Merge 559de6389d into 7ccaf0a21f

.gitignore

@@ -2,3 +2,4 @@ dist/
 .idea/
 VERSION
 .tmp/
+*.swp

cmd/grpcurl/grpcurl.go

@@ -14,6 +14,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/fullstorydev/grpcurl/internal/certigo/lib"
 	"github.com/jhump/protoreflect/desc"
 	"github.com/jhump/protoreflect/grpcreflect"
 	"google.golang.org/grpc"
@@ -64,9 +65,16 @@ var (
 	cacert = flags.String("cacert", "", prettify(`
 		File containing trusted root certificates for verifying the server.
 		Ignored if -insecure is specified.`))
+	pCACertFormat = flags.String("cacert-format", string(lib.CertKeyFormatPEM), prettify(`
+		cacert Format of given input (PEM, DER; heuristic if missing).`))
 	cert = flags.String("cert", "", prettify(`
 		File containing client certificate (public key), to present to the
-		server. Not valid with -plaintext option. Must also provide -key option.`))
+		server. Not valid with -plaintext option. Must also provide -key option
+		when use PEM/DER certificate file.`))
+	pCertFormat = flags.String("cert-format", string(lib.CertKeyFormatPEM), prettify(`
+		cert Format of given input (PEM, DER, PKCS12; heuristic if missing).`))
+	certPass = flags.String("pass", "", prettify(`
+		Pass phrase for the PKCS12 cert`))
 	key = flags.String("key", "", prettify(`
 		File containing client private key, to present to the server. Not valid
 		with -plaintext option. Must also provide -cert option.`))
@@ -288,6 +296,9 @@ func main() {
 
 	// default behavior is to use tls
 	usetls := !*plaintext && !*usealts
+	cacertFormat := lib.NewCertificateKeyFormat(*pCACertFormat)
+	certFormat := lib.NewCertificateKeyFormat(*pCertFormat)
+	keyFormat := lib.CertKeyFormatPEM
 
 	// Do extra validation on arguments and figure out what user asked us to do.
 	if *connectTimeout < 0 {
@@ -314,9 +325,53 @@ func main() {
 	if *key != "" && !usetls {
 		fail(nil, "The -key argument can only be used with TLS.")
 	}
-	if (*key == "") != (*cert == "") {
+
-		fail(nil, "The -cert and -key arguments must be used together and both be present.")
+	if usetls {
+		if *cacert != "" {
+			guessFormat, err := lib.GuessFormatForFile(*cacert, cacertFormat)
+			if err != nil {
+				fail(nil, "Fail to guess file format of -key  err: %s", err)
+			}
+			switch guessFormat {
+			case lib.CertKeyFormatPEM, lib.CertKeyFormatDER:
+				cacertFormat = guessFormat
+			default:
+				fail(nil, "The -cacert-format %s not support.", cacertFormat)
+			}
+		}
+		if *cert != "" {
+			guessFormat, err := lib.GuessFormatForFile(*cert, certFormat)
+			if err != nil {
+				fail(nil, "Fail to guess file format of -cert err: %s", err)
+			}
+
+			switch guessFormat {
+			case lib.CertKeyFormatPEM, lib.CertKeyFormatDER:
+				if *cert == "" || *key == "" {
+					fail(nil, "The -cert and -key arguments must be used together and both be present.")
+				}
+				certFormat = guessFormat
+			case lib.CertKeyFormatPKCS12:
+				certFormat = guessFormat
+			default:
+				fail(nil, "The -cert-format %s not support.", certFormat)
+			}
+		}
+		if *certPass != "" {
+			switch certFormat {
+			case lib.CertKeyFormatPKCS12:
+			default:
+				fail(nil, "The -pass argument is only supported when -cert-type is PKCS12.")
+			}
+		}
+		if *key != "" {
+			if *cert == "" || *key == "" {
+				fail(nil, "The -cert and -key arguments must be used together and both be present.")
+			}
+		}
+
 	}
+
 	if *altsHandshakerServiceAddress != "" && !*usealts {
 		fail(nil, "The -alts-handshaker-service argument must be used with the -alts argument.")
 	}
@@ -451,7 +506,7 @@ func main() {
 			}
 			creds = alts.NewClientCreds(clientOptions)
 		} else if usetls {
-			tlsConf, err := grpcurl.ClientTLSConfig(*insecure, *cacert, *cert, *key)
+			tlsConf, err := lib.ClientTLSConfigV2(*insecure, *cacert, cacertFormat, *cert, certFormat, *key, keyFormat, *certPass)
 			if err != nil {
 				fail(err, "Failed to create TLS config")
 			}

go.mod

@@ -5,6 +5,8 @@ go 1.18
 require (
 	github.com/golang/protobuf v1.5.3
 	github.com/jhump/protoreflect v1.15.3
+	github.com/square/certigo v1.16.0
+	golang.org/x/crypto v0.16.0
 	google.golang.org/grpc v1.57.1
 	google.golang.org/protobuf v1.31.0
 )
@@ -22,8 +24,8 @@ require (
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/oauth2 v0.7.0 // indirect
 	golang.org/x/sync v0.3.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20230526161137-0005af68ea54 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9 // indirect

go.sum

@@ -4,6 +4,11 @@ cloud.google.com/go/compute v1.19.1/go.mod h1:6ylj3a05WF8leseCdIf77NK0g1ey+nj5IK
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
+github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
+github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/bufbuild/protocompile v0.6.0 h1:Uu7WiSQ6Yj9DbkdnOe7U4mNKp58y9WDMKDn28/ZlunY=
 github.com/bufbuild/protocompile v0.6.0/go.mod h1:YNP35qEYoYGme7QMtz5SBCoN4kL4g12jTtjuzRNdjpE=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -17,13 +22,16 @@ github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe/go.mod h1:6pvJx4me5XP
 github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 h1:/inchEIKaYC1Akx+H+gqO04wryn5h75LSazbRlnya1k=
 github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.11.1-0.20230524094728-9239064ad72f h1:7T++XKzy4xg7PKy+bM+Sa9/oe1OC88yz2hXQUISoXfA=
 github.com/envoyproxy/go-control-plane v0.11.1-0.20230524094728-9239064ad72f/go.mod h1:sfYdkwUW4BA3PbKjySwjJy+O4Pu0h62rlqCMHNk+K+Q=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/envoyproxy/protoc-gen-validate v0.10.1 h1:c0g45+xCJhdgFGw7a5QAfdS4byAbud7miNWJ1WwEVf8=
 github.com/envoyproxy/protoc-gen-validate v0.10.1/go.mod h1:DRjgyB0I43LtJapqN6NiRwroiAU2PaFuvk/vjgh61ss=
+github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
@@ -36,16 +44,35 @@ github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiu
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/huandu/xstrings v1.2.0/go.mod h1:DvyZB1rfVYsBIigL8HwpZgxHwXozlTgGqn63UyNX5k4=
 github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
+github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/jhump/protoreflect v1.15.3 h1:6SFRuqU45u9hIZPJAoZ8c28T3nK64BNdp9w6jFonzls=
 github.com/jhump/protoreflect v1.15.3/go.mod h1:4ORHmSBmlCW8fh3xHmJMGyul1zNqZK4Elxc8qKP+p1k=
+github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
+github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
+github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
+github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
+github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
+github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
+github.com/mwitkow/go-http-dialer v0.0.0-20161116154839-378f744fb2b8/go.mod h1:ntWhh7pzdiiRKBMxUB5iG+Q2gmZBxGxpX1KyK6N8kX8=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
+github.com/square/certigo v1.16.0 h1:8g9UgWssUcOMzeFJF0nSMGjmDVXBk6UTZNOMArxcrxM=
+github.com/square/certigo v1.16.0/go.mod h1:v9HqynkvfNbHR0aluXlxutyGsZbUpiNACLkYpHyxRlU=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.5/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -56,6 +83,7 @@ golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -68,12 +96,21 @@ golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -101,6 +138,12 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
 google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+gopkg.in/asn1-ber.v1 v1.0.0-20170511165959-379148ca0225/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

grpcurl.go

@@ -21,6 +21,7 @@ import (
 	"sort"
 	"strings"
 
