diff --git a/connector/github/github.go b/connector/github/github.go
index ef8d418fa8b8e54e8cd4c5484e1abdcbd715db0e..933b23ff31cb3d408255c9d704abfa5f2444915b 100644
--- a/connector/github/github.go
+++ b/connector/github/github.go
@@ -3,25 +3,21 @@ package github
import (
"context"
- "crypto/tls"
- "crypto/x509"
"encoding/json"
"errors"
"fmt"
"io"
- "net"
"net/http"
- "os"
"regexp"
"strconv"
"strings"
- "time"
"golang.org/x/oauth2"
"golang.org/x/oauth2/github"
"github.com/dexidp/dex/connector"
groups_pkg "github.com/dexidp/dex/pkg/groups"
+ "github.com/dexidp/dex/pkg/httpclient"
"github.com/dexidp/dex/pkg/log"
)
@@ -106,7 +102,7 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error)
g.rootCA = c.RootCA
var err error
- if g.httpClient, err = newHTTPClient(g.rootCA); err != nil {
+ if g.httpClient, err = httpclient.NewHTTPClient([]string{g.rootCA}, false); err != nil {
return nil, fmt.Errorf("failed to create HTTP client: %v", err)
}
}
@@ -208,34 +204,6 @@ func (e *oauth2Error) Error() string {
return e.error + ": " + e.errorDescription
}
-// newHTTPClient returns a new HTTP client that trusts the custom declared rootCA cert.
-func newHTTPClient(rootCA string) (*http.Client, error) {
- tlsConfig := tls.Config{RootCAs: x509.NewCertPool()}
- rootCABytes, err := os.ReadFile(rootCA)
- if err != nil {
- return nil, fmt.Errorf("failed to read root-ca: %v", err)
- }
- if !tlsConfig.RootCAs.AppendCertsFromPEM(rootCABytes) {
- return nil, fmt.Errorf("no certs found in root CA file %q", rootCA)
- }
-
- return &http.Client{
- Transport: &http.Transport{
- TLSClientConfig: &tlsConfig,
- Proxy: http.ProxyFromEnvironment,
- DialContext: (&net.Dialer{
- Timeout: 30 * time.Second,
- KeepAlive: 30 * time.Second,
- DualStack: true,
- }).DialContext,
- MaxIdleConns: 100,
- IdleConnTimeout: 90 * time.Second,
- TLSHandshakeTimeout: 10 * time.Second,
- ExpectContinueTimeout: 1 * time.Second,
- },
- }, nil
-}
-
func (c *githubConnector) HandleCallback(s connector.Scopes, r *http.Request) (identity connector.Identity, err error) {
q := r.URL.Query()
if errType := q.Get("error"); errType != "" {
@@ -356,9 +324,11 @@ func formatTeamName(org string, team string) string {
// groupsForOrgs enforces org and team constraints on user authorization
// Cases in which user is authorized:
-// N orgs, no teams: user is member of at least 1 org
-// N orgs, M teams per org: user is member of any team from at least 1 org
-// N-1 orgs, M teams per org, 1 org with no teams: user is member of any team
+//
+// N orgs, no teams: user is member of at least 1 org
+// N orgs, M teams per org: user is member of any team from at least 1 org
+// N-1 orgs, M teams per org, 1 org with no teams: user is member of any team
+//
// from at least 1 org, or member of org with no teams
func (c *githubConnector) groupsForOrgs(ctx context.Context, client *http.Client, userName string) ([]string, error) {
groups := make([]string, 0)
diff --git a/connector/oauth/oauth.go b/connector/oauth/oauth.go
index 237d075e830543362207068a996883aafa055def..2fe39fd467dd7189b1eb5b7070a1b70f9a7981cc 100644
--- a/connector/oauth/oauth.go
+++ b/connector/oauth/oauth.go
@@ -2,21 +2,17 @@ package oauth
import (
"context"
- "crypto/tls"
- "crypto/x509"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
- "net"
"net/http"
- "os"
"strings"
- "time"
"golang.org/x/oauth2"
"github.com/dexidp/dex/connector"
+ "github.com/dexidp/dex/pkg/httpclient"
"github.com/dexidp/dex/pkg/log"
)
@@ -112,7 +108,7 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error)
emailVerifiedKey: emailVerifiedKey,
}
- oauthConn.httpClient, err = newHTTPClient(c.RootCAs, c.InsecureSkipVerify)
+ oauthConn.httpClient, err = httpclient.NewHTTPClient(c.RootCAs, c.InsecureSkipVerify)
if err != nil {
return nil, err
}
@@ -120,40 +116,6 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error)
return oauthConn, err
}
-func newHTTPClient(rootCAs []string, insecureSkipVerify bool) (*http.Client, error) {
- pool, err := x509.SystemCertPool()
- if err != nil {
- return nil, err
- }
-
- tlsConfig := tls.Config{RootCAs: pool, InsecureSkipVerify: insecureSkipVerify}
- for _, rootCA := range rootCAs {
- rootCABytes, err := os.ReadFile(rootCA)
- if err != nil {
- return nil, fmt.Errorf("failed to read root-ca: %v", err)
- }
