check hosts in ssl certificates

vendor/github.com/google/certificate-transparency-go/x509/error_test.go

@@ -1,192 +0,0 @@
-package x509_test
-
-import (
-	"fmt"
-	"testing"
-
-	"github.com/google/certificate-transparency-go/x509"
-)
-
-func TestErrors(t *testing.T) {
-	var tests = []struct {
-		errs        []x509.Error
-		want        string
-		wantVerbose string
-		wantFatal   bool
-	}{
-		{
-			errs: []x509.Error{
-				{Summary: "Error", Field: "a.b.c"},
-			},
-			want:        "Error",
-			wantVerbose: "Error (a.b.c)",
-		},
-		{
-			errs: []x509.Error{
-				{
-					Summary:  "Error",
-					Field:    "a.b.c",
-					SpecRef:  "RFC5280 s4.1.2.2",
-					SpecText: "The serial number MUST be a positive integer",
-					Category: x509.MalformedCertificate,
-				},
-			},
-			want:        "Error",
-			wantVerbose: "Error (a.b.c: Certificate does not comply with MUST clause in spec: RFC5280 s4.1.2.2, 'The serial number MUST be a positive integer')",
-		},
-		{
-			errs: []x509.Error{
-				{
-					Summary:  "Error",
-					Field:    "a.b.c",
-					SpecRef:  "RFC5280 s4.1.2.2",
-					SpecText: "The serial number MUST be a positive integer",
-				},
-			},
-			want:        "Error",
-			wantVerbose: "Error (a.b.c: RFC5280 s4.1.2.2, 'The serial number MUST be a positive integer')",
-		},
-		{
-			errs: []x509.Error{
-				{
-					Summary:  "Error",
-					Field:    "a.b.c",
-					SpecRef:  "RFC5280 s4.1.2.2",
-					Category: x509.MalformedCertificate,
-				},
-			},
-			want:        "Error",
-			wantVerbose: "Error (a.b.c: Certificate does not comply with MUST clause in spec: RFC5280 s4.1.2.2)",
-		},
-		{
-			errs: []x509.Error{
-				{
-					Summary:  "Error",
-					Field:    "a.b.c",
-					SpecText: "The serial number MUST be a positive integer",
-					Category: x509.MalformedCertificate,
-				},
-			},
-			want:        "Error",
-			wantVerbose: "Error (a.b.c: Certificate does not comply with MUST clause in spec: 'The serial number MUST be a positive integer')",
-		},
-		{
-			errs: []x509.Error{
-				{
-					Summary: "Error",
-					Field:   "a.b.c",
-					SpecRef: "RFC5280 s4.1.2.2",
-				},
-			},
-			want:        "Error",
-			wantVerbose: "Error (a.b.c: RFC5280 s4.1.2.2)",
-		},
-		{
-			errs: []x509.Error{
-				{
-					Summary:  "Error",
-					Field:    "a.b.c",
-					SpecText: "The serial number MUST be a positive integer",
-				},
-			},
-			want:        "Error",
-			wantVerbose: "Error (a.b.c: 'The serial number MUST be a positive integer')",
-		},
-		{
-			errs: []x509.Error{
-				{
-					Summary:  "Error",
-					Field:    "a.b.c",
-					Category: x509.MalformedCertificate,
-				},
-			},
-			want:        "Error",
-			wantVerbose: "Error (a.b.c: Certificate does not comply with MUST clause in spec)",
-		},
-		{
-			errs: []x509.Error{
-				{Summary: "Error"},
-			},
-			want:        "Error",
-			wantVerbose: "Error",
-		},
-		{
-			errs: []x509.Error{
-				{Summary: "Error\nwith newline", Field: "x", Category: x509.InvalidASN1DER},
-			},
-			want:        "Error\nwith newline",
-			wantVerbose: "Error\nwith newline (x: Invalid ASN.1 distinguished encoding)",
-		},
-		{
-			errs: []x509.Error{
-				{Summary: "Error1", Field: "a.b.c"},
-				{Summary: "Error2", Field: "a.b.c.d"},
-				{Summary: "Error3", Field: "x.y.z"},
-			},
-			want:        "Errors:\n  Error1\n  Error2\n  Error3",
-			wantVerbose: "Errors:\n  Error1 (a.b.c)\n  Error2 (a.b.c.d)\n  Error3 (x.y.z)",
-		},
-		{
-			errs: []x509.Error{
-				{Summary: "Error1", Field: "a.b.c"},
-				{Summary: "Error2", Field: "a.b.c.d", Fatal: true},
-				{Summary: "Error3", Field: "x.y.z"},
-			},
-			want:        "Errors:\n  Error1\n  Error2\n  Error3",
-			wantVerbose: "Errors:\n  Error1 (a.b.c)\n  Error2 (a.b.c.d)\n  Error3 (x.y.z)",
-			wantFatal:   true,
-		},
-	}
-
-	for _, test := range tests {
-		errs := x509.Errors{Errs: test.errs}
-		if got := errs.Error(); got != test.want {
-			t.Errorf("Errors(%+v).Error()=%q; want %q", test.errs, got, test.want)
-		}
-		if got := errs.VerboseError(); got != test.wantVerbose {
-			t.Errorf("Errors(%+v).VerboseError()=%q; want %q", test.errs, got, test.wantVerbose)
-		}
-		if got := errs.Fatal(); got != test.wantFatal {
-			t.Errorf("Errors(%+v).Fatal()=%v; want %v", test.errs, got, test.wantFatal)
-		}
-	}
-}
-
-func TestErrorsAppend(t *testing.T) {
-	var errs x509.Errors
-	if got, want := errs.Error(), ""; got != want {
-		t.Errorf("Errors().Error()=%q; want %q", got, want)
-	}
-	if got, want := errs.Empty(), true; got != want {
-		t.Errorf("Errors().Empty()=%t; want %t", got, want)
-	}
-	errs.Errs = append(errs.Errs, x509.Error{
-		Summary: "Error",
-		Field:   "a.b.c",
-		SpecRef: "RFC5280 s4.1.2.2"})
-	if got, want := errs.VerboseError(), "Error (a.b.c: RFC5280 s4.1.2.2)"; got != want {
-		t.Errorf("Errors(%+v).Error=%q; want %q", errs, got, want)
-	}
-	if got, want := errs.Empty(), false; got != want {
-		t.Errorf("Errors().Empty()=%t; want %t", got, want)
-	}
-}
-
-func TestErrorsFilter(t *testing.T) {
-	var errs x509.Errors
-	id := x509.ErrMaxID + 2
-	errs.AddID(id, "arg1", 2, "arg3")
-	baseErr := errs.Error()
-
-	errs.AddID(x509.ErrMaxID + 1)
-	if got, want := errs.Error(), fmt.Sprintf("Errors:\n  %s\n  E%03d: Unknown error ID %v: args []", baseErr, x509.ErrMaxID+1, x509.ErrMaxID+1); got != want {
-		t.Errorf("Errors(%+v).Error=%q; want %q", errs, got, want)
-	}
-
-	errList := fmt.Sprintf("%d, %d", x509.ErrMaxID+1, x509.ErrMaxID+1)
-	filter := x509.ErrorFilter(errList)
-	errs2 := errs.Filter(filter)
-	if got, want := errs2.Error(), baseErr; got != want {
-		t.Errorf("Errors(%+v).Error=%q; want %q", errs, got, want)
-	}
-}

vendor/github.com/google/certificate-transparency-go/x509/errors_test.go

@@ -1,13 +0,0 @@
-package x509
-
-import (
-	"testing"
-)
-
-func TestTemplateIDs(t *testing.T) {
-	for id, template := range idToError {
-		if template.ID != id {
-			t.Errorf("idToError[%v].id=%v; want %v", id, template.ID, id)
-		}
-	}
-}

