VictoriaMetrics/lib/netutil/tls_test.go

package netutil

import (
	"crypto/tls"
	"errors"
	"fmt"
	"os"
	"reflect"
	"testing"
)

func TestCipherSuitesFromNamesSucces(t *testing.T) {
	f := func(cipherSuites []string, expectedSuites []uint16) {
		t.Helper()

		suites, err := cipherSuitesFromNames(cipherSuites)
		if err != nil {
			t.Fatalf("unexpected error: %s", err)
		}
		if !reflect.DeepEqual(suites, expectedSuites) {
			t.Fatalf("unexpected ciphersuites; got %d; want %d", suites, expectedSuites)
		}
	}

	// Empty ciphersuites
	f(nil, nil)

	// Supported ciphersuites uppercase
	f([]string{
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
	}, []uint16{
		0xc013,
		0xc014,
	})

	// Supported ciphersuites lowercase
	f([]string{
		"tls_ecdhe_rsa_with_aes_128_cbc_sha",
		"tls_ecdhe_rsa_with_aes_256_cbc_sha",
	}, []uint16{
		0xc013,
		0xc014,
	})

	// Correct ciphersuites via numbers
	f([]string{"0xC013", "0xC014"}, []uint16{0xc013, 0xc014})
	f([]string{"0xc013", "0xc014"}, []uint16{0xc013, 0xc014})
}

func TestCipherSuitesFromNamesFailure(t *testing.T) {
	f := func(cipherSuites []string) {
		t.Helper()
		_, err := cipherSuitesFromNames(cipherSuites)
		if err == nil {
			t.Fatalf("expecting non-nil error")
		}
	}

	// wrong ciphersuite
	f([]string{"non-existing-ciphersuite"})
	f([]string{"23432"})
	f([]string{"2343223432423"})

	// insecure ciphersuites
	f([]string{"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA"})

	// insecure ciphersuite numbers
	f([]string{"0x0005", "0x000a"})
}

func TestParseTLSVersionSuccess(t *testing.T) {
	f := func(s string, want uint16) {
		t.Helper()
		got, err := ParseTLSVersion(s)
		if err != nil {
			t.Fatalf("unexpected error for ParseTLSVersion(%q): %s", s, err)
		}
		if got != want {
			t.Fatalf("unexpected value got from ParseTLSVersion(%q); got %d; want %d", s, got, want)
		}
	}
	// lowercase tlsName
	f("tls10", tls.VersionTLS10)
	f("tls11", tls.VersionTLS11)
	f("tls12", tls.VersionTLS12)
	f("tls13", tls.VersionTLS13)
	// uppercase tlsName
	f("TLS10", tls.VersionTLS10)
	f("TLS11", tls.VersionTLS11)
	f("TLS12", tls.VersionTLS12)
	f("TLS13", tls.VersionTLS13)
	// empty tlsName
	f("", 0)
}

func TestParseTLSVersionFailure(t *testing.T) {
	f := func(s string) {
		t.Helper()
		_, err := ParseTLSVersion(s)
		if err == nil {
			t.Fatalf("expecting non-nil error for ParseTLSVersion(%q)", s)
		}
	}
	// incorrect tlsName
	f("123")
	// incorrect tlsName with correct prefix
	f("TLS1")
	// incorrect tls version in tlsName
	f("TLS14")
}

func TestGetServerTLSConfig(t *testing.T) {
	f := func(tlsCertFile, tlsKeyFile string, expectErr bool) {
		t.Helper()
		_, err := GetServerTLSConfig(tlsCertFile, tlsKeyFile, "", []string{})
		if !errors.Is(err, nil) != expectErr { // same as: if errors.Is(err, nil) == expectErr {
			t.Fatalf("expect err: %v, get error: %v", expectErr, err)
		}
	}

	mustCreateFile("test.crt", testCRT)
	mustCreateFile("test.key", testPK)
	defer func() {
		_ = os.Remove("test.crt")
		_ = os.Remove("test.key")
	}()

