From 2ddac9352f48aa6ae386f8b1d001fe4b6c2ff2fd Mon Sep 17 00:00:00 2001
From: deepak1556 <hop2deep@gmail.com>
Date: Mon, 18 Apr 2016 21:53:44 +0530
Subject: [PATCH] add spec

---
 spec/api-app-spec.js                          |  61 +++++++++
 spec/fixtures/certificates/certs.cnf          |  68 ++++++++++
 spec/fixtures/certificates/client.p12         | Bin 0 -> 4149 bytes
 spec/fixtures/certificates/generate_certs.sh  | 127 ++++++++++++++++++
 spec/fixtures/certificates/intermediateCA.pem |  78 +++++++++++
 spec/fixtures/certificates/rootCA.pem         |  19 +++
 spec/fixtures/certificates/server.key         |  27 ++++
 spec/fixtures/certificates/server.pem         |  88 ++++++++++++
 8 files changed, 468 insertions(+)
 create mode 100644 spec/fixtures/certificates/certs.cnf
 create mode 100644 spec/fixtures/certificates/client.p12
 create mode 100755 spec/fixtures/certificates/generate_certs.sh
 create mode 100644 spec/fixtures/certificates/intermediateCA.pem
 create mode 100644 spec/fixtures/certificates/rootCA.pem
 create mode 100644 spec/fixtures/certificates/server.key
 create mode 100644 spec/fixtures/certificates/server.pem

diff --git a/spec/api-app-spec.js b/spec/api-app-spec.js
index c237ef1723..1f5452713b 100644
--- a/spec/api-app-spec.js
+++ b/spec/api-app-spec.js
@@ -1,5 +1,7 @@
 const assert = require('assert')
 const ChildProcess = require('child_process')
+const https = require('https')
+const fs = require('fs')
 const path = require('path')
 const remote = require('electron').remote
 
@@ -87,6 +89,65 @@ describe('app module', function () {
     })
   })
 
+  describe('app.importClientCertificate', function () {
+    if (process.platform !== 'linux')
+      return
+
+    this.timeout(5000)
+
+    var port
+    var w = null
+    var certPath = path.join(__dirname, 'fixtures', 'certificates')
+    var options = {
+      key: fs.readFileSync(path.join(certPath, 'server.key')),
+      cert: fs.readFileSync(path.join(certPath, 'server.pem')),
+      ca: [
+        fs.readFileSync(path.join(certPath, 'rootCA.pem')),
+        fs.readFileSync(path.join(certPath, 'intermediateCA.pem'))
+      ],
+      requestCert: true,
+      rejectUnauthorized: false
+    }
+
+    var server = https.createServer(options, function (req, res) {
+      if (req.client.authorized) {
+        res.writeHead(200);
+        res.end('authorized');
+      }
+    })
+    server.listen(0, '127.0.0.1', function () {
+      port = server.address().port
+    })
+
+    afterEach(function () {
+      if (w != null) {
+        w.destroy()
+      }
+      w = null
+    })
+
+    it('can import certificate into platform cert store', function (done) {
+      let options = {
+        clientCertificate: path.join(certPath, 'client.p12'),
+        password: 'electron'
+      }
+
+      w = new BrowserWindow({
+        show: false
+      })
+
+      w.webContents.on('did-finish-load', function () {
+        server.close()
+        done()
+      })
+
+      app.importClientCertificate(options, function (result) {
+        assert(!result)
+        w.loadURL(`https://127.0.0.1:${port}`)
+      })
+    })
+  })
+
   describe('BrowserWindow events', function () {
     var w = null
 
diff --git a/spec/fixtures/certificates/certs.cnf b/spec/fixtures/certificates/certs.cnf
new file mode 100644
index 0000000000..d8b5c66e13
--- /dev/null
+++ b/spec/fixtures/certificates/certs.cnf
@@ -0,0 +1,68 @@
+ID=1
+CA_DIR=out
+
+[ca]
+default_ca = ca_settings
+
+[ca_settings]
+dir             = ${ENV::CA_DIR}
+database        = $dir/${ENV::ID}-index.txt
+new_certs_dir   = $dir
+serial          = $dir/${ENV::ID}-serial
+certificate     = $dir/${ENV::ID}.pem
+private_key     = $dir/${ENV::ID}.key
+RANDFILE        = $dir/rand
+default_md      = sha256
+default_days    = 3650
+policy          = policy_anything
+preserve   = no
+
+[policy_anything]
+# Default signing policy
+countryName            = optional
+stateOrProvinceName    = optional
+localityName           = optional
+organizationName       = optional
+organizationalUnitName = optional
+commonName             = supplied
+emailAddress           = optional
+
+[req]
+default_bits       = 2048
+default_md         = sha256
+string_mask        = utf8only
+distinguished_name = req_env_dn
+prompt = no
+
+[user_cert]
+basicConstraints = CA:FALSE
+nsCertType = client
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[server_cert]
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ca_cert]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ca_intermediate_cert]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[req_env_dn]
+commonName = ${ENV::COMMON_NAME}
diff --git a/spec/fixtures/certificates/client.p12 b/spec/fixtures/certificates/client.p12
new file mode 100644
index 0000000000000000000000000000000000000000..7543c7d38904f15708eae001c285f1ab6be1e6e1
GIT binary patch
literal 4149
zcmV-55X$c`f)FtR0Ru3C5BCNMDuzgg_YDCD0ic2p=mdff<S>E{;4p#;mj($chDe6@
z4FLxRpn?jBFoFt%0s#Opf(m^G2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I={dO^%
zO7DWJ0s;sCfPxB85~{iQQg4MD%SLd$KTBn5^`^8|RScng^sFg%4Dy7xF+hPwBQDD?