+	"github.com/fullstorydev/grpcurl/internal/certigo/lib"
 	"github.com/golang/protobuf/proto" //lint:ignore SA1019 we have to import this because it appears in exported API
 	"github.com/jhump/protoreflect/desc"
 	"github.com/jhump/protoreflect/desc/protoprint"
@@ -528,36 +529,7 @@ func ClientTransportCredentials(insecureSkipVerify bool, cacertFile, clientCertF
 // verify the server certs. If clientCertFile is blank, the client will not use a client
 // certificate. If clientCertFile is not blank then clientKeyFile must not be blank.
 func ClientTLSConfig(insecureSkipVerify bool, cacertFile, clientCertFile, clientKeyFile string) (*tls.Config, error) {
-	var tlsConf tls.Config
+	return lib.ClientTLSConfigV2(insecureSkipVerify, cacertFile, lib.CertKeyFormatPEM, clientCertFile, lib.CertKeyFormatPEM, clientKeyFile, lib.CertKeyFormatPEM, "")
-
-	if clientCertFile != "" {
-		// Load the client certificates from disk
-		certificate, err := tls.LoadX509KeyPair(clientCertFile, clientKeyFile)
-		if err != nil {
-			return nil, fmt.Errorf("could not load client key pair: %v", err)
-		}
-		tlsConf.Certificates = []tls.Certificate{certificate}
-	}
-
-	if insecureSkipVerify {
-		tlsConf.InsecureSkipVerify = true
-	} else if cacertFile != "" {
-		// Create a certificate pool from the certificate authority
-		certPool := x509.NewCertPool()
-		ca, err := ioutil.ReadFile(cacertFile)
-		if err != nil {
-			return nil, fmt.Errorf("could not read ca certificate: %v", err)
-		}
-
-		// Append the certificates from the CA
-		if ok := certPool.AppendCertsFromPEM(ca); !ok {
-			return nil, errors.New("failed to append ca certs")
-		}
-
-		tlsConf.RootCAs = certPool
-	}
-
-	return &tlsConf, nil
 }
 
 // ServerTransportCredentials builds transport credentials for a gRPC server using the

internal/certigo/lib/cert_key_format.go

@@ -0,0 +1,45 @@
+package lib
+
+import (
+	"strings"
+)
+
+func NewCertificateKeyFormat(fileFormat string) CertificateKeyFormat {
+	fileFormat = strings.ToUpper(fileFormat)
+	switch fileFormat {
+	case "":
+		return CertKeyFormatNONE
+	case "PEM":
+		return CertKeyFormatPEM
+	case "DER":
+		return CertKeyFormatDER
+	case "JCEKS":
+		return CertKeyFormatJCEKS
+	case "PKCS12", "P12":
+		return CertKeyFormatPKCS12
+	default:
+		return CertKeyFormatNONE
+	}
+}
+
+type CertificateKeyFormat string
+
+const (
+	CertKeyFormatNONE CertificateKeyFormat = ""
+	// The file contains plain-text PEM data
+	CertKeyFormatPEM CertificateKeyFormat = "PEM"
+	// The file contains X.509 DER encoded data
+	CertKeyFormatDER CertificateKeyFormat = "DER"
+	// The file contains JCEKS keystores
+	CertKeyFormatJCEKS CertificateKeyFormat = "JCEKS"
+	// The file contains PFX data describing PKCS#12
+	CertKeyFormatPKCS12 CertificateKeyFormat = "PKCS12"
+)
+
+func (f *CertificateKeyFormat) Set(fileFormat string) {
+	*f = NewCertificateKeyFormat(fileFormat)
+}
+
+func (f CertificateKeyFormat) IsNone() bool {
+	return f == CertKeyFormatNONE
+}

