diff --git a/doc/plugin_server_upstreamauthority_awssecret.md b/doc/plugin_server_upstreamauthority_awssecret.md index 22c589442f7..c95f630e212 100644 --- a/doc/plugin_server_upstreamauthority_awssecret.md +++ b/doc/plugin_server_upstreamauthority_awssecret.md @@ -10,8 +10,9 @@ The plugin accepts the following configuration options: | Configuration | Description | |-------------------|-------------------------------------------------------| | region | AWS Region that the AWS Secrets Manager is running in | -| cert_file_arn | ARN of the "upstream" CA certificate | +| cert_file_arn | ARN of the "upstream" CA certificate that will be used for signing. If more than one certificate is present, they will be added to the chain in order of appearance, where the first certificate will be the one used for signing. | | key_file_arn | ARN of the "upstream" CA key file | +| bundle_file_arn | ARN of roots to include in the trust bundle. If `cert_file_arn` contains a self-signed root CA certificate this field can be left unset. Otherwise, `bundle_file_arn` must include one or more root CA certificates | | access_key_id | AWS access key ID | | secret_access_key | AWS secret access key | | secret_token | AWS secret token | @@ -40,6 +41,7 @@ A sample configuration: region = "us-west-2", cert_file_arn = "cert", key_file_arn = "key", + bundle_file_arn = "bundle", access_key_id = "ACCESS_KEY_ID", secret_access_key = "SECRET_ACCESS_KEY", secret_token = "SECRET_TOKEN" diff --git a/pkg/server/plugin/upstreamauthority/awssecret/awslib_fake_test.go b/pkg/server/plugin/upstreamauthority/awssecret/awslib_fake_test.go index fb275a82c7b..6c52217f8a7 100644 --- a/pkg/server/plugin/upstreamauthority/awssecret/awslib_fake_test.go +++ b/pkg/server/plugin/upstreamauthority/awssecret/awslib_fake_test.go @@ -2,17 +2,36 @@ package awssecret import ( "context" + "crypto" + "crypto/ecdsa" + "crypto/x509" "fmt" - "os" + "math/big" + "net/url" + "testing" + "time" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/secretsmanager" + "github.com/spiffe/spire/pkg/common/pemutil" + "github.com/spiffe/spire/test/clock" + "github.com/spiffe/spire/test/testca" + "github.com/spiffe/spire/test/testkey" + "github.com/stretchr/testify/require" ) type fakeSecretsManagerClient struct { storage map[string]string } +type testKeysAndCerts struct { + rootKey *ecdsa.PrivateKey + rootCert *x509.Certificate + alternativeKey *ecdsa.PrivateKey + intermediateKey *ecdsa.PrivateKey + intermediateCert *x509.Certificate +} + func (sm *fakeSecretsManagerClient) GetSecretValue(ctx context.Context, input *secretsmanager.GetSecretValueInput, optFns ...func(*secretsmanager.Options)) (*secretsmanager.GetSecretValueOutput, error) { if value, ok := sm.storage[*input.SecretId]; ok { return &secretsmanager.GetSecretValueOutput{ @@ -23,35 +42,86 @@ func (sm *fakeSecretsManagerClient) GetSecretValue(ctx context.Context, input *s return nil, fmt.Errorf("secret not found") } -func newFakeSecretsManagerClient(ctx context.Context, config *Configuration, region string) (secretsManagerClient, error) { +func generateTestData(t *testing.T, clk clock.Clock) (*testKeysAndCerts, func(context.Context, *Configuration, string) (secretsManagerClient, error)) { + var