z;u-Z5EP*H{ecz)*=<VpIw_R!|a+1pp$8~fl5J&rK%|U(no%C-0s1B<D(DLtZ>F3F=
zrMuDyw~)Pkq#adbSV(Y%UB63E+6)h}f>+2?;YYypermyCaxN<2p&&1cl7kL+XSsN<
z+e6Ls9-OsIq1WTd*QkEiWo?SXhH>Em>lchy(B7e*fujcM8dCH#8LZ{t9n)&!g+)wk
z?}NBil+rq<$zgZL7S`@RY1?XZ8C_>ERVa0D;|2u!N}pQs3m2r^E4~Lx2-kcb?Axh|
zC;+s!kzZ~53{w54{3IAuOK2yn(FwSOB$qU}X8CkSBOj4X1k8E0gzXI>hD<x;=g#Ri
zz_V%S9N`)M-`B$UB724`ZQn5*{3f=;E*%H^2E=3dH*uGm6jizQw5(H<?t@{ve?N=w
zKy@^@;;CAR85A5)BJA+lgZYF&Y&Dh;m1xl?=Xv}-9dtHZ8ce_RTx_@+AjO}BPfP7(
zhC|c{(<Ntkbj%{8a^%Ct;joKJk3>2y45T^@`sA472*6o%ZEea212_5>qYA_6ho%C#
z7aTh~b&UXJroNwL-%5&YkPa5e%GTSw5GYHL-O<W)o}P{pEuhfN>AL$*XB@9c<QG#q
zO$oT>iJHKpqVRoth|ZvI^OAk&P2=D8Dl72|)3|y@gD>kJ;vk2sOe-7z<l7NW>R=zg
zt056nJ#HEV?6&}iE^s{rgzBg2Q<}JXr;*KVg;-KjEDda~==?G^(|w5CqXJ`9VbV7v
zaYPVc@fC>Ei|vxAN(3oAo!<fTfkpNDYxuc2{IvG?Dq{8EejDpP#AI&Sj#c1@e$TUT
z#fRg$h4fKG2U6c)@jaQ-L@KbtarGVg#WcV8h87FV+tm8+KeMgPe^%ck<-j33JSDR*
zISl9^FTQRW({mYT+1eX}rD1k}o?IdZeiiqB&!XEg&mf+Jsj(jwDK6N5;QrQ)C#N3o
zl^xz9PKs@bYVRLE>+IrQ;+2rNVonPDd=>t_0!n#Bolh`uA_x8hhgPaZgDtfIfpgE3
zD3MF#m1*04>{BvMHp1$AQB|<{DnnIQE6hX7u5~tR6Ro#lzVXa3RCezu>-5z==awi%
z3OgbvC2BU?*l8-Ca3voL;0y?JEzSkLSmVfJ3xn$(!J)x(>+1iEfTQv5w+)VvU@;zt
zuzp~|FEaJ!v>e<qWxqlK`Vc*7=QpOV#YTGl8dKR+m)uC<m{SLZ-C7`+-Yt5<<Pxv?
zhv#DJw!$RaTM3H9IUynK>tO;jfKU<x;QT8gS&K^9jFiL61m(B@&DP&5(`Qwz1+Zm$
zn*r|Szz6nfpC%2Hr;1hD76rksX<SKZ!<>H!4o(63t^}GrcAv$HY}Wq#(C$Saqk5u=
zSOs0A*_u_qSmnjEYA+$l;OIlk@`ofo{KUf#)y>bCM`(Jvh0CpjZvck@x|qfF7ZeWI
zC(G2wert-(Ix>8?`XS2oYJyDXiK|YHH;U=w98a{C0S#R11cYRPle^+z=1Df&V6!aU
z9%2VdDhy`n+gk%K*<aj-jzm&RWnX)r=O{s2L6@4fpaF?sw#^>V#tTA#lZ~8b1i#V}
zIbWHdm&YPMs(PIAyUN}USC^SoUzVXwPz#CrUzc56B!X(m-MzPi-lqA}n%$-Ow;?lO
zHsZ5M-lNjpQfTC7qT+mqM4O(rCbTTSIX_6D2-L9tEOD_3;^vI)Vg=1hP|qJS3#H<u
z5FeoA_42Dll47%MXUcvFQ4g#y0BF<K?g;rKe?p8ST+w69A0ewOd!t_j;acH*x8kA4
zj8*S{3iWBGYK(`d(U8QFjTvEEdCj+8%gp;U`4-OhV9LL9&S?6^S|Ge<ZG!_z+kBV_
zvfQrnoIBdC7gN(`v#+DcpdEoV_&D0au~tdZ)<JW)7QUq%Nf_j}RABLCSICmpTL1ro
zGM!B3CB)~CMA=Euz643Z<1UL0M}G)j-k@2BODCbi3|hdP{qB7()@Kn$0k+pD=Icd*
z#dF!`E*?#~lM96tcz9NRebr3sk#$nmlZ$|ax<{Vt$*(UURj^QK&*<{0mGq7o3IgFc
zUVeG&(W+-=%z9Jq@p4F)`<2+{u`*)CV@K}iXM&25r62i*$^PjjpATn!g?m11046X`
z>=3ZobI=kBB$u@m+t+;}{B3}s8?SvHs9*<N8x0w{KpE?YK3>CsbO#*~u6vO^hTs0u
zYtB8#r2PTRl-PS|@MyJ<Sa^Gr=hbX#o#2I2_3#XK)H(ulG1j`yR*W~BBK76uRWIJ-
z1Fb)3%|v9Z`R=!S_MpA)4U(MKkCuE&m7VF|_&t)yd4p1-@quZsnSdUZAc(P{CL?H5
zZAf=j!LW(|96Ms2_Gia|p2!FW19UVmXyk>vzJN1nM4eW@kk2awF7%QExl>A23CN+I
z#E`3|1*hbizIPds&K@|Wep(X^420H@kijXtuI*6=#kjrFj$T^cfu66H+x<SRh%cu!
