+#[derive(Clone)]
+pub enum ServerMode {
+    /// Write back received bytes
+    Echo,
+}
+
+/// This binds together a TCP listening socket, some outstanding
+/// connections, and a TLS server configuration.
+pub struct EchoServer {
+    server: TcpListener,
+    connections: HashMap<mio::Token, Connection>,
+    next_id: usize,
+    tls_config: Arc<rustls::ServerConfig>,
+    mode: ServerMode,
+}
+
+impl EchoServer {
+    pub fn new(
+        server: TcpListener,
+        mode: ServerMode,
+        cfg: Arc<rustls::ServerConfig>,
+    ) -> EchoServer {
+        EchoServer {
+            server,
+            connections: HashMap::new(),
+            next_id: 2,
+            tls_config: cfg,
+            mode,
+        }
+    }
+
+    pub fn accept(&mut self, registry: &mio::Registry) -> Result<(), io::Error> {
+        loop {
+            match self.server.accept() {
+                Ok((socket, addr)) => {
+                    log::debug!("Accepting new connection from {:?}", addr);
+
+                    let tls_session =
+                        rustls::ServerConnection::new(self.tls_config.clone()).unwrap();
+                    let mode = self.mode.clone();
+
+                    let token = mio::Token(self.next_id);
+                    self.next_id += 1;
+
+                    let mut connection = Connection::new(socket, token, mode, tls_session);
+                    connection.register(registry);
+                    self.connections.insert(token, connection);
+                }
+                Err(ref err) if err.kind() == io::ErrorKind::WouldBlock => return Ok(()),
+                Err(err) => {
+                    println!(
+                        "encountered error while accepting connection; err={:?}",
+                        err
+                    );
+                    return Err(err);
+                }
+            }
+        }
+    }
+
+    pub fn conn_event(&mut self, registry: &mio::Registry, event: &mio::event::Event) {
+        let token = event.token();
+
+        if self.connections.contains_key(&token) {
+            self.connections
+                .get_mut(&token)
+                .unwrap()
+                .ready(registry, event);
+
+            if self.connections[&token].is_closed() {
+                self.connections.remove(&token);
+            }
+        }
+    }
+}
+
+/// This is a connection which has been accepted by the server,
+/// and is currently being served.
+///
+/// It has a TCP-level stream, a TLS-level session, and some
+/// other state/metadata.
+struct Connection {
+    socket: TcpStream,
+    token: mio::Token,
+    closing: bool,
+    closed: bool,
+    mode: ServerMode,
+    tls_session: rustls::ServerConnection,
+    back: Option<TcpStream>,
+}
+
+/// Open a plaintext TCP-level connection for forwarded connections.
+fn open_back(_mode: &ServerMode) -> Option<TcpStream> {
+    None
+}
+
+/// This used to be conveniently exposed by mio: map EWOULDBLOCK
+/// errors to something less-errory.
+fn try_read(r: io::Result<usize>) -> io::Result<Option<usize>> {
+    match r {
+        Ok(len) => Ok(Some(len)),
+        Err(e) if e.kind() == io::ErrorKind::WouldBlock => Ok(None),
+        Err(e) => Err(e),
+    }
+}
+
+impl Connection {
+    fn new(
+        socket: TcpStream,
+        token: mio::Token,
+        mode: ServerMode,
+        tls_session: rustls::ServerConnection,
+    ) -> Connection {
+        let back = open_back(&mode);
+        Connection {
+            socket,
+            token,
+            closing: false,
+            closed: false,
+            mode,
+            tls_session,
+            back,
+        }
+    }
+
+    /// We're a connection, and we have something to do.
+    fn ready(&mut self, registry: &mio::Registry, ev: &mio::event::Event) {
+        if ev.is_readable() {
+            self.do_tls_read();
+            self.try_plain_read();
+            self.try_back_read();
+        }
+
+        if ev.is_writable() {
+            self.do_tls_write_and_handle_error();
+        }
+
+        if self.closing {
+            let _ = self.socket.shutdown(net::Shutdown::Both);
+            self.close_back();
+            self.closed = true;
+            self.deregister(registry);
+        } else {
+            self.reregister(registry);
+        }
+    }
+
+    fn close_back(&mut self) {
+        if self.back.is_some() {
+            let back = self.back.as_mut().unwrap();
+            back.shutdown(net::Shutdown::Both).unwrap();
+        }
+        self.back = None;
+    }
+
+    fn do_tls_read(&mut self) {
+        let rc = self.tls_session.read_tls(&mut self.socket);
+        if rc.is_err() {
+            let err = rc.unwrap_err();
+            if let io::ErrorKind::WouldBlock = err.kind() {
+                return;
+            }
+            log::warn!("read error {:?}", err);
+            self.closing = true;
+            return;
+        }
+        if rc.unwrap() == 0 {
+            log::debug!("eof");
+            self.closing = true;
+            return;
+        }
+        let processed = self.tls_session.process_new_packets();
+        if processed.is_err() {
+            log::warn!("cannot process packet: {:?}", processed);
+            self.do_tls_write_and_handle_error();
+            self.closing = true;
+        }
+    }
+
+    fn try_plain_read(&mut self) {
+        let mut buf = Vec::new();
+        let rc = self.tls_session.reader().read_to_end(&mut buf);
+        if let Err(ref e) = rc {
+            if e.kind() != io::ErrorKind::WouldBlock {
+                log::warn!("plaintext read failed: {:?}", rc);
+                self.closing = true;
+                return;
+            }