keys testkey.Keys + + rootKey := keys.NewEC256(t) + rootCertificate := createCertificate(t, clk, "spiffe://root", rootKey, nil, nil) + + intermediateKey := keys.NewEC256(t) + intermediateCertificate := createCertificate(t, clk, "spiffe://intermediate", intermediateKey, rootCertificate, rootKey) + + alternativeKey := keys.NewEC256(t) + sm := new(fakeSecretsManagerClient) - if region == "" { - return nil, &aws.MissingRegionError{} + sm.storage = map[string]string{ + "cert": certToPEMstr(rootCertificate), + "key": keyToPEMstr(t, rootKey), + "alternative_key": keyToPEMstr(t, alternativeKey), + "bundle": certToPEMstr(rootCertificate), + "intermediate_cert": certToPEMstr(intermediateCertificate), + "intermediate_key": keyToPEMstr(t, intermediateKey), + "invalid_cert": "no a certificate", + "invalid_key": "no a key", } - cert, err := os.ReadFile("testdata/keys/EC/cert.pem") - if err != nil { - return nil, err + keysAndCerts := &testKeysAndCerts{ + rootKey: rootKey, + rootCert: rootCertificate, + alternativeKey: alternativeKey, + intermediateKey: intermediateKey, + intermediateCert: intermediateCertificate, } - key, err := os.ReadFile("testdata/keys/EC/private_key.pem") - if err != nil { - return nil, err + makeSecretsManagerClient := func(ctx context.Context, config *Configuration, region string) (secretsManagerClient, error) { + if region == "" { + return nil, &aws.MissingRegionError{} + } + return sm, nil } - alternativeKey, err := os.ReadFile("testdata/keys/EC/alternative_key.pem") - if err != nil { - return nil, err + return keysAndCerts, makeSecretsManagerClient +} + +func createCertificate( + t *testing.T, clk clock.Clock, + uri string, + key crypto.Signer, + parent *x509.Certificate, + parentKey crypto.Signer, +) *x509.Certificate { + now := clk.Now() + + u, err := url.Parse(uri) + require.NoError(t, err) + + template := &x509.Certificate{ + SerialNumber: big.NewInt(1), + BasicConstraintsValid: true, + IsCA: true, + NotBefore: now, + NotAfter: now.Add(time.Hour * 24), + URIs: []*url.URL{u}, } - sm.storage = map[string]string{ - "cert": string(cert), - "key": string(key), - "alternative_key": string(alternativeKey), - "invalid_cert": "no a certificate", - "invalid_key": "no a key", + // Making the template and key their own parents + // generates a self-signed certificate + if parent == nil { + parent = template + parentKey = key } - return sm, nil + return testca.CreateCertificate(t, template, parent, key.Public(), parentKey) +} + +func certToPEMstr(cert *x509.Certificate) string { + return string(pemutil.EncodeCertificate(cert)) +} + +func keyToPEMstr(t *testing.T, key *ecdsa.PrivateKey) string { + data, err := pemutil.EncodeECPrivateKey(key) + require.NoError(t, err) + + return string(data) } diff --git a/pkg/server/plugin/upstreamauthority/awssecret/awssecret.go b/pkg/server/plugin/upstreamauthority/awssecret/awssecret.go index 7a28622782f..fcc1b72847e 100644 --- a/pkg/server/plugin/upstreamauthority/awssecret/awssecret.go +++ b/pkg/server/plugin/upstreamauthority/awssecret/awssecret.go @@ -2,7 +2,6 @@ package awssecret import ( "context" - "crypto" "crypto/x509" "os" "sync" @@ -42,6 +41,7 @@ type Configuration struct { Region string `hcl:"region" json:"region"` CertFileARN