vendor/github.com/google/certificate-transparency-go/x509/example_test.go

@@ -1,135 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package x509_test
-
-import (
-	"crypto/dsa"
-	"crypto/ecdsa"
-	"crypto/rsa"
-	"encoding/pem"
-	"fmt"
-
-	"github.com/google/certificate-transparency-go/x509"
-)
-
-func ExampleCertificate_Verify() {
-	// Verifying with a custom list of root certificates.
-
-	const rootPEM = `
------BEGIN CERTIFICATE-----
-MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
-MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
-YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG
-EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
-bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
-VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
-h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
-ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
-EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
-DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7
-qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
-VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g
-K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI
-KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n
-ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB
-BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY
-/iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/
-zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza
-HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto
-WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6
-yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
------END CERTIFICATE-----`
-
-	const certPEM = `
------BEGIN CERTIFICATE-----
-MIIDujCCAqKgAwIBAgIIE31FZVaPXTUwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
-BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
-cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwMTI5MTMyNzQzWhcNMTQwNTI5MDAwMDAw
-WjBpMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
-TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEYMBYGA1UEAwwPbWFp
-bC5nb29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfRrObuSW5T7q
-5CnSEqefEmtH4CCv6+5EckuriNr1CjfVvqzwfAhopXkLrq45EQm8vkmf7W96XJhC
-7ZM0dYi1/qOCAU8wggFLMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAa
-BgNVHREEEzARgg9tYWlsLmdvb2dsZS5jb20wCwYDVR0PBAQDAgeAMGgGCCsGAQUF
-BwEBBFwwWjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcy
-LmNydDArBggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5jb20vb2Nz
-cDAdBgNVHQ4EFgQUiJxtimAuTfwb+aUtBn5UYKreKvMwDAYDVR0TAQH/BAIwADAf
-BgNVHSMEGDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAXBgNVHSAEEDAOMAwGCisG
-AQQB1nkCBQEwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29nbGUuY29t
-L0dJQUcyLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAH6RYHxHdcGpMpFE3oxDoFnP+
-gtuBCHan2yE2GRbJ2Cw8Lw0MmuKqHlf9RSeYfd3BXeKkj1qO6TVKwCh+0HdZk283
-TZZyzmEOyclm3UGFYe82P/iDFt+CeQ3NpmBg+GoaVCuWAARJN/KfglbLyyYygcQq
-0SgeDh8dRKUiaW3HQSoYvTvdTuqzwK4CXsr3b5/dAOY8uMuG/IAR3FgwTbZ1dtoW
-RvOTa8hYiU6A475WuZKyEHcwnGYe57u2I2KbMgcKjPniocj4QzgYsVAVKW3IwaOh
-yE+vPxsiUkvQHdO2fojCkY8jg70jxM+gu59tPDNbw3Uh/2Ij310FgTHsnGQMyA==
------END CERTIFICATE-----`
-
-	// First, create the set of root certificates. For this example we only
-	// have one. It's also possible to omit this in order to use the
-	// default root set of the current operating system.
-	roots := x509.NewCertPool()
-	ok := roots.AppendCertsFromPEM([]byte(rootPEM))
-	if !ok {
-		panic("failed to parse root certificate")
-	}
-
-	block, _ := pem.Decode([]byte(certPEM))
-	if block == nil {
-		panic("failed to parse certificate PEM")
-	}
-	cert, err := x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		panic("failed to parse certificate: " + err.Error())
-	}
-
-	opts := x509.VerifyOptions{
-		DNSName: "mail.google.com",
-		Roots:   roots,
-	}
-
-	if _, err := cert.Verify(opts); err != nil {
-		panic("failed to verify certificate: " + err.Error())
-	}
-}
-
-func ExampleParsePKIXPublicKey() {
-	const pubPEM = `
------BEGIN PUBLIC KEY-----
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAlRuRnThUjU8/prwYxbty
-WPT9pURI3lbsKMiB6Fn/VHOKE13p4D8xgOCADpdRagdT6n4etr9atzDKUSvpMtR3
-CP5noNc97WiNCggBjVWhs7szEe8ugyqF23XwpHQ6uV1LKH50m92MbOWfCtjU9p/x
-qhNpQQ1AZhqNy5Gevap5k8XzRmjSldNAFZMY7Yv3Gi+nyCwGwpVtBUwhuLzgNFK/
-yDtw2WcWmUU7NuC8Q6MWvPebxVtCfVp/iQU6q60yyt6aGOBkhAX0LpKAEhKidixY
-nP9PNVBvxgu3XZ4P36gZV6+ummKdBVnc3NqwBLu5+CcdRdusmHPHd5pHf4/38Z3/
-6qU2a/fPvWzceVTEgZ47QjFMTCTmCwNt29cvi7zZeQzjtwQgn4ipN9NibRH/Ax/q
-TbIzHfrJ1xa2RteWSdFjwtxi9C20HUkjXSeI4YlzQMH0fPX6KCE7aVePTOnB69I/
-a9/q96DiXZajwlpq3wFctrs1oXqBp5DVrCIj8hU2wNgB7LtQ1mCtsYz//heai0K9
-PhE4X6hiE0YmeAZjR0uHl8M/5aW9xCoJ72+12kKpWAa0SFRWLy6FejNYCYpkupVJ
-yecLk/4L1W0l6jQQZnWErXZYe0PNFcmwGXy1Rep83kfBRNKRy5tvocalLlwXLdUk
-AIU+2GKjyT3iMuzZxxFxPFMCAwEAAQ==
------END PUBLIC KEY-----`
-
-	block, _ := pem.Decode([]byte(pubPEM))
-	if block == nil {
-		panic("failed to parse PEM block containing the public key")
-	}
-
-	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
-	if err != nil {
-		panic("failed to parse DER encoded public key: " + err.Error())
-	}
-
-	switch pub := pub.(type) {
-	case *rsa.PublicKey:
-		fmt.Println("pub is of type RSA:", pub)
-	case *dsa.PublicKey:
-		fmt.Println("pub is of type DSA:", pub)
-	case *ecdsa.PublicKey:
-		fmt.Println("pub is of type ECDSA:", pub)
-	default:
-		panic("unknown type of public key")
-	}
-}

