Merge pull request #901 from Matus-p/feature/ssl_load_cert_dynamic

[Added] TLS: natsOptions_LoadCertificatesChainDynamic

Author: kozlovic

src/conn.c

@@ -761,9 +761,14 @@ _makeTLSConn(natsConnection *nc)
 #endif
     if ((s == NATS_OK) && (SSL_do_handshake(ssl) != 1))
     {
-        s = nats_setError(NATS_SSL_ERROR,
-                          "SSL handshake error: %s",
-                          (nc->errStr[0] != '\0' ? nc->errStr : NATS_SSL_ERR_REASON_STRING));
+        // check if there is already set NATS_SSL_ERROR from _sslCertCallback
+        nats_GetLastError(&s);
+        if (s != NATS_SSL_ERROR)
+        {
+            s = nats_setError(NATS_SSL_ERROR,
+                              "SSL handshake error: %s",
+                              (nc->errStr[0] != '\0' ? nc->errStr : NATS_SSL_ERR_REASON_STRING));
+        }
     }
     // Make sure that if nc-errStr was set in _collectSSLErr but
     // the overall handshake is ok, then we clear the error

src/nats.h

@@ -2663,6 +2663,24 @@ natsOptions_LoadCertificatesChain(natsOptions *opts,
                                   const char *certsFileName,
                                   const char *keyFileName);
 
+/** \brief Loads the certificate chain and key from a file on every connection attempt.
+ *
+ * Similar to #natsOptions_LoadCertificatesChain expect that instead of loading
+ * from file just once, the key and certificate is read on every connection attempt.
+ * This is useful when the certificate is renewed and the application
+ * needs to pick up the new certificate without restarting.
+ *
+ * @see natsOptions_LoadCertificatesChain()
+ *
+ * @param opts the pointer to the #natsOptions object.
+ * @param certsFileName the file containing the client certificates.
+ * @param keyFileName the file containing the client private key.
+ */
+NATS_EXTERN natsStatus
+natsOptions_LoadCertificatesChainDynamic(natsOptions *opts,
+                                         const char *certsFileName,
+                                         const char *keyFileName);
+
 /** \brief Sets the client certificate and key.
  *
  * Similar to #natsOptions_LoadCertificatesChain expect that instead

src/natsp.h

@@ -196,6 +196,8 @@ typedef struct __natsSSLCtx
     SSL_CTX         *ctx;
     char            *expectedHostname;
     bool            skipVerify;
+    char            *certFileName;
+    char            *keyFileName;
 
 #ifdef NATS_WITH_EXPERIMENTAL
     SSL_verify_cb   callback;

src/opts.c

@@ -233,6 +233,8 @@ natsSSLCtx_release(natsSSLCtx *ctx)
     if (refs == 0)
     {
         NATS_FREE(ctx->expectedHostname);
+        NATS_FREE(ctx->certFileName);
+        NATS_FREE(ctx->keyFileName);
         SSL_CTX_free(ctx->ctx);
         natsMutex_Destroy(ctx->lock);
         NATS_FREE(ctx);
@@ -556,6 +558,78 @@ natsOptions_LoadCertificatesChain(natsOptions *opts,
     return s;
 }
 