	// check cert file not exist
	f("/a", "./test.key", true)
	// check key file not exist
	f("./test.crt", "/b", true)
	// cert file and key file all exist
	f("./test.crt", "./test.key", false)
}

const (
	testCRT = `-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUKm1UQfHNrw+b2T+ARui1PJexOpswDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA3MTAwMzQ1MzVaFw0yNzA3
MTAwMzQ1MzVaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCgdbQ0yIk170LSfhPzrm6LuclwjxGSC31CmmF+BZUH
J19n33BrL++Rfrfz3kMr5JgfVgjeHWZ2PrLp9M9Jf9eXbcpPcPbPKm3rh1VsdNHX
o82BQ0+/pOimpWtA88A1F/XyWqC7b94531oaAOLuQzWWXeUFY4A9WlC6hkNgRj32
EIfuioEXl22pGvQqScgJOJY5nnSFLUvymKUviMTNllIQd8kdNFcz2uKKozoWl9q9
sNHxGZKTa0dfKjeok8X1pybOZK1E7JLUQBi4oPvI6YAKBFV0BTjkqu6ZBMZE1aPe
RxGdGx/fugVc2b3ON6+xfY/gaVjL1eyVG5zI6Z8xB0A3AgMBAAGjUzBRMB0GA1Ud
DgQWBBSetpW1wdKL3jKgHOj0BGX4TKRyHjAfBgNVHSMEGDAWgBSetpW1wdKL3jKg
HOj0BGX4TKRyHjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBU
gyYMzjtDq1/DF48tAnBRFomnzzUsAV2NnuMzPF6mN2kxJunyukFpCLMKYeE4d+Jn
iSDXehLY1pCzKHntTQuqavSOy4uvlboPGFbBuXuR2XYWNqH+wPRd55UtnMntAvBd
Ovec9+1MW5x0RNiiwZqZ3/oRH3CS7c3iRNMq/AXGNWomE1QXT9ujXR+86KuTBS4h
uQB6i6TyKuqzydD9nsqwuviOA7xrAthw6cqrAjgo8KBMJpFavsasnd/cZ+8YQqOW
fTEsNj4PXjYkQP6z6FW/pbNeJLkjuSIwmcs1m5t2bV5oF2kpx+NyqGW0TcYaw3KY
sWswtTQyQldPeQIkIz1p
-----END CERTIFICATE-----`
	testPK = `-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCgdbQ0yIk170LS
fhPzrm6LuclwjxGSC31CmmF+BZUHJ19n33BrL++Rfrfz3kMr5JgfVgjeHWZ2PrLp
9M9Jf9eXbcpPcPbPKm3rh1VsdNHXo82BQ0+/pOimpWtA88A1F/XyWqC7b94531oa
AOLuQzWWXeUFY4A9WlC6hkNgRj32EIfuioEXl22pGvQqScgJOJY5nnSFLUvymKUv
iMTNllIQd8kdNFcz2uKKozoWl9q9sNHxGZKTa0dfKjeok8X1pybOZK1E7JLUQBi4
oPvI6YAKBFV0BTjkqu6ZBMZE1aPeRxGdGx/fugVc2b3ON6+xfY/gaVjL1eyVG5zI
6Z8xB0A3AgMBAAECggEADG12rWc3YqiAcz9q5ILcMqaLM1RkBtIspkBruvAhaIzu
8Y4Xgw29jyC9Nujo00OgrpNMxjCJE4Zr9/0geC+rxHbZ5kjjAgzmDN8N9C5LZFle
R3EtrN5PsJHQ7+u7tWurflTw7E4lQYk1eBxydwQDPf1RXsH5QtyLB8ScqkkLxSdy
LztMqwu6w9c0TEuzkKMaVgz0xSj2+FLN6yzAQQJUKRCPLff+uKlQx769JA9sji1C
wxcbSJZXdy0EwkGW/4EjGEPxGxZKunSrlem5A5/RPsfFtDo0DWRzZNCt022TVD/X
QesFDt6iZXpo9QUmSPiw25pZn4QD/7bNqePyLxNhLQKBgQDBc+I5WXceSNl5tXOL
UTLkSJaG0R3tBdtQY+Rc0KEQsHi0we968O0BbdFgvdwJw3YWzqm3QtAflgn4GP4X
1pg7CiCy+8cQFY2TShDJpQ//Z0GwDNUeb9I8cevIsONxRsxVphXovRN7/UFc+Hpi
Gnibm/lC9w4F8nXouBCvFzQX3QKBgQDUVv39xUjlBY7qFgTayDY7VfH5HNXgbW+f
sU56EqHtl0VDsDwgI5+91q4uK/X6m0T7FdW1Ua8iKUf+keDzOJR8HeMF01OzpWJR
p/Wqns1P60KGZv/OWn52J7uYMIslU+VyMvCn58QrrRtchJE3QgVKZUcC5kqpWFul
SXax7h6hIwKBgG+OxTlvNzsWpZsDIXOIysFMfsmWFBzYUMXGJS3E/ezi52jNoa2S
/Anj62dPdXGH7zRtzv8on15npq4Us4rJrJX3XC369at30mHKx22RK22MfRvp+oiH
0YQb6e2c3Dw5qKIHmgDR8EeDH0te2yxxuXV6974/PC3/yTD/3FcsGVVdAoGAMeSK
46ECgsWukfRAicO3cnO8WoNbAdPVAZngzbApGjGMFd6IEikstKeH39N2hb8ME09L
GsKpuwYmI3vVdnDZ+tvu5wSDy1dV5cfoYoHTzi6CQCBdhPggdNTbMGRfnZK7+/xa
Lam4n2aaYj/H+0rpAVUQvW6tJmNbjVfYqvA/hC8CgYB8gqUIhP4yz15P2936g8bS
uhNX7Msd6fwLsq/5Hn1j+7oCQ3KfvxOnFUFRDIUQvpLsa38rfn1u06gSXkSoM/3m
WN7PV6auY4J9vhiJcDHLYKWU6IiDPXa2K0EsGarWy1ncJQdpjZPT1Urft2pNF9gP
YwXfJbKUZnJlv9XplwR7Dw==
-----END PRIVATE KEY-----`
)