vendor/github.com/google/certificate-transparency-go/x509/names_test.go

@@ -1,267 +0,0 @@
-// Copyright 2017 Google Inc. All Rights Reserved.
-//
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package x509
-
-import (
-	"bytes"
-	"encoding/hex"
-	"net"
-	"reflect"
-	"strings"
-	"testing"
-
-	"github.com/google/certificate-transparency-go/asn1"
-	"github.com/google/certificate-transparency-go/x509/pkix"
-)
-
-func TestParseGeneralNames(t *testing.T) {
-	var tests = []struct {
-		data    string // as hex
-		want    GeneralNames
-		wantErr string
-	}{
-		{
-			data: ("3012" +
-				("8210" + "7777772e676f6f676c652e636f2e756b")),
-			want: GeneralNames{
-				DNSNames: []string{"www.google.co.uk"},
-			},
-		},
-		{
-			data: ("3024" +
-				("8210" + "7777772e676f6f676c652e636f2e756b") +
-				("8610" + "7777772e676f6f676c652e636f2e756b")),
-			want: GeneralNames{
-				DNSNames: []string{"www.google.co.uk"},
-				URIs:     []string{"www.google.co.uk"},
-			},
-		},
-		{
-			data:    "0a0101",
-			wantErr: "failed to parse GeneralNames sequence",
-		},
-		{
-			data:    "0a",
-			wantErr: "failed to parse GeneralNames:",
-		},
-		{
-			data:    "03000a0101",
-			wantErr: "trailing data",
-		},
-		{
-			data:    ("3005" + ("8703" + "010203")),
-			wantErr: "invalid IP length",
-		},
-	}
-	for _, test := range tests {
-		inData := fromHex(test.data)
-		var got GeneralNames
-		err := parseGeneralNames(inData, &got)
-		if err != nil {
-			if test.wantErr == "" {
-				t.Errorf("parseGeneralNames(%s)=%v; want nil", test.data, err)
-			} else if !strings.Contains(err.Error(), test.wantErr) {
-				t.Errorf("parseGeneralNames(%s)=%v; want %q", test.data, err, test.wantErr)
-			}
-			continue
-		}
-		if test.wantErr != "" {
-			t.Errorf("parseGeneralNames(%s)=%+v,nil; want %q", test.data, got, test.wantErr)
-			continue
-		}
-		if !reflect.DeepEqual(got, test.want) {
-			t.Errorf("parseGeneralNames(%s)=%+v; want %+v", test.data, got, test.want)
-		}
-	}
-}
-
-func TestParseGeneralName(t *testing.T) {
-	var tests = []struct {
-		data     string // as hex
-		withMask bool
-		want     GeneralNames
-		wantErr  string
-	}{
-		{
-			data: ("a008" +
-				("0603" + "551d0e") + // OID: subject-key-id
-				("0a01" + "01")), // enum=1
-			want: GeneralNames{
-				OtherNames: []OtherName{
-					{
-						TypeID: OIDExtensionSubjectKeyId,
-						Value: asn1.RawValue{
-							Class:      asn1.ClassUniversal,
-							Tag:        asn1.TagEnum,
-							IsCompound: false,
-							Bytes:      fromHex("01"),
-							FullBytes:  fromHex("0a0101"),
-						},
-					},
-				},
-			},
-		},
-		{
-			data: ("8008" +
-				("0603" + "551d0e") + // OID: subject-key-id
-				("0a01" + "01")), // enum=1
-			wantErr: "not compound",
-		},
-		{
-			data: ("a005" +
-				("0603" + "551d0e")), // OID: subject-key-id
-			wantErr: "sequence truncated",
-		},
-		{
-			data: ("8110" + "77777740676f6f676c652e636f2e756b"),
-			want: GeneralNames{
-				EmailAddresses: []string{"www@google.co.uk"},
-			},
-		},
-		{
-			data: ("8210" + "7777772e676f6f676c652e636f2e756b"),
-			want: GeneralNames{
-				DNSNames: []string{"www.google.co.uk"},
-			},
-		},
-		{
-			data: ("844b" +
-				("3049" +
-					("310b" +
-						("3009" +
-							("0603" + "550406") +
-							("1302" + "5553"))) + // "US"
-					("3113" +
-						("3011" +
-							("0603" + "55040a") +
-							("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
-					("3125" +
-						("3023" +
-							("0603" + "550403") +
-							("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732"))))), // "GoogleInternet Authority G2"
-			want: GeneralNames{
-				DirectoryNames: []pkix.Name{
-					{
-						Country:      []string{"US"},
-						Organization: []string{"Google Inc"},
-						CommonName:   "Google Internet Authority G2",
-						Names: []pkix.AttributeTypeAndValue{
-							{Type: pkix.OIDCountry, Value: "US"},
-							{Type: pkix.OIDOrganization, Value: "Google Inc"},
-							{Type: pkix.OIDCommonName, Value: "Google Internet Authority G2"},
-						},
-					},
-				},
-			},
-		},
-		{
-			data:    ("8410" + "7777772e676f6f676c652e636f2e756b"),
-			wantErr: "failed to unmarshal GeneralNames.directoryName",
-		},
-		{
-			data: ("8610" + "7777772e676f6f676c652e636f2e756b"),
-			want: GeneralNames{
-				URIs: []string{"www.google.co.uk"},
-			},
-		},
-		{
-			data: ("8704" + "01020304"),
-			want: GeneralNames{
-				IPNets: []net.IPNet{{IP: net.IP{1, 2, 3, 4}}},
-			},
-		},
-		{
-			data:     ("8708" + "01020304ffffff00"),
-			withMask: true,
-			want: GeneralNames{
-				IPNets: []net.IPNet{{IP: net.IP{1, 2, 3, 4}, Mask: net.IPMask{0xff, 0xff, 0xff, 0x00}}},
-			},
-		},
-		{
-			data: ("8710" + "01020304111213142122232431323334"),
-			want: GeneralNames{
-				IPNets: []net.IPNet{{IP: net.IP{1, 2, 3, 4, 0x11, 0x12, 0x13, 0x14, 0x21, 0x22, 0x23, 0x24, 0x31, 0x32, 0x33, 0x34}}},
-			},
-		},
-		{
-			data:    ("8703" + "010203"),
-			wantErr: "invalid IP length",
-		},
-		{
-			data:     ("8707" + "01020304ffffff"),
-			withMask: true,
-			wantErr:  "invalid IP/mask length",
-		},
-		{
-			data: ("8803" + "551d0e"), // OID: subject-key-id
-			want: GeneralNames{
-				RegisteredIDs: []asn1.ObjectIdentifier{OIDExtensionSubjectKeyId},
-			},
-		},
-		{
-			data:    ("8803" + "551d8e"),
-			wantErr: "syntax error",
-		},
-		{
-			data:    ("9003" + "551d8e"),
-			wantErr: "unknown tag",
-		},
-		{
-			data:    ("8803"),
-			wantErr: "data truncated",
-		},
-	}
-
-	for _, test := range tests {
-		inData := fromHex(test.data)
-		var got GeneralNames
-		_, err := parseGeneralName(inData, &got, test.withMask)
-		if err != nil {
-			if test.wantErr == "" {
-				t.Errorf("parseGeneralName(%s)=%v; want nil", test.data, err)
-			} else if !strings.Contains(err.Error(), test.wantErr) {
-				t.Errorf("parseGeneralName(%s)=%v; want %q", test.data, err, test.wantErr)
-			}
-			continue
-		}
-		if test.wantErr != "" {
-			t.Errorf("parseGeneralName(%s)=%+v,nil; want %q", test.data, got, test.wantErr)
-			continue
-		}
-		if !reflect.DeepEqual(got, test.want) {
-			t.Errorf("parseGeneralName(%s)=%+v; want %+v", test.data, got, test.want)
-		}
-		if got.Empty() {
-			t.Errorf("parseGeneralName(%s).Empty(%+v)=true; want false", test.data, got)
-		}
-		if gotLen, wantLen := got.Len(), 1; gotLen != wantLen {
-			t.Errorf("parseGeneralName(%s).Len(%+v)=%d; want %d", test.data, got, gotLen, wantLen)
-		}
-		if !bytes.Equal(inData, fromHex(test.data)) {
-			t.Errorf("parseGeneralName(%s) modified data to %x", test.data, inData)
-		}
-
-		// Wrap the GeneralName up in a SEQUENCE and check that we get the same result using parseGeneralNames.
-		if test.withMask {
-			continue
-		}
-		seqData := append([]byte{0x30, byte(len(inData))}, inData...)
-		var gotSeq GeneralNames
-		err = parseGeneralNames(seqData, &gotSeq)
-		if err != nil {
-			t.Errorf("parseGeneralNames(%x)=%v; want nil", seqData, err)
-			continue
-		}
-		if !reflect.DeepEqual(gotSeq, test.want) {
-			t.Errorf("parseGeneralNames(%x)=%+v; want %+v", seqData, gotSeq, test.want)
-		}
-	}
-}
-
-func fromHex(s string) []byte {
-	d, _ := hex.DecodeString(s)
-	return d
-}