+static int
+_sslCertCallback(SSL* ssl, void* arg)
+{
+    natsSSLCtx *ctx = (natsSSLCtx*)arg;
+    if (ctx == NULL)
+        return 0;
+
+    // delete any certificates associated with the SSL object
+    SSL_certs_clear(ssl);
+
+    if (SSL_use_certificate_chain_file(ssl, ctx->certFileName) != 1)
+    {
+        nats_setError(NATS_SSL_ERROR,
+                      "Error loading certificate chain '%s': %s",
+                      ctx->certFileName,
+                      NATS_SSL_ERR_REASON_STRING);
+        return 0;
+    }
+
+    if (SSL_use_PrivateKey_file(ssl, ctx->keyFileName, SSL_FILETYPE_PEM) != 1)
+    {
+        nats_setError(NATS_SSL_ERROR,
+                      "Error loading private key '%s': %s",
+                      ctx->keyFileName,
+                      NATS_SSL_ERR_REASON_STRING);
+        return 0;
+    }
+
+    return 1;
+}
+
+natsStatus
+natsOptions_LoadCertificatesChainDynamic(natsOptions *opts,
+                                  const char *certFileName,
+                                  const char *keyFileName)
+{
+    natsStatus s = NATS_OK;
+
+    if (nats_IsStringEmpty(certFileName) || nats_IsStringEmpty(keyFileName))
+    {
+        return nats_setError(NATS_INVALID_ARG, "%s",
+                             "certificate and key file names can't be NULL nor empty");
+    }
+
+    LOCK_AND_CHECK_OPTIONS(opts, 0);
+
+    s = _getSSLCtx(opts);
+    if (s == NATS_OK)
+    {
+        NATS_FREE(opts->sslCtx->certFileName);
+        opts->sslCtx->certFileName = NATS_STRDUP(certFileName);
+        if (opts->sslCtx->certFileName == NULL)
+            s = nats_setDefaultError(NATS_NO_MEMORY);
+    }
+    if (s == NATS_OK)
+    {
+        NATS_FREE(opts->sslCtx->keyFileName);
+        opts->sslCtx->keyFileName = NATS_STRDUP(keyFileName);
+        if (opts->sslCtx->keyFileName == NULL)
+            s = nats_setDefaultError(NATS_NO_MEMORY);
+    }
+    if (s == NATS_OK)
+    {
+        nats_sslRegisterThreadForCleanup();
+        SSL_CTX_set_cert_cb(opts->sslCtx->ctx, _sslCertCallback, opts->sslCtx);
+    }
+
+    UNLOCK_OPTS(opts);
+
+    return s;
+}
+
 natsStatus
 natsOptions_SetCertificatesChain(natsOptions *opts, const char *certStr, const char *keyStr)
 {