internal/certigo/lib/certs.go

@@ -0,0 +1,542 @@
+/*-
+ * Copyright 2016 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package lib
+
+import (
+	"bufio"
+	"bytes"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/binary"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strings"
+
+	"github.com/square/certigo/jceks"
+	"github.com/square/certigo/pkcs7"
+	"golang.org/x/crypto/pkcs12"
+)
+
+const (
+	// nameHeader is the PEM header field for the friendly name/alias of the key in the key store.
+	nameHeader = "friendlyName"
+
+	// fileHeader is the origin file where the key came from (as in file on disk).
+	fileHeader = "originFile"
+)
+
+var fileExtToFormat = map[string]CertificateKeyFormat{
+	".pem":   CertKeyFormatPEM,
+	".crt":   CertKeyFormatPEM,
+	".p7b":   CertKeyFormatPEM,
+	".p7c":   CertKeyFormatPEM,
+	".p12":   CertKeyFormatPKCS12,
+	".pfx":   CertKeyFormatPKCS12,
+	".jceks": CertKeyFormatJCEKS,
+	".jks":   CertKeyFormatJCEKS, // Only partially supported
+	".der":   CertKeyFormatDER,
+}
+
+//var badSignatureAlgorithms = [...]x509.SignatureAlgorithm{
+//	x509.MD2WithRSA,
+//	x509.MD5WithRSA,
+//	x509.SHA1WithRSA,
+//	x509.DSAWithSHA1,
+//	x509.ECDSAWithSHA1,
+//}
+
+//func errorFromErrors(errs []error) error {
+//	if len(errs) == 0 {
+//		return nil
+//	}
+//	if len(errs) == 1 {
+//		return errs[0]
+//	}
+//	buffer := new(bytes.Buffer)
+//	buffer.WriteString("encountered multiple errors:\n")
+//	for _, err := range errs {
+//		buffer.WriteString("* ")
+//		buffer.WriteString(strings.TrimSuffix(err.Error(), "\n"))
+//		buffer.WriteString("\n")
+//	}
+//	return errors.New(buffer.String())
+//}
+
+// ClientTLSConfigV2 builds transport-layer config for a gRPC client using the
+// given properties. Support certificate file both PEM and P12.
+func ClientTLSConfigV2(insecureSkipVerify bool, cacertFile string, cacertFormat CertificateKeyFormat, clientCertFile string, certFormat CertificateKeyFormat, clientKeyFile string, keyFormat CertificateKeyFormat, clientPass string) (*tls.Config, error) {
+	var tlsConf tls.Config
+
+	if clientCertFile != "" {
+		// Load the client certificates
+		pemCertBytes, err := readAsPEMEx(clientCertFile, certFormat, clientPass)
+		if err != nil {
+			return nil, fmt.Errorf("could not load client cert: %v", err)
+		}
+		pemKeyBytes := pemCertBytes // allow clientCertFile include both certificate and key file (JCEKS/PKCS12/PEM)
+
+		// Load the client key
+		if clientKeyFile != "" {
+			pemBytes, err := readAsPEMEx(clientKeyFile, keyFormat, clientPass)
+			if err != nil {
+				return nil, fmt.Errorf("could not load client key: %v", err)
+			}
+			pemKeyBytes = pemBytes
+		}
+
+		// Load tls.Certificate
+		certificate, err := tls.X509KeyPair(pemCertBytes, pemKeyBytes)
+		if err != nil {
+			return nil, fmt.Errorf("could not load client key pair: %v", err)
+		}
+		tlsConf.Certificates = []tls.Certificate{certificate}
+	}
+
+	if insecureSkipVerify {
+		tlsConf.InsecureSkipVerify = true
+	} else if cacertFile != "" {
+		// Create a certificate pool from the certificate authority
+		pemCACertBytes, err := readAsPEMEx(cacertFile, cacertFormat, "")
+		if err != nil {
+			return nil, fmt.Errorf("could not load cacert : %v", err)
+		}
+		// Append the certificates from the CA
+		certPool := x509.NewCertPool()
+		if ok := certPool.AppendCertsFromPEM(pemCACertBytes); !ok {
+			return nil, errors.New("failed to append ca certs")
+		}
+
+		tlsConf.RootCAs = certPool
+	}
+
+	return &tlsConf, nil
+}
+
+func GuessFormatForFile(filename string, format CertificateKeyFormat) (CertificateKeyFormat, error) {
+	// First, honor --format flag we got from user
+	if !format.IsNone() {
+		return format, nil
+	}
+
+	// Second, attempt to guess based on extension
+	guess, ok := fileExtToFormat[strings.ToLower(filepath.Ext(filename))]
+	if ok {
+		return guess, nil
+	}
+
+	file, err := os.Open(filename)
+	if err != nil {
+		return CertKeyFormatNONE, fmt.Errorf("unable to open file: %v", err)
+	}
+	defer file.Close()
+	reader := bufio.NewReaderSize(file, 4)
+
+	// Third, attempt to guess based on first 4 bytes of input
+	data, err := reader.Peek(4)
+	if err != nil {
+		return CertKeyFormatNONE, fmt.Errorf("unable to read file: %v", err)
+	}
+
+	// Heuristics for guessing -- best effort.
+	magic := binary.BigEndian.Uint32(data)
+	if magic == 0xCECECECE || magic == 0xFEEDFEED {
+		// JCEKS/JKS files always start with this prefix
+		return CertKeyFormatJCEKS, nil
+	}
+	if magic == 0x2D2D2D2D {
+		// Starts with '----'
+		return CertKeyFormatPEM, nil
+	}
+	if magic == 0x434f4e4e {
+		// Starts with 'CONN' (what s_client prints...)
+		return CertKeyFormatPEM, nil
+	}
+	if magic == 0x43657274 {
+		// Starts with 'Cert' (what openssl x509 -text -in tls/client.crt prints...)
+		return CertKeyFormatPEM, nil
+	}
+	if magic&0xFFFF0000 == 0x30820000 {
+		// Looks like the input is DER-encoded, so it's either PKCS12 or X.509.
+		if magic&0x0000FF00 == 0x0300 {
+			// Probably X.509
+			return CertKeyFormatDER, nil
+		}
+		return CertKeyFormatPKCS12, nil
+	}
+
+	return CertKeyFormatNONE, fmt.Errorf("unable to guess format for %v magic 0x%0x", filename, magic)
+}
+
+func readAsPEMEx(filename string, format CertificateKeyFormat, password string) ([]byte, error) {
+	var pembuf bytes.Buffer
+	pembufFunc := func(block *pem.Block, format CertificateKeyFormat) error {
+		return pem.Encode(&pembuf, block)
+	}
+	passwordFunc := func(promet string) string {
+		return password
+	}
+
+	rawFile, err := os.Open(filename)
+	if err != nil {
+		return nil, fmt.Errorf("unable to open file: %v", err)
+	}
+	defer rawFile.Close()
+
+	err = readCertsFromStream(rawFile, "", format, passwordFunc, pembufFunc)
+	if err != nil {
+		return nil, fmt.Errorf("could not read file: %v", err)
+	}
+	return pembuf.Bytes(), nil
+}
+
+// // ReadAsPEMFromFiles will read PEM blocks from the given set of inputs. Input
+// // data may be in plain-text PEM files, DER-encoded certificates or PKCS7
+// // envelopes, or PKCS12/JCEKS keystores. All inputs will be converted to PEM
+// // blocks and passed to the callback.
+//
+//	func ReadAsPEMFromFiles(files []*os.File, format string, password func(string) string, callback func(*pem.Block, string) error) error {
+//		var errs []error
+//		for _, file := range files {
+//			reader := bufio.NewReaderSize(file, 4)
+//			format, err := formatForFile(reader, file.Name(), format)
+//			if err != nil {
+//				return fmt.Errorf("unable to guess file type for file %s", file.Name())
+//			}
+//
+//			err = readCertsFromStream(reader, file.Name(), format, password, callback)
+//			if err != nil {
+//				errs = append(errs, err)
+//			}
+//		}
+//		return errorFromErrors(errs)
+//	}
+//
+
+//// ReadAsPEM will read PEM blocks from the given set of inputs. Input data may
+//// be in plain-text PEM files, DER-encoded certificates or PKCS7 envelopes, or
+//// PKCS12/JCEKS keystores. All inputs will be converted to PEM blocks and
+//// passed to the callback.
+//func ReadAsPEM(readers []io.Reader, format string, password func(string) string, callback func(*pem.Block, string) error) error {
+//	errs := []error{}
+//	for _, r := range readers {
+//		reader := bufio.NewReaderSize(r, 4)
+//		format, err := formatForFile(reader, "", format)
+//		if err != nil {
+//			return fmt.Errorf("unable to guess format for input stream")
+//		}
+//
+//		err = readCertsFromStream(reader, "", format, password, callback)
+//		if err != nil {
+//			errs = append(errs, err)
+//		}
+//	}
+//	return errorFromErrors(errs)
+//}
+
+//// ReadAsX509FromFiles will read X.509 certificates from the given set of
+//// inputs. Input data may be in plain-text PEM files, DER-encoded certificates
+//// or PKCS7 envelopes, or PKCS12/JCEKS keystores. All inputs will be converted
+//// to X.509 certificates (private keys are skipped) and passed to the callback.
+//func ReadAsX509FromFiles(files []*os.File, format string, password func(string) string, callback func(*x509.Certificate, string, error) error) error {
+//	errs := []error{}
+//	for _, file := range files {
+//		reader := bufio.NewReaderSize(file, 4)
+//		format, err := formatForFile(reader, file.Name(), format)
+//		if err != nil {
+//			return fmt.Errorf("unable to guess file type for file %s, try adding --format flag", file.Name())
+//		}
+//
+//		err = readCertsFromStream(reader, file.Name(), format, password, pemToX509(callback))