vendor/github.com/google/certificate-transparency-go/x509/pem_decrypt_test.go

@@ -1,247 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package x509
-
-import (
-	"bytes"
-	"crypto/rand"
-	"encoding/base64"
-	"encoding/pem"
-	"strings"
-	"testing"
-)
-
-func TestDecrypt(t *testing.T) {
-	for i, data := range testData {
-		t.Logf("test %v. %v", i, data.kind)
-		block, rest := pem.Decode(data.pemData)
-		if len(rest) > 0 {
-			t.Error("extra data")
-		}
-		der, err := DecryptPEMBlock(block, data.password)
-		if err != nil {
-			t.Error("decrypt failed: ", err)
-			continue
-		}
-		if _, err := ParsePKCS1PrivateKey(der); err != nil {
-			t.Error("invalid private key: ", err)
-		}
-		plainDER, err := base64.StdEncoding.DecodeString(data.plainDER)
-		if err != nil {
-			t.Fatal("cannot decode test DER data: ", err)
-		}
-		if !bytes.Equal(der, plainDER) {
-			t.Error("data mismatch")
-		}
-	}
-}
-
-func TestEncrypt(t *testing.T) {
-	for i, data := range testData {
-		t.Logf("test %v. %v", i, data.kind)
-		plainDER, err := base64.StdEncoding.DecodeString(data.plainDER)
-		if err != nil {
-			t.Fatal("cannot decode test DER data: ", err)
-		}
-		password := []byte("kremvax1")
-		block, err := EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY", plainDER, password, data.kind)
-		if err != nil {
-			t.Error("encrypt: ", err)
-			continue
-		}
-		if !IsEncryptedPEMBlock(block) {
-			t.Error("PEM block does not appear to be encrypted")
-		}
-		if block.Type != "RSA PRIVATE KEY" {
-			t.Errorf("unexpected block type; got %q want %q", block.Type, "RSA PRIVATE KEY")
-		}
-		if block.Headers["Proc-Type"] != "4,ENCRYPTED" {
-			t.Errorf("block does not have correct Proc-Type header")
-		}
-		der, err := DecryptPEMBlock(block, password)
-		if err != nil {
-			t.Error("decrypt: ", err)
-			continue
-		}
-		if !bytes.Equal(der, plainDER) {
-			t.Errorf("data mismatch")
-		}
-	}
-}
-
-var testData = []struct {
-	kind     PEMCipher
-	password []byte
-	pemData  []byte
-	plainDER string
-}{
-	{
-		kind:     PEMCipherDES,
-		password: []byte("asdf"),
-		pemData: []byte(`
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-CBC,34F09A4FC8DE22B5
-
-WXxy8kbZdiZvANtKvhmPBLV7eVFj2A5z6oAxvI9KGyhG0ZK0skfnt00C24vfU7m5
-ICXeoqP67lzJ18xCzQfHjDaBNs53DSDT+Iz4e8QUep1xQ30+8QKX2NA2coee3nwc
-6oM1cuvhNUDemBH2i3dKgMVkfaga0zQiiOq6HJyGSncCMSruQ7F9iWEfRbFcxFCx
-qtHb1kirfGKEtgWTF+ynyco6+2gMXNu70L7nJcnxnV/RLFkHt7AUU1yrclxz7eZz
-XOH9VfTjb52q/I8Suozq9coVQwg4tXfIoYUdT//O+mB7zJb9HI9Ps77b9TxDE6Gm
-4C9brwZ3zg2vqXcwwV6QRZMtyll9rOpxkbw6NPlpfBqkc3xS51bbxivbO/Nve4KD
-r12ymjFNF4stXCfJnNqKoZ50BHmEEUDu5Wb0fpVn82XrGw7CYc4iug==
------END RSA PRIVATE KEY-----`),
-		plainDER: `
-MIIBPAIBAAJBAPASZe+tCPU6p80AjHhDkVsLYa51D35e/YGa8QcZyooeZM8EHozo
-KD0fNiKI+53bHdy07N+81VQ8/ejPcRoXPlsCAwEAAQJBAMTxIuSq27VpR+zZ7WJf
-c6fvv1OBvpMZ0/d1pxL/KnOAgq2rD5hDtk9b0LGhTPgQAmrrMTKuSeGoIuYE+gKQ
-QvkCIQD+GC1m+/do+QRurr0uo46Kx1LzLeSCrjBk34wiOp2+dwIhAPHfTLRXS2fv
-7rljm0bYa4+eDZpz+E8RcXEgzhhvcQQ9AiAI5eHZJGOyml3MXnQjiPi55WcDOw0w
-glcRgT6QCEtz2wIhANSyqaFtosIkHKqrDUGfz/bb5tqMYTAnBruVPaf/WEOBAiEA
-9xORWeRG1tRpso4+dYy4KdDkuLPIO01KY6neYGm3BCM=`,
-	},
-	{
-		kind:     PEMCipher3DES,
-		password: []byte("asdf"),
-		pemData: []byte(`
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,C1F4A6A03682C2C7
-
-0JqVdBEH6iqM7drTkj+e2W/bE3LqakaiWhb9WUVonFkhyu8ca/QzebY3b5gCvAZQ
-YwBvDcT/GHospKqPx+cxDHJNsUASDZws6bz8ZXWJGwZGExKzr0+Qx5fgXn44Ms3x
-8g1ENFuTXtxo+KoNK0zuAMAqp66Llcds3Fjl4XR18QaD0CrVNAfOdgATWZm5GJxk
-Fgx5f84nT+/ovvreG+xeOzWgvtKo0UUZVrhGOgfKLpa57adumcJ6SkUuBtEFpZFB
-ldw5w7WC7d13x2LsRkwo8ZrDKgIV+Y9GNvhuCCkTzNP0V3gNeJpd201HZHR+9n3w
-3z0VjR/MGqsfcy1ziEWMNOO53At3zlG6zP05aHMnMcZoVXadEK6L1gz++inSSDCq
-gI0UJP4e3JVB7AkgYymYAwiYALAkoEIuanxoc50njJk=
------END RSA PRIVATE KEY-----`),
-		plainDER: `
-MIIBOwIBAAJBANOCXKdoNS/iP/MAbl9cf1/SF3P+Ns7ZeNL27CfmDh0O6Zduaax5
-NBiumd2PmjkaCu7lQ5JOibHfWn+xJsc3kw0CAwEAAQJANX/W8d1Q/sCqzkuAn4xl
-B5a7qfJWaLHndu1QRLNTRJPn0Ee7OKJ4H0QKOhQM6vpjRrz+P2u9thn6wUxoPsef
-QQIhAP/jCkfejFcy4v15beqKzwz08/tslVjF+Yq41eJGejmxAiEA05pMoqfkyjcx
-fyvGhpoOyoCp71vSGUfR2I9CR65oKh0CIC1Msjs66LlfJtQctRq6bCEtFCxEcsP+
-eEjYo/Sk6WphAiEAxpgWPMJeU/shFT28gS+tmhjPZLpEoT1qkVlC14u0b3ECIQDX
-tZZZxCtPAm7shftEib0VU77Lk8MsXJcx2C4voRsjEw==`,
-	},
-	{
-		kind:     PEMCipherAES128,
-		password: []byte("asdf"),
-		pemData: []byte(`
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,D4492E793FC835CC038A728ED174F78A
-
-EyfQSzXSjv6BaNH+NHdXRlkHdimpF9izWlugVJAPApgXrq5YldPe2aGIOFXyJ+QE
-ZIG20DYqaPzJRjTEbPNZ6Es0S2JJ5yCpKxwJuDkgJZKtF39Q2i36JeGbSZQIuWJE