string `hcl:"cert_file_arn" json:"cert_file_arn"` KeyFileARN string `hcl:"key_file_arn" json:"key_file_arn"` + BundleFileARN string `hcl:"bundle_file_arn" json:"bundle_file_arn"` AccessKeyID string `hcl:"access_key_id" json:"access_key_id"` SecretAccessKey string `hcl:"secret_access_key" json:"secret_access_key"` SecurityToken string `hcl:"secret_token" json:"secret_token"` @@ -54,9 +54,10 @@ type Plugin struct { log hclog.Logger - mtx sync.RWMutex - cert *x509.Certificate - upstreamCA *x509svid.UpstreamCA + mtx sync.RWMutex + upstreamCerts []*x509.Certificate + bundleCerts []*x509.Certificate + upstreamCA *x509svid.UpstreamCA hooks struct { clock clock.Clock @@ -94,8 +95,9 @@ func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) return nil, status.Errorf(codes.InvalidArgument, "failed to create AWS client: %v", err) } - key, cert, err := fetchFromSecretsManager(ctx, config, sm) + keyPEMstr, certsPEMstr, bundleCertsPEMstr, err := fetchFromSecretsManager(ctx, config, sm) if err != nil { + p.log.Error("Error loading files from AWS: %v", err) return nil, err } @@ -107,13 +109,16 @@ func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) p.mtx.Lock() defer p.mtx.Unlock() - p.cert = cert - p.upstreamCA = x509svid.NewUpstreamCA( - x509util.NewMemoryKeypair(cert, key), - trustDomain, - x509svid.UpstreamCAOptions{ - Clock: p.hooks.clock, - }) + upstreamCA, upstreamCerts, bundleCerts, err := p.loadUpstreamCAAndCerts( + trustDomain, keyPEMstr, certsPEMstr, bundleCertsPEMstr, + ) + if err != nil { + return nil, err + } + + p.upstreamCerts = upstreamCerts + p.bundleCerts = bundleCerts + p.upstreamCA = upstreamCA return &configv1.ConfigureResponse{}, nil } @@ -133,12 +138,12 @@ func (p *Plugin) MintX509CAAndSubscribe(request *upstreamauthorityv1.MintX509CAR return status.Errorf(codes.Internal, "unable to sign CSR: %v", err) } - x509CAChain, err := x509certificate.ToPluginProtos([]*x509.Certificate{cert}) + x509CAChain, err := x509certificate.ToPluginProtos(append([]*x509.Certificate{cert}, p.upstreamCerts...)) if err != nil { return status.Errorf(codes.Internal, "unable to form response X.509 CA chain: %v", err) } - upstreamX509Roots, err := x509certificate.ToPluginProtos([]*x509.Certificate{p.cert}) + upstreamX509Roots, err := x509certificate.ToPluginProtos(p.bundleCerts) if err != nil { return status.Errorf(codes.Internal, "unable to form response upstream X.509 roots: %v", err) } @@ -154,38 +159,99 @@ func (p *Plugin) PublishJWTKeyAndSubscribe(*upstreamauthorityv1.PublishJWTKeyReq return status.Error(codes.Unimplemented, "publishing upstream is unsupported") } -func fetchFromSecretsManager(ctx context.Context, config *Configuration, sm secretsManagerClient) (crypto.PrivateKey, *x509.Certificate, error) { - keyPEMstr, err := readARN(ctx, sm, config.KeyFileARN) +func (p *Plugin) loadUpstreamCAAndCerts(trustDomain spiffeid.TrustDomain, keyPEMstr, certsPEMstr, bundleCertsPEMstr string) (*x509svid.UpstreamCA, []*x509.Certificate, []*x509.Certificate, error) { + key, err := pemutil.ParsePrivateKey([]byte(keyPEMstr)) if err != nil { - return nil, nil, status.Errorf(codes.InvalidArgument, "unable to read %s: %v", config.KeyFileARN, err) + return