Convert certificates without using openssl

This implements PEM-encoded X.509 certificate parsing using Go crypto,
and exports the result using SSLMate's go-pkcs12 package (or rather,
cert-manager's fork of go-pkcs12 which adds support for encoding with
a friendly name; see SSLMate/go-pkcs12#67 for
details).

Signed-off-by: Stephen Kitt <skitt@redhat.com>

Author: skitt

go.mod

@@ -31,6 +31,7 @@ require (
 	sigs.k8s.io/knftables v0.0.19
 	sigs.k8s.io/mcs-api v0.3.0
 	sigs.k8s.io/structured-merge-diff/v4 v4.7.0
+	software.sslmate.com/src/go-pkcs12 v0.6.0
 )
 
 require (
@@ -102,3 +103,5 @@ require (
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
+
+replace software.sslmate.com/src/go-pkcs12 => github.com/cert-manager/go-pkcs12 v0.0.0-20250730101253-8f67713f0d8f

go.sum

@@ -17,6 +17,8 @@ github.com/cenkalti/hub v1.0.1 h1:UMtjc6dHSaOQTO15SVA50MBIR9zQwvsukQupDrkIRtg=
 github.com/cenkalti/hub v1.0.1/go.mod h1:tcYwtS3a2d9NO/0xDXVJWx3IedurUjYCqFCmpi0lpHs=
 github.com/cenkalti/rpc2 v0.0.0-20210604223624-c1acbc6ec984 h1:CNwZyGS6KpfaOWbh2yLkSy3rSTUh3jub9CzpFpP6PVQ=
 github.com/cenkalti/rpc2 v0.0.0-20210604223624-c1acbc6ec984/go.mod h1:v2npkhrXyk5BCnkNIiPdRI23Uq6uWPUQGL2hnRcRr/M=
+github.com/cert-manager/go-pkcs12 v0.0.0-20250730101253-8f67713f0d8f h1:FwCDR5Jrbj6wp/SDFVQoeBIOJYhWfLzUmxl/fSNdDOk=
+github.com/cert-manager/go-pkcs12 v0.0.0-20250730101253-8f67713f0d8f/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/containernetworking/cni v0.8.1 h1:7zpDnQ3T3s4ucOuJ/ZCLrYBxzkg0AELFfII3Epo9TmI=

pkg/cable/libreswan/certificate_handler.go

@@ -22,6 +22,8 @@ import (
 	"bytes"
 	"context"
 	"crypto/sha256"
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"os"
 	"os/exec"
@@ -32,6 +34,7 @@ import (
 	"github.com/submariner-io/admiral/pkg/command"
 	"github.com/submariner-io/admiral/pkg/log"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"software.sslmate.com/src/go-pkcs12"
 )
 
 var certLogger = log.Logger{Logger: logf.Log.WithName("CertHandler")}
@@ -93,55 +96,61 @@ func (c *CertificateHandler) loadCertificate(ctx context.Context, certData []byt
 	return errors.Wrapf(err, "failed to load certificate %q", nickname)
 }
 
-//nolint:gosec // openssl/pk12util args are from trusted config
+//nolint:gosec // pk12util args are from trusted config
 func (c *CertificateHandler) loadPrivateKey(ctx context.Context, certData, keyData []byte, nickname string) error {
-	// Write cert and key to temporary files
-	certFile, err := os.CreateTemp(RootDir, "submariner-cert-*.crt")
-	if err != nil {
-		return errors.Wrap(err, "failed to create temporary cert file")
-	}
-	defer os.Remove(certFile.Name())
-
-	if _, err := certFile.Write(certData); err != nil {
-		return errors.Wrap(err, "failed to write certificate to temporary file")
-	}
-
-	certFile.Close()
-
-	keyFile, err := os.CreateTemp(RootDir, "submariner-key-*.key")
-	if err != nil {
-		return errors.Wrap(err, "failed to create temporary key file")
+	// Parse certificate data
+	var parsedCert *x509.Certificate
+	var err error
+
+	for block, rest := pem.Decode(certData); block != nil; block, rest = pem.Decode(rest) {
+		switch block.Type {
+		case "CERTIFICATE":
+			parsedCert, err = x509.ParseCertificate(block.Bytes)
+			if err != nil {
+				return errors.Wrap(err, "error parsing certificate data")
+			}
+		default:
+			return fmt.Errorf("unexpected block type %q in certificate data", block.Type)
+		}
 	}
-	defer os.Remove(keyFile.Name())
 