-GZbBpf1jDH/pr0iGonuAdl2PCCZUiy+8eLsD2tyviHUkFLOB+ykYoJ5t8ngZ/B6D
-33U43LLb7+9zD4y3Q9OVHqBFGyHcxCY9+9Qh4ZnFp7DTf6RY5TNEvE3s4g6aDpBs
-3NbvRVvYTgs8K9EPk4K+5R+P2kD8J8KvEIGxVa1vz8QoCJ/jr7Ka2rvNgPCex5/E
-080LzLHPCrXKdlr/f50yhNWq08ZxMWQFkui+FDHPDUaEELKAXV8/5PDxw80Rtybo
-AVYoCVIbZXZCuCO81op8UcOgEpTtyU5Lgh3Mw5scQL0=
------END RSA PRIVATE KEY-----`),
-		plainDER: `
-MIIBOgIBAAJBAMBlj5FxYtqbcy8wY89d/S7n0+r5MzD9F63BA/Lpl78vQKtdJ5dT
-cDGh/rBt1ufRrNp0WihcmZi7Mpl/3jHjiWECAwEAAQJABNOHYnKhtDIqFYj1OAJ3
-k3GlU0OlERmIOoeY/cL2V4lgwllPBEs7r134AY4wMmZSBUj8UR/O4SNO668ElKPE
-cQIhAOuqY7/115x5KCdGDMWi+jNaMxIvI4ETGwV40ykGzqlzAiEA0P9oEC3m9tHB
-kbpjSTxaNkrXxDgdEOZz8X0uOUUwHNsCIAwzcSCiGLyYJTULUmP1ESERfW1mlV78
-XzzESaJpIM/zAiBQkSTcl9VhcJreQqvjn5BnPZLP4ZHS4gPwJAGdsj5J4QIhAOVR
-B3WlRNTXR2WsJ5JdByezg9xzdXzULqmga0OE339a`,
-	},
-	{
-		kind:     PEMCipherAES192,
-		password: []byte("asdf"),
-		pemData: []byte(`
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-192-CBC,E2C9FB02BCA23ADE1829F8D8BC5F5369
-
-cqVslvHqDDM6qwU6YjezCRifXmKsrgEev7ng6Qs7UmDJOpHDgJQZI9fwMFUhIyn5
-FbCu1SHkLMW52Ld3CuEqMnzWMlhPrW8tFvUOrMWPYSisv7nNq88HobZEJcUNL2MM
-Y15XmHW6IJwPqhKyLHpWXyOCVEh4ODND2nV15PCoi18oTa475baxSk7+1qH7GuIs
-Rb7tshNTMqHbCpyo9Rn3UxeFIf9efdl8YLiMoIqc7J8E5e9VlbeQSdLMQOgDAQJG
-ReUtTw8exmKsY4gsSjhkg5uiw7/ZB1Ihto0qnfQJgjGc680qGkT1d6JfvOfeYAk6
-xn5RqS/h8rYAYm64KnepfC9vIujo4NqpaREDmaLdX5MJPQ+SlytITQvgUsUq3q/t
-Ss85xjQEZH3hzwjQqdJvmA4hYP6SUjxYpBM+02xZ1Xw=
------END RSA PRIVATE KEY-----`),
-		plainDER: `
-MIIBOwIBAAJBAMGcRrZiNNmtF20zyS6MQ7pdGx17aFDl+lTl+qnLuJRUCMUG05xs
-OmxmL/O1Qlf+bnqR8Bgg65SfKg21SYuLhiMCAwEAAQJBAL94uuHyO4wux2VC+qpj
-IzPykjdU7XRcDHbbvksf4xokSeUFjjD3PB0Qa83M94y89ZfdILIqS9x5EgSB4/lX
-qNkCIQD6cCIqLfzq/lYbZbQgAAjpBXeQVYsbvVtJrPrXJAlVVQIhAMXpDKMeFPMn
-J0g2rbx1gngx0qOa5r5iMU5w/noN4W2XAiBjf+WzCG5yFvazD+dOx3TC0A8+4x3P
-uZ3pWbaXf5PNuQIgAcdXarvhelH2w2piY1g3BPeFqhzBSCK/yLGxR82KIh8CIQDD
-+qGKsd09NhQ/G27y/DARzOYtml1NvdmCQAgsDIIOLA==`,
-	},
-	{
-		kind:     PEMCipherAES256,
-		password: []byte("asdf"),
-		pemData: []byte(`
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,8E7ED5CD731902CE938957A886A5FFBD
-
-4Mxr+KIzRVwoOP0wwq6caSkvW0iS+GE2h2Ov/u+n9ZTMwL83PRnmjfjzBgfRZLVf
-JFPXxUK26kMNpIdssNnqGOds+DhB+oSrsNKoxgxSl5OBoYv9eJTVYm7qOyAFIsjr
-DRKAcjYCmzfesr7PVTowwy0RtHmYwyXMGDlAzzZrEvaiySFFmMyKKvtoavwaFoc7
-Pz3RZScwIuubzTGJ1x8EzdffYOsdCa9Mtgpp3L136+23dOd6L/qK2EG2fzrJSHs/
-2XugkleBFSMKzEp9mxXKRfa++uidQvMZTFLDK9w5YjrRvMBo/l2BoZIsq0jAIE1N
-sv5Z/KwlX+3MDEpPQpUwGPlGGdLnjI3UZ+cjgqBcoMiNc6HfgbBgYJSU6aDSHuCk
-clCwByxWkBNgJ2GrkwNrF26v+bGJJJNR4SKouY1jQf0=
------END RSA PRIVATE KEY-----`),
-		plainDER: `
-MIIBOgIBAAJBAKy3GFkstoCHIEeUU/qO8207m8WSrjksR+p9B4tf1w5k+2O1V/GY
-AQ5WFCApItcOkQe/I0yZZJk/PmCqMzSxrc8CAwEAAQJAOCAz0F7AW9oNelVQSP8F
-Sfzx7O1yom+qWyAQQJF/gFR11gpf9xpVnnyu1WxIRnDUh1LZwUsjwlDYb7MB74id
-oQIhANPcOiLwOPT4sIUpRM5HG6BF1BI7L77VpyGVk8xNP7X/AiEA0LMHZtk4I+lJ
-nClgYp4Yh2JZ1Znbu7IoQMCEJCjwKDECIGd8Dzm5tViTkUW6Hs3Tlf73nNs65duF
-aRnSglss8I3pAiEAonEnKruawgD8RavDFR+fUgmQiPz4FnGGeVgfwpGG1JECIBYq
-PXHYtPqxQIbD2pScR5qum7iGUh11lEUPkmt+2uqS`,
-	},
-	{
-		// generated with:
-		// openssl genrsa -aes128 -passout pass:asdf -out server.orig.key 128
-		kind:     PEMCipherAES128,
-		password: []byte("asdf"),
-		pemData: []byte(`
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,74611ABC2571AF11B1BF9B69E62C89E7
-
-6ei/MlytjE0FFgZOGQ+jrwomKfpl8kdefeE0NSt/DMRrw8OacHAzBNi3pPEa0eX3
-eND9l7C9meCirWovjj9QWVHrXyugFuDIqgdhQ8iHTgCfF3lrmcttVrbIfMDw+smD
-hTP8O1mS/MHl92NE0nhv0w==
------END RSA PRIVATE KEY-----`),
-		plainDER: `
-MGMCAQACEQC6ssxmYuauuHGOCDAI54RdAgMBAAECEQCWIn6Yv2O+kBcDF7STctKB
-AgkA8SEfu/2i3g0CCQDGNlXbBHX7kQIIK3Ww5o0cYbECCQDCimPb0dYGsQIIeQ7A
-jryIst8=`,
-	},
-}
-
-const incompleteBlockPEM = `
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,74611ABC2571AF11B1BF9B69E62C89E7
-
-6L8yXK2MTQUWBk4ZD6OvCiYp+mXyR1594TQ1K38MxGvDw5pwcDME2Lek8RrR5fd40P2XsL2Z4KKt
-ai+OP1BZUetfK6AW4MiqB2FDyIdOAJ8XeWuZy21Wtsh8wPD6yYOFM/w7WZL8weX3Y0TSeG/T
------END RSA PRIVATE KEY-----`
-
-func TestIncompleteBlock(t *testing.T) {
-	// incompleteBlockPEM contains ciphertext that is not a multiple of the
-	// block size. This previously panicked. See #11215.
-	block, _ := pem.Decode([]byte(incompleteBlockPEM))
-	_, err := DecryptPEMBlock(block, []byte("foo"))
-	if err == nil {
-		t.Fatal("Bad PEM data decrypted successfully")
-	}
-	const expectedSubstr = "block size"
-	if e := err.Error(); !strings.Contains(e, expectedSubstr) {
-		t.Fatalf("Expected error containing %q but got: %q", expectedSubstr, e)
-	}
-}