func mustCreateFile(path, contents string) {
	if err := os.WriteFile(path, []byte(contents), 0600); err != nil {
		panic(fmt.Errorf("cannot create file %q with %d bytes contents: %w", path, len(contents), err))
	}
}
lib/httpserver: move the code, which creates tls.Config, into lib/netutil/tls.go This syncs the corresponding code with cluster branch 2022-04-16 12:51:34 +00:00			`package netutil`
lib/httpserver: added tlsCipherSuites flag (#2468) * lib/httpserver: added tlsCipherSuites flag * lib/httpserver: compare lower case strings * lib/httpserver: use EqualFold * lib/httpserver: used flagutil.NewArray, supported only strings cipher suites * lib/httpserver: updated flag description, added flag to documentation * Update lib/httpserver/httpserver.go Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com> 2022-04-16 12:07:07 +00:00
			`import (`
lib/{httpserver,netutil}: allow to define min and max TLS version of the http server (#3109) * lib/{httpserver,netutil}: allow to define min and max TLS version of the http server * lib/httpserver: added descriptions about tls supported versions * lib/netutil: check minimal tls version, added supported tls versions to error * wip Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com> 2022-09-26 14:35:45 +00:00			`"crypto/tls"`
lib/netutil: validate TLS cert and key files immediately (#6621) Validate files specified via `-tlsKeyFile` and `-tlsCertFile` cmd-line flags on the process start-up. Previously, validation happened on the first connection accepted by HTTP server. https://github.com/VictoriaMetrics/VictoriaMetrics/issues/6608 --------- Co-authored-by: hagen1778 <roman@victoriametrics.com> 2024-07-29 11:58:53 +00:00			`"errors"`
			`"fmt"`
			`"os"`
lib/httpserver: added tlsCipherSuites flag (#2468) * lib/httpserver: added tlsCipherSuites flag * lib/httpserver: compare lower case strings * lib/httpserver: use EqualFold * lib/httpserver: used flagutil.NewArray, supported only strings cipher suites * lib/httpserver: updated flag description, added flag to documentation * Update lib/httpserver/httpserver.go Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com> 2022-04-16 12:07:07 +00:00			`"reflect"`
			`"testing"`
			`)`

all: upgrade Go builder from Go1.21.7 to Go1.22.0 See https://go.dev/doc/go1.22 2024-02-12 19:59:41 +00:00			`func TestCipherSuitesFromNamesSucces(t *testing.T) {`
			`f := func(cipherSuites []string, expectedSuites []uint16) {`
			`t.Helper()`