zmiObK8kNK+3l}3bxx)F9eq!dlYHK*KVzwo^iQ!PqxofREXnGdgRSKNhz3lam5;p5B
zqF}mF?0-F%`s0RId_@{3nCzOVo)AUf0o6?%W|)^7U6<-;;YYVC_oXDeau+I}0=ExQ
zP~UsRVi4=3o_Qw9bEP{Yu>C4-O622G#dguYNyN;biZ;*)&&H%P^!m#T59hD~-=!+c
zxZOxy#sLY5PnTHdPh+%c8)Hx&ck80v&J@Q1BwZ-bzt_DF=)S_0VLAy$-J1i1*1!aJ
zI`B&5wDs*sKgRIAeB#?!XdOqW3@PuP0e<ht#PWZPKHaaF=^ZbFRzJT|0Vfne7>sQ>
zX9&wYN~}98A1%=AY?l!09Xkj|Hrxv;*VP6)ITD+Afpjjy=K~sxfsZTSyFYR~txkG!
zh|e3%0=?Fs>k*Ou!4~RuE+T@|4&l?gh)m`{T6c=Mj8G_95@D;QN;7|OlxRC))#+pH
z2o*2KSl;B{oSZ;A+#JJP#%=f0Mv#YB=&uA3r4)Yi_MUBnC%QSrZe4n0K;k(gv}o6>
zpk>3qg7{VpA3ZwKHUXR74pY{kT+MO(+xAPEATo<MX`58s#V)S&Gi|)m=CP|B^_g8&
zu@x$!|IZY}bw&beV}5+Yw~co)oYQXQuKzh8?JW!uD(3-|icbRP(&EMone81cix<Py
zr7S7XhhK8LahGXo_g!_NDyOaT+oq@}I-G95(t6(!OlVD4(m=4=s#}6|%%f@zMAVEA
zU&yI3@L`T~)N^eveTYJljN#(%IiUFMMYz}%i|1O+w3EhbIQ`Pvnzh9d`QUe1p(rKx
z(|uqC;GP?JgirfW6dZ@orw@|9i~yr9HU&nHueOA}w(&~?6!%mOGy;kvD@Ge)F&l%*
zDxlB#89NlZp~IL$YuXuNeIA+d2!C<4H_l-3Zi%C{%4(^CLQ34u^%E|=l55{Xk)iZV
zFoFd^1_>&LNQU<f0S5t~f(0@Jf(0%xf(0rtf(0f93o3?4hW8Bt3<?1Ppn?SMFoFc?
zFdPO7Duzgg_YDCI0Ru1&1PGYL39s<(L{b6*2ml0v1jq-m!lV*INv0irP5EFT=%t(P
ztKJK%Y@M(*^wZmt#n>Kp6Pi^FD$P3Fi?OyZYbezlXv^f$?3z{m3aiG#2rl8ouugO*
zQYs5CT~wtC3Ot2W%thvfckvV}$+4p$<jx3p7|OVr{BT$t^^-tPD-s~>EOb08US5h1
zz3yqKHxK-m56o&ZAb?UE5Rt+YEFuSOnCTe&AevZ7pnCcjs3b=kiu`=tnBuBhh!N`9
z9R(J9h471>P_paPON$I>5loSmmM85b(*WOLDiwE)DA?(GC`R}!I&rf0Yc)DTBPxKC
z=uqK19;q^VPqGOmdFOc#8>kvkWwE^9FXH3x@7w<t8yIqcW(bxNTK?6KnhF&aD|>=2
z6DDu>eAM|Z%Sf|g6Y-f&)m3_WQ^dJjPe7po&D8{@1M(GFI-1;THI@MMecA(WfRf3f
zLGW_?-8q<SVE>sa5;1gkL9~q?3UKuYk+9{Ok!+l~5Rzp1o`Sgd>IY_d^@g8vS%)+q
z0*URWNp2tE<^R_)%#V)ycU#*KCKUq^dR!?wSH7`^x4YK!a~^D`5$!swtI4=mjfcNq
zv=?Fz80Zr7<hYiU6EtD?c|ACtbSp?c>pXZ@>C{x3Wv@NNU{4L5WBL$LkG3^EN)#z0
z=4>sCn5!SBJ+|SfV&@T|9E3C4bJyTaGMdDOa_x9MI>2(@-xynmt8U#8_pYw?M&9aN
zU6FUL$hhlMbmC1X91%l0dGapPmtsXtVr_yamKbb7*w*3BpL|nk@mX-4-;S#;%Lnv=
zPsNabwpH`wRm_XGsF=I$WR2`YUDmB28j`ffR|kh`<4~fM+{qd{w?w8v#cz6Q$Erhx