vendor/github.com/google/certificate-transparency-go/x509/pkcs8_test.go

@@ -1,109 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package x509
-
-import (
-	"bytes"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rsa"
-	"encoding/hex"
-	"reflect"
-	"testing"
-)
-
-// Generated using:
-//   openssl genrsa 1024 | openssl pkcs8 -topk8 -nocrypt
-var pkcs8RSAPrivateKeyHex = `30820278020100300d06092a864886f70d0101010500048202623082025e02010002818100cfb1b5bf9685ffa97b4f99df4ff122b70e59ac9b992f3bc2b3dde17d53c1a34928719b02e8fd17839499bfbd515bd6ef99c7a1c47a239718fe36bfd824c0d96060084b5f67f0273443007a24dfaf5634f7772c9346e10eb294c2306671a5a5e719ae24b4de467291bc571014b0e02dec04534d66a9bb171d644b66b091780e8d020301000102818100b595778383c4afdbab95d2bfed12b3f93bb0a73a7ad952f44d7185fd9ec6c34de8f03a48770f2009c8580bcd275e9632714e9a5e3f32f29dc55474b2329ff0ebc08b3ffcb35bc96e6516b483df80a4a59cceb71918cbabf91564e64a39d7e35dce21cb3031824fdbc845dba6458852ec16af5dddf51a8397a8797ae0337b1439024100ea0eb1b914158c70db39031dd8904d6f18f408c85fbbc592d7d20dee7986969efbda081fdf8bc40e1b1336d6b638110c836bfdc3f314560d2e49cd4fbde1e20b024100e32a4e793b574c9c4a94c8803db5152141e72d03de64e54ef2c8ed104988ca780cd11397bc359630d01b97ebd87067c5451ba777cf045ca23f5912f1031308c702406dfcdbbd5a57c9f85abc4edf9e9e29153507b07ce0a7ef6f52e60dcfebe1b8341babd8b789a837485da6c8d55b29bbb142ace3c24a1f5b54b454d01b51e2ad03024100bd6a2b60dee01e1b3bfcef6a2f09ed027c273cdbbaf6ba55a80f6dcc64e4509ee560f84b4f3e076bd03b11e42fe71a3fdd2dffe7e0902c8584f8cad877cdc945024100aa512fa4ada69881f1d8bb8ad6614f192b83200aef5edf4811313d5ef30a86cbd0a90f7b025c71ea06ec6b34db6306c86b1040670fd8654ad7291d066d06d031`
-
-// Generated using:
-//   openssl ecparam -genkey -name secp224r1 | openssl pkcs8 -topk8 -nocrypt
-var pkcs8P224PrivateKeyHex = `3078020100301006072a8648ce3d020106052b810400210461305f020101041cca3d72b3e88fed2684576dad9b80a9180363a5424986900e3abcab3fa13c033a0004f8f2a6372872a4e61263ed893afb919576a4cacfecd6c081a2cbc76873cf4ba8530703c6042b3a00e2205087e87d2435d2e339e25702fae1`
-
-// Generated using:
-//   openssl ecparam -genkey -name secp256r1 | openssl pkcs8 -topk8 -nocrypt
-var pkcs8P256PrivateKeyHex = `308187020100301306072a8648ce3d020106082a8648ce3d030107046d306b0201010420dad6b2f49ca774c36d8ae9517e935226f667c929498f0343d2424d0b9b591b43a14403420004b9c9b90095476afe7b860d8bd43568cab7bcb2eed7b8bf2fa0ce1762dd20b04193f859d2d782b1e4cbfd48492f1f533113a6804903f292258513837f07fda735`
-
-// Generated using:
-//   openssl ecparam -genkey -name secp384r1 | openssl pkcs8 -topk8 -nocrypt
-var pkcs8P384PrivateKeyHex = `3081b6020100301006072a8648ce3d020106052b8104002204819e30819b02010104309bf832f6aaaeacb78ce47ffb15e6fd0fd48683ae79df6eca39bfb8e33829ac94aa29d08911568684c2264a08a4ceb679a164036200049070ad4ed993c7770d700e9f6dc2baa83f63dd165b5507f98e8ff29b5d2e78ccbe05c8ddc955dbf0f7497e8222cfa49314fe4e269459f8e880147f70d785e530f2939e4bf9f838325bb1a80ad4cf59272ae0e5efe9a9dc33d874492596304bd3`
-
-// Generated using:
-//   openssl ecparam -genkey -name secp521r1 | openssl pkcs8 -topk8 -nocrypt
-//
-// Note that OpenSSL will truncate the private key if it can (i.e. it emits it
-// like an integer, even though it's an OCTET STRING field). Thus if you
-// regenerate this you may, randomly, find that it's a byte shorter than
-// expected and the Go test will fail to recreate it exactly.
-var pkcs8P521PrivateKeyHex = `3081ee020100301006072a8648ce3d020106052b810400230481d63081d3020101044200cfe0b87113a205cf291bb9a8cd1a74ac6c7b2ebb8199aaa9a5010d8b8012276fa3c22ac913369fa61beec2a3b8b4516bc049bde4fb3b745ac11b56ab23ac52e361a1818903818600040138f75acdd03fbafa4f047a8e4b272ba9d555c667962b76f6f232911a5786a0964e5edea6bd21a6f8725720958de049c6e3e6661c1c91b227cebee916c0319ed6ca003db0a3206d372229baf9dd25d868bf81140a518114803ce40c1855074d68c4e9dab9e65efba7064c703b400f1767f217dac82715ac1f6d88c74baf47a7971de4ea`
-
-func TestPKCS8(t *testing.T) {
-	tests := []struct {
-		name    string
-		keyHex  string
-		keyType reflect.Type
-		curve   elliptic.Curve
-	}{
-		{
-			name:    "RSA private key",
-			keyHex:  pkcs8RSAPrivateKeyHex,
-			keyType: reflect.TypeOf(&rsa.PrivateKey{}),
-		},
-		{
-			name:    "P-224 private key",
-			keyHex:  pkcs8P224PrivateKeyHex,
-			keyType: reflect.TypeOf(&ecdsa.PrivateKey{}),
-			curve:   elliptic.P224(),
-		},
-		{
-			name:    "P-256 private key",
-			keyHex:  pkcs8P256PrivateKeyHex,
-			keyType: reflect.TypeOf(&ecdsa.PrivateKey{}),
-			curve:   elliptic.P256(),
-		},
-		{
-			name:    "P-384 private key",
-			keyHex:  pkcs8P384PrivateKeyHex,
-			keyType: reflect.TypeOf(&ecdsa.PrivateKey{}),
-			curve:   elliptic.P384(),
-		},
-		{
-			name:    "P-521 private key",
-			keyHex:  pkcs8P521PrivateKeyHex,
-			keyType: reflect.TypeOf(&ecdsa.PrivateKey{}),
-			curve:   elliptic.P521(),
-		},
-	}
-
-	for _, test := range tests {
-		derBytes, err := hex.DecodeString(test.keyHex)
-		if err != nil {
-			t.Errorf("%s: failed to decode hex: %s", test.name, err)
-			continue
-		}
-		privKey, err := ParsePKCS8PrivateKey(derBytes)
-		if err != nil {
-			t.Errorf("%s: failed to decode PKCS#8: %s", test.name, err)
-			continue
-		}
-		if reflect.TypeOf(privKey) != test.keyType {
-			t.Errorf("%s: decoded PKCS#8 returned unexpected key type: %T", test.name, privKey)
-			continue
-		}
-		if ecKey, isEC := privKey.(*ecdsa.PrivateKey); isEC && ecKey.Curve != test.curve {
-			t.Errorf("%s: decoded PKCS#8 returned unexpected curve %#v", test.name, ecKey.Curve)
-			continue
-		}
-		reserialised, err := MarshalPKCS8PrivateKey(privKey)
-		if err != nil {
-			t.Errorf("%s: failed to marshal into PKCS#8: %s", test.name, err)
-			continue
-		}
-		if !bytes.Equal(derBytes, reserialised) {
-			t.Errorf("%s: marshalled PKCS#8 didn't match original: got %x, want %x", test.name, reserialised, derBytes)
-			continue
-		}
-	}
-}