+        }
+        if !buf.is_empty() {
+            log::debug!("plaintext read {:?}", buf.len());
+            self.incoming_plaintext(&buf);
+        }
+    }
+
+    fn try_back_read(&mut self) {
+        if self.back.is_none() {
+            return;
+        }
+        let mut buf = [0u8; 1024];
+        let back = self.back.as_mut().unwrap();
+        let rc = try_read(back.read(&mut buf));
+        if rc.is_err() {
+            log::warn!("backend read failed: {:?}", rc);
+            self.closing = true;
+            return;
+        }
+        let maybe_len = rc.unwrap();
+        match maybe_len {
+            Some(0) => {
+                log::debug!("back eof");
+                self.closing = true;
+            }
+            Some(len) => {
+                self.tls_session.writer().write_all(&buf[..len]).unwrap();
+            }
+            None => {}
+        };
+    }
+
+    fn incoming_plaintext(&mut self, buf: &[u8]) {
+        match self.mode {
+            ServerMode::Echo => {
+                self.tls_session.writer().write_all(buf).unwrap();
+            }
+        }
+    }
+
+    fn tls_write(&mut self) -> io::Result<usize> {
+        self.tls_session.write_tls(&mut self.socket)
+    }
+
+    fn do_tls_write_and_handle_error(&mut self) {
+        let rc = self.tls_write();
+        if rc.is_err() {
+            log::warn!("write failed {:?}", rc);
+            self.closing = true;
+        }
+    }
+
+    fn register(&mut self, registry: &mio::Registry) {
+        let event_set = self.event_set();
+        registry
+            .register(&mut self.socket, self.token, event_set)
+            .unwrap();
+        if self.back.is_some() {
+            registry
+                .register(
+                    self.back.as_mut().unwrap(),
+                    self.token,
+                    mio::Interest::READABLE,
+                )
+                .unwrap();
+        }
+    }
+
+    fn reregister(&mut self, registry: &mio::Registry) {
+        let event_set = self.event_set();
+        registry
+            .reregister(&mut self.socket, self.token, event_set)
+            .unwrap();
+    }
+
+    fn deregister(&mut self, registry: &mio::Registry) {
+        registry.deregister(&mut self.socket).unwrap();
+        if self.back.is_some() {
+            registry.deregister(self.back.as_mut().unwrap()).unwrap();
+        }
+    }
+
+    fn event_set(&self) -> mio::Interest {
+        let rd = self.tls_session.wants_read();
+        let wr = self.tls_session.wants_write();
+        if rd && wr {
+            mio::Interest::READABLE | mio::Interest::WRITABLE
+        } else if wr {
+            mio::Interest::WRITABLE
+        } else {
+            mio::Interest::READABLE
+        }
+    }
+
+    fn is_closed(&self) -> bool {
+        self.closed
+    }
+}
+
+pub fn load_certs(filename: &PathBuf) -> Vec<rustls::Certificate> {
+    let certfile = fs::File::open(filename).expect("cannot open certificate file");
+    let mut reader = BufReader::new(certfile);
+    rustls_pemfile::certs(&mut reader)
+        .unwrap()
+        .iter()
+        .map(|v| rustls::Certificate(v.clone()))
+        .collect()
+}
+
+pub fn load_private_key(filename: &PathBuf) -> rustls::PrivateKey {
+    let keyfile = fs::File::open(filename).expect("cannot open private key file");
+    let mut reader = BufReader::new(keyfile);
+    loop {
+        match rustls_pemfile::read_one(&mut reader).expect("cannot parse private key .pem file") {
+            Some(rustls_pemfile::Item::RSAKey(key)) => return rustls::PrivateKey(key),
+            Some(rustls_pemfile::Item::PKCS8Key(key)) => return rustls::PrivateKey(key),
+            Some(rustls_pemfile::Item::ECKey(key)) => return rustls::PrivateKey(key),
+            None => break,
+            _ => {}
+        }
+    }
+    panic!(
+        "no keys found in {:?} (encrypted keys not supported)",
+        filename
+    );
+}
+
+#[allow(dead_code)]
+pub fn run(listener: TcpListener) {
+    let versions = &[&rustls::version::TLS13];
+    let test_dir = std::path::PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("tests");
+    let certs = load_certs(&test_dir.join("fixtures").join("leaf-server.pem"));
+    let privkey = load_private_key(&test_dir.join("fixtures").join("leaf-server-key.pem"));
+    let config = rustls::ServerConfig::builder()
+        .with_cipher_suites(rustls::ALL_CIPHER_SUITES)
+        .with_kx_groups(&rustls::ALL_KX_GROUPS)
+        .with_protocol_versions(versions)
+        .unwrap()
+        .with_no_client_auth()
+        .with_single_cert(certs, privkey)
+        .unwrap();
+    run_with_config(listener, config)
+}
+
+pub fn run_with_config(mut listener: TcpListener, config: rustls::ServerConfig) {
+    let mut poll = mio::Poll::new().unwrap();
+    poll.registry()
+        .register(&mut listener, LISTENER, mio::Interest::READABLE)
+        .unwrap();
+    let mut tlsserv = EchoServer::new(listener, ServerMode::Echo, Arc::new(config));
+    let mut events = mio::Events::with_capacity(256);
+    loop {
+        if let Err(e) = poll.poll(&mut events, None) {
+            if e.kind() == std::io::ErrorKind::Interrupted {
+                log::debug!("I/O error {:?}", e);
+                continue;
+            }
+            panic!("I/O error {:?}", e);
+        }
+        for event in events.iter() {
+            match event.token() {
+                LISTENER => {
+                    tlsserv
+                        .accept(poll.registry())
+                        .expect("error accepting socket");
+                }
+                _ => tlsserv.conn_event(poll.registry(), event),
+            }
+        }
+    }
+}