+//		if err != nil {
+//			errs = append(errs, err)
+//		}
+//	}
+//	return errorFromErrors(errs)
+//}
+//
+//// ReadAsX509 will read X.509 certificates from the given set of inputs. Input
+//// data may be in plain-text PEM files, DER-encoded certificates or PKCS7
+//// envelopes, or PKCS12/JCEKS keystores. All inputs will be converted to X.509
+//// certificates (private keys are skipped) and passed to the callback.
+//func ReadAsX509(readers []io.Reader, format string, password func(string) string, callback func(*x509.Certificate, string, error) error) error {
+//	errs := []error{}
+//	for _, r := range readers {
+//		reader := bufio.NewReaderSize(r, 4)
+//		format, err := formatForFile(reader, "", format)
+//		if err != nil {
+//			return fmt.Errorf("unable to guess format for input stream")
+//		}
+//
+//		err = readCertsFromStream(reader, "", format, password, pemToX509(callback))
+//		if err != nil {
+//			errs = append(errs, err)
+//		}
+//	}
+//	return errorFromErrors(errs)
+//}
+//
+//func pemToX509(callback func(*x509.Certificate, string, error) error) func(*pem.Block, string) error {
+//	return func(block *pem.Block, format string) error {
+//		switch block.Type {
+//		case "CERTIFICATE":
+//			cert, err := x509.ParseCertificate(block.Bytes)
+//			return callback(cert, format, err)
+//		case "PKCS7":
+//			certs, err := pkcs7.ExtractCertificates(block.Bytes)
+//			if err == nil {
+//				for _, cert := range certs {
+//					return callback(cert, format, nil)
+//				}
+//			} else {
+//				return callback(nil, format, err)
+//			}
+//		case "CERTIFICATE REQUEST":
+//			fmt.Println("warning: certificate requests are not supported")
+//		}
+//		return nil
+//	}
+//}
+//
+//func ReadCertsFromStream(reader io.Reader, filename string, format string, password string, callback func(*pem.Block, string) error) error {
+//	passwordFunc := func(promet string) string {
+//		return password
+//	}
+//	return readCertsFromStream(reader, filename, format, passwordFunc, callback)
+//}
+
+// readCertsFromStream takes some input and converts it to PEM blocks.
+func readCertsFromStream(reader io.Reader, filename string, format CertificateKeyFormat, password func(string) string, callback func(*pem.Block, CertificateKeyFormat) error) error {
+	headers := map[string]string{}
+	if filename != "" && filename != os.Stdin.Name() {
+		headers[fileHeader] = filename
+	}
+
+	switch format {
+	case CertKeyFormatPEM:
+		scanner := pemScanner(reader)
+		for scanner.Scan() {
+			block, _ := pem.Decode(scanner.Bytes())
+			block.Headers = mergeHeaders(block.Headers, headers)
+			err := callback(block, format)
+			if err != nil {
+				return err
+			}
+		}
+		return nil
+	case CertKeyFormatDER:
+		data, err := ioutil.ReadAll(reader)
+		if err != nil {
+			return fmt.Errorf("unable to read input: %v", err)
+		}
+		x509Certs, err0 := x509.ParseCertificates(data)
+		if err0 == nil {
+			for _, cert := range x509Certs {
+				err := callback(encodeX509ToPEM(cert, headers), format)
+				if err != nil {
+					return err
+				}
+			}
+			return nil
+		}
+		p7bBlocks, err1 := pkcs7.ParseSignedData(data)
+		if err1 == nil {
+			for _, block := range p7bBlocks {
+				err := callback(pkcs7ToPem(block, headers), format)
+				if err != nil {
+					return err
+				}
+			}
+			return nil
+		}
+		return fmt.Errorf("unable to parse certificates from DER data X.509 parser gave: [%v] PKCS7 parser gave: [%v]", err0, err1)
+	case CertKeyFormatPKCS12:
+		data, err := ioutil.ReadAll(reader)
+		if err != nil {
+			return fmt.Errorf("unable to read input: %v", err)
+		}
+		blocks, err := pkcs12.ToPEM(data, password(""))
+		if err != nil || len(blocks) == 0 {
+			return fmt.Errorf("keystore appears to be empty or password was incorrect")
+		}
+		for _, block := range blocks {
+			block.Headers = mergeHeaders(block.Headers, headers)
+			err := callback(block, format)
+			if err != nil {
+				return err
+			}
+		}
+		return nil
+	case CertKeyFormatJCEKS:
+		keyStore, err := jceks.LoadFromReader(reader, []byte(password("")))
+		if err != nil {
+			return fmt.Errorf("unable to parse keystore: %v", err)
+		}
+		for _, alias := range keyStore.ListCerts() {
+			cert, _ := keyStore.GetCert(alias)
+			err := callback(encodeX509ToPEM(cert, mergeHeaders(headers, map[string]string{nameHeader: alias})), format)
+			if err != nil {
+				return err
+			}
+		}
+		for _, alias := range keyStore.ListPrivateKeys() {
+			key, certs, err := keyStore.GetPrivateKeyAndCerts(alias, []byte(password(alias)))
+			if err != nil {
+				return fmt.Errorf("unable to parse keystore: %v", err)
+			}
+
+			mergedHeaders := mergeHeaders(headers, map[string]string{nameHeader: alias})
+
+			block, err := keyToPem(key, mergedHeaders)
+			if err != nil {
+				return fmt.Errorf("problem reading key: %v", err)
+			}
+
+			if err := callback(block, format); err != nil {
+				return err
+			}
+
+			for _, cert := range certs {
+				if err = callback(encodeX509ToPEM(cert, mergedHeaders), format); err != nil {
+					return err
+				}
+			}
+		}
+		return nil
+	}
+	return fmt.Errorf("unknown file type '%s'", format)
+}
+
+func mergeHeaders(baseHeaders, extraHeaders map[string]string) (headers map[string]string) {
+	headers = map[string]string{}
+	for k, v := range baseHeaders {
+		headers[k] = v
+	}
+	for k, v := range extraHeaders {
+		headers[k] = v
+	}
+	return
+}
+
+// encodeX509ToPEM converts an X.509 certificate into a PEM block for output.
+func encodeX509ToPEM(cert *x509.Certificate, headers map[string]string) *pem.Block {
+	return &pem.Block{
+		Type:    "CERTIFICATE",
+		Bytes:   cert.Raw,
+		Headers: headers,
+	}
+}
+
+// Convert a PKCS7 envelope into a PEM block for output.
+func pkcs7ToPem(block *pkcs7.SignedDataEnvelope, headers map[string]string) *pem.Block {
+	return &pem.Block{
+		Type:    "PKCS7",
+		Bytes:   block.Raw,
+		Headers: headers,
+	}
+}
+
+// Convert a key into one or more PEM blocks for output.
+func keyToPem(key crypto.PrivateKey, headers map[string]string) (*pem.Block, error) {
+	switch k := key.(type) {
+	case *rsa.PrivateKey:
+		return &pem.Block{
+			Type:    "RSA PRIVATE KEY",
+			Bytes:   x509.MarshalPKCS1PrivateKey(k),
+			Headers: headers,
+		}, nil
+	case *ecdsa.PrivateKey:
+		raw, err := x509.MarshalECPrivateKey(k)
+		if err != nil {
+			return nil, fmt.Errorf("error marshaling key: %s", reflect.TypeOf(key))
+		}
+		return &pem.Block{
+			Type:    "EC PRIVATE KEY",
+			Bytes:   raw,
+			Headers: headers,
+		}, nil
+	}
+	return nil, fmt.Errorf("unknown key type: %s", reflect.TypeOf(key))
+}
+
+//// formatForFile returns the file format (either from flags or
+//// based on file extension).
+//func formatForFile(file *bufio.Reader, filename, format string) (string, error) {
+//	// First, honor --format flag we got from user
+//	if format != "" {
+//		return format, nil
+//	}
+//
+//	// Second, attempt to guess based on extension
+//	guess, ok := fileExtToFormat[strings.ToLower(filepath.Ext(filename))]
+//	if ok {
+//		return string(guess), nil
+//	}
+//
+//	// Third, attempt to guess based on first 4 bytes of input
+//	data, err := file.Peek(4)
+//	if err != nil {
+//		return "", fmt.Errorf("unable to read file: %s\n", err)
+//	}
+//
+//	// Heuristics for guessing -- best effort.
+//	magic := binary.BigEndian.Uint32(data)
+//	if magic == 0xCECECECE || magic == 0xFEEDFEED {
+//		// JCEKS/JKS files always start with this prefix
+//		return "JCEKS", nil
+//	}
+//	if magic == 0x2D2D2D2D || magic == 0x434f4e4e {
+//		// Starts with '----' or 'CONN' (what s_client prints...)
+//		return "PEM", nil
+//	}
+//	if magic&0xFFFF0000 == 0x30820000 {
+//		// Looks like the input is DER-encoded, so it's either PKCS12 or X.509.
+//		if magic&0x0000FF00 == 0x0300 {
+//			// Probably X.509
+//			return "DER", nil
+//		}
+//		return "PKCS12", nil
+//	}
+//
+//	return "", fmt.Errorf("unable to guess file format")
+//}
+
+// pemScanner will return a bufio.Scanner that splits the input
+// from the given reader into PEM blocks.
+func pemScanner(reader io.Reader) *bufio.Scanner {
+	scanner := bufio.NewScanner(reader)
+
+	scanner.Split(func(data []byte, atEOF bool) (int, []byte, error) {
+		block, rest := pem.Decode(data)
+		if block != nil {
+			size := len(data) - len(rest)
+			return size, data[:size], nil
+		}
+
+		return 0, nil, nil
+	})
+
+	return scanner
+}