vendor/github.com/google/certificate-transparency-go/x509/root_darwin_test.go

@@ -1,80 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package x509
-
-import (
-	"runtime"
-	"testing"
-	"time"
-)
-
-func TestSystemRoots(t *testing.T) {
-	switch runtime.GOARCH {
-	case "arm", "arm64":
-		t.Skipf("skipping on %s/%s, no system root", runtime.GOOS, runtime.GOARCH)
-	}
-
-	switch runtime.GOOS {
-	case "darwin":
-		t.Skipf("skipping on %s/%s until cgo part of golang.org/issue/16532 has been implemented.", runtime.GOOS, runtime.GOARCH)
-	}
-
-	t0 := time.Now()
-	sysRoots := systemRootsPool() // actual system roots
-	sysRootsDuration := time.Since(t0)
-
-	t1 := time.Now()
-	execRoots, err := execSecurityRoots() // non-cgo roots
-	execSysRootsDuration := time.Since(t1)
-
-	if err != nil {
-		t.Fatalf("failed to read system roots: %v", err)
-	}
-
-	t.Logf("    cgo sys roots: %v", sysRootsDuration)
-	t.Logf("non-cgo sys roots: %v", execSysRootsDuration)
-
-	for _, tt := range []*CertPool{sysRoots, execRoots} {
-		if tt == nil {
-			t.Fatal("no system roots")
-		}
-		// On Mavericks, there are 212 bundled certs, at least
-		// there was at one point in time on one machine.
-		// (Maybe it was a corp laptop with extra certs?)
-		// Other OS X users report
-		// 135, 142, 145...  Let's try requiring at least 100,
-		// since this is just a sanity check.
-		t.Logf("got %d roots", len(tt.certs))
-		if want, have := 100, len(tt.certs); have < want {
-			t.Fatalf("want at least %d system roots, have %d", want, have)
-		}
-	}
-
-	// Check that the two cert pools are roughly the same;
-	// |A∩B| > max(|A|, |B|) / 2 should be a reasonably robust check.
-
-	isect := make(map[string]bool, len(sysRoots.certs))
-	for _, c := range sysRoots.certs {
-		isect[string(c.Raw)] = true
-	}
-
-	have := 0
-	for _, c := range execRoots.certs {
-		if isect[string(c.Raw)] {
-			have++
-		}
-	}
-
-	var want int
-	if nsys, nexec := len(sysRoots.certs), len(execRoots.certs); nsys > nexec {
-		want = nsys / 2
-	} else {
-		want = nexec / 2
-	}
-
-	if have < want {
-		t.Errorf("insufficient overlap between cgo and non-cgo roots; want at least %d, have %d", want, have)
-	}
-}

vendor/github.com/google/certificate-transparency-go/x509/root_unix_test.go

@@ -1,127 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build dragonfly freebsd linux netbsd openbsd solaris
-
-package x509
-
-import (
-	"fmt"
-	"os"
-	"testing"
-)
-
-const (
-	testDir     = "testdata"
-	testDirCN   = "test-dir"
-	testFile    = "test-file.crt"
-	testFileCN  = "test-file"
-	testMissing = "missing"
-)
-
-func TestEnvVars(t *testing.T) {
-	testCases := []struct {
-		name    string
-		fileEnv string
-		dirEnv  string
-		files   []string
-		dirs    []string
-		cns     []string
-	}{
-		{
-			// Environment variables override the default locations preventing fall through.
-			name:    "override-defaults",
-			fileEnv: testMissing,
-			dirEnv:  testMissing,
-			files:   []string{testFile},
-			dirs:    []string{testDir},
-			cns:     nil,
-		},
-		{
-			// File environment overrides default file locations.
-			name:    "file",
-			fileEnv: testFile,
-			dirEnv:  "",
-			files:   nil,
-			dirs:    nil,
-			cns:     []string{testFileCN},
-		},
-		{
-			// Directory environment overrides default directory locations.
-			name:    "dir",
-			fileEnv: "",
-			dirEnv:  testDir,
-			files:   nil,
-			dirs:    nil,
-			cns:     []string{testDirCN},
-		},
-		{
-			// File & directory environment overrides both default locations.
-			name:    "file+dir",
-			fileEnv: testFile,
-			dirEnv:  testDir,
-			files:   nil,
-			dirs:    nil,
-			cns:     []string{testFileCN, testDirCN},
-		},
-		{
-			// Environment variable empty / unset uses default locations.
-			name:    "empty-fall-through",
-			fileEnv: "",
-			dirEnv:  "",
-			files:   []string{testFile},
-			dirs:    []string{testDir},
-			cns:     []string{testFileCN, testDirCN},
-		},
-	}
-
-	// Save old settings so we can restore before the test ends.
-	origCertFiles, origCertDirectories := certFiles, certDirectories
-	origFile, origDir := os.Getenv(certFileEnv), os.Getenv(certDirEnv)
-	defer func() {
-		certFiles = origCertFiles
-		certDirectories = origCertDirectories
-		os.Setenv(certFileEnv, origFile)
-		os.Setenv(certDirEnv, origDir)
-	}()
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			if err := os.Setenv(certFileEnv, tc.fileEnv); err != nil {
-				t.Fatalf("setenv %q failed: %v", certFileEnv, err)
-			}
-			if err := os.Setenv(certDirEnv, tc.dirEnv); err != nil {
-				t.Fatalf("setenv %q failed: %v", certDirEnv, err)
-			}
-
-			certFiles, certDirectories = tc.files, tc.dirs
-
-			r, err := loadSystemRoots()
-			if err != nil {
-				t.Fatal("unexpected failure:", err)
-			}
-
-			if r == nil {
-				if tc.cns == nil {
-					// Expected nil
-					return
-				}
-				t.Fatal("nil roots")
-			}
-
-			// Verify that the returned certs match, otherwise report where the mismatch is.
-			for i, cn := range tc.cns {
-				if i >= len(r.certs) {
-					t.Errorf("missing cert %v @ %v", cn, i)
-				} else if r.certs[i].Subject.CommonName != cn {
-					fmt.Printf("%#v\n", r.certs[0].Subject)
-					t.Errorf("unexpected cert common name %q, want %q", r.certs[i].Subject.CommonName, cn)
-				}
-			}
-			if len(r.certs) > len(tc.cns) {
-				t.Errorf("got %v certs, which is more than %v wanted", len(r.certs), len(tc.cns))
-			}
-		})
-	}
-}