test/certs/ca.pem

@@ -1,27 +1,27 @@
 -----BEGIN CERTIFICATE-----
-MIIEkDCCA3igAwIBAgIUSZwW7btc9EUbrMWtjHpbM0C2bSEwDQYJKoZIhvcNAQEL
+MIIEkDCCA3igAwIBAgIUNqvYsS3NkSQC/FntFcUL5rBfEs8wDQYJKoZIhvcNAQEL
 BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNVBAoM
 B1N5bmFkaWExEDAOBgNVBAsMB25hdHMuaW8xKTAnBgNVBAMMIENlcnRpZmljYXRl
-IEF1dGhvcml0eSAyMDIyLTA4LTI3MB4XDTIyMDgyNzIwMjMwMloXDTMyMDgyNDIw
-MjMwMlowcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNV
+IEF1dGhvcml0eSAyMDI1LTA4LTIwMB4XDTI1MDgyMDE4NDIwMVoXDTM1MDgxODE4
+NDIwMVowcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNV
 BAoMB1N5bmFkaWExEDAOBgNVBAsMB25hdHMuaW8xKTAnBgNVBAMMIENlcnRpZmlj
-YXRlIEF1dGhvcml0eSAyMDIyLTA4LTI3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAqilVqyY8rmCpTwAsLF7DEtWEq37KbljBWVjmlp2Wo6TgMd3b537t
-6iO8+SbI8KH75i63RcxV3Uzt1/L9Yb6enDXF52A/U5ugmDhaa+Vsoo2HBTbCczmp
-qndp7znllQqn7wNLv6aGSvaeIUeYS5Dmlh3kt7Vqbn4YRANkOUTDYGSpMv7jYKSu
-1ee05Rco3H674zdwToYto8L8V7nVMrky42qZnGrJTaze+Cm9tmaIyHCwUq362CxS
-dkmaEuWx11MOIFZvL80n7ci6pveDxe5MIfwMC3/oGn7mbsSqidPMcTtjw6ey5NEu
-Z0UrC/2lL1FtF4gnVMKUSaEhU2oKjj0ZAQIDAQABo4IBHjCCARowHQYDVR0OBBYE
-FP7Pfz4u7sSt6ltviEVsx4hIFIs6MIGuBgNVHSMEgaYwgaOAFP7Pfz4u7sSt6ltv
-iEVsx4hIFIs6oXWkczBxMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5p
+YXRlIEF1dGhvcml0eSAyMDI1LTA4LTIwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAzXEVV4DpCyJXTjnKaDIR/d029wrR9Bn7XyDPhwUpxUV+dBBFYyMb
+Vjuu6Pz/Wyfw0H0J0Y0x8o5ScHEZmrGqgxV6Oqi5I5KVuzouYlk+U50eRqQ2wcVs
+dbA3I/cHYZYlEezXYjhPF7FlXfTIn7zuIR+K4FFfGe6tu2b9XkNTnksEDAleKyl9
+jaa79GEqDVPK2+kHGg5Z5ayngp9slFKhgRB97zryjq31eg+M03NW1nsavh9/P+UP
+33ERAro7lYvuKz4iWw7Wov86p6I4lhX3q4N0Exl0fW6zK2qCIxFA4GnKMONRbz7n
+WL5DoB3wPTjBr0dSN0s1dtbqY1RfmLpU/wIDAQABo4IBHjCCARowHQYDVR0OBBYE
+FLAMCZXqFT8jjuq8TID2Ejk6VnsoMIGuBgNVHSMEgaYwgaOAFLAMCZXqFT8jjuq8
+TID2Ejk6VnsooXWkczBxMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5p
 YTEQMA4GA1UECgwHU3luYWRpYTEQMA4GA1UECwwHbmF0cy5pbzEpMCcGA1UEAwwg
-Q2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMjItMDgtMjeCFEmcFu27XPRFG6zFrYx6
-WzNAtm0hMAwGA1UdEwQFMAMBAf8wOgYJYIZIAYb4QgENBC0WK25hdHMuaW8gbmF0
+Q2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMjUtMDgtMjCCFDar2LEtzZEkAvxZ7RXF
+C+awXxLPMAwGA1UdEwQFMAMBAf8wOgYJYIZIAYb4QgENBC0WK25hdHMuaW8gbmF0
 cy1zZXJ2ZXIgdGVzdC1zdWl0ZSB0cmFuc2llbnQgQ0EwDQYJKoZIhvcNAQELBQAD
-ggEBAHDCHLQklYZlnzHDaSwxgGSiPUrCf2zhk2DNIYSDyBgdzrIapmaVYQRrCBtA
-j/4jVFesgw5WDoe4TKsyha0QeVwJDIN8qg2pvpbmD8nOtLApfl0P966vcucxDwqO
-dQWrIgNsaUdHdwdo0OfvAlTfG0v/y2X0kbL7h/el5W9kWpxM/rfbX4IHseZL2sLq
-FH69SN3FhMbdIm1ldrcLBQVz8vJAGI+6B9hSSFQWljssE0JfAX+8VW/foJgMSx7A
-vBTq58rLkAko56Jlzqh/4QT+ckayg9I73v1Q5/44jP1mHw35s5ZrzpDQt2sVv4l5
-lwRPJFXMwe64flUs9sM+/vqJaIY=
+ggEBAERioFrhz1F27ERygpxgeWifp7+x7DwgroPY50QZcfCLPJ8A/wMSf/9BHXSp
+HDh8sFoCFhNpa10pwa6t2m/IOGwH8uJjCyL71MLwQe0pyCYeat6Vde793d843Dh/
+23Y44nT7Vp9MZK73/UjgLQk69iJh9wEjE/LK/teUBD28VEAuDImG8ae6b8pW07B0
+GxzqZx6CLCd1859YZy0wUWDlE3f9kTQ74QoVEPpvwj3IiK7N8TPnn6gnYjgqcpm9
+LJG2KWiRXSf5Ee8LcWC32nH7Mp9Ufijk2cvxbxSIgfg2cZOqdoa9Sr9ExwTnjeaF
+SNdZKkZz9siXP/U2V17eNEnJXWI=
 -----END CERTIFICATE-----