- if !tlsConfig.RootCAs.AppendCertsFromPEM(rootCABytes) {
- return nil, fmt.Errorf("no certs found in root CA file %q", rootCA)
- }
- }
-
- return &http.Client{
- Transport: &http.Transport{
- TLSClientConfig: &tlsConfig,
- Proxy: http.ProxyFromEnvironment,
- DialContext: (&net.Dialer{
- Timeout: 30 * time.Second,
- KeepAlive: 30 * time.Second,
- DualStack: true,
- }).DialContext,
- MaxIdleConns: 100,
- IdleConnTimeout: 90 * time.Second,
- TLSHandshakeTimeout: 10 * time.Second,
- ExpectContinueTimeout: 1 * time.Second,
- },
- }, nil
-}
-
func (c *oauthConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, error) {
if c.redirectURI != callbackURL {
return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI)
diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
index e345dca0b2fcc64596eb3b16d5b2736e07d94bf9..56aad4b37bd8a218884419cd29fe074e3d04c695 100644
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -15,6 +15,7 @@ import (
"golang.org/x/oauth2"
"github.com/dexidp/dex/connector"
+ "github.com/dexidp/dex/pkg/httpclient"
"github.com/dexidp/dex/pkg/log"
)
@@ -34,7 +35,10 @@ type Config struct {
Scopes []string `json:"scopes"` // defaults to "profile" and "email"
- // Override the value of email_verified to true in the returned claims
+ // Certificates for SSL validation
+ RootCAs []string `json:"rootCAs"`
+
+ // Override the value of email_verifed to true in the returned claims
InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`
// InsecureEnableGroups enables groups claims. This is disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved
@@ -45,6 +49,9 @@ type Config struct {
// processing requests from this Client, with the values appearing in order of preference.
AcrValues []string `json:"acrValues"`
+ // Disable certificate verification
+ InsecureSkipVerify bool `json:"insecureSkipVerify"`
+
// GetUserInfo uses the userinfo endpoint to get additional claims for
// the token. This is especially useful where upstreams return "thin"
// id tokens
@@ -105,7 +112,13 @@ func knownBrokenAuthHeaderProvider(issuerURL string) bool {
// Open returns a connector which can be used to login users through an upstream
// OpenID Connect provider.
func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, err error) {
+ httpClient, err := httpclient.NewHTTPClient(c.RootCAs, c.InsecureSkipVerify)
+ if err != nil {
+ return nil, err
+ }
+
ctx, cancel := context.WithCancel(context.Background())
+ ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
provider, err := oidc.NewProvider(ctx, c.Issuer)
if err != nil {
@@ -152,6 +165,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
),
logger: logger,
cancel: cancel,
+ httpClient: httpClient,
insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
insecureEnableGroups: c.InsecureEnableGroups,
acrValues: c.AcrValues,
@@ -178,6 +192,7 @@ type oidcConnector struct {
verifier *oidc.IDTokenVerifier
cancel context.CancelFunc
logger log.Logger
+ httpClient *http.Client
insecureSkipEmailVerified bool
insecureEnableGroups bool
acrValues []string
@@ -238,7 +253,10 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
if errType := q.Get("error"); errType != "" {
return identity, &oauth2Error{errType, q.Get("error_description")}
}
- token, err := c.oauth2Config.Exchange(r.Context(), q.Get("code"))
+
+ ctx := context.WithValue(r.Context(), oauth2.HTTPClient, c.httpClient)
+
+ token, err := c.oauth2Config.Exchange(ctx, q.Get("code"))
if err != nil {
return identity, fmt.Errorf("oidc: failed to get token: %v", err)
}
diff --git a/connector/openshift/openshift.go b/connector/openshift/openshift.go
index 81d2b356332c3ea3e2ed17b680a13ad108cba9fe..35ee33afb7869d92396c5b5c105bac82eccf1859 100644
--- a/connector/openshift/openshift.go
+++ b/connector/openshift/openshift.go
@@ -2,21 +2,17 @@ package openshift
import (
"context"
- "crypto/tls"
- "crypto/x509"
"encoding/json"
"fmt"
"io"
- "net"
"net/http"
- "os"
"strings"
- "time"
"golang.org/x/oauth2"
"github.com/dexidp/dex/connector"
"github.com/dexidp/dex/pkg/groups"
+ "github.com/dexidp/dex/pkg/httpclient"
"github.com/dexidp/dex/pkg/log"
"github.com/dexidp/dex/storage/kubernetes/k8sapi"
)
@@ -67,7 +63,12 @@ type user struct {
// Open returns a connector which can be used to login users through an upstream
// OpenShift OAuth2 provider.