			`suites, err := cipherSuitesFromNames(cipherSuites)`
			`if err != nil {`
			`t.Fatalf("unexpected error: %s", err)`
			`}`
			`if !reflect.DeepEqual(suites, expectedSuites) {`
			`t.Fatalf("unexpected ciphersuites; got %d; want %d", suites, expectedSuites)`
			`}`
lib/httpserver: added tlsCipherSuites flag (#2468) * lib/httpserver: added tlsCipherSuites flag * lib/httpserver: compare lower case strings * lib/httpserver: use EqualFold * lib/httpserver: used flagutil.NewArray, supported only strings cipher suites * lib/httpserver: updated flag description, added flag to documentation * Update lib/httpserver/httpserver.go Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com> 2022-04-16 12:07:07 +00:00			`}`
all: upgrade Go builder from Go1.21.7 to Go1.22.0 See https://go.dev/doc/go1.22 2024-02-12 19:59:41 +00:00
			`// Empty ciphersuites`
			`f(nil, nil)`

			`// Supported ciphersuites uppercase`
			`f([]string{`
			`"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",`
			`"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",`
			`}, []uint16{`
			`0xc013,`
			`0xc014,`
			`})`

			`// Supported ciphersuites lowercase`
			`f([]string{`
			`"tls_ecdhe_rsa_with_aes_128_cbc_sha",`
			`"tls_ecdhe_rsa_with_aes_256_cbc_sha",`
			`}, []uint16{`
			`0xc013,`
			`0xc014,`
			`})`

			`// Correct ciphersuites via numbers`
			`f([]string{"0xC013", "0xC014"}, []uint16{0xc013, 0xc014})`
			`f([]string{"0xc013", "0xc014"}, []uint16{0xc013, 0xc014})`
			`}`

			`func TestCipherSuitesFromNamesFailure(t *testing.T) {`
			`f := func(cipherSuites []string) {`
			`t.Helper()`
			`_, err := cipherSuitesFromNames(cipherSuites)`
			`if err == nil {`
			`t.Fatalf("expecting non-nil error")`
			`}`
lib/httpserver: added tlsCipherSuites flag (#2468) * lib/httpserver: added tlsCipherSuites flag * lib/httpserver: compare lower case strings * lib/httpserver: use EqualFold * lib/httpserver: used flagutil.NewArray, supported only strings cipher suites * lib/httpserver: updated flag description, added flag to documentation * Update lib/httpserver/httpserver.go Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com> 2022-04-16 12:07:07 +00:00			`}`
all: upgrade Go builder from Go1.21.7 to Go1.22.0 See https://go.dev/doc/go1.22 2024-02-12 19:59:41 +00:00
			`// wrong ciphersuite`
			`f([]string{"non-existing-ciphersuite"})`
			`f([]string{"23432"})`
			`f([]string{"2343223432423"})`

			`// insecure ciphersuites`
			`f([]string{"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA"})`

			`// insecure ciphersuite numbers`
			`f([]string{"0x0005", "0x000a"})`
lib/httpserver: added tlsCipherSuites flag (#2468) * lib/httpserver: added tlsCipherSuites flag * lib/httpserver: compare lower case strings * lib/httpserver: use EqualFold * lib/httpserver: used flagutil.NewArray, supported only strings cipher suites * lib/httpserver: updated flag description, added flag to documentation * Update lib/httpserver/httpserver.go Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com> 2022-04-16 12:07:07 +00:00			`}`
lib/{httpserver,netutil}: allow to define min and max TLS version of the http server (#3109) * lib/{httpserver,netutil}: allow to define min and max TLS version of the http server * lib/httpserver: added descriptions about tls supported versions * lib/netutil: check minimal tls version, added supported tls versions to error * wip Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com> 2022-09-26 14:35:45 +00:00
			`func TestParseTLSVersionSuccess(t *testing.T) {`
			`f := func(s string, want uint16) {`
			`t.Helper()`
			`got, err := ParseTLSVersion(s)`
			`if err != nil {`
			`t.Fatalf("unexpected error for ParseTLSVersion(%q): %s", s, err)`
			`}`
			`if got != want {`
			`t.Fatalf("unexpected value got from ParseTLSVersion(%q); got %d; want %d", s, got, want)`
			`}`
			`}`
			`// lowercase tlsName`
			`f("tls10", tls.VersionTLS10)`
			`f("tls11", tls.VersionTLS11)`
			`f("tls12", tls.VersionTLS12)`
			`f("tls13", tls.VersionTLS13)`
			`// uppercase tlsName`
			`f("TLS10", tls.VersionTLS10)`
			`f("TLS11", tls.VersionTLS11)`
			`f("TLS12", tls.VersionTLS12)`
			`f("TLS13", tls.VersionTLS13)`
			`// empty tlsName`
			`f("", 0)`
			`}`