-	if _, err := keyFile.Write(keyData); err != nil {
-		return errors.Wrap(err, "failed to write key to temporary file")
+	// Parse key data
+	var parsedKey any
+
+	for block, rest := pem.Decode(keyData); block != nil; block, rest = pem.Decode(rest) {
+		switch block.Type {
+		case "PRIVATE KEY":
+			parsedKey, err = x509.ParsePKCS8PrivateKey(block.Bytes)
+			if err != nil {
+				return errors.Wrap(err, "error parsing key data")
+			}
+		default:
+			return fmt.Errorf("unexpected block type %q in key data", block.Type)
+		}
 	}
 
-	keyFile.Close()
-
-	// Create PKCS#12 file with openssl
+	// Export PKCS#12 file
 	p12File, err := os.CreateTemp(RootDir, "submariner-client-*.p12")
 	if err != nil {
 		return errors.Wrap(err, "failed to create temporary pkcs12 file")
 	}
 
 	defer os.Remove(p12File.Name())
-	p12File.Close()
 
 	// Use empty password for PKCS#12
 	pkcs12Password := ""
 
-	opensslCmd := exec.CommandContext(ctx, "openssl", "pkcs12", "-export",
-		"-in", certFile.Name(),
-		"-inkey", keyFile.Name(),
-		"-out", p12File.Name(),
-		"-name", nickname,
-		"-passout", "pass:"+pkcs12Password)
-	if err := execWithOutput(command.New(opensslCmd)); err != nil {
-		return errors.Wrap(err, "failed to create PKCS#12 file")
+	pkcsData, err := pkcs12.Modern.EncodeWithFriendlyName(nickname, parsedKey, parsedCert, []*x509.Certificate{}, pkcs12Password)
+	if err != nil {
+		return errors.Wrap(err, "error encoding to PKCS#12")
+	}
+
+	if _, err := p12File.Write(pkcsData); err != nil {
+		return errors.Wrap(err, "error writing PKCS#12 file")
 	}
 
+	p12File.Close()
+
 	// Import PKCS#12 into NSS using pk12util
 	pk12Cmd := exec.CommandContext(ctx, "pk12util", "-i", p12File.Name(), "-d", "sql:"+c.nssDBDir, "-W", pkcs12Password)
 	err = execWithOutput(command.New(pk12Cmd))

pkg/cable/libreswan/certificate_handler_test.go

@@ -20,6 +20,7 @@ package libreswan_test
 
 import (
 	"context"
+	_ "embed"
 	"maps"
 	"os"
 	"os/exec"
@@ -33,11 +34,39 @@ import (
 	"github.com/submariner-io/submariner/pkg/cable/libreswan"
 )
 