func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, err error) {
- httpClient, err := newHTTPClient(c.InsecureCA, c.RootCA)
+ var rootCAs []string
+ if c.RootCA != "" {
+ rootCAs = append(rootCAs, c.RootCA)
+ }
+
+ httpClient, err := httpclient.NewHTTPClient(rootCAs, c.InsecureCA)
if err != nil {
return nil, fmt.Errorf("failed to create HTTP client: %w", err)
}
@@ -262,36 +263,3 @@ func validateAllowedGroups(userGroups, allowedGroups []string) bool {
return len(matchingGroups) != 0
}
-
-// newHTTPClient returns a new HTTP client
-func newHTTPClient(insecureCA bool, rootCA string) (*http.Client, error) {
- tlsConfig := tls.Config{}
- if insecureCA {
- tlsConfig = tls.Config{InsecureSkipVerify: true}
- } else if rootCA != "" {
- tlsConfig = tls.Config{RootCAs: x509.NewCertPool()}
- rootCABytes, err := os.ReadFile(rootCA)
- if err != nil {
- return nil, fmt.Errorf("failed to read root-ca: %w", err)
- }
- if !tlsConfig.RootCAs.AppendCertsFromPEM(rootCABytes) {
- return nil, fmt.Errorf("no certs found in root CA file %q", rootCA)
- }
- }
-
- return &http.Client{
- Transport: &http.Transport{
- TLSClientConfig: &tlsConfig,
- Proxy: http.ProxyFromEnvironment,
- DialContext: (&net.Dialer{
- Timeout: 30 * time.Second,
- KeepAlive: 30 * time.Second,
- DualStack: true,
- }).DialContext,
- MaxIdleConns: 100,
- IdleConnTimeout: 90 * time.Second,
- TLSHandshakeTimeout: 10 * time.Second,
- ExpectContinueTimeout: 1 * time.Second,
- },
- }, nil
-}
diff --git a/connector/openshift/openshift_test.go b/connector/openshift/openshift_test.go
index 6280b831deac678c3adfe3aa255e36e7d1d8b1a4..1a2c7a4840a9750a1b02945a3c0955bd74147cdb 100644
--- a/connector/openshift/openshift_test.go
+++ b/connector/openshift/openshift_test.go
@@ -15,6 +15,7 @@ import (
"golang.org/x/oauth2"
"github.com/dexidp/dex/connector"
+ "github.com/dexidp/dex/pkg/httpclient"
"github.com/dexidp/dex/storage/kubernetes/k8sapi"
)
@@ -70,7 +71,7 @@ func TestGetUser(t *testing.T) {
_, err = http.NewRequest("GET", hostURL.String(), nil)
expectNil(t, err)
- h, err := newHTTPClient(true, "")
+ h, err := httpclient.NewHTTPClient(nil, true)
expectNil(t, err)
@@ -128,7 +129,7 @@ func TestVerifyGroup(t *testing.T) {
_, err = http.NewRequest("GET", hostURL.String(), nil)
expectNil(t, err)
- h, err := newHTTPClient(true, "")
+ h, err := httpclient.NewHTTPClient(nil, true)
expectNil(t, err)
@@ -164,7 +165,7 @@ func TestCallbackIdentity(t *testing.T) {
req, err := http.NewRequest("GET", hostURL.String(), nil)
expectNil(t, err)
- h, err := newHTTPClient(true, "")
+ h, err := httpclient.NewHTTPClient(nil, true)
expectNil(t, err)
@@ -198,7 +199,7 @@ func TestRefreshIdentity(t *testing.T) {
})
defer s.Close()
- h, err := newHTTPClient(true, "")
+ h, err := httpclient.NewHTTPClient(nil, true)
expectNil(t, err)
oc := openshiftConnector{apiURL: s.URL, httpClient: h, oauth2Config: &oauth2.Config{
@@ -237,7 +238,7 @@ func TestRefreshIdentityFailure(t *testing.T) {
})
defer s.Close()