tests/fixtures/chain.pem

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIBvjCCAWSgAwIBAgIUXXNrQ1jydxm9uhK7n0OmDUOPiCQwCgYIKoZIzj0EAwIw
+WzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAw
+DgYDVQQKDAdUZXN0T3JnMRswGQYDVQQDDBJUZXN0SW50ZXJtZWRpYXRlQ0EwHhcN
+MjYwMjIxMDgzMDE1WhcNMzYwMjE5MDgzMDE1WjAUMRIwEAYDVQQDDAlsb2NhbGhv
+c3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQljcc4CF/2x0n5T7EdvNZaBOkE
+pM1bdrp7Zc+rUwvZlKbs6vUTQBD7GFoPoTtx7KmcPF4yC+m2Wbps97fjuf2po00w
+SzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQWI63NaIN1ycxYkF07VcNN/68BrjAfBgNV
+HSMEGDAWgBSZHKZMU0B62yamD8iYJYZijS5saTAKBggqhkjOPQQDAgNIADBFAiBM
+deIDUWrrDndB13EBwhqQPNq0WdnbeP5ETTFzllfGewIhAL1kU5S4/ofLnvNCqlh1
+gYyZOvfQBq2c3HJQ7LFZz2E4
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICBDCCAamgAwIBAgIUaNQANP0JbqEIRANchWyHObCtwyQwCgYIKoZIzj0EAwIw
+UzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAw
+DgYDVQQKDAdUZXN0T3JnMRMwEQYDVQQDDApUZXN0Um9vdENBMB4XDTI2MDIyMTA4
+MzAxNVoXDTM2MDIxOTA4MzAxNVowWzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0
+YXRlMQ0wCwYDVQQHDARDaXR5MRAwDgYDVQQKDAdUZXN0T3JnMRswGQYDVQQDDBJU
+ZXN0SW50ZXJtZWRpYXRlQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARAblvA
+Lgu+51BzDdUoT4p8vCgLvd9kCiGsHoa0S2sphCy2DbZguJar3h7WeFLa72EvoYwo
+JGMo1CF3VJ/IU2ugo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSZHKZM
+U0B62yamD8iYJYZijS5saTAfBgNVHSMEGDAWgBTz3CbeFHL4OAweOp0osfWlJvyF
+ETAKBggqhkjOPQQDAgNJADBGAiEA/4feZ//so7F5N3HvrjVOfCaYeY2zuOciJhBq
+D1AJLc0CIQDfVNyECBECAK6Cd/dZkLMf5M8IggLqfQMLzB25vp2K6Q==
+-----END CERTIFICATE-----

tests/fixtures/intermediate-ca-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIEbKGg3eb4qwtVUemTHUWkxAJfNyoCeJ4GvJLMPdvLAmoAoGCCqGSM49
+AwEHoUQDQgAEQG5bwC4LvudQcw3VKE+KfLwoC73fZAohrB6GtEtrKYQstg22YLiW
+q94e1nhS2u9hL6GMKCRjKNQhd1SfyFNroA==
+-----END EC PRIVATE KEY-----

tests/fixtures/intermediate-ca.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICBDCCAamgAwIBAgIUaNQANP0JbqEIRANchWyHObCtwyQwCgYIKoZIzj0EAwIw
+UzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAw
+DgYDVQQKDAdUZXN0T3JnMRMwEQYDVQQDDApUZXN0Um9vdENBMB4XDTI2MDIyMTA4
+MzAxNVoXDTM2MDIxOTA4MzAxNVowWzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0
+YXRlMQ0wCwYDVQQHDARDaXR5MRAwDgYDVQQKDAdUZXN0T3JnMRswGQYDVQQDDBJU
+ZXN0SW50ZXJtZWRpYXRlQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARAblvA
+Lgu+51BzDdUoT4p8vCgLvd9kCiGsHoa0S2sphCy2DbZguJar3h7WeFLa72EvoYwo
+JGMo1CF3VJ/IU2ugo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSZHKZM
+U0B62yamD8iYJYZijS5saTAfBgNVHSMEGDAWgBTz3CbeFHL4OAweOp0osfWlJvyF
+ETAKBggqhkjOPQQDAgNJADBGAiEA/4feZ//so7F5N3HvrjVOfCaYeY2zuOciJhBq
+D1AJLc0CIQDfVNyECBECAK6Cd/dZkLMf5M8IggLqfQMLzB25vp2K6Q==
+-----END CERTIFICATE-----

tests/fixtures/intermediate-ca.srl

@@ -0,0 +1 @@
+5D736B4358F27719BDBA12BB9F43A60D438F8824

tests/fixtures/intermediate-server-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIB/4vLEx10l/AmZYZVvzZZQRrEWu95QKF0Q8yfjSjn/ZoAoGCCqGSM49
+AwEHoUQDQgAEJY3HOAhf9sdJ+U+xHbzWWgTpBKTNW3a6e2XPq1ML2ZSm7Or1E0AQ
++xhaD6E7ceypnDxeMgvptlm6bPe347n9qQ==
+-----END EC PRIVATE KEY-----

tests/fixtures/intermediate-server.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBvjCCAWSgAwIBAgIUXXNrQ1jydxm9uhK7n0OmDUOPiCQwCgYIKoZIzj0EAwIw
+WzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAw
+DgYDVQQKDAdUZXN0T3JnMRswGQYDVQQDDBJUZXN0SW50ZXJtZWRpYXRlQ0EwHhcN
+MjYwMjIxMDgzMDE1WhcNMzYwMjE5MDgzMDE1WjAUMRIwEAYDVQQDDAlsb2NhbGhv
+c3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQljcc4CF/2x0n5T7EdvNZaBOkE
+pM1bdrp7Zc+rUwvZlKbs6vUTQBD7GFoPoTtx7KmcPF4yC+m2Wbps97fjuf2po00w
+SzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQWI63NaIN1ycxYkF07VcNN/68BrjAfBgNV
+HSMEGDAWgBSZHKZMU0B62yamD8iYJYZijS5saTAKBggqhkjOPQQDAgNIADBFAiBM
+deIDUWrrDndB13EBwhqQPNq0WdnbeP5ETTFzllfGewIhAL1kU5S4/ofLnvNCqlh1
+gYyZOvfQBq2c3HJQ7LFZz2E4
+-----END CERTIFICATE-----