+//go:generate openssl req -x509 -newkey rsa:4096 -keyout certs/ca.key -out certs/ca.crt -sha256 -days 3650 -nodes -subj "/C=XX/ST=State/L=City/O=Company/OU=Organisation/CN=CA"
+//go:embed certs/ca.crt
+var caCertContent []byte
+
+//go:generate openssl req -new -newkey rsa:4096 -keyout certs/test.key -out certs/test.csr -nodes -subj "/C=XX/ST=State/L=City/O=Company/OU=Organisation/CN=test"
+//go:generate openssl x509 -req -in certs/test.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/test.crt -days 3650
+//go:embed certs/test.crt
+var testCertContent []byte
+
+//go:embed certs/test.key
+var testKeyContent []byte
+
+//go:generate openssl req -new -newkey rsa:4096 -keyout certs/mock.key -out certs/mock.csr -nodes -subj "/C=XX/ST=State/L=City/O=Company/OU=Organisation/CN=mock"
+//go:generate openssl x509 -req -in certs/mock.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/mock.crt -days 3650
+//go:embed certs/mock.crt
+var mockCertContent []byte
+
+//go:embed certs/mock.key
+var mockKeyContent []byte
+
+//go:generate openssl req -new -newkey rsa:4096 -keyout certs/new.key -out certs/new.csr -nodes -subj "/C=XX/ST=State/L=City/O=Company/OU=Organisation/CN=new"
+//go:generate openssl x509 -req -in certs/new.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/new.crt -days 3650
+//go:embed certs/new.crt
+var newCertContent []byte
+
+//go:embed certs/new.key
+var newKeyContent []byte
+
 var _ = Describe("CertificateHandler", func() {
 	certData := map[string][]byte{
-		certificate.CADataKey:         []byte("-----BEGIN CERTIFICATE-----\nMOCK_CA_CERT\n-----END CERTIFICATE-----"),
-		certificate.TLSDataKey:        []byte("-----BEGIN CERTIFICATE-----\nMOCK_CLIENT_CERT\n-----END CERTIFICATE-----"),
-		certificate.PrivateKeyDataKey: []byte("-----BEGIN PRIVATE KEY-----\nMOCK_CLIENT_KEY\n-----END PRIVATE KEY-----"),
+		certificate.CADataKey:         caCertContent,
+		certificate.TLSDataKey:        testCertContent,
+		certificate.PrivateKeyDataKey: testKeyContent,
 	}
 
 	var (
@@ -69,16 +98,15 @@ var _ = Describe("CertificateHandler", func() {
 			cmdExecutor.AwaitCommand(ContainSubstring("certutil"), "-N", "-d", "sql:"+handler.NSSDatabaseDir())
 			assertCmdStdIn(cmdExecutor.AwaitCommand(ContainSubstring("certutil"), "-A", libreswan.CACertName,
 				"-d", "sql:"+handler.NSSDatabaseDir()), certData[certificate.CADataKey])
-			cmdExecutor.AwaitCommand(ContainSubstring("openssl"), "pkcs12", "-export", "-name", libreswan.ClientCertName)
 			cmdExecutor.AwaitCommand(ContainSubstring("pk12util"), "-d", "sql:"+handler.NSSDatabaseDir())
 			cmdExecutor.Clear()
 
 			By("Invoking OnSignedCallback with new cert data")
 
 			newCertData := map[string][]byte{
-				certificate.CADataKey:         []byte("NEW_CA_CERT"),
-				certificate.TLSDataKey:        []byte("NEW_CLIENT_CERT"),
-				certificate.PrivateKeyDataKey: []byte("NEW_CLIENT_KEY"),
+				certificate.CADataKey:         caCertContent,
+				certificate.TLSDataKey:        newCertContent,
+				certificate.PrivateKeyDataKey: newKeyContent,
 			}
 			Expect(handler.OnSignedCallback(newCertData)).To(Succeed())
 
@@ -132,7 +160,7 @@ var _ = Describe("CertificateHandler", func() {
 			Expect(err).NotTo(HaveOccurred())
 
 			newCertData := maps.Clone(certData)
-			newCertData[certificate.CADataKey] = []byte("NEW_CA_CERT")
+			newCertData[certificate.CADataKey] = caCertContent
 			Expect(handler.OnSignedCallback(newCertData)).To(Succeed())
 
 			cmdExecutor.EnsureNoCommand(ContainSubstring("certutil"), "-N")
@@ -159,9 +187,9 @@ func (m *mockSigningRequestor) Issue(_ context.Context, _ string, sanIPs []strin
 	}
 
 	certData := map[string][]byte{
-		certificate.TLSDataKey:        []byte("mock-tls-cert"),
-		certificate.PrivateKeyDataKey: []byte("mock-tls-key"),
-		certificate.CADataKey:         []byte("mock-ca-cert"),
+		certificate.TLSDataKey:        mockCertContent,
+		certificate.PrivateKeyDataKey: mockKeyContent,
+		certificate.CADataKey:         caCertContent,
 	}
 
 	return onSigned(certData)