z!JLOo!`XkWKH|~YGVN%6bqQ+aB|kcpJ`J-csOTxYl!mGht3DIGO~_f|W@m`T<qU$O
zbY!1jG9?;943~j<*Zs$V;PbpPV$a@O4R9_>mr#6RI<4Bw4~jT|l++n;ecj`%>P%<C
zIj!O0`m#{XHgq)+qApISJeUTC84lR0ov^iBJP3?qdKT6+*d)s>6n_{8wU(vT^9~kE
zHwpcuLy1S%X0@2W-ou5*Ed8oXUNVPdD3%;^p1Q{K0<=Ctcmze&+_9(O2J5(otJp?C
z*|c`bW^7+i;qQ!(joO9W++koYlK``1rz@D<DI6}C_TnQu*gfC0(n|+!#P(D}HVo-v
zZ2*|&2%KZ?3BQVCOVz0Y>gU)crV#M-Sq7vnXG^qger%!&2LG3I!lhBm&3@t6*}QAA
zKfRYWMvfRx=Wai4>hLm7^li2$9th`-zBy*pUBNeoV|A6;TU-a%FQblv`u};DsTQ^+
zFq5B5Yz}S0i<i_)@E`e@sD_cra&Mb`asOiL%x^KhDH9vD&e?XukmIr{mfL=x|I2W5
zq_ZiDq;_<nn_Ut)HPI}wm%$AW9vF`Xh`^sYKcyRC=Tu-nt^|DqkIx`*|KllIpl0!9
za!vCm9`S=OEadD<yZK7Q1~T^^%R_v2{x0w1Q&9M9?$;>@m$~19<2hlw>kk<4X4bb|
zcJUWZRB3q);`E^S(#0h%S;<yW=|;qz?E}oh!@o5{C@FRqi)|_5Yc0kyD3zh6>0&YH
zivvjX{?rw0OCm8PFe3&DDuzgg_YDCF6)_eB6p+0r>6Y%e<D=e70SmF{Ej`h)IWRFW
zAutIB1uG5%0vZJX1Qar&{P6fEGO176)s{F!+td`S)!+mOZ+17JHw$d_0s;sCUDfbC

literal 0
HcmV?d00001

diff --git a/spec/fixtures/certificates/generate_certs.sh b/spec/fixtures/certificates/generate_certs.sh
new file mode 100755
index 0000000000..c8e6217e66
--- /dev/null
+++ b/spec/fixtures/certificates/generate_certs.sh
@@ -0,0 +1,127 @@
+#!/bin/bash
+# This script generates certificates that can be used to test SSL client
+# authentication.
+#
+#   1. A (end-entity) -> B -> C (self-signed root)
+#   2. D (end-entity) -> B -> C (self-signed root)
+
+try () {
+  echo "$@"
+  "$@" || exit 1
+}
+
+try mkdir out
+
+echo Create the serial number files and indices.
+serial=1000
+for i in B C
+do
+  try /bin/sh -c "echo $serial > out/$i-serial"
+  serial=$(expr $serial + 1)
+  touch out/$i-index.txt
+  touch out/$i-index.txt.attr
+done
+
+echo Generate the keys.
+for i in A B C D
+do
+  try openssl genrsa -out out/$i.key 2048
+done
+
+echo Generate the C CSR
+COMMON_NAME="Root CA" \
+  CA_DIR=out \
+  ID=C \
+  try openssl req \
+    -new \
+    -key out/C.key \
+    -out out/C.csr \
+    -config certs.cnf
+
+echo C signs itself.