tests/fixtures/leaf-client-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIG1y//8RDl0lkBt2PjMzfDzWsBzda/3ZZ32sz6EJiKi3oAoGCCqGSM49
+AwEHoUQDQgAEh9c2BC3Y2CoL1ZBg5P+ySkXqlzSFB91uywNWpys/STUWvDV2+OHY
+ad2BdDt6PhxjkkRIgVgvqkkdKbB72uvThQ==
+-----END EC PRIVATE KEY-----

tests/fixtures/leaf-client.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9TCCAZugAwIBAgIUaNQANP0JbqEIRANchWyHObCtwyYwCgYIKoZIzj0EAwIw
+UzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAw
+DgYDVQQKDAdUZXN0T3JnMRMwEQYDVQQDDApUZXN0Um9vdENBMB4XDTI2MDIyMTA4
+MzAxNVoXDTM2MDIxOTA4MzAxNVowUzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0
+YXRlMQ0wCwYDVQQHDARDaXR5MRAwDgYDVQQKDAdUZXN0T3JnMRMwEQYDVQQDDApU
+ZXN0Q2xpZW50MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEh9c2BC3Y2CoL1ZBg
+5P+ySkXqlzSFB91uywNWpys/STUWvDV2+OHYad2BdDt6PhxjkkRIgVgvqkkdKbB7
+2uvThaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUZbrJ1ksnEO1+12ipJ4wSHCvm
+sFwwHwYDVR0jBBgwFoAU89wm3hRy+DgMHjqdKLH1pSb8hREwCgYIKoZIzj0EAwID
+SAAwRQIgYyIsX1E8PWh4ZIX7KM+gg5NZwY2a9UHioWSzMGqvPikCIQCQDy87OFxc
+1PR/eZZ1KFmRUYuxyghLtxIi1/+BgPE+2Q==
+-----END CERTIFICATE-----

tests/fixtures/leaf-server-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIC3yo4TLklV3vUpwnchiCn13F9hABtjU3tLw2TQGACWXoAoGCCqGSM49
+AwEHoUQDQgAEDkIgrLrKWlGqoSVWlmsnyyTJateL/+OHBQBQcNA8z3yAlLZ1W2VV
+STVmFj7i2zN4jKo8IfYzAxpIAjKHcwNaKA==
+-----END EC PRIVATE KEY-----

tests/fixtures/leaf-server.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBtzCCAVygAwIBAgIUaNQANP0JbqEIRANchWyHObCtwyUwCgYIKoZIzj0EAwIw
+UzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAw
+DgYDVQQKDAdUZXN0T3JnMRMwEQYDVQQDDApUZXN0Um9vdENBMB4XDTI2MDIyMTA4
+MzAxNVoXDTM2MDIxOTA4MzAxNVowFDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYH
+KoZIzj0CAQYIKoZIzj0DAQcDQgAEDkIgrLrKWlGqoSVWlmsnyyTJateL/+OHBQBQ
+cNA8z3yAlLZ1W2VVSTVmFj7i2zN4jKo8IfYzAxpIAjKHcwNaKKNNMEswCQYDVR0T
+BAIwADAdBgNVHQ4EFgQUy0tDB5Mr0y4OUgKgHgf0OCOUsyswHwYDVR0jBBgwFoAU
+89wm3hRy+DgMHjqdKLH1pSb8hREwCgYIKoZIzj0EAwIDSQAwRgIhAN2o1Otq0pJW
+D7X7foM/qGgr9L4wcr94KKnlJ/s55ODCAiEAvxeNd8OSMzuSf8AT3FbiZskPq9qw
+otekC0SmFtHVsu4=
+-----END CERTIFICATE-----

tests/fixtures/root-ca-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIPxaAHVgFs4Mf3NxaEJWGcr843M3JnCInDWbQwEcBVV7oAoGCCqGSM49
+AwEHoUQDQgAE498nsz667F1s+6cboTTXB/qiHxyd4a/ELpetMB6VVX2M2zbzbq2Z
+3ts8yycHe2XIw5LxM0Ezl8xa97BLzjkh8A==
+-----END EC PRIVATE KEY-----

tests/fixtures/root-ca.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB/DCCAaGgAwIBAgIUdfWaj8vluUGRp2GfaHEfSWlO/tMwCgYIKoZIzj0EAwIw
+UzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAw
+DgYDVQQKDAdUZXN0T3JnMRMwEQYDVQQDDApUZXN0Um9vdENBMB4XDTI2MDIyMTA4
+MzAxNFoXDTM2MDIxOTA4MzAxNFowUzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0
+YXRlMQ0wCwYDVQQHDARDaXR5MRAwDgYDVQQKDAdUZXN0T3JnMRMwEQYDVQQDDApU
+ZXN0Um9vdENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE498nsz667F1s+6cb
+oTTXB/qiHxyd4a/ELpetMB6VVX2M2zbzbq2Z3ts8yycHe2XIw5LxM0Ezl8xa97BL
+zjkh8KNTMFEwHQYDVR0OBBYEFPPcJt4Ucvg4DB46nSix9aUm/IURMB8GA1UdIwQY
+MBaAFPPcJt4Ucvg4DB46nSix9aUm/IURMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZI
+zj0EAwIDSQAwRgIhANfBHCD2cUfM79I6VFWzJWMRp4SE+gNJW4VRXHgjZthqAiEA
+ywMIQhLsVlfgcoG77/OIoMuyvwb+elvkSz2qNTh+ue4=
+-----END CERTIFICATE-----