test/certs/client-cert.pem

@@ -2,16 +2,16 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            38:4c:16:24:9b:04:1c:b3:db:e0:4c:3c:ed:b7:40:7d:68:b5:fa:1f
+            67:89:cf:80:a0:f2:68:05:1d:c8:9e:c1:f6:4b:d6:1a:0b:78:c1:aa
         Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=California, O=Synadia, OU=nats.io, CN=Certificate Authority 2022-08-27
+        Issuer: C=US, ST=California, O=Synadia, OU=nats.io, CN=Certificate Authority 2025-08-20
         Validity
-            Not Before: Aug 27 20:23:02 2022 GMT
-            Not After : Aug 24 20:23:02 2032 GMT
+            Not Before: Aug 20 18:42:01 2025 GMT
+            Not After : Aug 18 18:42:01 2035 GMT
         Subject: C=US, ST=California, O=Synadia, OU=nats.io, CN=localhost
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
                     00:ac:9c:3e:9d:3b:7a:12:56:85:78:ca:df:9c:fc:
                     0c:7e:5e:f2:4f:22:33:46:81:38:53:d7:a7:25:8f:
@@ -40,10 +40,9 @@ Certificate:
             X509v3 Subject Key Identifier: 
                 1F:14:EF:2B:53:AB:28:4A:93:42:98:AE:85:06:0F:B4:7D:DC:36:AE
             X509v3 Authority Key Identifier: 
-                keyid:FE:CF:7F:3E:2E:EE:C4:AD:EA:5B:6F:88:45:6C:C7:88:48:14:8B:3A
-                DirName:/C=US/ST=California/O=Synadia/OU=nats.io/CN=Certificate Authority 2022-08-27
-                serial:49:9C:16:ED:BB:5C:F4:45:1B:AC:C5:AD:8C:7A:5B:33:40:B6:6D:21
-
+                keyid:B0:0C:09:95:EA:15:3F:23:8E:EA:BC:4C:80:F6:12:39:3A:56:7B:28
+                DirName:/C=US/ST=California/O=Synadia/OU=nats.io/CN=Certificate Authority 2025-08-20
+                serial:36:AB:D8:B1:2D:CD:91:24:02:FC:59:ED:15:C5:0B:E6:B0:5F:12:CF
             X509v3 Subject Alternative Name: 
                 DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, email:[email protected]
             Netscape Cert Type: 
@@ -53,27 +52,28 @@ Certificate:
             X509v3 Extended Key Usage: 
                 TLS Web Client Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         60:43:0b:c6:11:0b:96:ae:03:dc:77:26:9a:4a:bd:6a:d7:03:
-         ec:43:16:2d:ba:8c:e5:50:fa:57:a9:1f:2f:a4:15:c3:a8:13:
-         b9:d3:59:2a:97:7c:ae:ce:a9:f8:44:e4:97:ee:7d:09:dc:74:
-         38:80:94:cf:47:e0:84:52:2a:91:44:8a:85:55:da:42:6a:f1:
-         91:1a:6e:5a:63:e6:0b:61:3c:0d:b0:aa:17:b8:77:94:32:20:
-         4d:20:8f:84:56:64:ae:ef:d8:8d:42:b5:52:4d:b0:1c:46:97:
-         bc:4c:77:8c:3f:a3:73:43:87:27:71:62:e7:fe:02:de:a1:27:
-         77:be:86:29:8f:62:a1:d9:e7:ea:61:33:73:f4:1f:0a:12:14:
-         68:eb:7d:8c:71:5b:42:e7:48:10:c9:df:30:3b:5b:eb:69:29:
-         b6:95:bc:09:fc:01:b0:be:fc:9f:ee:c4:f3:df:a0:01:c5:68:
-         20:f5:2f:f8:e7:1c:a5:4c:a8:a8:a2:20:a1:d2:0f:f6:f6:c4:
-         0d:f5:26:fd:ea:8b:b5:06:a9:9e:17:35:47:f7:fd:6e:78:3d:
-         5f:7a:87:ed:21:b2:4e:e9:6a:d1:d9:ed:0e:cf:43:61:83:7c:
-         fe:0d:b1:ad:ff:fa:2d:2b:36:9d:99:9c:20:48:21:0d:36:c8:
-         dd:b6:0a:d8
+    Signature Value:
+        9d:22:66:cb:9b:16:a9:ea:3d:88:18:ae:3f:33:d0:73:4d:e3:
+        0b:b0:b6:b8:85:aa:27:35:fa:61:6e:22:0f:ac:bd:bd:12:2e:
+        ad:99:32:ab:51:59:f4:5e:77:9b:e1:ea:33:87:a1:be:09:f6:
+        65:43:22:c1:2e:a1:5d:0f:96:27:ac:44:ed:56:67:da:83:5c:
+        72:fe:4a:49:58:47:2c:12:f8:46:5b:01:7a:13:04:67:06:a5:
+        4d:a0:a0:2f:bd:4d:de:e7:04:92:de:16:ef:40:32:02:a8:fb:
+        64:31:e4:40:1f:f9:46:b5:fb:58:f3:61:a9:d4:a1:42:ed:d7:
+        34:bf:b6:95:3a:55:c9:25:ce:4f:b1:5e:45:8c:3a:09:b3:27:
+        2c:25:ee:0b:e3:c9:4b:bd:40:9d:b0:d8:28:fa:06:df:4a:a8:
+        e9:de:c4:a8:51:85:37:d6:32:3b:71:f0:68:fb:59:76:e2:f5:
+        be:3b:b4:00:e9:82:f1:27:4c:30:21:de:4b:ee:0b:10:7f:bf:
+        77:a4:40:09:69:e7:5e:62:e0:35:a6:e4:b7:e1:86:19:b1:34:
+        b3:25:73:f2:f7:75:a4:1c:71:90:b7:7d:bd:77:1c:b0:e7:3b:
+        4a:f5:fc:16:58:96:2f:f4:9f:0a:6f:9b:50:00:dc:a6:23:08:
+        0a:54:01:af
 -----BEGIN CERTIFICATE-----
-MIIE5zCCA8+gAwIBAgIUOEwWJJsEHLPb4Ew87bdAfWi1+h8wDQYJKoZIhvcNAQEL
+MIIE5zCCA8+gAwIBAgIUZ4nPgKDyaAUdyJ7B9kvWGgt4waowDQYJKoZIhvcNAQEL
 BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNVBAoM
 B1N5bmFkaWExEDAOBgNVBAsMB25hdHMuaW8xKTAnBgNVBAMMIENlcnRpZmljYXRl
-IEF1dGhvcml0eSAyMDIyLTA4LTI3MB4XDTIyMDgyNzIwMjMwMloXDTMyMDgyNDIw
-MjMwMlowWjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNV
+IEF1dGhvcml0eSAyMDI1LTA4LTIwMB4XDTI1MDgyMDE4NDIwMVoXDTM1MDgxODE4
+NDIwMVowWjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNV
 BAoMB1N5bmFkaWExEDAOBgNVBAsMB25hdHMuaW8xEjAQBgNVBAMMCWxvY2FsaG9z
 dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKycPp07ehJWhXjK35z8
 DH5e8k8iM0aBOFPXpyWP1+4WE+JnSYj2lJnwqabb/noXyePfMXNxOHA6lh6Ze10H
@@ -83,17 +83,17 @@ VW4uZZOakFQDbQ3mRNb3wNfY4ccewpujbojxfFgIop8TzFu5ESwdI286rkeaD2rO
 h8si/3AcSO264L7wvJ7g3FnbpXQlWLNhBPYzKGsHJWAPcpMWbJ+wrUoY954pHrdh
 NBcCAwEAAaOCAYwwggGIMAkGA1UdEwQCMAAwOQYJYIZIAYb4QgENBCwWKm5hdHMu
 aW8gbmF0cy1zZXJ2ZXIgdGVzdC1zdWl0ZSBjZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU
-HxTvK1OrKEqTQpiuhQYPtH3cNq4wga4GA1UdIwSBpjCBo4AU/s9/Pi7uxK3qW2+I
-RWzHiEgUizqhdaRzMHExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
+HxTvK1OrKEqTQpiuhQYPtH3cNq4wga4GA1UdIwSBpjCBo4AUsAwJleoVPyOO6rxM
+gPYSOTpWeyihdaRzMHExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
 MRAwDgYDVQQKDAdTeW5hZGlhMRAwDgYDVQQLDAduYXRzLmlvMSkwJwYDVQQDDCBD
-ZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAyMi0wOC0yN4IUSZwW7btc9EUbrMWtjHpb
-M0C2bSEwOwYDVR0RBDQwMoIJbG9jYWxob3N0hwR/AAABhxAAAAAAAAAAAAAAAAAA
+ZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAyNS0wOC0yMIIUNqvYsS3NkSQC/FntFcUL
+5rBfEs8wOwYDVR0RBDQwMoIJbG9jYWxob3N0hwR/AAABhxAAAAAAAAAAAAAAAAAA
 AAABgQ1kZXJla0BuYXRzLmlvMBEGCWCGSAGG+EIBAQQEAwIHgDALBgNVHQ8EBAMC
-BaAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAGBDC8YR
-C5auA9x3JppKvWrXA+xDFi26jOVQ+lepHy+kFcOoE7nTWSqXfK7OqfhE5JfufQnc
-dDiAlM9H4IRSKpFEioVV2kJq8ZEablpj5gthPA2wqhe4d5QyIE0gj4RWZK7v2I1C
-tVJNsBxGl7xMd4w/o3NDhydxYuf+At6hJ3e+himPYqHZ5+phM3P0HwoSFGjrfYxx
-W0LnSBDJ3zA7W+tpKbaVvAn8AbC+/J/uxPPfoAHFaCD1L/jnHKVMqKiiIKHSD/b2
-xA31Jv3qi7UGqZ4XNUf3/W54PV96h+0hsk7patHZ7Q7PQ2GDfP4Nsa3/+i0rNp2Z
-nCBIIQ02yN22Ctg=
+BaAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAJ0iZsub
+FqnqPYgYrj8z0HNN4wuwtriFqic1+mFuIg+svb0SLq2ZMqtRWfRed5vh6jOHob4J
+9mVDIsEuoV0PliesRO1WZ9qDXHL+SklYRywS+EZbAXoTBGcGpU2goC+9Td7nBJLe
+Fu9AMgKo+2Qx5EAf+Ua1+1jzYanUoULt1zS/tpU6Vcklzk+xXkWMOgmzJywl7gvj
+yUu9QJ2w2Cj6Bt9KqOnexKhRhTfWMjtx8Gj7WXbi9b47tADpgvEnTDAh3kvuCxB/
+v3ekQAlp515i4DWm5LfhhhmxNLMlc/L3daQccZC3fb13HLDnO0r1/BZYli/0nwpv
+m1AA3KYjCApUAa8=
 -----END CERTIFICATE-----