			`func TestParseTLSVersionFailure(t *testing.T) {`
			`f := func(s string) {`
			`t.Helper()`
			`_, err := ParseTLSVersion(s)`
			`if err == nil {`
			`t.Fatalf("expecting non-nil error for ParseTLSVersion(%q)", s)`
			`}`
			`}`
			`// incorrect tlsName`
			`f("123")`
			`// incorrect tlsName with correct prefix`
			`f("TLS1")`
			`// incorrect tls version in tlsName`
			`f("TLS14")`
			`}`
lib/netutil: validate TLS cert and key files immediately (#6621) Validate files specified via `-tlsKeyFile` and `-tlsCertFile` cmd-line flags on the process start-up. Previously, validation happened on the first connection accepted by HTTP server. https://github.com/VictoriaMetrics/VictoriaMetrics/issues/6608 --------- Co-authored-by: hagen1778 <roman@victoriametrics.com> 2024-07-29 11:58:53 +00:00
			`func TestGetServerTLSConfig(t *testing.T) {`
			`f := func(tlsCertFile, tlsKeyFile string, expectErr bool) {`
			`t.Helper()`
			`_, err := GetServerTLSConfig(tlsCertFile, tlsKeyFile, "", []string{})`
			`if !errors.Is(err, nil) != expectErr { // same as: if errors.Is(err, nil) == expectErr {`
			`t.Fatalf("expect err: %v, get error: %v", expectErr, err)`
			`}`
			`}`

			`mustCreateFile("test.crt", testCRT)`
			`mustCreateFile("test.key", testPK)`
			`defer func() {`
			`_ = os.Remove("test.crt")`
			`_ = os.Remove("test.key")`
			`}()`

			`// check cert file not exist`
			`f("/a", "./test.key", true)`
			`// check key file not exist`
			`f("./test.crt", "/b", true)`
			`// cert file and key file all exist`
			`f("./test.crt", "./test.key", false)`
			`}`