tests/fixtures/root-ca.srl

@@ -0,0 +1 @@
+68D40034FD096EA10844035C856C8739B0ADC326

tests/fixtures/rsa-leaf-client-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCPtbfD6hP/fTBm
+3ggp+8CC5VV0tQVou5U1aYsNlm01YsdCIRBPg+jsIySeVmvCM7Mx3YJ8gcxud0ef
+9oPqArxNKq9HLEsnFOJx2tg405MEMExKhyv1gn8ax/Qzav1jVUBg9l5mTrGNCera
+nZawpeVHh8Pc2seKG9pawc0x1kCPeTVt0poT+VVfrNiyB1ksdxn9Sq8RhYDnSLFd
+ZZWKfJxNQWnwk3U1yZp1KsBpVPqR02vTdFilnfJ3hS3ExUIy6zDnYbOTm9Kn0DHT
+dNSLuAHifu6LMOzekLRrTrV/LbZlpb2Q9Jemt+Mrd0ehfjw2haC78PbW0GLY+e1K
+9tAJ4zb7AgMBAAECggEAEWFSxjjrDj0fu3Ei36D42VvPB/xUmSQGmZ0YGh6VOp2l
+p5PEGznC07w0U4n0IlqKU3+Mpm40QS/f07LGpWiLSXHeHOd4d1OJR2fGOqkr4JfO
+wjyyzlBn+t8v44APARJwZMmnBQyDYKFQa/wfG2IU5p++ylkTRNq1f8Bshph42mEJ
+9hiZ2lt2wsdmh91UJm/XWoeXDCqNx62WLPTUboVHwxYv195gkH/abUUK9kWv8i4R
+P7EUk9ITVfBYD/shwr6m6oBS1l9vkamALa33zWRyn2mmIn6UJp1jlyXSmstNsPnS
+JISfafXzYvIVli9dTtHQrpYEFDe8qIftRApImDmlEQKBgQDAbEmZXNLcUbzt6K5d
+KJs2FhU+tslrcBpS8L9GyAHl8W0aP6JTdolWIMZ4WsIzQT3hsZPNalca1zGC1SrH
+nuvGhiENjaQPd1OjD6F3YvR4s+WMtXmZVmGu83UyryEh+Zjenat81Ce4j59D4sO3
+7We9n3smfA4ky5m8XlTM/qDLTwKBgQC/MSAZGjNKqmMd6CpHqpXfkCpXfgSQYxyb
+9+Ox8BgxJZGuY60YvV09xN+GrI7UwV75HmDTbCftZSp0Vy3mEofry8xk83vuThou
+SGACa506os0jr/fWoFum0ME69dd3BWup+CuV/bwdJL45GAlHCozRNGdCCeN7WL3+
+R+x46wR+lQKBgFD+A2iTAooLuYsmEiZSDiqQ1vZjt5oKQHpCrTAcxXfEy9htimS5
+Ewt2ljNYeD9cqbBSr1SZ+vnoNAXOtcf6I2GXWVg8Ex8TadfLn3oB48beabN1Oy6I
+hms+PElOH5MOXQLuuJy9K87qXO4VB65mNfFBrHNBai6gqB/6UJVMY9/PAoGAG8dV
+dJA795M+B3BeBD+iuvLFVCT5IMlltLuVl5rcyPc+bWoKElghHgJmv7h+oCbgV620
+P8OtIW7bdj/caVsz6GyZ6+j8jqlGYIcfe/qKw6Q3zgGZLtPpvRkDmj9x6Ncex3lJ
+S+er10gpYz48ytebkiHdBtlM9fT01ec5UnBDHOkCgYBJ5KwdsFl5omwUvNFljEov
+92wcP5VDVVaBK4ZmqRWfTMWF3TvJVcByujuVLeOXTiQuvp5HkaLINtnkbWASC/cw
+AdBrvZJ1jsmRFnpAEgXLMSe0wazMXycN6+phdF25OmNuNGReE5q11t+7oaN0/9V1
+i5CiwYXqnGcHqPuE/bvGvw==
+-----END PRIVATE KEY-----

tests/fixtures/rsa-leaf-client.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMDCCAhgCFDy9mhbPptRzCcvT9c3gkR7IAf3TMA0GCSqGSIb3DQEBCwUAMFYx
+CzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTEQMA4G
+A1UECgwHVGVzdE9yZzEWMBQGA1UEAwwNVGVzdFJzYVJvb3RDQTAeFw0yNjAyMjEw
+ODMwMTdaFw0zNjAyMTkwODMwMTdaMFMxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVT
+dGF0ZTENMAsGA1UEBwwEQ2l0eTEQMA4GA1UECgwHVGVzdE9yZzETMBEGA1UEAwwK
+VGVzdENsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI+1t8Pq
+E/99MGbeCCn7wILlVXS1BWi7lTVpiw2WbTVix0IhEE+D6OwjJJ5Wa8IzszHdgnyB
+zG53R5/2g+oCvE0qr0csSycU4nHa2DjTkwQwTEqHK/WCfxrH9DNq/WNVQGD2XmZO
+sY0J6tqdlrCl5UeHw9zax4ob2lrBzTHWQI95NW3SmhP5VV+s2LIHWSx3Gf1KrxGF
+gOdIsV1llYp8nE1BafCTdTXJmnUqwGlU+pHTa9N0WKWd8neFLcTFQjLrMOdhs5Ob
+0qfQMdN01Iu4AeJ+7osw7N6QtGtOtX8ttmWlvZD0l6a34yt3R6F+PDaFoLvw9tbQ
+Ytj57Ur20AnjNvsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACMujqep7PRc5eOIo
+K15+67kr+nu4AScGHZbDP5Rr69bG34azzrCK4s0JqAVLDk3NyHDieFbW5Xi7zmzw
+Eav5FjiPEDHx5zZ/xh8W9TsbPoNw7E3H1qOUMfpyWQuUtQyUahdCufuMU8doGv8B
+R6rxk2OnbaITFLeZ9OfIG+qZ6/dvFvlFdpHsTRvGF3bfSD6+637KsmOQXwOm+577
+D6cPBFa0x0HxJxp1R1nwJ3o1opsD3gWJO/+HiLRQbTcjsF1ZIs+9tuaL90L17d6+
+1VRR5Xz2xCoOqE6RQ8mmXFwiDoPDiLzGcv+GdYSPoDpe/TGKf0LHubGd0Kcb5f2H
+nJePMg==
+-----END CERTIFICATE-----