test/certs/client-cert2.pem

@@ -0,0 +1,99 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            25:06:c5:d0:c3:41:74:d3:04:85:b0:62:db:24:78:6b:56:36:36:b2
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, O=Synadia, OU=nats.io, CN=Certificate Authority 2025-08-20
+        Validity
+            Not Before: Aug 20 18:42:01 2025 GMT
+            Not After : Aug 18 18:42:01 2035 GMT
+        Subject: C=US, ST=California, O=Synadia, OU=nats.io, CN=localhost
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:cf:e9:75:d4:83:e2:c6:24:06:b2:98:dd:da:ea:
+                    8f:84:e5:57:46:51:97:80:9e:cb:42:39:f7:3a:28:
+                    3a:8f:e8:16:bd:ec:77:f8:28:dd:0a:62:17:7f:66:
+                    a1:76:89:8b:f4:b1:35:b8:7a:c3:d8:9d:a0:32:38:
+                    f4:bc:be:ad:66:95:b1:7b:af:f4:5b:b4:51:9f:79:
+                    c6:0e:9f:dd:56:1a:a2:5d:d8:35:d2:81:64:d1:ef:
+                    20:19:90:e2:a5:13:be:a9:a8:5e:41:75:88:eb:dc:
+                    50:8b:36:f8:05:8c:89:62:2b:24:37:98:49:c6:4c:
+                    e3:fc:e4:1b:92:37:67:fb:12:47:fd:29:4b:08:5c:
+                    11:e2:aa:23:c2:9b:e4:c2:fa:f1:4f:12:73:8b:7b:
+                    0a:64:53:19:aa:a0:35:67:ab:b7:4e:f8:fb:3c:07:
+                    ba:62:e4:d2:67:b1:17:e1:9b:e4:95:5d:3e:5e:55:
+                    b3:af:94:9e:f3:2d:e8:85:ba:1f:d2:25:c6:4c:e0:
+                    9d:e4:17:87:7f:a8:35:26:47:1e:14:12:dd:19:9f:
+                    b1:17:79:97:8a:a1:c4:18:b7:7e:5a:4c:96:fb:36:
+                    70:d1:81:5a:dc:72:e1:f3:83:6c:5e:a8:18:d6:d0:
+                    86:43:bf:f4:e9:ef:a7:78:a1:78:56:47:8e:b7:32:
+                    74:5b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                nats.io nats-server test-suite certificate
+            X509v3 Subject Key Identifier: 
+                F2:EE:0B:2B:52:66:45:42:BD:09:33:CA:33:53:41:03:09:40:35:62
+            X509v3 Authority Key Identifier: 
+                keyid:B0:0C:09:95:EA:15:3F:23:8E:EA:BC:4C:80:F6:12:39:3A:56:7B:28
+                DirName:/C=US/ST=California/O=Synadia/OU=nats.io/CN=Certificate Authority 2025-08-20
+                serial:36:AB:D8:B1:2D:CD:91:24:02:FC:59:ED:15:C5:0B:E6:B0:5F:12:CF
+            X509v3 Subject Alternative Name: 
+                DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, email:[email protected]
+            Netscape Cert Type: 
+                SSL Client
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        10:4b:23:c2:8f:34:33:09:b6:0f:65:2d:45:e1:06:eb:65:85:
+        e2:ff:b2:51:07:40:cb:2d:80:46:09:fc:5c:de:d3:0f:1e:2b:
+        5f:b0:95:3e:d0:cf:37:d6:53:ce:64:3f:3c:06:81:24:af:44:
+        b2:6c:8a:c9:53:08:d7:8a:23:4a:03:7e:56:07:42:1b:57:8b:
+        19:20:8a:e4:2a:53:39:e6:db:39:9f:47:e5:dd:fc:29:65:4c:
+        19:0e:79:0b:8c:d2:99:f5:31:14:67:72:1a:14:0f:8c:2c:c7:
+        7a:b8:e1:c1:5d:32:e8:84:34:0c:2e:7b:a8:0f:38:79:c3:18:
+        2c:47:7f:9f:db:7a:12:7b:ae:e5:70:aa:8b:90:17:e4:c6:ba:
+        84:ab:93:ec:9e:28:1f:00:3a:8d:d1:ed:83:37:2f:e8:66:1f:
+        c0:ba:9f:35:d3:81:3e:fd:86:6e:65:b7:6d:76:b5:51:d2:09:
+        8a:5f:fb:23:61:c3:74:3b:5e:4b:48:73:aa:06:78:62:77:4c:
+        61:23:2b:a2:64:74:6c:f0:3f:7c:ae:b9:5b:27:5f:58:40:8f:
+        8a:73:5f:bf:2a:02:71:7c:14:23:9a:b3:4b:74:06:fd:f8:46:
+        b7:55:7c:87:b2:e3:d6:da:0e:9a:ec:87:0b:34:64:ec:ab:ff:
+        2d:92:44:86
+-----BEGIN CERTIFICATE-----
+MIIE5jCCA86gAwIBAgIUJQbF0MNBdNMEhbBi2yR4a1Y2NrIwDQYJKoZIhvcNAQEL
+BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNVBAoM
+B1N5bmFkaWExEDAOBgNVBAsMB25hdHMuaW8xKTAnBgNVBAMMIENlcnRpZmljYXRl
+IEF1dGhvcml0eSAyMDI1LTA4LTIwMB4XDTI1MDgyMDE4NDIwMVoXDTM1MDgxODE4
+NDIwMVowWjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNV
+BAoMB1N5bmFkaWExEDAOBgNVBAsMB25hdHMuaW8xEjAQBgNVBAMMCWxvY2FsaG9z
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM/pddSD4sYkBrKY3drq
+j4TlV0ZRl4Cey0I59zooOo/oFr3sd/go3QpiF39moXaJi/SxNbh6w9idoDI49Ly+
+rWaVsXuv9Fu0UZ95xg6f3VYaol3YNdKBZNHvIBmQ4qUTvqmoXkF1iOvcUIs2+AWM
+iWIrJDeYScZM4/zkG5I3Z/sSR/0pSwhcEeKqI8Kb5ML68U8Sc4t7CmRTGaqgNWer
+t074+zwHumLk0mexF+Gb5JVdPl5Vs6+UnvMt6IW6H9IlxkzgneQXh3+oNSZHHhQS
+3RmfsRd5l4qhxBi3flpMlvs2cNGBWtxy4fODbF6oGNbQhkO/9Onvp3iheFZHjrcy
+dFsCAwEAAaOCAYswggGHMAkGA1UdEwQCMAAwOQYJYIZIAYb4QgENBCwWKm5hdHMu
+aW8gbmF0cy1zZXJ2ZXIgdGVzdC1zdWl0ZSBjZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU
+8u4LK1JmRUK9CTPKM1NBAwlANWIwga4GA1UdIwSBpjCBo4AUsAwJleoVPyOO6rxM
+gPYSOTpWeyihdaRzMHExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
+MRAwDgYDVQQKDAdTeW5hZGlhMRAwDgYDVQQLDAduYXRzLmlvMSkwJwYDVQQDDCBD
+ZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAyNS0wOC0yMIIUNqvYsS3NkSQC/FntFcUL
+5rBfEs8wOgYDVR0RBDMwMYIJbG9jYWxob3N0hwR/AAABhxAAAAAAAAAAAAAAAAAA
+AAABgQxpdmFuQG5hdHMuaW8wEQYJYIZIAYb4QgEBBAQDAgeAMAsGA1UdDwQEAwIF
+oDATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAEEsjwo80
+Mwm2D2UtReEG62WF4v+yUQdAyy2ARgn8XN7TDx4rX7CVPtDPN9ZTzmQ/PAaBJK9E
+smyKyVMI14ojSgN+VgdCG1eLGSCK5CpTOebbOZ9H5d38KWVMGQ55C4zSmfUxFGdy
+GhQPjCzHerjhwV0y6IQ0DC57qA84ecMYLEd/n9t6Enuu5XCqi5AX5Ma6hKuT7J4o
+HwA6jdHtgzcv6GYfwLqfNdOBPv2GbmW3bXa1UdIJil/7I2HDdDteS0hzqgZ4YndM
+YSMromR0bPA/fK65WydfWECPinNfvyoCcXwUI5qzS3QG/fhGt1V8h7Lj1toOmuyH
+CzRk7Kv/LZJEhg==
+-----END CERTIFICATE-----