nil, nil, nil, status.Errorf(codes.Internal, "unable to parse private key: %v", err) } - key, err := pemutil.ParsePrivateKey([]byte(keyPEMstr)) + certs, err := pemutil.ParseCertificates([]byte(certsPEMstr)) if err != nil { - return nil, nil, status.Errorf(codes.Internal, "unable to parse private key: %v", err) + return nil, nil, nil, status.Errorf(codes.Internal, "unable to parse certificate: %v", err) } - certPEMstr, err := readARN(ctx, sm, config.CertFileARN) + caCert := certs[0] // pemutil guarantees at least one cert + + var trustBundle []*x509.Certificate + if bundleCertsPEMstr == "" { + // If there is no bundle payload configured then the value of certs + // must be a self-signed cert. We enforce this by requiring that there is + // exactly one certificate; this certificate is reused for the trust + // bundle and bundleCertsPEMstr is ignored + if len(certs) != 1 { + return nil, nil, nil, status.Error(codes.InvalidArgument, "with no bundle_file_arn configured only self-signed CAs are supported") + } + trustBundle = certs + certs = nil + } else { + // If there is a bundle, instead of using the payload of cert_file_arn + // to populate the trust bundle, we assume that certs is a chain of + // intermediates and populate the trust bundle with roots from + // bundle_file_arn + trustBundle, err = pemutil.ParseCertificates([]byte(bundleCertsPEMstr)) + if err != nil { + return nil, nil, nil, status.Errorf(codes.InvalidArgument, "unable to load upstream CA bundle: %v", err) + } + } + + matched, err := x509util.CertificateMatchesPrivateKey(caCert, key) if err != nil { - return nil, nil, status.Errorf(codes.InvalidArgument, "unable to read %s: %v", config.CertFileARN, err) + return nil, nil, nil, status.Errorf(codes.InvalidArgument, "unable to verify CA cert matches private key: %v", err) + } + if !matched { + return nil, nil, nil, status.Error(codes.InvalidArgument, "unable to load upstream CA: certificate and private key do not match") } - cert, err := pemutil.ParseCertificate([]byte(certPEMstr)) + intermediates := x509.NewCertPool() + roots := x509.NewCertPool() + + for _, c := range certs { + intermediates.AddCert(c) + } + for _, c := range trustBundle { + roots.AddCert(c) + } + selfVerifyOpts := x509.VerifyOptions{ + Intermediates: intermediates, + Roots: roots, + } + _, err = caCert.Verify(selfVerifyOpts) if err != nil { - return nil, nil, status.Errorf(codes.Internal, "unable to parse certificate: %v", err) + return nil, nil, nil, status.Error(codes.InvalidArgument, "unable to load upstream CA: certificate could not be validated with the provided bundle or is not self signed") } - // Validate cert matches private key - matched, err := x509util.CertificateMatchesPrivateKey(cert, key) + // If we get to this point we've successfully validated that: + // - cert_file_arn contains a single self-signed certificate OR + // - cert_file_arn contains a chain of certificates which terminate at a root + // which is provided in bundle_file_arn + return x509svid.NewUpstreamCA( + x509util.NewMemoryKeypair(caCert, key), + trustDomain, + x509svid.UpstreamCAOptions{ + Clock: p.hooks.clock, + }, + ), certs, trustBundle, nil +} + +func fetchFromSecretsManager(ctx context.Context, config *Configuration, sm