tests/fixtures/rsa-leaf-server-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC+AmLMV0jpmLyD
+bZ3rMWGj4XstfjT2LPJfRwYPbyPD+kgUHMotgIteNgbbxs2ZbyEtRHB1StMevgP5
+jROI+BUYHmHQwe5KQPdqgEkQTMhnBXTWyhk3AzAd509VzJwEDnIG414J7yntbVdL
+CZVrbocXV5Eqj6NtnpUUj39gOkaZ/L+KpFFbPhHLFDUfu+2n65KrSCw/ut2FGtbd
+M/WbytBxjBUyr4jcUxDtN6AX68K0DATGePxrBJEgYOYmTS8tzazTgqf23riWxINh
+L5eVuzEM9X/Je/ILjhjTvtgXBFx8ECnROnEJeuwfmrUOO/ieFNWlEO2V4xuTyWOD
+mpEkZcPLAgMBAAECggEAFOY9SL2XCv6eSZR+iLaTR0vPWScnGybBeAJfY8Y1OGKo
+l/G8uTmI2tF1eqoIxkYnb4u2FOiohRqgZEwEqI2lAFSjLKuQEsHHlQLMRoszhcVf
+Xxq2oErs+XUOUGEjjfyqxSAwIUaZpYBf2CSTN1Beco5SrMxEzRNi0XKhL4vpZRlr
+ie3dYU4oXQ/zw3+wOaQssq0CHmKwMeKtmnMp+fFInyqPC08xgzLmntwEIXKutMhh
+R+Q0DFBMEQ55GJ714gL36CFuYD/P7mbF43zUBUz5LgAyuk8zExG277eR63lX0AD4
+aFLEtHLU5B6OTEQxDjZ1413zP4jw4iOWJr1GxUi/AQKBgQD1heFXPCIB0Bgg8f1G
++3hMATnW14VqM3Spn2ZLV510aPw0aqlKk37LUT5lTTloMWeKQgzzpF3F/+Wcbcdz
++yJJMxNVmgvGGwQfLgjzT+3r2JfpCGTCQbcY6hb2LlOieptxM1dh5pTNpiDLUSRd
+jvMEJ12GScYGlEEsLhmHUURCywKBgQDGHhGKOtOgWm8ho91hUlH82sFvp8j4om3s
+bKwANJzsXNRXQm5yVWLmrA5ugDszKZbJK5pdLGvc4456SEeQgvQNjk+XDqtqA8Lw
+JlcwQ0fUHMDb7z4878ssZV4G6Z9C7xXZgntgRvq9irPEhtPnwRKUUy3QnQ9phIyp
+rSLx1UdjAQKBgBQgEUSRTUhQwmmQ7G3xFv9D6nXN3MXDygBNbJkoaWOtZ170j0Pp
+qy8HTdIH7ni39ADFQUKHaphcTXnxFbRQFZNieGc/5U8rz76ui1VGa/41Ft6nLXsu
+389PAOrVCU38Ntmkl7kSqYfh4jZIRG7W1Ny2TVhAm9bWODFi5fzNkIbZAoGBAIeV
+fmV+WuRr35BDJ7d58fg88ZLrXeOird3WhWPind44rW1GXnXKr9OzvnCrO1iJRtNI
+Du1jADJ8XT6chrWEmWdJlHiJpo/4IQnfA15ZPSgRwX8C3TIw3Xf1q4LJkZ/qJabk
+4HCEQwdCjEKcDxuVC5UM09boFesdtnJMthSQ5LkBAoGBAMBB5naBf3ASfAPefKP/
+F2AUH5IgTc6WhfKA1HCbQWC4PZmS9R30T7QpDy0JVn4gwnJ37TwI7u1PN+//+veV
+P0kbTNwVvzzCYDEcsvqEtqwXZZ7WZACREQWf6Su5V/OIi9dq7h2XmyY9WtJ71Mgu
+Z/F0hK9uRzN1YGrhO4MsVXNA
+-----END PRIVATE KEY-----

tests/fixtures/rsa-leaf-server.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdkCFDy9mhbPptRzCcvT9c3gkR7IAf3SMA0GCSqGSIb3DQEBCwUAMFYx
+CzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTEQMA4G
+A1UECgwHVGVzdE9yZzEWMBQGA1UEAwwNVGVzdFJzYVJvb3RDQTAeFw0yNjAyMjEw
+ODMwMTZaFw0zNjAyMTkwODMwMTZaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4CYsxXSOmYvINtnesxYaPhey1+
+NPYs8l9HBg9vI8P6SBQcyi2Ai142BtvGzZlvIS1EcHVK0x6+A/mNE4j4FRgeYdDB
+7kpA92qASRBMyGcFdNbKGTcDMB3nT1XMnAQOcgbjXgnvKe1tV0sJlWtuhxdXkSqP
+o22elRSPf2A6Rpn8v4qkUVs+EcsUNR+77afrkqtILD+63YUa1t0z9ZvK0HGMFTKv
+iNxTEO03oBfrwrQMBMZ4/GsEkSBg5iZNLy3NrNOCp/beuJbEg2Evl5W7MQz1f8l7
+8guOGNO+2BcEXHwQKdE6cQl67B+atQ47+J4U1aUQ7ZXjG5PJY4OakSRlw8sCAwEA
+ATANBgkqhkiG9w0BAQsFAAOCAQEAIYaOr2AXKtDfSDbSuucOoiTj8LyRbsnNz62z
++dFpi0R/vICrFYfjUOTUtHfxTZOe9q5/Vs3PJBwHdLaUKZhtZRDoicw4SkcxFGj+
+Gm/tWghkquY40ihLvEefOptQz4W1gukU+ppFHXsOeCN8EVHX9OrcegW5+bt4B4OR
+9p87B/YASjVgA23ZWJKIdJ09RY01wolRll7S8j52J3PeVFlTLiH8wCifdmglNjmX
+nCAOUnzpD5qkxfXzvgvgS7iQr09AstWjwEuV01++VBUDN1YW/wCN7itUnIcO5K+T
+GUkZyvdqNi8Z0V39PbPtN2YtLk3ylISa8ZdUC7+l1JkuSPqt5g==
+-----END CERTIFICATE-----