- h, err := newHTTPClient(true, "")
+ h, err := httpclient.NewHTTPClient(nil, true)
expectNil(t, err)
oc := openshiftConnector{apiURL: s.URL, httpClient: h, oauth2Config: &oauth2.Config{
diff --git a/go.mod b/go.mod
index c1b1e79c0e7dd8892b66b87319099b9894b7ee93..e2503865aad464e84a5ac709204235e196bb634b 100644
--- a/go.mod
+++ b/go.mod
@@ -84,6 +84,7 @@ require (
go.uber.org/atomic v1.7.0 // indirect
go.uber.org/multierr v1.6.0 // indirect
go.uber.org/zap v1.17.0 // indirect
+ golang.org/x/exp v0.0.0-20221004215720-b9f4876ce741 // indirect
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect
golang.org/x/text v0.4.0 // indirect
diff --git a/pkg/httpclient/httpclient.go b/pkg/httpclient/httpclient.go
new file mode 100644
index 0000000000000000000000000000000000000000..04837a7da0b70c5840c64d9f8b3926d582527f71
--- /dev/null
+++ b/pkg/httpclient/httpclient.go
@@ -0,0 +1,45 @@
+package httpclient
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "fmt"
+ "net"
+ "net/http"
+ "os"
+ "time"
+)
+
+func NewHTTPClient(rootCAs []string, insecureSkipVerify bool) (*http.Client, error) {
+ pool, err := x509.SystemCertPool()
+ if err != nil {
+ return nil, err
+ }
+
+ tlsConfig := tls.Config{RootCAs: pool, InsecureSkipVerify: insecureSkipVerify}
+ for _, rootCA := range rootCAs {
+ rootCABytes, err := os.ReadFile(rootCA)
+ if err != nil {
+ return nil, fmt.Errorf("failed to read root-ca: %v", err)
+ }
+ if !tlsConfig.RootCAs.AppendCertsFromPEM(rootCABytes) {
+ return nil, fmt.Errorf("no certs found in root CA file %q", rootCA)
+ }
+ }
+
+ return &http.Client{
+ Transport: &http.Transport{
+ TLSClientConfig: &tlsConfig,
+ Proxy: http.ProxyFromEnvironment,
+ DialContext: (&net.Dialer{
+ Timeout: 30 * time.Second,
+ KeepAlive: 30 * time.Second,
+ DualStack: true,
+ }).DialContext,
+ MaxIdleConns: 100,
+ IdleConnTimeout: 90 * time.Second,
+ TLSHandshakeTimeout: 10 * time.Second,
+ ExpectContinueTimeout: 1 * time.Second,
+ },
+ }, nil
+}
diff --git a/pkg/httpclient/httpclient_test.go b/pkg/httpclient/httpclient_test.go
new file mode 100644
index 0000000000000000000000000000000000000000..07baea04eef566d771503d7bdfa437eabfd8343e
--- /dev/null
+++ b/pkg/httpclient/httpclient_test.go
@@ -0,0 +1,68 @@
+package httpclient_test
+
+import (
+ "crypto/tls"
+ "fmt"
+ "io"
+ "net/http"
+ "net/http/httptest"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+
+ "github.com/dexidp/dex/pkg/httpclient"
+)
+
+func TestRootCAs(t *testing.T) {
+ ts, err := NewLocalHTTPSTestServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ fmt.Fprint(w, "Hello, client")
+ }))
+ assert.Nil(t, err)
+ defer ts.Close()
+
+ rootCAs := []string{"testdata/rootCA.pem"}
+ testClient, err := httpclient.NewHTTPClient(rootCAs, false)
+ assert.Nil(t, err)
+
+ res, err := testClient.Get(ts.URL)
+ assert.Nil(t, err)
+
+ greeting, err := io.ReadAll(res.Body)
+ res.Body.Close()
+ assert.Nil(t, err)
+
+ assert.Equal(t, "Hello, client", string(greeting))
+}
+
+func TestInsecureSkipVerify(t *testing.T) {
+ ts, err := NewLocalHTTPSTestServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ fmt.Fprint(w, "Hello, client")
+ }))
+ assert.Nil(t, err)
+ defer ts.Close()
+
+ insecureSkipVerify := true
+
+ testClient, err := httpclient.NewHTTPClient(nil, insecureSkipVerify)
+ assert.Nil(t, err)
+
+ res, err := testClient.Get(ts.URL)
+ assert.Nil(t, err)
+
+ greeting, err := io.ReadAll(res.Body)
+ res.Body.Close()
+ assert.Nil(t, err)
+
+ assert.Equal(t, "Hello, client", string(greeting))
+}
+
+func NewLocalHTTPSTestServer(handler http.Handler) (*httptest.Server, error) {
+ ts := httptest.NewUnstartedServer(handler)
+ cert, err := tls.LoadX509KeyPair("testdata/server.crt", "testdata/server.key")
+ if err != nil {
+ return nil, err
+ }
+ ts.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
+ ts.StartTLS()
+ return ts, nil
+}
diff --git a/pkg/httpclient/readme.md b/pkg/httpclient/readme.md
new file mode 100644
index 0000000000000000000000000000000000000000..cc26252293908ed602ae6fd477976e4b9b067efa
--- /dev/null
+++ b/pkg/httpclient/readme.md
@@ -0,0 +1,44 @@
+# Regenerate testdata
+
+### server.csr.cnf
+
+```
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+distinguished_name = dn
+
+[dn]
+C=US
+ST=RandomState
+L=RandomCity
+O=RandomOrganization
+OU=RandomOrganizationUnit
+emailAddress=hello@example.com
+CN = localhost
+```
+
+and
+
+### v3.ext
+```
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+IP.1 = 127.0.0.1
+```
+
+### Then enter the following commands:
+
+`openssl genrsa -out rootCA.key 2048`
+
+`openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem -config server.csr.cnf`
+
+`openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server.csr.cnf`
+
+`openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile v3.ext`
diff --git a/pkg/httpclient/testdata/rootCA.key b/pkg/httpclient/testdata/rootCA.key
new file mode 100644
index 0000000000000000000000000000000000000000..9c4eeee12a3eced98c6eb3fae165b2c4dc8004b1
--- /dev/null
+++ b/pkg/httpclient/testdata/rootCA.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA4dB5aQCjCmMsW71u9F0WNm1TYjXQBZ4p7oNT+BQwCc/MZ2xc
+5NexS2O86nbRkw5jwyfAAMSMKRr9s2FluVTHqiln78rg+XUgmrmNT3ZroLmW6QL6
+Ca8dbMPky+tQclZsvMd3HAeCyyrs4pf7wM1AyUJD7H0xAlVD1fsohkg7jhBFUfV+
+q2VMMdnsaV5vFrW/2vPBWz1SNPW/Xm+Ilny7xg9njQLcPMNtVtF+7EPB6sxD6qrj
+BC+Kj5zQ3bZOfdrh7yy63dbh/Kh+3NScgO+k+x92HlAjRIvj5y4KrbGZl7CmOth5
+y7fPywApVbDfZRWJChI1PVflOyDdnC+vhMLbHQIDAQABAoIBAEmjrrQrXP/6L3EL
+aa+O27uME3Enk1sBpTL+6Ncx3iiU91eS4whNvqeTMvxTGy0VuDrgL6EQd5TAFJP2
+4zF5EFPRhO+R/aPcKnHKqOaM+7RCUZBTRC78SGA70dUeO/HNdVBqy9D8Mg8HRJDw
+d0z8om//iB8LBHx6SdDyQtjnnWRKFTzQRurBBoyLe2vPMFtINKtNUkahjc8HE4GO
+aIv1LICJUzf4ZnkntKd5cFHZ42R2Tmfj0Y9G9DyJbuSA3+0u5IhYB39Uy6jFxLi8
+I5PoIVhgYZ0aivsVBIviShwQ9kgv6807YBxt22eSNovBDrSp+cAnIF9+p0b3MnkU
+aCHSiBECgYEA84lssi6AqfCEsSiQMSM9kMCXJ4KQI/l7pmrIA50+V5HSEby9lg2Y
+N6XJ4V4q46t8FcZBjmMvzn9fwiPMRw5e995cVNBQ31a1FX/1Hy6RNtEiLZRnkHI5
+WznY9IxQ+c9JXJeFY1sO0BfO0TS3WvOf1rwqOb92q+cQaItnPQ+4Ya8CgYEA7V7e