+COMMON_NAME="Root CA" \
+  CA_DIR=out \
+  ID=C \
+  try openssl x509 \
+    -req -days 3650 \
+    -in out/C.csr \
+    -extensions ca_cert \
+    -extfile certs.cnf \
+    -signkey out/C.key \
+    -out out/C.pem
+
+echo Generate the intermediates
+COMMON_NAME="Intermediate CA" \
+  CA_DIR=out \
+  ID=B \
+  try openssl req \
+    -new \
+    -key out/B.key \
+    -out out/B.csr \
+    -config certs.cnf
+
+COMMON_NAME="Root CA" \
+  CA_DIR=out \
+  ID=C \
+  try openssl ca \
+    -batch \
+    -extensions ca_intermediate_cert \
+    -in out/B.csr \
+    -out out/B.pem \
+    -config certs.cnf
+
+echo Generate the leaf certs
+COMMON_NAME="Client Cert" \
+  ID=A \
+  try openssl req \
+    -new \
+    -key out/A.key \
+    -out out/A.csr \
+    -config certs.cnf
+
+echo B signs A
+COMMON_NAME="Intermediate CA" \
+  CA_DIR=out \
+  ID=B \
+  try openssl ca \
+    -batch \
+    -extensions user_cert \
+    -in out/A.csr \
+    -out out/A.pem \
+    -config certs.cnf
+
+COMMON_NAME="localhost" \
+  ID=D \
+  try openssl req \
+    -new \
+    -key out/D.key \
+    -out out/D.csr \
+    -config certs.cnf
+
+echo B signs D
+COMMON_NAME="Intermediate CA" \
+  CA_DIR=out \
+  ID=B \
+  try openssl ca \
+    -batch \
+    -extensions server_cert \
+    -in out/D.csr \
+    -out out/D.pem \
+    -config certs.cnf
+
+echo Package the client cert and private key into PKCS12 file
+try /bin/sh -c "cat out/A.pem out/A.key out/B.pem out/C.pem > out/A-chain.pem"
+
+try openssl pkcs12 \
+  -in out/A-chain.pem \
+  -out client.p12 \
+  -export \
+  -passout pass:electron
+
+echo Package the certs
+try cp out/C.pem rootCA.pem
+try cp out/B.pem intermediateCA.pem
+try cp out/D.key server.key
+try cp out/D.pem server.pem
+
+try rm -rf out
diff --git a/spec/fixtures/certificates/intermediateCA.pem b/spec/fixtures/certificates/intermediateCA.pem
new file mode 100644
index 0000000000..58293f76da
--- /dev/null
+++ b/spec/fixtures/certificates/intermediateCA.pem
@@ -0,0 +1,78 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4097 (0x1001)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Root CA
+        Validity
+            Not Before: Apr 18 16:14:29 2016 GMT
+            Not After : Apr 16 16:14:29 2026 GMT
+        Subject: CN=Intermediate CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b6:42:02:13:25:40:13:a6:05:99:69:da:0c:c9:
+                    a8:bf:86:3b:fc:c6:51:ba:64:65:7e:33:11:31:d5:
+                    03:45:30:4c:ca:49:d2:96:42:52:2f:f9:e6:6c:9a:
+                    50:1c:fe:fa:e2:e8:63:36:14:47:f7:49:9f:78:28:
+                    5e:1f:0b:9d:9e:f8:d3:33:77:06:4d:6d:14:c0:57:
+                    01:83:2b:ef:99:06:48:21:ec:c1:d7:05:48:2c:ea:
+                    83:06:6a:20:df:73:ce:8a:a5:e4:81:00:41:84:cf:
+                    89:81:78:2e:3a:bd:1b:fd:3e:96:08:8d:44:1b:00:
+                    c8:d6:4e:7a:6a:75:c0:9b:3c:e0:fa:aa:3a:82:5b:
+                    3c:39:32:ca:4a:ba:82:bc:60:47:6f:e4:4a:fd:dc:
+                    a0:72:8a:1b:fe:cd:2e:10:f4:27:4c:08:4e:d1:ed:
+                    dc:08:b0:f8:1f:e4:fc:45:72:43:58:6e:dd:05:37:
+                    8c:04:a1:fb:64:f4:3f:90:bb:85:f2:4c:97:46:fd:
+                    1f:29:e5:19:d0:0f:24:fd:d1:00:c5:b6:be:da:84:
+                    62:77:be:db:67:f6:ec:98:5d:97:f5:df:0a:bd:b8:
+                    07:7f:0a:d5:92:29:1f:c4:b0:97:4f:e4:87:d7:a9:
+                    00:c9:61:d5:6c:cd:6a:fc:56:c3:f3:b7:ca:53:70:
+                    02:3f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                A9:75:99:CF:9C:92:54:A4:4B:65:CD:3D:FC:93:98:8D:9E:09:1F:47
+            X509v3 Authority Key Identifier: 
+                keyid:E3:51:87:E3:CD:7A:B3:26:9F:8F:EC:62:D1:0E:15:0C:39:36:47:4F
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+    Signature Algorithm: sha256WithRSAEncryption
+         55:69:d6:1d:33:ad:ab:40:46:fd:34:02:c1:43:50:7b:90:ea:
+         f3:5f:4f:b6:2c:28:aa:72:e0:4b:36:2e:8f:44:93:15:52:14:
+         f6:61:b3:50:e0:ba:43:91:ba:a9:5d:ac:43:b7:52:ca:91:a3:
+         d7:0e:ac:a7:9e:ee:28:7f:2d:0f:93:b5:d9:23:35:68:54:29:
+         2a:e7:3a:4c:41:24:d0:5e:2d:f3:1e:b9:52:f1:3e:16:76:93:
+         89:6d:a1:4c:63:f5:4a:cc:08:36:61:29:0a:29:5f:f4:5a:55:
+         98:10:b3:de:b3:90:f9:03:e5:bd:1b:61:01:a7:22:03:ae:0f:
+         77:c4:a8:bf:31:b4:af:c8:c7:e3:25:a1:2b:b9:43:37:3b:08:
+         ea:c4:46:60:b8:5f:ee:2a:0d:ce:18:75:63:ba:32:28:84:f4:
+         56:95:1b:c5:f9:46:7e:14:2e:83:5e:a9:ff:b2:80:ca:25:fd:
+         22:90:b5:de:bd:e6:f1:0c:ee:7e:09:71:0d:82:6a:ca:2f:9c:
+         96:45:73:3a:65:bc:d8:9d:e0:61:01:5d:a8:de:de:61:8c:82:
+         52:0c:ef:97:39:b3:13:c6:7d:d0:c0:f5:6d:c8:70:5b:96:e8:
+         99:31:d8:75:3a:21:58:ab:01:21:9e:38:8e:53:ff:f8:48:a7:
+         af:01:9a:93
+-----BEGIN CERTIFICATE-----
+MIIDDjCCAfagAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHUm9v
+dCBDQTAeFw0xNjA0MTgxNjE0MjlaFw0yNjA0MTYxNjE0MjlaMBoxGDAWBgNVBAMM
+D0ludGVybWVkaWF0ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALZCAhMlQBOmBZlp2gzJqL+GO/zGUbpkZX4zETHVA0UwTMpJ0pZCUi/55myaUBz+
++uLoYzYUR/dJn3goXh8LnZ740zN3Bk1tFMBXAYMr75kGSCHswdcFSCzqgwZqIN9z
+zoql5IEAQYTPiYF4Ljq9G/0+lgiNRBsAyNZOemp1wJs84PqqOoJbPDkyykq6grxg
+R2/kSv3coHKKG/7NLhD0J0wITtHt3Aiw+B/k/EVyQ1hu3QU3jASh+2T0P5C7hfJM
+l0b9HynlGdAPJP3RAMW2vtqEYne+22f27Jhdl/XfCr24B38K1ZIpH8Swl0/kh9ep
+AMlh1WzNavxWw/O3ylNwAj8CAwEAAaNmMGQwHQYDVR0OBBYEFKl1mc+cklSkS2XN
+PfyTmI2eCR9HMB8GA1UdIwQYMBaAFONRh+PNerMmn4/sYtEOFQw5NkdPMBIGA1Ud
+EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IB
+AQBVadYdM62rQEb9NALBQ1B7kOrzX0+2LCiqcuBLNi6PRJMVUhT2YbNQ4LpDkbqp
+XaxDt1LKkaPXDqynnu4ofy0Pk7XZIzVoVCkq5zpMQSTQXi3zHrlS8T4WdpOJbaFM
+Y/VKzAg2YSkKKV/0WlWYELPes5D5A+W9G2EBpyIDrg93xKi/MbSvyMfjJaEruUM3
+OwjqxEZguF/uKg3OGHVjujIohPRWlRvF+UZ+FC6DXqn/soDKJf0ikLXevebxDO5+
+CXENgmrKL5yWRXM6ZbzYneBhAV2o3t5hjIJSDO+XObMTxn3QwPVtyHBbluiZMdh1
+OiFYqwEhnjiOU//4SKevAZqT
+-----END CERTIFICATE-----
diff --git a/spec/fixtures/certificates/rootCA.pem b/spec/fixtures/certificates/rootCA.pem
new file mode 100644
index 0000000000..5c77fe61cd
--- /dev/null
+++ b/spec/fixtures/certificates/rootCA.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCjCCAfKgAwIBAgIJAOcWbv0WHll0MA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
+BAMMB1Jvb3QgQ0EwHhcNMTYwNDE4MTYxNDI5WhcNMjYwNDE2MTYxNDI5WjASMRAw
+DgYDVQQDDAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+0iZvelv6MjxqdmQsAmKqIfc5gvQjYB3CqWlEH3g5czPFBMMtmOI9czlk+0jc1VEf
+t1SKst7zwe1rpxFArgudV45NBHQH3ZlzkLeO7Ol2kPzlyMHNJ70vT3CBitKnLl4B
+bg7xf6kDQQlC3/QeWxvbR5cvp131uwcpXKdJ9k4dwpfS2BKiRb5Uk46DgX5kGaka
+q/tQ2F7b6AlAoTq608tZBuOInkg2tTbGe9PDWSL8oMZRwCSbF543SAR45zjWBa0k
+ymY31VvlYbEd/3lfE5Mrn/JwZQpTKOfcOI//kUkcClJVpSMObh4eiy1oNjqcJ4KR
+/4hkY7oTQCA7zWD34jQpkQIDAQABo2MwYTAdBgNVHQ4EFgQU41GH4816syafj+xi
+0Q4VDDk2R08wHwYDVR0jBBgwFoAU41GH4816syafj+xi0Q4VDDk2R08wDwYDVR0T
+AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBADrt
+1bSbOYxDmB1x9KaHNFVSzs0XsipsbZW/XTqtNMPMFXh+I57NVptVanCwcfU5zmOF
+AjL+R8v0NkPU9+6nSM2PYqWxEavf0f6pkxIj+ThFwtVwXEKocPG9RFUvZNZv+rSH
+yAnzuAzFI71EsT9VgJGHI0pgPjrGbSlNfb0OJFOlwtbGWGofmg+N6hHcx5nVKlgL
+ZWLtYT+/mT2pSGuIpJtdnuUv0vcrRa4mxAa8NPF4+Qpi6yErkfogE+T4RYf2L4rp
+CaRIFicLoNUmwK0nCerJaPFLwGkiNGNX81CHnw3+xLisSPvxze2ZRA0DhUWUGInq
+grjWDMO9P1hPWu5jmbo=
+-----END CERTIFICATE-----
diff --git a/spec/fixtures/certificates/server.key b/spec/fixtures/certificates/server.key
new file mode 100644
index 0000000000..719bfc8797
--- /dev/null
+++ b/spec/fixtures/certificates/server.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAuByk7Ib6anz0xOFRqyogGsTTEAAGduquIckVFajDHrk7vdq+
+TflkDp+UhbISqu1rj0OuaqODxiPSSw5fHClqNKpjhHS1ry86knS847BGwrByY0oa
+zBdN0UgtWiXOK+iCuSI9p0KSIORJ3Y70pUZmm12EHRwb0tANv4ogYxjAxwnyqYgn
+PnrDsoyCh/Cb4Fu8XucrnepYbInXi6yOdwTuivTx9qy7tlQzvYJ2LLEUIJdBtCUZ
+dZkxky9CJUbfu5rm6PFvbLII5YCSlpXLxg9bumZCR1z9IXE6rLYcJIp3HIquR2cN
+tAs9M8OHuR5V6vhUG51bP3aTkg3asJVdUe10dwIDAQABAoIBAQCJGINSwZv86blW
+VbX7r+2iIUhNVMd7i3tJGzQBId7RpPswf49P/tIb9YaiG5y8/PgoAS0CqWn5hDkW
+vMfj747vUqWyPzn/DjseTaFOJrg6RyuWddsIeJ3wpj9nLlmc5pFZDH8+alrn9TZv
+rgDMhWTocjVre7/YNibWpyNAx3DdhG5DzNVLnu1R68d5k3JutQVqm01xCAV9ne9n
+xE1RB5Z1xLvpQfW2qLYT0yFB7Xxw8awGyzVesPhGW1aa5F4urQjdCt2baa06Xolu
+T3wXJ6wA9BuF2KOCi8DxELDaXoB//+82HafgWbOWIhJFOzEZaMNqZkfS/GbCgpEr
+mE2r8zGBAoGBAOHNcUPgnIIeGdgFZZvL3Ge3Hp5mi2Vd2KBkAPNCjVSXeCu57yRC
+SetlYuZlIhd7o+wdxUmWtg73DU19eDXJsOjXgNAoJfT9Zsyi4RClmJ0FRcSzvFU/
+m/TKrBbnFFAI+1pKwDnQ7envuRiTECFSsvKqdr8hddx0cPCgDtbe+75BAoGBANC7
+4ozkgsUTtdojz0DYBYBwUjN1gUETIhl91tt+48hmmEedROWDQDCT9gJfpAVFe1I6
+RyKKJnBcgNDJ7mqPUB1f5xb5rtaZS1owPNYTi3GrdVVg3lAf0j5ch8XoRJn/plnL
+M0Sj5lLMviHJjyk8CPHbnE2k2vERAW4/SgzfA3S3AoGAHx55Jamm6CfN1/+maTpH
+PeP2zE3FmEq+uBwQJXZek/HsFdqiIpUgKtjmMGpvsFzR0pCnx+SFYrqZkrxf/Mm3
+H9/TWNyvnnvt1vX7npez2LAJVXqP0g/aJnpoDR/7pKwYN/FlXJJ2t27aS5C5AF6t
+WtQzWVP7Mk654e+tG9/PQgECgYEAiTCT7EpccK9NvLwAgfv5UbuBK3U1qNGsfdip
+mMZDa/mSaK9DEx462DLHZDP8F8LdFORc0KTAMuV5fMDbxInA/C2GMyGT+lPypKpD
+sehSpDku+xiZxUvE4VvrmPXZ8OWILkhRv/GBdjY/WPGi+FUPA/d1Ocr6Y6rrp8xN
+HTyOhu0CgYBKxTSH6RCQsm8Q8uqmcP7cwe6fciTC0c2CRRqlzuXeseG72MBRDk/8
+P1jtOIlIsax/8NwNm5ReAiLgVn/h6/YgN4fpMkV1XIaH4j7HiGf5CWgOTWxS9jWA
+cV09H22BaNkT0fZ71IlXQI11cVRodX0g4cJXeuyTxY9OkMd6cGs8+A==
+-----END RSA PRIVATE KEY-----
diff --git a/spec/fixtures/certificates/server.pem b/spec/fixtures/certificates/server.pem
new file mode 100644
index 0000000000..117be807e5
--- /dev/null
+++ b/spec/fixtures/certificates/server.pem
@@ -0,0 +1,88 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4097 (0x1001)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Intermediate CA
+        Validity
+            Not Before: Apr 18 16:14:29 2016 GMT
+            Not After : Apr 16 16:14:29 2026 GMT
+        Subject: CN=localhost
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b8:1c:a4:ec:86:fa:6a:7c:f4:c4:e1:51:ab:2a:
+                    20:1a:c4:d3:10:00:06:76:ea:ae:21:c9:15:15:a8:
+                    c3:1e:b9:3b:bd:da:be:4d:f9:64:0e:9f:94:85:b2:
+                    12:aa:ed:6b:8f:43:ae:6a:a3:83:c6:23:d2:4b:0e:
+                    5f:1c:29:6a:34:aa:63:84:74:b5:af:2f:3a:92:74:
+                    bc:e3:b0:46:c2:b0:72:63:4a:1a:cc:17:4d:d1:48:
+                    2d:5a:25:ce:2b:e8:82:b9:22:3d:a7:42:92:20:e4:
+                    49:dd:8e:f4:a5:46:66:9b:5d:84:1d:1c:1b:d2:d0:
+                    0d:bf:8a:20:63:18:c0:c7:09:f2:a9:88:27:3e:7a:
+                    c3:b2:8c:82:87:f0:9b:e0:5b:bc:5e:e7:2b:9d:ea:
+                    58:6c:89:d7:8b:ac:8e:77:04:ee:8a:f4:f1:f6:ac:
+                    bb:b6:54:33:bd:82:76:2c:b1:14:20:97:41:b4:25:
+                    19:75:99:31:93:2f:42:25:46:df:bb:9a:e6:e8:f1:
+                    6f:6c:b2:08:e5:80:92:96:95:cb:c6:0f:5b:ba:66:
+                    42:47:5c:fd:21:71:3a:ac:b6:1c:24:8a:77:1c:8a:
+                    ae:47:67:0d:b4:0b:3d:33:c3:87:b9:1e:55:ea:f8:
+                    54:1b:9d:5b:3f:76:93:92:0d:da:b0:95:5d:51:ed:
+                    74:77
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                OpenSSL Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                1D:60:82:FA:3A:EC:27:91:BA:8D:F5:ED:B2:E3:85:0B:22:5A:8E:38
+            X509v3 Authority Key Identifier: 
+                keyid:A9:75:99:CF:9C:92:54:A4:4B:65:CD:3D:FC:93:98:8D:9E:09:1F:47
+                DirName:/CN=Root CA
+                serial:10:01
+
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+    Signature Algorithm: sha256WithRSAEncryption
+         89:90:3d:2c:b8:0d:36:63:68:9a:cd:f9:14:56:94:d9:18:11:
+         b5:08:35:af:f9:34:cd:70:db:7d:66:06:e3:57:9b:06:8f:11:
+         d6:ea:ac:a6:07:db:ae:a2:c0:66:69:84:d8:2d:3c:cc:d7:4d:
+         3c:75:60:4f:98:fc:56:df:30:39:c6:55:2c:73:92:9e:0c:b5:
+         7c:75:40:5d:21:aa:01:c1:8a:03:86:eb:d7:02:7d:f5:7b:12:
+         cc:18:90:23:ad:8f:d7:05:18:6d:f0:11:a8:6b:27:fd:4c:07:
+         07:53:f5:7f:f7:a2:e5:18:1e:4e:90:1b:10:5f:f3:5c:cb:c7:
+         37:63:d0:d5:1d:3a:65:66:24:ee:0e:ce:7f:b1:fb:ee:17:d0:
+         b5:4d:64:2f:5a:9c:bc:7a:1c:c0:b4:0f:32:c9:a9:5c:cb:57:
+         26:fd:49:39:8d:f2:89:54:c4:92:b5:35:ec:fe:cf:87:07:a6:
+         84:01:98:00:e4:2a:44:26:b7:48:00:11:d3:e4:5a:c1:ad:46:
+         36:53:f9:28:b7:e4:c5:bb:66:88:ab:8e:cc:30:d0:96:aa:3e:
+         c1:12:6a:8f:fa:6d:19:15:f4:90:66:54:62:84:97:06:2d:5c:
+         b9:18:71:90:f4:ca:4c:8c:a5:8b:32:14:93:89:f1:93:f4:00:
+         bd:1d:42:4f
+-----BEGIN CERTIFICATE-----
+MIIDgjCCAmqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAwwPSW50
+ZXJtZWRpYXRlIENBMB4XDTE2MDQxODE2MTQyOVoXDTI2MDQxNjE2MTQyOVowFDES
+MBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAuByk7Ib6anz0xOFRqyogGsTTEAAGduquIckVFajDHrk7vdq+TflkDp+UhbIS
+qu1rj0OuaqODxiPSSw5fHClqNKpjhHS1ry86knS847BGwrByY0oazBdN0UgtWiXO
+K+iCuSI9p0KSIORJ3Y70pUZmm12EHRwb0tANv4ogYxjAxwnyqYgnPnrDsoyCh/Cb
+4Fu8XucrnepYbInXi6yOdwTuivTx9qy7tlQzvYJ2LLEUIJdBtCUZdZkxky9CJUbf
+u5rm6PFvbLII5YCSlpXLxg9bumZCR1z9IXE6rLYcJIp3HIquR2cNtAs9M8OHuR5V
+6vhUG51bP3aTkg3asJVdUe10dwIDAQABo4HXMIHUMAkGA1UdEwQCMAAwEQYJYIZI
+AYb4QgEBBAQDAgZAMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBT
+ZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFB1ggvo67CeRuo317bLjhQsiWo44
+MDsGA1UdIwQ0MDKAFKl1mc+cklSkS2XNPfyTmI2eCR9HoRakFDASMRAwDgYDVQQD
+DAdSb290IENBggIQATAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUH
+AwEwDQYJKoZIhvcNAQELBQADggEBAImQPSy4DTZjaJrN+RRWlNkYEbUINa/5NM1w
+231mBuNXmwaPEdbqrKYH266iwGZphNgtPMzXTTx1YE+Y/FbfMDnGVSxzkp4MtXx1
+QF0hqgHBigOG69cCffV7EswYkCOtj9cFGG3wEahrJ/1MBwdT9X/3ouUYHk6QGxBf
+81zLxzdj0NUdOmVmJO4Ozn+x++4X0LVNZC9anLx6HMC0DzLJqVzLVyb9STmN8olU
+xJK1Nez+z4cHpoQBmADkKkQmt0gAEdPkWsGtRjZT+Si35MW7Zoirjsww0JaqPsES
+ao/6bRkV9JBmVGKElwYtXLkYcZD0ykyMpYsyFJOJ8ZP0AL0dQk8=
+-----END CERTIFICATE-----