internal/certigo/lib/certs_test.go

@@ -0,0 +1,62 @@
+package lib
+
+import (
+	"testing"
+)
+
+func TestClientTLSConfig(t *testing.T) {
+	derfmt := CertKeyFormatDER
+	pemfmt := CertKeyFormatPEM
+	pfxfmt := CertKeyFormatPKCS12
+	testTLSConfig(t, false, "../../testing/tls/ca.crt", pemfmt, "../../testing/tls/client.crt", pemfmt, "../../testing/tls/client.key", pemfmt, "")
+	testTLSConfig(t, false, "../../testing/tls/ca.crt", pemfmt, "../../testing/tls/client.der", derfmt, "../../testing/tls/client.key", pemfmt, "")
+	testTLSConfig(t, false, "../../testing/tls/ca.crt", pemfmt, "../../testing/tls/client.pfx", pfxfmt, "../../testing/tls/client.key", pemfmt, "")
+	testTLSConfig(t, false, "../../testing/tls/ca.crt", pemfmt, "../../testing/tls/client_pass.pfx", pfxfmt, "", pemfmt, "pfxpassword")
+	testTLSConfig(t, false, "../../testing/tls/ca.der", derfmt, "../../testing/tls/client.pfx", pfxfmt, "", pemfmt, "")
+	testTLSConfig(t, false, "../../testing/tls/ca.crt", pemfmt, "../../testing/tls/testcert.pem", pemfmt, "../../testing/tls/testkey.pem", pemfmt, "")
+}
+
+func testTLSConfig(
+	t *testing.T,
+	insecure bool,
+	cacert string,
+	cacertFormat CertificateKeyFormat,
+	cert string,
+	certFormat CertificateKeyFormat,
+	key string,
+	keyFormat CertificateKeyFormat,
+	pass string,
+) {
+	tlsConf, err := ClientTLSConfigV2(insecure, cacert, cacertFormat, cert, certFormat, key, keyFormat, pass)
+	if err != nil {
+		t.Fatalf("Failed to create TLS config err: %v", err)
+	}
+	if tlsConf == nil || tlsConf.Certificates == nil || tlsConf.RootCAs == nil {
+		t.Fatal("Failed to create TLS config tlsConf is nil")
+	}
+
+}
+
+func TestGuessFormat(t *testing.T) {
+	guessFormat(t, "../../testing/tls/client.crt", CertKeyFormatPEM)
+	guessFormat(t, "../../testing/tls/client.cer", CertKeyFormatPEM)
+	guessFormat(t, "../../testing/tls/client.key", CertKeyFormatPEM)
+	guessFormat(t, "../../testing/tls/client.pfx", CertKeyFormatPKCS12)
+	guessFormat(t, "../../testing/tls/client.der", CertKeyFormatDER)
+	forceFormat(t, "../../testing/tls/client.guess", CertKeyFormatPEM, CertKeyFormatPEM)
+}
+
+func guessFormat(t *testing.T, filename string, formatExpected CertificateKeyFormat) {
+	forceFormat(t, filename, formatExpected, CertKeyFormatNONE)
+}
+
+func forceFormat(t *testing.T, filename string, formatExpected, formatForce CertificateKeyFormat) {
+	guessFormat, err := GuessFormatForFile(filename, formatForce)
+	if err != nil {
+		t.Fatalf("failed to guess file err: %v", err)
+	}
+	if guessFormat != formatExpected {
+		t.Fatalf("failed to guess file %v format: %v expected: %v", filename, guessFormat, formatExpected)
+	}
+	t.Logf("format %v filename %v", guessFormat, filename)
+}