+IqW3PpO4H+c5hH9egM0BjAxH71C9YpYzZpF9uiPIkuMnJ8nm9bB6RiuDaYCxvrfE
+A0h/SQewoYJKL4OfKGjrbG7U4zLMZHIWlf8Za55Zik5BNjvgBqFFrrSgLUGxdRTX
+N0+TlWlW1bvJblWpdjIbJbg/6kCU98TzK852fvMCgYAWYa/apElw1MjtGyQ9T9bN
+odWCbQ5gMAJ8Jd4h7uaW17DtrmHiE3fEzXjDPItGhzENMz49HsJ7ANvFFNMmSJzT
+vNzRcp+sFuTnh+34Iqh32DqC49usu8KnrqZQu0CJ5NICL26z1d+DolyAf47GThOH
+gZ2D1yPJ4p9wbDddtj8kwwKBgCFKB68mPG+rOcxHmjppvnAj0A66/i+izBySYf0F
+dHNxZ0SqVKhw2VIlgNBsc86M/OB5VyT6utccG/paklrdg6mgJTwcwwBl9GI12dMJ
+ZqBAIeCSnvSjKwTjAynALSKLrv5zgMdCArmWf1YUMuilXNG1rzb4AwawLfQdi9jd
+6KJfAoGBALFl6ldywl3sGPk9K2xCDYYhb1TNQyheA5YvoZzZ6XCo1q0Lbwy/FamZ
+0TSWkoEmGB/Hck3HgtZDRo3CTI1vYfbpAtgI7oD1NA1zMaLulNQxKjH3iVvyb+R7
+ZcIT7EVPZgkUwr0bsp22yVDekh/CHoB6FZPCyoAb8WnfJfooTBzB
+-----END RSA PRIVATE KEY-----
diff --git a/pkg/httpclient/testdata/rootCA.pem b/pkg/httpclient/testdata/rootCA.pem
new file mode 100644
index 0000000000000000000000000000000000000000..c03bdac0c02deefa4159c8a7847163412d2a9e68
--- /dev/null
+++ b/pkg/httpclient/testdata/rootCA.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID1jCCAr4CCQCG4JBeSi6cDjANBgkqhkiG9w0BAQsFADCBrDELMAkGA1UEBhMC
+VVMxFDASBgNVBAgMC1JhbmRvbVN0YXRlMRMwEQYDVQQHDApSYW5kb21DaXR5MRsw
+GQYDVQQKDBJSYW5kb21Pcmdhbml6YXRpb24xHzAdBgNVBAsMFlJhbmRvbU9yZ2Fu
+aXphdGlvblVuaXQxIDAeBgkqhkiG9w0BCQEWEWhlbGxvQGV4YW1wbGUuY29tMRIw
+EAYDVQQDDAlsb2NhbGhvc3QwHhcNMjIxMDA3MjIwNjQwWhcNMzIxMDA0MjIwNjQw
+WjCBrDELMAkGA1UEBhMCVVMxFDASBgNVBAgMC1JhbmRvbVN0YXRlMRMwEQYDVQQH
+DApSYW5kb21DaXR5MRswGQYDVQQKDBJSYW5kb21Pcmdhbml6YXRpb24xHzAdBgNV
+BAsMFlJhbmRvbU9yZ2FuaXphdGlvblVuaXQxIDAeBgkqhkiG9w0BCQEWEWhlbGxv
+QGV4YW1wbGUuY29tMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDh0HlpAKMKYyxbvW70XRY2bVNiNdAFninug1P4FDAJ
+z8xnbFzk17FLY7zqdtGTDmPDJ8AAxIwpGv2zYWW5VMeqKWfvyuD5dSCauY1Pdmug
+uZbpAvoJrx1sw+TL61ByVmy8x3ccB4LLKuzil/vAzUDJQkPsfTECVUPV+yiGSDuO
+EEVR9X6rZUwx2expXm8Wtb/a88FbPVI09b9eb4iWfLvGD2eNAtw8w21W0X7sQ8Hq
+zEPqquMEL4qPnNDdtk592uHvLLrd1uH8qH7c1JyA76T7H3YeUCNEi+PnLgqtsZmX
+sKY62HnLt8/LAClVsN9lFYkKEjU9V+U7IN2cL6+EwtsdAgMBAAEwDQYJKoZIhvcN
+AQELBQADggEBAN6g0qit/3R2X+KdR0LgRXF/h4qQFgcV6cxnhRAmLIDNJlxKSHqN
+IE5+bxzCbkblzGfr/jNPqW0s+yaN4CyMgKNYSzkLBPE4FF+19Uv+dyYfFms3mDJ7
+0rGjS5bCscThWhpaSw20LcwQcr/+X+/fGzJ01dVFK1UOjBKg4d4dMwxklbIkZqIq
+siRW0GMy26mgVZ/BSjeh5kEjs6h6H3cJsGl7xYT+BI7wnxHwGeT9tkBgiyT5FwaS
+vtdZkBpQ9q8f7FwsEm3woLHdWuOnrtUtVpY/oc6WFGdROQdGzjSk0D3kHs9YhueC
+GSzZKrqX+TSIgpPrLYNHX4uxlo5TAwP/5GM=
+-----END CERTIFICATE-----
diff --git a/pkg/httpclient/testdata/rootCA.srl b/pkg/httpclient/testdata/rootCA.srl
new file mode 100644
index 0000000000000000000000000000000000000000..214ae68bf1fa74314b890df15d55174090fb4b12
--- /dev/null
+++ b/pkg/httpclient/testdata/rootCA.srl
@@ -0,0 +1 @@
+C1B35F0051A641BB
diff --git a/pkg/httpclient/testdata/server.crt b/pkg/httpclient/testdata/server.crt
new file mode 100644
index 0000000000000000000000000000000000000000..9b0f12ec584a82f490a299678e7acb9b4510185a
--- /dev/null
+++ b/pkg/httpclient/testdata/server.crt