pkg/cable/libreswan/certs/.gitignore

@@ -0,0 +1,3 @@
+*.csr
+*.srl
+

pkg/cable/libreswan/certs/ca.crt

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFpTCCA42gAwIBAgIUIH1PJfzEFashELD7QMDo8P0nGqYwDQYJKoZIhvcNAQEL
+BQAwYjELMAkGA1UEBhMCWFgxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5
+MRAwDgYDVQQKDAdDb21wYW55MRUwEwYDVQQLDAxPcmdhbmlzYXRpb24xCzAJBgNV
+BAMMAkNBMB4XDTI1MTAxMDA5MzcwN1oXDTM1MTAwODA5MzcwN1owYjELMAkGA1UE
+BhMCWFgxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAwDgYDVQQKDAdD
+b21wYW55MRUwEwYDVQQLDAxPcmdhbmlzYXRpb24xCzAJBgNVBAMMAkNBMIICIjAN
+BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA04xSWeVHgbRAV7pJeKowchTXErLl
+HH6Ml9dxrB5DpaTQVFLv74e0x5ejb5GYYHA0ZBsBo0SPD6O7VvBZ5t/BQwx4VSDR
+qf89jQpW9Cc51zJkxAIbnpyhqRjm7ANruvZ2gNUZ+9/QvE//3WGie7VqArIWl8O0
+Klu030LpeVhP5BRqJLjQPl795U8r8+7vF4S7wq4z/mkuNzfbh+Gthy3WzH78rtXc
+u0P4PJ805asiEWC516OIXmun78WTTo2rN2AKwfXUhE8OVq6vrWCLnLiMhPotxUqJ
+ybct6JqV0A401iQI51YgKIgg2iU7kI+tmHHd6ayOjmOzqebx6tYutu/dr4tN6T5g
+v1SaA87B9STBMyJV7UhryRSrjg4chystsChZzbMHkevh505VMq8k+DxN0OgzLh11
+3Nyn5yZuxI35tMioI73hNqe3/u1iFa8+o4xLH75g/1Z2cyRTBwlpd6BsEjNpbWai
+jjrRFiXHGAlCX6VTj0pSqZLR6KHbg70W5t64bvLGmE/povFE+29fxf+ig9Pg3bEz
+VInR4HCq0fajxnJT6gSA2lho+f7v1dhbZi3LZInn9If8BY4LePhHK2ZuiUEV2449
+RhM1kQEVPla0hbGtSVdVwK6xWw4ohkCaQ6unxiaySjg3Lvoy606qkSZNjROOWae/
+ANXUDDOy4lDQJJsCAwEAAaNTMFEwHQYDVR0OBBYEFGoj9w1fiPCe59ecWFxtDHJn
+McVaMB8GA1UdIwQYMBaAFGoj9w1fiPCe59ecWFxtDHJnMcVaMA8GA1UdEwEB/wQF
+MAMBAf8wDQYJKoZIhvcNAQELBQADggIBAAd+Txs4xf/Me6F8uM5cGYltsk89+Q8X
+4Tf+NckDVq8ZjvySg7fu0OwdSIcc8Du0tOGj18ZpbFWnc9JeJ4tVVV6EoqLJsdJf
+e9sceUDMNN/KKpl5dYQbDFlt2HsL5+ff0DypO49iAn1GQ3MTj2/eoVXoJMwNnKyd
+t1OUdSI5zqozAQcS+zaYB7Q2QC2ZHFIXzHYiv5i4GStTI0C8+3aA6K+lSi6HRNWY
+rpucTgxPxT72lYWkYGNGKsowYFB4C4PZFJZ/U8HRxUaB8zvAfXHdNl9lFtlcTIiJ
+Bs1JaYiT05InTxTuLrWzxZCrVYUxJv+i+kOTWWpjBeE1grq7hxFt4ff5v6GD1mFS
+T7afEoYmxMiI4aukbSRzLAoeMi0B+dQmpZOwiLiTn52Lu1UftpAoq7wi53oYOJGW
+pFxA7EqdnqNeSm6b0AMjC5jEv8EH5AMc9qCq0+sWoJQw1G4/be5Tc/+V3lQotSSQ
+izhhqGg97oeUTKCciC9t7jZi9clirc2GoecnlbgzIaPyBBTctXNXbFEal/3PMNZD
+IhXEnUOc8XOVvMUSWOMjLgG/8VKzJXx4ZTfx6ZdNR58utRkn8XrojpgC6tx89Z/5
+VWxHPO68T3AIvFIfbVKFLcFtHXycs1x07Ut+Jt7nS87A6IHO6O5M5e3KitUuoJQl
+Y6I9F0UbRIwD
+-----END CERTIFICATE-----