internal/testing/tls/client.cer

@@ -0,0 +1,98 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            fb:74:28:21:75:d8:66:1b:0a:85:23:ee:49:63:e7:f0
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=ca
+        Validity
+            Not Before: Aug 25 15:45:53 2017 GMT
+            Not After : Aug 25 15:45:52 2027 GMT
+        Subject: CN=client
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b5:27:11:0f:3a:c6:72:7f:cf:3c:de:d9:4f:04:
+                    46:a3:a2:dc:84:0a:da:d8:31:9e:3c:16:c6:04:99:
+                    0d:57:bc:a3:e8:1f:77:9b:ef:e1:2f:ee:d4:41:54:
+                    0b:a9:c8:1f:3b:5d:0e:4f:53:fa:0d:a8:0b:69:a3:
+                    fe:96:0f:92:46:9c:a4:95:b3:e1:00:30:44:97:9b:
+                    31:05:d3:84:fd:84:af:2e:49:dd:1c:54:41:24:77:
+                    4b:5b:54:da:57:6d:63:1b:8a:f1:e7:c7:95:69:f2:
+                    8d:a6:23:1d:2c:56:b8:06:b0:95:b7:b7:e7:18:6c:
+                    d4:e9:dd:b3:93:76:6c:fb:2c:a6:e2:40:dd:88:c7:
+                    4c:07:fb:6f:ec:3d:76:1a:71:9b:20:6c:8d:18:76:
+                    8f:4a:9e:ac:a4:3e:6d:93:a8:16:02:2f:59:33:84:
+                    69:6f:68:0a:2d:8d:d0:c8:9b:b3:a0:9d:a1:82:15:
+                    ee:02:6c:ae:10:64:1e:2e:17:0d:de:33:e3:e6:2c:
+                    6d:13:b1:a1:fd:09:3f:d9:46:b1:36:d6:20:5f:83:
+                    4a:ea:82:92:99:28:c7:2a:61:07:ed:5d:d2:ea:96:
+                    29:2e:57:af:45:fb:42:fc:e3:14:5f:79:5a:81:d4:
+                    4e:23:d1:1c:01:19:65:bc:13:06:38:58:72:b7:54:
+                    4d:b9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Subject Key Identifier: 
+                CB:3E:FD:01:7F:64:96:91:BB:C5:AF:BD:C6:8C:0B:B8:C6:98:FC:31
+            X509v3 Authority Key Identifier: 
+                keyid:CD:05:2E:EB:98:07:0B:80:27:EB:68:71:19:6E:FB:15:2E:3B:0E:85
+
+    Signature Algorithm: sha256WithRSAEncryption
+         74:80:f0:ec:f3:a4:63:cb:f3:b6:fa:5f:10:c9:a6:1f:c2:69:
+         b2:4c:c3:e3:35:5a:8a:81:53:f5:ba:e8:a4:58:4a:cd:e6:14:
+         c0:97:0b:43:23:d1:6e:88:c1:41:a9:e0:5d:7a:24:fc:21:0b:
+         f3:10:44:0f:62:ee:bd:90:05:f6:5d:80:56:04:c5:83:6b:ce:
+         5c:a3:97:c9:ce:d0:33:57:b6:33:54:bd:5b:ca:1c:5d:da:38:
+         0c:d7:8b:ac:cb:1e:8f:6f:39:21:60:a0:4d:7a:cb:a3:1e:3e:
+         f0:43:4b:ab:fb:ce:4a:a7:ae:87:a8:a0:ae:34:2b:db:8f:4c:
+         ef:e7:c3:c7:45:69:28:8d:13:e0:c9:3a:5b:2d:d5:d7:08:e5:
+         89:5e:9e:b6:5d:f7:5d:2f:50:5f:ec:d2:42:5b:94:13:c8:7a:
+         07:a0:eb:0e:7a:83:da:8d:be:0e:3a:64:1e:87:3a:af:6f:d1:
+         4f:00:75:45:04:fa:d4:e7:75:e7:d4:25:11:03:34:de:05:0d:
+         93:fc:e2:b8:9f:1e:84:75:08:31:3f:df:95:56:ea:c1:43:d3:
+         76:60:13:3d:54:42:66:7d:02:bc:2d:fe:7f:f8:42:47:7b:97:
+         2d:3b:2d:57:9b:80:37:03:9d:b3:67:59:06:8d:fb:d6:52:d1:
+         89:51:29:c9:e5:a8:61:32:6e:83:c7:ad:f0:93:ba:18:34:24:
+         d7:9c:fb:a9:69:5b:48:35:6c:a0:36:54:bf:75:0b:16:b9:b1:
+         da:59:21:70:07:df:d0:c0:ad:3b:e3:e1:ff:e0:4a:43:ab:d1:
+         c2:30:c9:7c:c8:f3:24:b4:e9:af:eb:d1:f2:6a:3b:b7:32:f1:
+         ac:87:3f:c3:2c:d6:5f:f6:86:29:3b:e9:5b:53:c5:f5:db:86:
+         7a:5e:27:c4:ce:d3:22:06:55:0f:5b:be:4a:62:ff:57:e0:24:
+         db:29:37:44:e3:94:1a:44:c8:8e:65:77:07:e0:71:35:fe:24:
+         3d:20:e1:a0:ec:2a:65:32:53:1c:1e:0f:a5:43:b0:a9:5d:08:
+         ed:51:48:c2:12:99:23:f0:10:2c:f1:82:c3:a1:d2:e7:8e:28:
+         2c:e7:af:fc:ef:9f:b7:71:56:6e:d3:e7:58:fb:d7:8d:b7:f1:
+         08:ab:38:da:17:01:31:ef:68:5b:2f:28:64:d8:87:92:fb:ee:
+         d0:96:82:43:85:8a:a5:ab:e9:e0:e7:85:25:f7:9e:c0:f1:ee:
+         d3:b1:25:47:94:b6:55:19:7c:3c:ca:a8:f2:c7:13:b0:59:a1:
+         71:ea:6b:c5:cc:6a:dc:06:db:c2:80:ad:87:c0:48:98:43:da:
+         97:27:95:4f:91:da:38:db
+-----BEGIN CERTIFICATE-----
+MIIEGjCCAgKgAwIBAgIRAPt0KCF12GYbCoUj7klj5/AwDQYJKoZIhvcNAQELBQAw
+DTELMAkGA1UEAxMCY2EwHhcNMTcwODI1MTU0NTUzWhcNMjcwODI1MTU0NTUyWjAR
+MQ8wDQYDVQQDEwZjbGllbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC1JxEPOsZyf8883tlPBEajotyECtrYMZ48FsYEmQ1XvKPoH3eb7+Ev7tRBVAup
+yB87XQ5PU/oNqAtpo/6WD5JGnKSVs+EAMESXmzEF04T9hK8uSd0cVEEkd0tbVNpX
+bWMbivHnx5Vp8o2mIx0sVrgGsJW3t+cYbNTp3bOTdmz7LKbiQN2Ix0wH+2/sPXYa
+cZsgbI0Ydo9KnqykPm2TqBYCL1kzhGlvaAotjdDIm7OgnaGCFe4CbK4QZB4uFw3e
+M+PmLG0TsaH9CT/ZRrE21iBfg0rqgpKZKMcqYQftXdLqlikuV69F+0L84xRfeVqB
+1E4j0RwBGWW8EwY4WHK3VE25AgMBAAGjcTBvMA4GA1UdDwEB/wQEAwIDuDAdBgNV
+HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFMs+/QF/ZJaRu8Wv
+vcaMC7jGmPwxMB8GA1UdIwQYMBaAFM0FLuuYBwuAJ+tocRlu+xUuOw6FMA0GCSqG
+SIb3DQEBCwUAA4ICAQB0gPDs86Rjy/O2+l8QyaYfwmmyTMPjNVqKgVP1uuikWErN
+5hTAlwtDI9FuiMFBqeBdeiT8IQvzEEQPYu69kAX2XYBWBMWDa85co5fJztAzV7Yz
+VL1byhxd2jgM14usyx6PbzkhYKBNesujHj7wQ0ur+85Kp66HqKCuNCvbj0zv58PH
+RWkojRPgyTpbLdXXCOWJXp62XfddL1Bf7NJCW5QTyHoHoOsOeoPajb4OOmQehzqv
+b9FPAHVFBPrU53Xn1CURAzTeBQ2T/OK4nx6EdQgxP9+VVurBQ9N2YBM9VEJmfQK8
+Lf5/+EJHe5ctOy1Xm4A3A52zZ1kGjfvWUtGJUSnJ5ahhMm6Dx63wk7oYNCTXnPup
+aVtINWygNlS/dQsWubHaWSFwB9/QwK074+H/4EpDq9HCMMl8yPMktOmv69Hyaju3
+MvGshz/DLNZf9oYpO+lbU8X124Z6XifEztMiBlUPW75KYv9X4CTbKTdE45QaRMiO
+ZXcH4HE1/iQ9IOGg7CplMlMcHg+lQ7CpXQjtUUjCEpkj8BAs8YLDodLnjigs56/8
+75+3cVZu0+dY+9eNt/EIqzjaFwEx72hbLyhk2IeS++7QloJDhYqlq+ng54Ul957A
+8e7TsSVHlLZVGXw8yqjyxxOwWaFx6mvFzGrcBtvCgK2HwEiYQ9qXJ5VPkdo42w==
+-----END CERTIFICATE-----