tests/fixtures/rsa-root-ca-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDCmnCyEFiU6DbC
+rOxjl36iO/665dpWE3AVqmY7pmRv8TyhS7LpOh0ekRieBTDO8pPrT2Z/z+BEJwny
+U2oUJv01uX4rhLq/vcbN3OO+AQHcG5ELKrZtiWy87t2amoitpsj1xWEWS2L3Rk5w
+CmZTofXBLNyMOMddfuKRU+JLW0WnyAZ6O+mmW/dy9HqT0fYvwb0ucWC2w3jvVNyi
+uBMkD0IdCpectHAFEGJgJUWiLUIG+ml2vt0C6OWUK3BT2RPo51B4e6tV+eL+s+AL
+NvXeTlo0Z7gyK6s2EPZrleFAFagbRVaOerNruhLZ3KTdx9u4Oj0z32rg/XX12/js
+rW2zS5hfAgMBAAECggEALPfTItJ0JbSjMskSttDDCmoiqr2CfnFvbRI7HX2Np/Bu
+ujbr2Mj9AZs1vQ4mASw80hs+7Dn08Mq0mbJ8yLtZt5htd1DsdnI8BkYMulMxQtN7
+6MCt9xHSdrYbryYWf0oTFffOP4CcFdfBOFKu4pSCXWkobZ6RMyGm6T4hBJjKt8Ix
+zY6UMJlmLlcHSRNPm1RNPsWWe6CNNOtJxyKQ/P8JyHu+9WW0ld7azfbIOLoAKbPV
+tY8+F3TVz0FcG9piD+6nhJL0uLn6wJJnMQVGAoJFau3CpedKSm3jbIOznaXUVei9
+yRv1M24kdkZc6OhPhihGYzHiKfBKxlrHVXHkh+lIwQKBgQDkxcm0TEU5gxJegKHc
+yVRKDIyW2/D/YgtOu8ZUtd2QVXQzO436kl4cjEW4ipS6isCLC1ENtJ5JuKnkwZH0
+T7hnRnzxHcyE91XYIDeEldBv1Cv5QYjJpJt6y+rFD1alSivvv/DqB/y5nOKuYOyH
+1z6gMUrXZ6uwApB/Df+cw68HDQKBgQDZw5YEI+Z7z76VPmtSFirE5c0rNBf4tzOr
+EmqkVmRtoRZVe/uw5Bm3V/iZrWYSTyAMguBKzCVUhPg5h+PlaHyLjtwV2LkkPYJp
+xTEXFcYh3p/cW/rqdvMnD6hnORs1Mj9XFpbMPWlekqruhWxtdtOkY6yxS9bDzzp5
+uxdmvvbCGwKBgQDEbIZJBguR29ZTycIwXbS/d5LmnKWJwNbQnS0m4pgAKz8AFixL
+bozbmhzq3CHjIOs891R6nhAiYCmPPhxhVmmQUtdH9zv5FpxgWxkP/8ndmqC+/OPD
+rk/I2XkUBZ1xggPDcFwbtQvrGqcO7i1oXQlqZahK1rp0/16tmIlWQjXvqQKBgQDA
+dg5mRlx0XN1yBiLP/+t47ilw36+4ECLINZSu/fPwuIiGsPd4FYFs+4EqQYiO8gO/
+SwR01wy/MG46WpHetYQty+tUG6E2GG7kkHWck4/za1EabujKxKqOgVYzNNOJJom4
+rKxGgphYD4SnHqD/9h+DkNyWLhL4KHTkFajPFEP+tQKBgQCfaogtT5Uv1wzQgs6c
+/ATSSCw4RMFPQA702KWquMcydGyyA5WiE2n7S5J8Gl2BhdGRdVBqoM2RBqQs9diw
+m8Da0SJkPjwgXda6FOmm4krQIowXO2bLTkDo0jEAWW3PmrF53MmmAGhBT7cB/8sK
+8C5KH7rGwI9dW5OxbbCxA6g2mw==
+-----END PRIVATE KEY-----