pkg/cable/libreswan/certs/ca.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDTjFJZ5UeBtEBX
+ukl4qjByFNcSsuUcfoyX13GsHkOlpNBUUu/vh7THl6NvkZhgcDRkGwGjRI8Po7tW
+8Fnm38FDDHhVINGp/z2NClb0JznXMmTEAhuenKGpGObsA2u69naA1Rn739C8T//d
+YaJ7tWoCshaXw7QqW7TfQul5WE/kFGokuNA+Xv3lTyvz7u8XhLvCrjP+aS43N9uH
+4a2HLdbMfvyu1dy7Q/g8nzTlqyIRYLnXo4hea6fvxZNOjas3YArB9dSETw5Wrq+t
+YIucuIyE+i3FSonJty3ompXQDjTWJAjnViAoiCDaJTuQj62Ycd3prI6OY7Op5vHq
+1i62792vi03pPmC/VJoDzsH1JMEzIlXtSGvJFKuODhyHKy2wKFnNsweR6+HnTlUy
+ryT4PE3Q6DMuHXXc3KfnJm7Ejfm0yKgjveE2p7f+7WIVrz6jjEsfvmD/VnZzJFMH
+CWl3oGwSM2ltZqKOOtEWJccYCUJfpVOPSlKpktHooduDvRbm3rhu8saYT+mi8UT7
+b1/F/6KD0+DdsTNUidHgcKrR9qPGclPqBIDaWGj5/u/V2FtmLctkief0h/wFjgt4
++EcrZm6JQRXbjj1GEzWRARU+VrSFsa1JV1XArrFbDiiGQJpDq6fGJrJKODcu+jLr
+TqqRJk2NE45Zp78A1dQMM7LiUNAkmwIDAQABAoICAANEQ3FH7Ra/pc60/bVzS1Q3
+piqPwKH0Ak/F7+dsgDbqmJz0uufD/LKoUMnEQcobcXOqRxgyUtM3AAmTpI/AHMfg
+RWtrGlG5s0WeR0F16Zq9GHk+XxbP7F8kF0zFsMAuVh4fLEuLZTnDMnxEqbGnV3+7
+KEYnq3yL9fsMmXZaOsGW3xy6Dd0oslr8If2eTuraDdwvvHXNQf1wS1+JyJgxyQNX
+YqeAfewWXJrzCmoRfnEuQTBnQg/TMcCuGFw6K86rGP9twF5aqioEgIn4168P2nuj
+MVm+kOogfgD9ghq4XXCBFfIcjlqR34/+yzCsR033VCnrlDf2qiuReWLa89W3VoD8
+QbmpZsB+oaWdNlNti/BeLmIumBsMRceFHKuGjomgLAkRrwrTh+Gkxq3/s3B5Q++u
+9bXMr0X5WhBqzy3i/0pS6cYmHDjCfm2Uqx4PJ8bFcJBTEe6qbh3rUFLDqv1OCSeu
+HAVFUyx1/yTfNdrVIgzqIFaVFWXi7HMOAF6MEZYGMxVmVywdiKkyi5dOFgXCKKju
+nytLjH9EHM6nk2tgRkeWOOwKPgui+OvT24QiHswZtqIQxUvn8O7LUIi41rfZEjeM
+3OVufCNMIW/AahJktde26ArZfFhi6gO8RVgVwzRlnU68RamJdyyXh9/b8BhJWBQr
+ybRDZfmes/aPX52MfRRBAoIBAQDqzDjlmBVJ6DhQj9NtVSpGXyqemRYx9XPSSCT9
+38PheQTbXa3dfqDJnAuoghWgVsIWW2aw/VO1rosDNz5yYxB4C3Res9sweO9j8lVX
+hZSiAUMSvyi3XDBsCnH+yzrToJYTvW22hSKfc+YN+UiKJkb9u3gVmPXZ10EwD8uW