			`const (`
			testCRT = `-----BEGIN CERTIFICATE-----
			`MIIDazCCAlOgAwIBAgIUKm1UQfHNrw+b2T+ARui1PJexOpswDQYJKoZIhvcNAQEL`
			`BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM`
			`GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA3MTAwMzQ1MzVaFw0yNzA3`
			`MTAwMzQ1MzVaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw`
			`HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB`
			`AQUAA4IBDwAwggEKAoIBAQCgdbQ0yIk170LSfhPzrm6LuclwjxGSC31CmmF+BZUH`
			`J19n33BrL++Rfrfz3kMr5JgfVgjeHWZ2PrLp9M9Jf9eXbcpPcPbPKm3rh1VsdNHX`
			`o82BQ0+/pOimpWtA88A1F/XyWqC7b94531oaAOLuQzWWXeUFY4A9WlC6hkNgRj32`
			`EIfuioEXl22pGvQqScgJOJY5nnSFLUvymKUviMTNllIQd8kdNFcz2uKKozoWl9q9`
			`sNHxGZKTa0dfKjeok8X1pybOZK1E7JLUQBi4oPvI6YAKBFV0BTjkqu6ZBMZE1aPe`
			`RxGdGx/fugVc2b3ON6+xfY/gaVjL1eyVG5zI6Z8xB0A3AgMBAAGjUzBRMB0GA1Ud`
			`DgQWBBSetpW1wdKL3jKgHOj0BGX4TKRyHjAfBgNVHSMEGDAWgBSetpW1wdKL3jKg`
			`HOj0BGX4TKRyHjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBU`
			`gyYMzjtDq1/DF48tAnBRFomnzzUsAV2NnuMzPF6mN2kxJunyukFpCLMKYeE4d+Jn`
			`iSDXehLY1pCzKHntTQuqavSOy4uvlboPGFbBuXuR2XYWNqH+wPRd55UtnMntAvBd`
			`Ovec9+1MW5x0RNiiwZqZ3/oRH3CS7c3iRNMq/AXGNWomE1QXT9ujXR+86KuTBS4h`
			`uQB6i6TyKuqzydD9nsqwuviOA7xrAthw6cqrAjgo8KBMJpFavsasnd/cZ+8YQqOW`
			`fTEsNj4PXjYkQP6z6FW/pbNeJLkjuSIwmcs1m5t2bV5oF2kpx+NyqGW0TcYaw3KY`
			`sWswtTQyQldPeQIkIz1p`
			-----END CERTIFICATE-----`
			testPK = `-----BEGIN PRIVATE KEY-----
			`MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCgdbQ0yIk170LS`
			`fhPzrm6LuclwjxGSC31CmmF+BZUHJ19n33BrL++Rfrfz3kMr5JgfVgjeHWZ2PrLp`
			`9M9Jf9eXbcpPcPbPKm3rh1VsdNHXo82BQ0+/pOimpWtA88A1F/XyWqC7b94531oa`
			`AOLuQzWWXeUFY4A9WlC6hkNgRj32EIfuioEXl22pGvQqScgJOJY5nnSFLUvymKUv`
			`iMTNllIQd8kdNFcz2uKKozoWl9q9sNHxGZKTa0dfKjeok8X1pybOZK1E7JLUQBi4`
			`oPvI6YAKBFV0BTjkqu6ZBMZE1aPeRxGdGx/fugVc2b3ON6+xfY/gaVjL1eyVG5zI`
			`6Z8xB0A3AgMBAAECggEADG12rWc3YqiAcz9q5ILcMqaLM1RkBtIspkBruvAhaIzu`
			`8Y4Xgw29jyC9Nujo00OgrpNMxjCJE4Zr9/0geC+rxHbZ5kjjAgzmDN8N9C5LZFle`
			`R3EtrN5PsJHQ7+u7tWurflTw7E4lQYk1eBxydwQDPf1RXsH5QtyLB8ScqkkLxSdy`
			`LztMqwu6w9c0TEuzkKMaVgz0xSj2+FLN6yzAQQJUKRCPLff+uKlQx769JA9sji1C`
			`wxcbSJZXdy0EwkGW/4EjGEPxGxZKunSrlem5A5/RPsfFtDo0DWRzZNCt022TVD/X`
			`QesFDt6iZXpo9QUmSPiw25pZn4QD/7bNqePyLxNhLQKBgQDBc+I5WXceSNl5tXOL`
			`UTLkSJaG0R3tBdtQY+Rc0KEQsHi0we968O0BbdFgvdwJw3YWzqm3QtAflgn4GP4X`
			`1pg7CiCy+8cQFY2TShDJpQ//Z0GwDNUeb9I8cevIsONxRsxVphXovRN7/UFc+Hpi`
			`Gnibm/lC9w4F8nXouBCvFzQX3QKBgQDUVv39xUjlBY7qFgTayDY7VfH5HNXgbW+f`
			`sU56EqHtl0VDsDwgI5+91q4uK/X6m0T7FdW1Ua8iKUf+keDzOJR8HeMF01OzpWJR`
			`p/Wqns1P60KGZv/OWn52J7uYMIslU+VyMvCn58QrrRtchJE3QgVKZUcC5kqpWFul`
			`SXax7h6hIwKBgG+OxTlvNzsWpZsDIXOIysFMfsmWFBzYUMXGJS3E/ezi52jNoa2S`
			`/Anj62dPdXGH7zRtzv8on15npq4Us4rJrJX3XC369at30mHKx22RK22MfRvp+oiH`
			`0YQb6e2c3Dw5qKIHmgDR8EeDH0te2yxxuXV6974/PC3/yTD/3FcsGVVdAoGAMeSK`
			`46ECgsWukfRAicO3cnO8WoNbAdPVAZngzbApGjGMFd6IEikstKeH39N2hb8ME09L`
			`GsKpuwYmI3vVdnDZ+tvu5wSDy1dV5cfoYoHTzi6CQCBdhPggdNTbMGRfnZK7+/xa`
			`Lam4n2aaYj/H+0rpAVUQvW6tJmNbjVfYqvA/hC8CgYB8gqUIhP4yz15P2936g8bS`
			`uhNX7Msd6fwLsq/5Hn1j+7oCQ3KfvxOnFUFRDIUQvpLsa38rfn1u06gSXkSoM/3m`
			`WN7PV6auY4J9vhiJcDHLYKWU6IiDPXa2K0EsGarWy1ncJQdpjZPT1Urft2pNF9gP`
			`YwXfJbKUZnJlv9XplwR7Dw==`
			-----END PRIVATE KEY-----`
			`)`

			`func mustCreateFile(path, contents string) {`
			`if err := os.WriteFile(path, []byte(contents), 0600); err != nil {`
			`panic(fmt.Errorf("cannot create file %q with %d bytes contents: %w", path, len(contents), err))`
			`}`
			`}`