tests/fixtures/rsa-root-ca.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDjTCCAnWgAwIBAgIULqYXD4Y/S1pjcF50lTIKVEMHaqYwDQYJKoZIhvcNAQEL
+BQAwVjELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5
+MRAwDgYDVQQKDAdUZXN0T3JnMRYwFAYDVQQDDA1UZXN0UnNhUm9vdENBMB4XDTI2
+MDIyMTA4MzAxNVoXDTM2MDIxOTA4MzAxNVowVjELMAkGA1UEBhMCVVMxDjAMBgNV
+BAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAwDgYDVQQKDAdUZXN0T3JnMRYwFAYD
+VQQDDA1UZXN0UnNhUm9vdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwppwshBYlOg2wqzsY5d+ojv+uuXaVhNwFapmO6Zkb/E8oUuy6TodHpEYngUw
+zvKT609mf8/gRCcJ8lNqFCb9Nbl+K4S6v73GzdzjvgEB3BuRCyq2bYlsvO7dmpqI
+rabI9cVhFkti90ZOcApmU6H1wSzcjDjHXX7ikVPiS1tFp8gGejvpplv3cvR6k9H2
+L8G9LnFgtsN471TcorgTJA9CHQqXnLRwBRBiYCVFoi1CBvppdr7dAujllCtwU9kT
+6OdQeHurVfni/rPgCzb13k5aNGe4MiurNhD2a5XhQBWoG0VWjnqza7oS2dyk3cfb
+uDo9M99q4P119dv47K1ts0uYXwIDAQABo1MwUTAdBgNVHQ4EFgQUJYIW2GVN+Z9d
+TiXBmXZWrpRO0u0wHwYDVR0jBBgwFoAUJYIW2GVN+Z9dTiXBmXZWrpRO0u0wDwYD
+VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMekKKzOrLtMUUeUDhT7z
+ZyNpdZQypboXH4jFZgnnSDQ4nhyTBQ1tydRsxKe/ySev2Ug4qqYeUUvoHVRe33bp
+HpQDlowRx0SYMY3QHZPNd4Bhi24N4L7Xv2ncfmhiUaECT9m6F3ZMBKhY0GgD6rzE
+vSBGAA/V59qI3FaREY2UmxRctDZx1ZdZyKw14rdrPHfxLZmCMJUtgxGdKcItyDjn
+pd4q6O7nf4fO0Cv8UDe035Jx5jQwpKw2nY7GcP8YHaLv/rzOT5Uog0UQ720GLjyV
+uGKfeXeH6Tw6yPjy/DNvjZKFG+SILJwdtW1m7w/NrWKiylhrDQqQamhetTquCmVf
+og==
+-----END CERTIFICATE-----

tests/fixtures/rsa-root-ca.srl

@@ -0,0 +1 @@
+3CBD9A16CFA6D47309CBD3F5CDE0911EC801FDD3

tests/fixtures/setup_fixtures.sh

@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+set -e
+
+SUBJ_CA="/C=US/ST=State/L=City/O=TestOrg/CN=TestRootCA"
+SUBJ_IM="/C=US/ST=State/L=City/O=TestOrg/CN=TestIntermediateCA"
+SUBJ_SRV="/CN=localhost"
+SUBJ_CLI="/C=US/ST=State/L=City/O=TestOrg/CN=TestClient"
+SUBJ_RSA_CA="/C=US/ST=State/L=City/O=TestOrg/CN=TestRsaRootCA"
+
+EXT_CA="basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always"
+EXT_LEAF="basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer"
+
+# Root CA
+openssl ecparam -name prime256v1 -genkey -noout -out root-ca-key.pem
+openssl req -new -x509 -sha256 -key root-ca-key.pem -days 3650 -out root-ca.pem -subj "$SUBJ_CA"
+
+# Intermediate CA
+openssl ecparam -name prime256v1 -genkey -noout -out intermediate-ca-key.pem
+openssl req -new -sha256 -key intermediate-ca-key.pem -out _im.csr -subj "$SUBJ_IM"
+openssl x509 -req -in _im.csr -CA root-ca.pem -CAkey root-ca-key.pem \
+  -CAcreateserial -out intermediate-ca.pem -days 3650 -sha256 \
+  -extfile <(printf "$EXT_CA")
+rm _im.csr
+
+# Server leaf cert (signed by root CA)
+openssl ecparam -name prime256v1 -genkey -noout -out leaf-server-key.pem
+openssl req -new -sha256 -key leaf-server-key.pem -out _srv.csr -subj "$SUBJ_SRV"
+openssl x509 -req -in _srv.csr -CA root-ca.pem -CAkey root-ca-key.pem \
+  -CAcreateserial -out leaf-server.pem -days 3650 -sha256 \
+  -extfile <(printf "$EXT_LEAF")
+rm _srv.csr
+
+# Client leaf cert (signed by root CA)
+openssl ecparam -name prime256v1 -genkey -noout -out leaf-client-key.pem
+openssl req -new -sha256 -key leaf-client-key.pem -out _cli.csr -subj "$SUBJ_CLI"
+openssl x509 -req -in _cli.csr -CA root-ca.pem -CAkey root-ca-key.pem \
+  -CAcreateserial -out leaf-client.pem -days 3650 -sha256 \
+  -extfile <(printf "$EXT_LEAF")
+rm _cli.csr
+
+# Intermediate server cert + chain
+openssl ecparam -name prime256v1 -genkey -noout -out intermediate-server-key.pem
+openssl req -new -sha256 -key intermediate-server-key.pem -out _imsrv.csr -subj "$SUBJ_SRV"
+openssl x509 -req -in _imsrv.csr -CA intermediate-ca.pem -CAkey intermediate-ca-key.pem \
+  -CAcreateserial -out intermediate-server.pem -days 3650 -sha256 \
+  -extfile <(printf "$EXT_LEAF")
+rm _imsrv.csr
+cat intermediate-server.pem intermediate-ca.pem > chain.pem
+
+# RSA root CA
+openssl req -x509 -newkey rsa:2048 -keyout rsa-root-ca-key.pem -nodes \
+  -out rsa-root-ca.pem -sha256 -days 3650 -subj "$SUBJ_RSA_CA"
+
+# RSA server cert
+openssl req -newkey rsa:2048 -keyout rsa-leaf-server-key.pem -nodes \
+  -out _rsasrv.csr -sha256 -subj "$SUBJ_SRV"
+openssl x509 -req -CA rsa-root-ca.pem -CAkey rsa-root-ca-key.pem \
+  -in _rsasrv.csr -out rsa-leaf-server.pem -days 3650 -CAcreateserial
+rm _rsasrv.csr
+
+# RSA client cert
+openssl req -newkey rsa:2048 -keyout rsa-leaf-client-key.pem -nodes \
+  -out _rsacli.csr -sha256 -subj "$SUBJ_CLI"
+openssl x509 -req -CA rsa-root-ca.pem -CAkey rsa-root-ca-key.pem \
+  -in _rsacli.csr -out rsa-leaf-client.pem -days 3650 -CAcreateserial
+rm _rsacli.csr