+ZbhCoRpvcIWuY60kcjQQKf8EZeScx+CXy+2RCG5gURGdZzvpYohrNDy1ttrAIHOB
+ff44pF2KmdhUlx4iygRZfyyoW8+xM2VfIuGqkxuNsyl8zs5VE252ZZn72l+1ax3L
+BljXDWtq0JQh4ziPreftprpTIxlGbNjcbmcu3pd7TdPyQrapAoIBAQDmpqRs6pZ3
+bvM+dsauebdf0j3c2V3LOrVUEO8FUeyacSqOyB4X0khgNu7Fg3kyoM9aF1V9Zqlf
+oOF7WcA+tKnUIPhBO88ker3OEPVlbK57JwM2spnRf1unhsqsElrleBQWpA+JjUjo
+XXlc7q9fhM/BleM91ktrfK7rXUm/cu3ns0HweN3V8Ym7bBz0oRLTKaBopyz7Gcn6
+ysTwdVYuUdNC/vmWv34CrmDRsgrn1L/cLSeHDjEi/gOwO2AJKvvCnC4oj+u3To7W
+vc8JsEvMrvfuXrkZzklKAtVUa1uH+I6LUWmDHfcRFrsLSXfKQoSAGeEdmum/nkFy
+9B/kXb1k+H+jAoIBAFulEqAq2ERcq35mZPPLxhBpnM0Cm7MsRuTQ2/9rk50yCz9E
+NVS61C9dBP/kpmRK+L6ZNl/mwQGs+v1qVql3GTqB3g4IzYkB6w5ry/u5W+ZP78ol
+atMG3K+O9CerU26+w1U5HtWa6YSrTCQwJKwnfJYU0i474doBNqR3xdMSKPV4xESy
++rqylSYgnUmh2rPwwWagbX1ST4vIaqyVd/akELJrjyuo2/lhQciz4eGtN8kL/qbW
+naWGxnB1wXTdOqUMEOjtUqfriYF2oc6RG6RnZAm45+i2h3/SIIFDKgHQnGR0DHVI
+rEj901nhWyFbbmZ80KS4X3zKauPUZfPu0MdCWuECggEAdQChtjKGI43fzJb6EHXk
+BLKk+Qw23Sop47w3U86MJIg1m3p+cX0Vg+E53G3mJD2ZEc12a4eRcdYtq6IKuIRz
+Bg23gXfyi0HMWOUXZtzr4cMXiT6ucqyVdPUWiJVDENaJ8jZFP3SxQFZygyb9RYoc
+zcnYHX1AgwUbwn9vMrP9ZST01SSq+6VsRewBAENZRk7+dTggxDv/zr3fi08qaZLO
+hVTMjaEULg4BRT5488NjlDA/te4IFQUgH9zuyZfJYJ5Td/YSD8nFAcAFb5fDy9AS
+KxRX93RCj03Co/FV3DLFNH0W9hFUTJHoTkB1iN+XUVhPbvIvkymXb9XQ+8plkfvQ
+2wKCAQEAxBvshBLeXFOAx4D5017RsPa2B8hd3tmY4gtvAnsL+1jXwrd7aNkM0lX9
+7qCj8TMSWbi7Nv7Bp3X+B+LLTo5usHdf8Uw11Yuv6wbmLrd5I81NJilZAmCkgl4c
+NBdtauOVUNdOuRxXME/tcGBZlqml/d+MUgfJTgk5YyKeK11yEiNAHL9Q48CCJgKG
+uUzuun3RitRLDPTBqSXqd0cvaTW71Z9KJdY+n6PHoWmVdIp/8xFct8kebhIlRWVP
+sH4dlIT8oZz95o7N+5MJDqHZqolXTt6nDDc8gODIIOeczmtAu7KlUHDPHS3p2iCr
+oJls5WrQwkYQBzHgRhZlOHQJA26GHg==
+-----END PRIVATE KEY-----