internal/testing/tls/client.guess

@@ -0,0 +1,98 @@
+invalidGuessCertificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            fb:74:28:21:75:d8:66:1b:0a:85:23:ee:49:63:e7:f0
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=ca
+        Validity
+            Not Before: Aug 25 15:45:53 2017 GMT
+            Not After : Aug 25 15:45:52 2027 GMT
+        Subject: CN=client
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b5:27:11:0f:3a:c6:72:7f:cf:3c:de:d9:4f:04:
+                    46:a3:a2:dc:84:0a:da:d8:31:9e:3c:16:c6:04:99:
+                    0d:57:bc:a3:e8:1f:77:9b:ef:e1:2f:ee:d4:41:54:
+                    0b:a9:c8:1f:3b:5d:0e:4f:53:fa:0d:a8:0b:69:a3:
+                    fe:96:0f:92:46:9c:a4:95:b3:e1:00:30:44:97:9b:
+                    31:05:d3:84:fd:84:af:2e:49:dd:1c:54:41:24:77:
+                    4b:5b:54:da:57:6d:63:1b:8a:f1:e7:c7:95:69:f2:
+                    8d:a6:23:1d:2c:56:b8:06:b0:95:b7:b7:e7:18:6c:
+                    d4:e9:dd:b3:93:76:6c:fb:2c:a6:e2:40:dd:88:c7:
+                    4c:07:fb:6f:ec:3d:76:1a:71:9b:20:6c:8d:18:76:
+                    8f:4a:9e:ac:a4:3e:6d:93:a8:16:02:2f:59:33:84:
+                    69:6f:68:0a:2d:8d:d0:c8:9b:b3:a0:9d:a1:82:15:
+                    ee:02:6c:ae:10:64:1e:2e:17:0d:de:33:e3:e6:2c:
+                    6d:13:b1:a1:fd:09:3f:d9:46:b1:36:d6:20:5f:83:
+                    4a:ea:82:92:99:28:c7:2a:61:07:ed:5d:d2:ea:96:
+                    29:2e:57:af:45:fb:42:fc:e3:14:5f:79:5a:81:d4:
+                    4e:23:d1:1c:01:19:65:bc:13:06:38:58:72:b7:54:
+                    4d:b9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Subject Key Identifier: 
+                CB:3E:FD:01:7F:64:96:91:BB:C5:AF:BD:C6:8C:0B:B8:C6:98:FC:31
+            X509v3 Authority Key Identifier: 
+                keyid:CD:05:2E:EB:98:07:0B:80:27:EB:68:71:19:6E:FB:15:2E:3B:0E:85
+
+    Signature Algorithm: sha256WithRSAEncryption
+         74:80:f0:ec:f3:a4:63:cb:f3:b6:fa:5f:10:c9:a6:1f:c2:69:
+         b2:4c:c3:e3:35:5a:8a:81:53:f5:ba:e8:a4:58:4a:cd:e6:14:
+         c0:97:0b:43:23:d1:6e:88:c1:41:a9:e0:5d:7a:24:fc:21:0b:
+         f3:10:44:0f:62:ee:bd:90:05:f6:5d:80:56:04:c5:83:6b:ce:
+         5c:a3:97:c9:ce:d0:33:57:b6:33:54:bd:5b:ca:1c:5d:da:38:
+         0c:d7:8b:ac:cb:1e:8f:6f:39:21:60:a0:4d:7a:cb:a3:1e:3e:
+         f0:43:4b:ab:fb:ce:4a:a7:ae:87:a8:a0:ae:34:2b:db:8f:4c:
+         ef:e7:c3:c7:45:69:28:8d:13:e0:c9:3a:5b:2d:d5:d7:08:e5:
+         89:5e:9e:b6:5d:f7:5d:2f:50:5f:ec:d2:42:5b:94:13:c8:7a:
+         07:a0:eb:0e:7a:83:da:8d:be:0e:3a:64:1e:87:3a:af:6f:d1:
+         4f:00:75:45:04:fa:d4:e7:75:e7:d4:25:11:03:34:de:05:0d:
+         93:fc:e2:b8:9f:1e:84:75:08:31:3f:df:95:56:ea:c1:43:d3:
+         76:60:13:3d:54:42:66:7d:02:bc:2d:fe:7f:f8:42:47:7b:97:
+         2d:3b:2d:57:9b:80:37:03:9d:b3:67:59:06:8d:fb:d6:52:d1:
+         89:51:29:c9:e5:a8:61:32:6e:83:c7:ad:f0:93:ba:18:34:24:
+         d7:9c:fb:a9:69:5b:48:35:6c:a0:36:54:bf:75:0b:16:b9:b1:
+         da:59:21:70:07:df:d0:c0:ad:3b:e3:e1:ff:e0:4a:43:ab:d1:
+         c2:30:c9:7c:c8:f3:24:b4:e9:af:eb:d1:f2:6a:3b:b7:32:f1:
+         ac:87:3f:c3:2c:d6:5f:f6:86:29:3b:e9:5b:53:c5:f5:db:86:
+         7a:5e:27:c4:ce:d3:22:06:55:0f:5b:be:4a:62:ff:57:e0:24:
+         db:29:37:44:e3:94:1a:44:c8:8e:65:77:07:e0:71:35:fe:24:
+         3d:20:e1:a0:ec:2a:65:32:53:1c:1e:0f:a5:43:b0:a9:5d:08:
+         ed:51:48:c2:12:99:23:f0:10:2c:f1:82:c3:a1:d2:e7:8e:28:
+         2c:e7:af:fc:ef:9f:b7:71:56:6e:d3:e7:58:fb:d7:8d:b7:f1:
+         08:ab:38:da:17:01:31:ef:68:5b:2f:28:64:d8:87:92:fb:ee:
+         d0:96:82:43:85:8a:a5:ab:e9:e0:e7:85:25:f7:9e:c0:f1:ee:
+         d3:b1:25:47:94:b6:55:19:7c:3c:ca:a8:f2:c7:13:b0:59:a1:
+         71:ea:6b:c5:cc:6a:dc:06:db:c2:80:ad:87:c0:48:98:43:da:
+         97:27:95:4f:91:da:38:db
+-----BEGIN CERTIFICATE-----
+MIIEGjCCAgKgAwIBAgIRAPt0KCF12GYbCoUj7klj5/AwDQYJKoZIhvcNAQELBQAw
+DTELMAkGA1UEAxMCY2EwHhcNMTcwODI1MTU0NTUzWhcNMjcwODI1MTU0NTUyWjAR
+MQ8wDQYDVQQDEwZjbGllbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC1JxEPOsZyf8883tlPBEajotyECtrYMZ48FsYEmQ1XvKPoH3eb7+Ev7tRBVAup
+yB87XQ5PU/oNqAtpo/6WD5JGnKSVs+EAMESXmzEF04T9hK8uSd0cVEEkd0tbVNpX
+bWMbivHnx5Vp8o2mIx0sVrgGsJW3t+cYbNTp3bOTdmz7LKbiQN2Ix0wH+2/sPXYa
+cZsgbI0Ydo9KnqykPm2TqBYCL1kzhGlvaAotjdDIm7OgnaGCFe4CbK4QZB4uFw3e
+M+PmLG0TsaH9CT/ZRrE21iBfg0rqgpKZKMcqYQftXdLqlikuV69F+0L84xRfeVqB
+1E4j0RwBGWW8EwY4WHK3VE25AgMBAAGjcTBvMA4GA1UdDwEB/wQEAwIDuDAdBgNV
+HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFMs+/QF/ZJaRu8Wv
+vcaMC7jGmPwxMB8GA1UdIwQYMBaAFM0FLuuYBwuAJ+tocRlu+xUuOw6FMA0GCSqG
+SIb3DQEBCwUAA4ICAQB0gPDs86Rjy/O2+l8QyaYfwmmyTMPjNVqKgVP1uuikWErN
+5hTAlwtDI9FuiMFBqeBdeiT8IQvzEEQPYu69kAX2XYBWBMWDa85co5fJztAzV7Yz
+VL1byhxd2jgM14usyx6PbzkhYKBNesujHj7wQ0ur+85Kp66HqKCuNCvbj0zv58PH
+RWkojRPgyTpbLdXXCOWJXp62XfddL1Bf7NJCW5QTyHoHoOsOeoPajb4OOmQehzqv
+b9FPAHVFBPrU53Xn1CURAzTeBQ2T/OK4nx6EdQgxP9+VVurBQ9N2YBM9VEJmfQK8
+Lf5/+EJHe5ctOy1Xm4A3A52zZ1kGjfvWUtGJUSnJ5ahhMm6Dx63wk7oYNCTXnPup
+aVtINWygNlS/dQsWubHaWSFwB9/QwK074+H/4EpDq9HCMMl8yPMktOmv69Hyaju3
+MvGshz/DLNZf9oYpO+lbU8X124Z6XifEztMiBlUPW75KYv9X4CTbKTdE45QaRMiO
+ZXcH4HE1/iQ9IOGg7CplMlMcHg+lQ7CpXQjtUUjCEpkj8BAs8YLDodLnjigs56/8
+75+3cVZu0+dY+9eNt/EIqzjaFwEx72hbLyhk2IeS++7QloJDhYqlq+ng54Ul957A
+8e7TsSVHlLZVGXw8yqjyxxOwWaFx6mvFzGrcBtvCgK2HwEiYQ9qXJ5VPkdo42w==
+-----END CERTIFICATE-----