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE5TCCA82gAwIBAgIJAMGzXwBRpkG7MA0GCSqGSIb3DQEBCwUAMIGsMQswCQYD
+VQQGEwJVUzEUMBIGA1UECAwLUmFuZG9tU3RhdGUxEzARBgNVBAcMClJhbmRvbUNp
+dHkxGzAZBgNVBAoMElJhbmRvbU9yZ2FuaXphdGlvbjEfMB0GA1UECwwWUmFuZG9t
+T3JnYW5pemF0aW9uVW5pdDEgMB4GCSqGSIb3DQEJARYRaGVsbG9AZXhhbXBsZS5j
+b20xEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0yMjEwMDcyMjA3MDhaFw0zMjEwMDQy
+MjA3MDhaMIGsMQswCQYDVQQGEwJVUzEUMBIGA1UECAwLUmFuZG9tU3RhdGUxEzAR
+BgNVBAcMClJhbmRvbUNpdHkxGzAZBgNVBAoMElJhbmRvbU9yZ2FuaXphdGlvbjEf
+MB0GA1UECwwWUmFuZG9tT3JnYW5pemF0aW9uVW5pdDEgMB4GCSqGSIb3DQEJARYR
+aGVsbG9AZXhhbXBsZS5jb20xEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAMuKdpXP87Q7Kg3iafXzvBuVIyV1K5UmMYiN
+koztkC5XrCzHaQRS/CoIb7/nUqmtAxx7RL0jzhZ93zBN4HY/Zcnrd9tXoPPxi0mG
+ZZWfFU6nN8nOkMHWzEbHVBmhxpfGtwmLcajQ4HrK1TZwJUn6GqclHQRy/gjxkiw5
+KPqzfVOVlA6ht4KdKstKazQkWZ5gdWT4d8yrEy/IT4oaW05xALBMQ7YGjkzWKsSF
+6ygXI7xqF9rg9jCnUsPYg4f8ut3N0c00KjsfKOOj2dF/ZyjedQ5c0u4hHmxSo3Ka
+0ZTmIrMfbVXgGjxRG2HZXLpPvQKoCf/fOX8Irdr+lahFVKASxN0CAwEAAaOCAQYw
+ggECMIHLBgNVHSMEgcMwgcChgbKkga8wgawxCzAJBgNVBAYTAlVTMRQwEgYDVQQI
+DAtSYW5kb21TdGF0ZTETMBEGA1UEBwwKUmFuZG9tQ2l0eTEbMBkGA1UECgwSUmFu
+ZG9tT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZSYW5kb21Pcmdhbml6YXRpb25Vbml0
+MSAwHgYJKoZIhvcNAQkBFhFoZWxsb0BleGFtcGxlLmNvbTESMBAGA1UEAwwJbG9j
+YWxob3N0ggkAhuCQXkounA4wCQYDVR0TBAIwADALBgNVHQ8EBAMCBPAwGgYDVR0R
+BBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQCWmh5ebpkm
+v2B1yQgarSCSSkLZ5DZSAJjrPgW2IJqCW2q2D1HworbW1Yn5jqrM9FKGnJfjCyve
+zBB5AOlGp+0bsZGgMRMCavgv4QhTThXUoJqqHcfEu4wHndcgrqSadxmV5aisSR4u
+gXnjW43o3akby+h1K40RR3vVkpzPaoC3/bgk7WVpfpPiP32E24a01gETozRb/of/
+ATN3JBe0xh+e63CrPX1sago5+u3UETIoOr0fW8M/gU9GApmJiFAXwHag6j54hLCG
+23EtVDwmlarG8Pj+i0yru8s22QqzAJi5E0OwR4aB8tqicLKYBVfzyLCOielIBUrK
+OkuFKp+VjxQX
+-----END CERTIFICATE-----
diff --git a/pkg/httpclient/testdata/server.csr b/pkg/httpclient/testdata/server.csr
new file mode 100644
index 0000000000000000000000000000000000000000..f422a853c370273e9724a933b9d0ee45969f1e1a
--- /dev/null
+++ b/pkg/httpclient/testdata/server.csr
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIC8jCCAdoCAQAwgawxCzAJBgNVBAYTAlVTMRQwEgYDVQQIDAtSYW5kb21TdGF0
+ZTETMBEGA1UEBwwKUmFuZG9tQ2l0eTEbMBkGA1UECgwSUmFuZG9tT3JnYW5pemF0
+aW9uMR8wHQYDVQQLDBZSYW5kb21Pcmdhbml6YXRpb25Vbml0MSAwHgYJKoZIhvcN
+AQkBFhFoZWxsb0BleGFtcGxlLmNvbTESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy4p2lc/ztDsqDeJp9fO8G5UjJXUr
+lSYxiI2SjO2QLlesLMdpBFL8Kghvv+dSqa0DHHtEvSPOFn3fME3gdj9lyet321eg
+8/GLSYZllZ8VTqc3yc6QwdbMRsdUGaHGl8a3CYtxqNDgesrVNnAlSfoapyUdBHL+
+CPGSLDko+rN9U5WUDqG3gp0qy0prNCRZnmB1ZPh3zKsTL8hPihpbTnEAsExDtgaO
+TNYqxIXrKBcjvGoX2uD2MKdSw9iDh/y63c3RzTQqOx8o46PZ0X9nKN51DlzS7iEe
+bFKjcprRlOYisx9tVeAaPFEbYdlcuk+9AqgJ/985fwit2v6VqEVUoBLE3QIDAQAB
+oAAwDQYJKoZIhvcNAQELBQADggEBADjuujIFoDJllR6Xo/w7j5vfNOeHO5GSgxF2
+XnuuDOI9Tomi7vURFZNbz3VAYiehpxRxYqLwFoQUwFtux2qRuGyg0P9fP1iQXPUE
+QUfFXmvB80uf2bG4lkbUwnmlZLFOEwhGZyPxpvsrxp2Ei2ppkUopCkzOMsSk3m0X