vendor/github.com/google/certificate-transparency-go/x509/sec1_test.go

@@ -1,44 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package x509
-
-import (
-	"bytes"
-	"encoding/hex"
-	"testing"
-)
-
-var ecKeyTests = []struct {
-	derHex            string
-	shouldReserialize bool
-}{
-	// Generated using:
-	//   openssl ecparam -genkey -name secp384r1 -outform PEM
-	{"3081a40201010430bdb9839c08ee793d1157886a7a758a3c8b2a17a4df48f17ace57c72c56b4723cf21dcda21d4e1ad57ff034f19fcfd98ea00706052b81040022a16403620004feea808b5ee2429cfcce13c32160e1c960990bd050bb0fdf7222f3decd0a55008e32a6aa3c9062051c4cba92a7a3b178b24567412d43cdd2f882fa5addddd726fe3e208d2c26d733a773a597abb749714df7256ead5105fa6e7b3650de236b50", true},
-	// This key was generated by GnuTLS and has illegal zero-padding of the
-	// private key. See https://golang.org/issues/13699.
-	{"3078020101042100f9f43a04b9bdc3ab01f53be6df80e7a7bc3eaf7b87fc24e630a4a0aa97633645a00a06082a8648ce3d030107a1440342000441a51bc318461b4c39a45048a16d4fc2a935b1ea7fe86e8c1fa219d6f2438f7c7fd62957d3442efb94b6a23eb0ea66dda663dc42f379cda6630b21b7888a5d3d", false},
-	// This was generated using an old version of OpenSSL and is missing a
-	// leading zero byte in the private key that should be present.
-	{"3081db0201010441607b4f985774ac21e633999794542e09312073480baa69550914d6d43d8414441e61b36650567901da714f94dffb3ce0e2575c31928a0997d51df5c440e983ca17a00706052b81040023a181890381860004001661557afedd7ac8d6b70e038e576558c626eb62edda36d29c3a1310277c11f67a8c6f949e5430a37dcfb95d902c1b5b5379c389873b9dd17be3bdb088a4774a7401072f830fb9a08d93bfa50a03dd3292ea07928724ddb915d831917a338f6b0aecfbc3cf5352c4a1295d356890c41c34116d29eeb93779aab9d9d78e2613437740f6", false},
-}
-
-func TestParseECPrivateKey(t *testing.T) {
-	for i, test := range ecKeyTests {
-		derBytes, _ := hex.DecodeString(test.derHex)
-		key, err := ParseECPrivateKey(derBytes)
-		if err != nil {
-			t.Fatalf("#%d: failed to decode EC private key: %s", i, err)
-		}
-		serialized, err := MarshalECPrivateKey(key)
-		if err != nil {
-			t.Fatalf("#%d: failed to encode EC private key: %s", i, err)
-		}
-		matches := bytes.Equal(serialized, derBytes)
-		if matches != test.shouldReserialize {
-			t.Fatalf("#%d: when serializing key: matches=%t, should match=%t: original %x, reserialized %x", i, matches, test.shouldReserialize, serialized, derBytes)
-		}
-	}
-}

vendor/github.com/google/certificate-transparency-go/x509/sha2_windows_test.go

@@ -1,19 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package x509
-
-import "syscall"
-
-func init() {
-	v, err := syscall.GetVersion()
-	if err != nil {
-		return
-	}
-	if major := byte(v); major < 6 {
-		// Windows XP SP2 and Windows 2003 do not support SHA2.
-		// http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx
-		supportSHA2 = false
-	}
-}

vendor/github.com/google/certificate-transparency-go/x509/testdata/test-dir.crt

@@ -1,31 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFazCCA1OgAwIBAgIJAL8a/lsnspOqMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV
-BAYTAlVLMRMwEQYDVQQIDApUZXN0LVN0YXRlMRUwEwYDVQQKDAxHb2xhbmcgVGVz
-dHMxETAPBgNVBAMMCHRlc3QtZGlyMB4XDTE3MDIwMTIzNTAyN1oXDTI3MDEzMDIz
-NTAyN1owTDELMAkGA1UEBhMCVUsxEzARBgNVBAgMClRlc3QtU3RhdGUxFTATBgNV
-BAoMDEdvbGFuZyBUZXN0czERMA8GA1UEAwwIdGVzdC1kaXIwggIiMA0GCSqGSIb3
-DQEBAQUAA4ICDwAwggIKAoICAQDzBoi43Yn30KN13PKFHu8LA4UmgCRToTukLItM
-WK2Je45grs/axg9n3YJOXC6hmsyrkOnyBcx1xVNgSrOAll7fSjtChRIX72Xrloxu
-XewtWVIrijqz6oylbvEmbRT3O8uynu5rF82Pmdiy8oiSfdywjKuPnE0hjV1ZSCql
-MYcXqA+f0JFD8kMv4pbtxjGH8f2DkYQz+hHXLrJH4/MEYdVMQXoz/GDzLyOkrXBN
-hpMaBBqg1p0P+tRdfLXuliNzA9vbZylzpF1YZ0gvsr0S5Y6LVtv7QIRygRuLY4kF
-k+UYuFq8NrV8TykS7FVnO3tf4XcYZ7r2KV5FjYSrJtNNo85BV5c3xMD3fJ2XcOWk
-+oD1ATdgAM3aKmSOxNtNItKKxBe1mkqDH41NbWx7xMad78gDznyeT0tjEOltN2bM
-uXU1R/jgR/vq5Ec0AhXJyL/ziIcmuV2fSl/ZxT4ARD+16tgPiIx+welTf0v27/JY
-adlfkkL5XsPRrbSguISrj7JeaO/gjG3KnDVHcZvYBpDfHqRhCgrosfe26TZcTXx2
-cRxOfvBjMz1zJAg+esuUzSkerreyRhzD7RpeZTwi6sxvx82MhYMbA3w1LtgdABio
-9JRqZy3xqsIbNv7N46WO/qXL1UMRKb1UyHeW8g8btboz+B4zv1U0Nj+9qxPBbQui
-dgL9LQIDAQABo1AwTjAdBgNVHQ4EFgQUy0/0W8nwQfz2tO6AZ2jPkEiTzvUwHwYD
-VR0jBBgwFoAUy0/0W8nwQfz2tO6AZ2jPkEiTzvUwDAYDVR0TBAUwAwEB/zANBgkq
-hkiG9w0BAQsFAAOCAgEAvEVnUYsIOt87rggmLPqEueynkuQ+562M8EDHSQl82zbe
-xDCxeg3DvPgKb+RvaUdt1362z/szK10SoeMgx6+EQLoV9LiVqXwNqeYfixrhrdw3
-ppAhYYhymdkbUQCEMHypmXP1vPhAz4o8Bs+eES1M+zO6ErBiD7SqkmBElT+GixJC
-6epC9ZQFs+dw3lPlbiZSsGE85sqc3VAs0/JgpL/pb1/Eg4s0FUhZD2C2uWdSyZGc
-g0/v3aXJCp4j/9VoNhI1WXz3M45nysZIL5OQgXymLqJElQa1pZ3Wa4i/nidvT4AT
-Xlxc/qijM8set/nOqp7hVd5J0uG6qdwLRILUddZ6OpXd7ZNi1EXg+Bpc7ehzGsDt
-3UFGzYXDjxYnK2frQfjLS8stOQIqSrGthW6x0fdkVx0y8BByvd5J6+JmZl4UZfzA
-m99VxXSt4B9x6BvnY7ktzcFDOjtuLc4B/7yg9fv1eQuStA4cHGGAttsCg1X/Kx8W
-PvkkeH0UWDZ9vhH9K36703z89da6MWF+bz92B0+4HoOmlVaXRkvblsNaynJnL0LC
-Ayry7QBxuh5cMnDdRwJB3AVJIiJ1GVpb7aGvBOnx+s2lwRv9HWtghb+cbwwktx1M
-JHyBf3GZNSWTpKY7cD8V+NnBv3UuioOVVo+XAU4LF/bYUjdRpxWADJizNtZrtFo=
------END CERTIFICATE-----