internal/testing/tls/testcert.pem

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEDzCCAvegAwIBAgIUb9rMtZakmrPUSehrVFATTotK2JAwDQYJKoZIhvcNAQEL
+BQAwgZYxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdHZW9yZ2lhMRAwDgYDVQQHDAdB
+dGxhbnRhMRIwEAYDVQQKDAlGdWxsU3RvcnkxFDASBgNVBAsMC0VuZ2luZWVyaW5n
+MRMwEQYDVQQDDApTY290dCBCbHVtMSQwIgYJKoZIhvcNAQkBFhVkcmFnb25zaW50
+aEBnbWFpbC5jb20wHhcNMjMxMTAyMTYzMDI2WhcNMjQxMTAxMTYzMDI2WjCBljEL
+MAkGA1UEBhMCVVMxEDAOBgNVBAgMB0dlb3JnaWExEDAOBgNVBAcMB0F0bGFudGEx
+EjAQBgNVBAoMCUZ1bGxTdG9yeTEUMBIGA1UECwwLRW5naW5lZXJpbmcxEzARBgNV
+BAMMClNjb3R0IEJsdW0xJDAiBgkqhkiG9w0BCQEWFWRyYWdvbnNpbnRoQGdtYWls
+LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKWAjgrJW+83dAYb
+N8aQpVSxbbqxfhokavnulLtko5l0TBnZKAJROKHYEKF84wEYMAudqsfUkEq6AxEg
+z9ob3MqpyFORLO1aysgw4uzOzmp/D95dcbY49soQfxQKA19UvMSr8ERBdoULjaR7
+oNCnf2j2cNkZT/yBN68FcTLLoGH+CH+KZovUhzjswew9Q51l9Wq2QxENFreKaxQE
+kwA8i+hxd2VoVIrDRL1i7UMQOYfjgPaVWPPilvuH+/eyuHuVW84ziqHzLM78ZMHB
+XJB3g4H1irj1bfPt54L7kqymv1paYaOUpSHqBcIE8+NlvOSnW2LeRqDdAN3tcq7N
+IvsYRvECAwEAAaNTMFEwHQYDVR0OBBYEFEtQbQRGQjJJgKwYhIHbnCihExdxMB8G
+A1UdIwQYMBaAFEtQbQRGQjJJgKwYhIHbnCihExdxMA8GA1UdEwEB/wQFMAMBAf8w
+DQYJKoZIhvcNAQELBQADggEBAIw/P+VNIv75FghOYuEiCIGf63A1vjoMmNOJ7xI2
+t9dmW54/1MHqC3KlQYyOzTBCbOuEASfLT05mq16aIh834gIVB3upYFsBkB5bBpRg
+LnNTYHSnnpB5k/jikLapgJk/cyRXPQkxCdtH4TwB813iOvou/BSrIIvUYh0vFmGW
+cLe3abB+zCg8gwbOf4pvLGp37ogtTQo2gkcPI2CrKEnpxs4J5AabkCLuk+2XyClP
+9ow3eZAqTUsMOsKbHLGMBOnMthRbpN8UWGWTm8yYo296Kt1Gs1PbBw+xHC84KLsq
+unwlChN+nOKOW4sPIMb9rjkPGMgOgu4rQmqeoGf295fbFIs=
+-----END CERTIFICATE-----

internal/testing/tls/testkey.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQClgI4KyVvvN3QG
+GzfGkKVUsW26sX4aJGr57pS7ZKOZdEwZ2SgCUTih2BChfOMBGDALnarH1JBKugMR
+IM/aG9zKqchTkSztWsrIMOLszs5qfw/eXXG2OPbKEH8UCgNfVLzEq/BEQXaFC42k
+e6DQp39o9nDZGU/8gTevBXEyy6Bh/gh/imaL1Ic47MHsPUOdZfVqtkMRDRa3imsU
+BJMAPIvocXdlaFSKw0S9Yu1DEDmH44D2lVjz4pb7h/v3srh7lVvOM4qh8yzO/GTB
+wVyQd4OB9Yq49W3z7eeC+5Kspr9aWmGjlKUh6gXCBPPjZbzkp1ti3kag3QDd7XKu
+zSL7GEbxAgMBAAECggEAEh4xLpgdkuIQtwxqvjeeideEqi/9HJKJDYRjTuJ1EHsN
+S7UcrqhCmWEkbPFVjoyd0d+4TvkDtNKJPGpJpthvAta0YgWeE/vhACpt5Tu8mCcB
+zzeOl8LDrZpBtyljdh+6LJOgEXDTLzx1DKEmGUGE7rIv52xgd8WTmXrwif2FuMRf
+7o3hJe7KxUZ3ZtOPzHvyy+L2mghrqkMp0kEIb7XfoCYPHWHHElvunZBndQUTC6g5
+MIbMfB5nBilniZtk3YxNIeMgDxj2iOX6SPYUiTmJrVPuT9zuhdX88rhJKtC18Nqt
+aF1L2c6+DBNT9toPsaXZH9tu7NKasf0RhwEtNU+4SwKBgQDc8eeIhsrhhmleXd8e
+AUQZdrc0GYdXMJpbyxXFkaVpv0K30rwXj0ON7Mtvb9twihGOQB9jS3syKvPkRW2o
+2rYNE4sASy+Z9Vi7UbTPT7fozwpymC714+sT31rVTy0QbxDLuj/IcR+65r0kd7xF
+tV9IaPH+UiEN/J0ib7Q3nWggPwKBgQC/wrzWJAMAzwhQy3lwalje5xsa2V7Ud0L7
+RTEA5P1ix7Fn+dVGKmcTn6c+i7vyKQDkpSfMRQ0z3+ycwP2yu4ng6UkTRzlECKHI
+MpwL92bQNXBhDSjLbH+K8pn7ZQIxdYhpgPjwD+o3D0F1GmnOr+nUFFx5ZZHOyNgn
+bHo7+MzMzwKBgQCJxKkrv2kIQUi4l+4FBqMRAa5w5S44Fs1ZSYP04sFy89jFSLkS
+M7na6HldrjD1tpIF0kQAJVPXT2Muxn//VwlHlBULhNZUuOCwRN1qm3nAyEDqfaxi
+lNDDXnWEJs+hvK+LaUJWWPuBDlmIQMT77oFQZGfovgtwbkEI9QA54YPI/wKBgF13
+xiN6mhwizaLUCvVIYNkFPKjxms9k8jkXmLMe6oLjYw2TMOlqcaOXBiXuZkW6xryr
+46IlZjIKy4H8b6xWzPXbv8qtxLPsoS67vGP4yxxhb81eZKwCzogjh/qJWXBSIZOL
+UctxdnAv92/k1/3usMK2yfxCDbgFHZbZwRrKQsjxAoGAX/ZzFLVjtJAX0M0iYJ8i
+NoJeqNpK7CtnBPcIWFFMamQ1OPOWHtVV32OlD5IfKXTNYhLMLVHzHLEl4fkjUoFN
+u+TkCymZqISPUPLJF8PxT9J0uYxvFNpSTDhYK7QacO5TnboYDjjSodg/9PChclBp
+Gwo7hmAwa/JiWuOh/yvo2f4=
+-----END PRIVATE KEY-----

mk-test-files.sh

@@ -55,3 +55,23 @@ cs sign wrong-client --years 10 --CA wrong-ca
 # Create expired cert
 cs request-cert --common-name expired --ip 127.0.0.1 --domain localhost
 cs sign expired --years 0 --CA ca
+
+## Create DER PKCS12 file
+#openssl x509  -outform der -in testing/tls/ca.crt -out testing/tls/ca.der
+#openssl x509  -outform der -in testing/tls/client.crt -out testing/tls/client.der
+#openssl x509  -outform der -in testing/tls/client.crt -out testing/tls/client.der
+#openssl x509  -text -in testing/tls/client.crt > testing/tls/client.cer
+#sed '1s/^/invalidGuess/' testing/tls/client.cer > testing/tls/client.guess
+#openssl pkcs12 -export \
+#	-in        testing/tls/client.crt \
+#	-inkey     testing/tls/client.key \
+#	-certfile  testing/tls/ca.crt \
+#	-out       testing/tls/client.pfx \
+#	-password pass:
+#openssl pkcs12 -export \
+#	-in        testing/tls/client.crt \
+#	-inkey     testing/tls/client.key \
+#	-certfile  testing/tls/ca.crt \
+#	-out       testing/tls/client_pass.pfx \
+#	-password pass:pfxpassword
+