secretsManagerClient) (string, string, string, error) { + keyPEMstr, err := readARN(ctx, sm, config.KeyFileARN) if err != nil { - return nil, nil, status.Errorf(codes.Internal, "unable to validate certificate: %v", err) + return "", "", "", status.Errorf(codes.InvalidArgument, "unable to read %s: %v", config.KeyFileARN, err) } - if !matched { - return nil, nil, status.Errorf(codes.InvalidArgument, "certificate and private key does not match") + certsPEMstr, err := readARN(ctx, sm, config.CertFileARN) + if err != nil { + return "", "", "", status.Errorf(codes.InvalidArgument, "unable to read %s: %v", config.CertFileARN, err) + } + var bundlePEMstr string + if config.BundleFileARN != "" { + bundlePEMstr, err = readARN(ctx, sm, config.BundleFileARN) + if err != nil { + return "", "", "", status.Errorf(codes.InvalidArgument, "unable to read %s: %v", config.BundleFileARN, err) + } } - return key, cert, nil + return keyPEMstr, certsPEMstr, bundlePEMstr, nil } func (p *Plugin) validateConfig(req *configv1.ConfigureRequest) (*Configuration, error) { diff --git a/pkg/server/plugin/upstreamauthority/awssecret/awssecret_test.go b/pkg/server/plugin/upstreamauthority/awssecret/awssecret_test.go index 738926d1fc0..437e2dcbfcd 100644 --- a/pkg/server/plugin/upstreamauthority/awssecret/awssecret_test.go +++ b/pkg/server/plugin/upstreamauthority/awssecret/awssecret_test.go @@ -8,14 +8,13 @@ import ( "testing" "time" - "github.com/andres-erbsen/clock" "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/spiffe/spire/pkg/common/catalog" "github.com/spiffe/spire/pkg/common/cryptoutil" - "github.com/spiffe/spire/pkg/common/pemutil" "github.com/spiffe/spire/pkg/common/x509svid" "github.com/spiffe/spire/pkg/server/plugin/upstreamauthority" "github.com/spiffe/spire/proto/spire/common" + "github.com/spiffe/spire/test/clock" "github.com/spiffe/spire/test/plugintest" "github.com/spiffe/spire/test/spiretest" "github.com/spiffe/spire/test/testkey" @@ -26,6 +25,8 @@ import ( ) func TestConfigure(t *testing.T) { + clk := clock.NewMock(t) + _, fakeStorageClientCreator := generateTestData(t, clk) for _, tt := range []struct { test string overrideCoreConfig *catalog.CoreConfig @@ -37,6 +38,7 @@ func TestConfigure(t *testing.T) { region string certFileARN string keyFileARN string + bundleFileARN string accessKeyID string secretAccessKey string securityToken string @@ -167,7 +169,31 @@ func TestConfigure(t *testing.T) { securityToken: "security_token", assumeRoleARN: "assume_role_arn", expectCode: codes.InvalidArgument, - expectMsgPrefix: "certificate and private key does not match", + expectMsgPrefix: "unable to load upstream CA: certificate and private key do not match", + }, + { + test: "additional bundle set", + region: "region_1", + certFileARN: "cert", + keyFileARN: "key", + bundleFileARN: "bundle", + accessKeyID: "access_key_id", + secretAccessKey: "secret_access_key", + securityToken: "security_token", + assumeRoleARN: "assume_role_arn", + }, + { + test: "invalid bundle set", + region: "region_1", + certFileARN: "cert", + keyFileARN: "key", + bundleFileARN: "missing_bundle", + accessKeyID: "access_key_id", + secretAccessKey: "secret_access_key", + securityToken: "security_token", + assumeRoleARN: "assume_role_arn", + expectCode: codes.InvalidArgument, + expectMsgPrefix: "unable to read missing_bundle: secret not found", }, } { tt := tt @@ -193,6 +219,7 @@ func TestConfigure(t *testing.T) { Region: tt.region, CertFileARN: tt.certFileARN, KeyFileARN: tt.keyFileARN, + BundleFileARN: tt.bundleFileARN, AccessKeyID: tt.accessKeyID, SecretAccessKey: tt.secretAccessKey, SecurityToken: tt.securityToken, @@ -201,8 +228,8 @@ func TestConfigure(t *testing.T) { } p := new(Plugin) - p.hooks.clock = clock.NewMock() - p.hooks.newClient = newFakeSecretsManagerClient + p.hooks.clock = clk + p.hooks.newClient = fakeStorageClientCreator plugintest.Load(t, builtin(p), nil, options...) spiretest.RequireGRPCStatusHasPrefix(t, err, tt.expectCode, tt.expectMsgPrefix) @@ -212,10 +239,10 @@ func TestConfigure(t *testing.T) { func TestMintX509CA(t *testing.T) { key := testkey.NewEC256(t) - clk := clock.NewMock() + clk := clock.NewMock(t) + certsAndKeys, fakeStorageClientCreator := generateTestData(t, clk) - x509Authority, err := pemutil.LoadCertificates("testdata/keys/EC/cert.pem") - require.NoError(t, err, "failed to load X509 Authority from disk") + x509Authority := []*x509.Certificate{certsAndKeys.rootCert} makeCSR := func(spiffeID string) []byte { csr, err := util.NewCSRTemplateWithKey(spiffeID, key) @@ -233,6 +260,17 @@ func TestMintX509CA(t *testing.T) { AssumeRoleARN: "assume_role_arn", } + withBundleConfiguration := &Configuration{ + Region: "region_1", + CertFileARN: "intermediate_cert", + KeyFileARN: "intermediate_key", + BundleFileARN: "bundle", + AccessKeyID: "access_key_id", + SecretAccessKey: "secret_access_key", + SecurityToken: "security_token", + AssumeRoleARN: "assume_role_arn", + } + for _, tt := range []struct { test string configuration *Configuration @@ -243,6 +281,7 @@ func TestMintX509CA(t *testing.T) { expectX509CASpiffeID string expectedX509Authorities []*x509.Certificate expectTTL time.Duration + numExpectedCAs int }{ { test: "valid CSR", @@ -252,6 +291,16 @@ func TestMintX509CA(t *testing.T) { expectTTL: x509svid.DefaultUpstreamCATTL + time.Hour, expectX509CASpiffeID: "spiffe://example.org", expectedX509Authorities: x509Authority, + numExpectedCAs: 1, + }, + { + test: "CA is intermediate", + configuration: withBundleConfiguration, + csr: makeCSR("spiffe://example.org"), + expectTTL: x509svid.DefaultUpstreamCATTL, + expectX509CASpiffeID: "spiffe://example.org", + expectedX509Authorities: x509Authority, + numExpectedCAs: 2, }, { test: "using default ttl", @@ -260,6 +309,7 @@ func TestMintX509CA(t *testing.T) { expectTTL: x509svid.DefaultUpstreamCATTL, expectX509CASpiffeID: "spiffe://example.org", expectedX509Authorities: x509Authority, + numExpectedCAs: 1, }, { test: "configuration fail", @@ -282,7 +332,7 @@ func TestMintX509CA(t *testing.T) { p.hooks.getenv = func(s string) string { return "" } - p.hooks.newClient = newFakeSecretsManagerClient + p.hooks.newClient = fakeStorageClientCreator var err error options := []plugintest.Option{ @@ -310,7 +360,7 @@ func TestMintX509CA(t *testing.T) { return } - if assert.Len(t, x509CA, 1, "only expect 1 x509CA") { + if assert.Len(t, x509CA, tt.numExpectedCAs, "only expecting %d x509CA", tt.numExpectedCAs) { cert := x509CA[0] // assert key isEqual, err := cryptoutil.PublicKeyEqual(cert.PublicKey, key.Public()) @@ -321,6 +371,11 @@ func TestMintX509CA(t *testing.T) { ttl := cert.NotAfter.Sub(clk.Now()) assert.Equal(t, tt.expectTTL, ttl, "TTL does not match") + // assert expected intermediate is in chain + if tt.configuration.CertFileARN == "intermediate_cert" { + assert.Equal(t, certsAndKeys.intermediateCert, x509CA[1]) + } + // assert CA has expected SpiffeID assert.Equal(t, tt.expectX509CASpiffeID, cert.URIs[0].String()) } @@ -336,9 +391,11 @@ func TestMintX509CA(t *testing.T) { } func TestPublishJWTKey(t *testing.T) { + clk := clock.NewMock(t) + _, fakeStorageClientCreator := generateTestData(t, clk) p := new(Plugin) - p.hooks.clock = clock.NewMock() - p.hooks.newClient = newFakeSecretsManagerClient + p.hooks.clock = clk + p.hooks.newClient = fakeStorageClientCreator ua := new(upstreamauthority.V1) plugintest.Load(t, builtin(p), ua, diff --git a/pkg/server/plugin/upstreamauthority/awssecret/testdata/keys/EC/alternative_key.pem b/pkg/server/plugin/upstreamauthority/awssecret/testdata/keys/EC/alternative_key.pem deleted file mode 100644 index f57a3fe6812..00000000000 --- a/pkg/server/plugin/upstreamauthority/awssecret/testdata/keys/EC/alternative_key.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIO4jqA2EFccPT1isOaP2CFQB6pXqdl6jD1r3eUU6vAzooAoGCCqGSM49 -AwEHoUQDQgAE5f4tXVQiLSQqbk/pT0140Z4SSCywo+LggqtFyCqTOczf4D99J+Fr -ai6wiv388wVhc69I5OwFVKz+FXhxkp5OoQ== ------END EC PRIVATE KEY----- diff --git a/pkg/server/plugin/upstreamauthority/awssecret/testdata/keys/EC/cert.pem b/pkg/server/plugin/upstreamauthority/awssecret/testdata/keys/EC/cert.pem deleted file mode 100644 index 0edff5dc4c7..00000000000 --- a/pkg/server/plugin/upstreamauthority/awssecret/testdata/keys/EC/cert.pem +++ /dev/null @@ -1,12 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBtjCCARigAwIBAgIDAeJAMAoGCCqGSM49BAMEMAAwHhcNMTcwOTA2MTkwNDMy -WhcNMjIwOTA1MTkwNDMyWjAAMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBJX6d -h0ijS65ZVUsUjpBjRxF9qtTMPXhCREiUagYxI12Z/U9r9K2mrmetCLeqAgHcthQ/ -17deves7G43H/5EkveUBdUB/JrGZsJAHvm1BuIv2+HyxRt1t+0e/+pZuvNRZddit -pRE1X+6BUayo59EJkwPF4R48QB64Nsjc6sPEexT/J8KjPjA8MA4GA1UdDwEB/wQE -AwIBBjAPBgNVHRMBAf8EBTADAQH/MBkGA1UdEQQSMBCGDnNwaWZmZTovL2xvY2Fs -MAoGCCqGSM49BAMEA4GLADCBhwJCAYtVgPXHZ/ic+La7tI86/ZCrgmlWNkJI5pI3 -sXASj1ABxDl3Nw3a3ZMZ50JClabZuh52re4Jf17FNYzzlLX86hCyAkEk99GkJ/uN -gEuQRYDmZztPxzxEw6xzSR9zVvR1J45nzN75sPdW+HoPb4L6mp3eHYMCGF9Y9QzB -UMPjLafiGse3Yg== ------END CERTIFICATE----- diff --git a/pkg/server/plugin/upstreamauthority/awssecret/testdata/keys/EC/private_key.pem b/pkg/server/plugin/upstreamauthority/awssecret/testdata/keys/EC/private_key.pem deleted file mode 100644 index 188dfa0648d..00000000000 --- a/pkg/server/plugin/upstreamauthority/awssecret/testdata/keys/EC/private_key.pem +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MIHcAgEBBEIBA2CChLPY49n/g0ygWUL5Jfq4l6e53GportOS9WcGENKX8WzCQJ9j -3lbppfjHr3CnS7GRPV35TGPwoo9kNXSymD2gBwYFK4EEACOhgYkDgYYABAElfp2H -SKNLrllVSxSOkGNHEX2q1Mw9eEJESJRqBjEjXZn9T2v0raauZ60It6oCAdy2FD/X -t1696zsbjcf/kSS95QF1QH8msZmwkAe+bUG4i/b4fLFG3W37R7/6lm681Fl12K2l -ETVf7oFRrKjn0QmTA8XhHjxAHrg2yNzqw8R7FP8nwg== ------END EC PRIVATE KEY-----