+MC50ZsTHOxfkA3r1WmS7oE2c0p0Fvyx+UJw0URAXFvDS1X0ONgww3FxqbBbm9W37
+5N4FZzGAK6j1wzuynKKXrn20YDCANXYH55PZyupfCeSZT0H0AZifWL7rz/G9uqme
+RzbIYc/CNQQTympjinBegQdVeB3yjVNZIvpGOuPSKQqhwFtmDFo=
+-----END CERTIFICATE REQUEST-----
diff --git a/pkg/httpclient/testdata/server.csr.cnf b/pkg/httpclient/testdata/server.csr.cnf
new file mode 100644
index 0000000000000000000000000000000000000000..6ff57d1a35ef8e5cd929074d997d848efdd338d4
--- /dev/null
+++ b/pkg/httpclient/testdata/server.csr.cnf
@@ -0,0 +1,14 @@
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+distinguished_name = dn
+
+[dn]
+C=US
+ST=RandomState
+L=RandomCity
+O=RandomOrganization
+OU=RandomOrganizationUnit
+emailAddress=hello@example.com
+CN = localhost
diff --git a/pkg/httpclient/testdata/server.key b/pkg/httpclient/testdata/server.key
new file mode 100644
index 0000000000000000000000000000000000000000..9708e1e6ea41fb448c6e89fb349ab6528936eee5
--- /dev/null
+++ b/pkg/httpclient/testdata/server.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDLinaVz/O0OyoN
+4mn187wblSMldSuVJjGIjZKM7ZAuV6wsx2kEUvwqCG+/51KprQMce0S9I84Wfd8w
+TeB2P2XJ63fbV6Dz8YtJhmWVnxVOpzfJzpDB1sxGx1QZocaXxrcJi3Go0OB6ytU2
+cCVJ+hqnJR0Ecv4I8ZIsOSj6s31TlZQOobeCnSrLSms0JFmeYHVk+HfMqxMvyE+K
+GltOcQCwTEO2Bo5M1irEhesoFyO8ahfa4PYwp1LD2IOH/LrdzdHNNCo7Hyjjo9nR
+f2co3nUOXNLuIR5sUqNymtGU5iKzH21V4Bo8URth2Vy6T70CqAn/3zl/CK3a/pWo
+RVSgEsTdAgMBAAECggEAU6cxu7q+54kVbKVsdThaTF/MFR4F7oPHAd9lpuQQSOuh
+iLngMHXGy6OyAgYZlEDWMYN8KdwoXFgZPaoUIaVGuWk8Vnq6XOgeHfbNk2PRhwT0
+yc1K80/Lnx9XMj2p+EEkgxi7eu12BSGN5ZTLzo6rG50GQwjb3WMjd2d6rybL0GjC
+wg2arcBk3sSMYmvZOqlAsaQmtgwkJhvhVkVfEQSD3VKF7g0dh/h3LIPyM0Ff4M67
+KpLMPPwzUJ/0Z4ewAP06mMKUA86R93M+dWs2eh1oBGnRkVQdhCJLXJpuGHZ6BTiB
+Ry0AeorHfnVXPbtpUeAq6m5/BBl6qX0ooB08BIFwAQKBgQDqJpTZS/ZzqL6Kcs14
+MyFu+7DungSxQ5oK9ju7EFSosanSk4UEa/lw992kM6nsIMwgSVQgba5zKcVMeSmk
+AVbpznegQD1BYCwOGwbGvkJ8jbhPy+WLbbRjWT/E6AItZgUK+fyTIcNvSehcQqsT
+fhgWsK7ueZCmLQfVhK1AxtvY3QKBgQDeiKuo8plsH/7IxDn7KVHBOHKPC2ZPzg03
+i7La6zomiRckwwPnhicRSYsjtfCCW6Ms+uzjTEItgFM+5PdrXheeku+z/sExRtZu
+emqPqDomixlXDRQ6RN3gnBSk4RU+ROB1u1uBLWXqRz8Gp2zJGRxhHfYt2zefBv4w
+/cIuPC3cAQKBgD2UsAkGJWb9tj8LOmama+CYaUwYWvuT3+uKHuNvxBQpxZQQICet
+jgjb53rL66Cib4z+PBXbQsoe7jjSlNUBVS5gkq2et31+IZgEG6AhYbMIQrUZ1uD4
+lTybuF289vWhoynj3T2E37VhJq89CWky/HrbNOabKiPKLAlHv5kNs7wxAoGBANEJ
+XQbU7J2O6Iy7FyQBSlTQq3wHX1Iz4mJ9DcNrFzK/sEfOEMrZT7WDefpPm984KW3F
+P+S766ZGVuxLtMbcmh9RM23HLr8VJbSdtZ/AjO9L1r/Y/1lE+49TzmibLpNRq++r
+0WbkuEl8J44ek6fLuMbZmDi3JeZycTCgDlnUGdgBAoGAYdliovtURZCm46t1uE3F
+idCLCXCccjkt1hcNGNjck/b0trHA7wOEqICIguoWDlEBTc0PDvHEq6PfKyqptGkj
+AgaZTMF/aZiGqlT7VRpBuzxM/uV5xzCg+i2ViaW/p3xq0z2PRljVZiEfe5aWcjiM
+ouTtnC3TgmcjhTgGmb48QQE=
+-----END PRIVATE KEY-----
diff --git a/pkg/httpclient/testdata/v3.ext b/pkg/httpclient/testdata/v3.ext
new file mode 100644
index 0000000000000000000000000000000000000000..68e35be863079ed5860d3b3048650f8563c22950
--- /dev/null
+++ b/pkg/httpclient/testdata/v3.ext
@@ -0,0 +1,8 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+IP.1 = 127.0.0.1