pkg/cable/libreswan/certs/mock.crt

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFljCCA36gAwIBAgIUR2qWeJD0U82PiiinQDJkD0TYX/EwDQYJKoZIhvcNAQEL
+BQAwYjELMAkGA1UEBhMCWFgxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5
+MRAwDgYDVQQKDAdDb21wYW55MRUwEwYDVQQLDAxPcmdhbmlzYXRpb24xCzAJBgNV
+BAMMAkNBMB4XDTI1MTAxMDA5MzcwN1oXDTM1MTAwODA5MzcwN1owZDELMAkGA1UE
+BhMCWFgxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRAwDgYDVQQKDAdD
+b21wYW55MRUwEwYDVQQLDAxPcmdhbmlzYXRpb24xDTALBgNVBAMMBG1vY2swggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCp5i95yhfNUqPl0NFpHdaH31DX
+QeHfY6UTFBvKNR+pBlyUXg7x+dGYw+sFxjofpk8Quz2HEEXgszXKYw0NFfdxJG4H
+Gz+Qzx9B653XZIVoqwbUf9aakXjarTLeUG/kdlIkPwFCOy1Nn7AO2x//Sl7ic+W3
+LkjbsedEKTg2ejQzVFGEnipPGuTQ/EQdl4JmHLCNi5TM9CTCu3b6dPJLZCgYAryR
+nkvklvZjiUo7bVldbzL+oMufBDVna3etGnUcrMJpekSEDQ5zdvUPVzukqmRbWgpK
+FhffMlZWswrrP8osyu4ytQWWMDU6KJJH7lf1GsK2gxjaGwBRwoSXi1KaYvDRTGL9
+YC97OoIylQHdmN7AW5+MnLQKfsQEWzcNt3n4F6G50PbVVgIR3DKu9yItUdkxIi4V
+CYUNaOrUpAPd4jxl7SENckh2bhgewBswPQqovBtDksE2wnsrIja7UO0lVKNmfsBF
+zHGum1w1K3w5AVylgB4tJ5+CXCVZDWqs9Ul8PWciD2m/M6yDG592/ox9tXeeYg8m
+7PbBnc/1+1kBiMbgokwoOeCNjjshoqwnj3J7Tk7oCIRTA+0ZvdE8OJlDGvmAEU71
+9jsndrzDpKUSu1d/MaySlpV/wPhrxcjsVxVW1W1/8KuhVRLgBkQqk8IcvKyaAdDf
+5OTZ9k65rT9tPbncNwIDAQABo0IwQDAdBgNVHQ4EFgQUv5ugMb8KgpTSJBuK198U
+JZnqOJkwHwYDVR0jBBgwFoAUaiP3DV+I8J7n15xYXG0McmcxxVowDQYJKoZIhvcN
+AQELBQADggIBAC8dfxz3YV35HbA7gZ2vvasRNCEeJI4m8dtkpkRFpEK7PcvFykn3
+xOXFewIvVSIJ3dqN+2jHnbuntQsDNXcbk8KOXyTlEb10Ve3AYndYxp+Udu+ZHAfi
+tWWN2WPILiKot9X2dTFjTAsDekSrsPl6ySh9SxbWa9UYCnejV3c4+81joFdN7Yli
+6Dl4iUM1JRiyb2hJP1tQYy+0InanGM8aT9yAbRY79ceAJ+2IU7pPHtYpp2X+YvoE
+j7Z9lIsERkhf8tINA7yUDEZiPwn63Iy1yKDSjr9FYAVE0tExhvrldOF4813pE30r
+Gl8m3IfzHwXRRKRsR0KVDoPz2kT6DFUCDUuKIjopzCgi0rKfSkQwaTXM4V2+2Dwj
+NU+Q5cjsV0OtIMTq2Fv0o1feI6qYdPf2KE+tvFmlruHCVyY7Hd5k6aaVvtnQgyN4
+yjDXcaC6vJC3mfDy/b8O0A3uLY97mssBEg+DvpHXCCvf/mfe1xKtjpKdLL2broW4
+DeCtYc6k9/Rl9gTLDP9iZlngEiZmsbIH5aLngdsIANV1Qz6ew00xDGfGP3EjGrhg
+yDgCbmSMy58uwbJVTNqxu1+6PGdtc8lBu6hEhcTyl/aOVMrCIN57xIcVnu9ff9hK
+D5fmDfC3gu8ithl3+XFXQ7wcsiLTfzxPl32vke2i5hYsG2dOJwYPnI6b
+-----END CERTIFICATE-----